Data Processing Addendum for Providers

‍‍ENTERED INTO BY: 

Hopin Limited, incorporated and registered in England and Wales with company number 12035150, whose registered office is at 5 Churchill Place, 10th Floor, London, E14 5HU (“Hopin”); and  

“Provider” the entity identified in the signature block of the Main Agreement (defined below).

Each a “party,” together the “parties.”

BACKGROUND

The parties have entered into an agreement for Provider to provide certain services (the “Services”) to Hopin (the “Main Agreement”). This data processing agreement (the “DPA”) sets forth the terms on which the parties will collect and process Personal Data in connection with the Services, and is hereby incorporated into the Main Agreement by reference.

APPLICATION OF THIS DPA

Events held on Hopin’s platform and associated technology (“Platform”) can be attended by individuals from around the world.  The Provider provides Services to Hopin in connection with the Platform.  This DPA will apply to the processing of Personal Data under the Main Agreement.  

DESCRIPTION OF DATA PROCESSING

The section below sets out the subject-matter, nature and purpose, duration of the processing, the type(s) of Personal Data being processed, and the categories of data subjects that may be processed under this DPA.

DATA PROCESSING DETAILS

Subject-matter

Processing of data related to the Services.  

Nature and purpose

Processing data for the purpose of managing access to the Platform by Hopin’s customers and end users, also for the purpose of the Provider supplying the Services to Hopin.

Duration

Term of the Main Agreement or for as long as Provider retains the Personal Data.

Types of Personal Data

May include name, email address, billing and payment information, events booked, organized and attended, content generated through the attendance of events, and any other Personal Data that may be processed pursuant to the supply of the Services under the Main Agreement.

Categories of Data Subject

The Personal Data that may be processed may relate to event organizers, attendees, employees, contractors and contacts of both Hopin and Hopin’s customers.  

DEFINITIONS

Capitalized terms used but not defined in this DPA shall have the same meanings as set out in the Main Agreement, if applicable. For the purposes of this DPA.

“Affiliate” means, regarding a Party, any entity that directly or indirectly controls, is controlled by, or is under common control with such Party, whereby “control” (including, with correlative meaning, the terms “controlled by” and “under common control”) means the possession, directly or indirectly, of the power to direct, or cause the direction of the management and policies of such person, whether through the ownership of voting securities, by contract, or otherwise.

“Applicable Laws” means all applicable data protection and privacy legislation in force from time to time which apply to a Party relating to the use of Personal Data, including Data Protection Legislation; the California Consumer Privacy Act of 2018 (AB 375) (CCPA); and the guidance and codes of practice issued by the relevant data protection or supervisory authority and applicable to a party.

“Controller”, “Processor”, “data subject”, “Personal Data”, “personal data breach”, “processing,” “service provider” and “appropriate technical and organizational measures” are as defined in the Data Protection Legislation. “Personal data” includes “personal information” as defined by the CCPA.

“Data Protection Legislation” means all applicable data protection and privacy legislation in force from time to time in the UK including but not limited to the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) (the “UK GDPR”) as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018; the Data Protection Act 2018; the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended. 

“Hopin Personal Data” means any and all Personal Data that is provided to Provider or otherwise collected and/or accessed by Provider on behalf of Hopin and/or its Affiliates in the course of the Provider supplying the Services under the Main Agreement.

“Information System” means the systems and electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of electronic information, as well as any specialized system such as industrial/process controls systems and environmental control systems.

"SCCs" means:

​​​​For UK transfers - The then current SCCs for controller-to-processor transfers (“Legacy SCCs”) available at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32010D0087&from=en and, to the extent applicable, incorporated herein by reference.  

For EEA or Switzerland transfers – The then current Module 2 SCCs for controller-to-processor transfers and Module 3 SCCs for processor-to-processor transfers (“New SCCs”) available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX%3A32021D0914&locale=en and, to the extent applicable, incorporated herein by reference.   

"Sub-processor" means an entity engaged by a Processor to receive Personal Data from the Processor exclusively intended for the processing activities to be carried out as part of the Services.

1. Applicability of DPA and scope of data processing activities

1.1 For purposes of this DPA, Hopin may act as a Controller, or it may act as a Processor of one of its customers. Provider therefore acknowledges that it may act as a Processor of Hopin or a Sub-processor of Hopin. Where Hopin acts as a Processor, Hopin is obligated contractually and / or under Applicable Laws to flow down certain data protection related obligations to its appointed Sub-processors. Therefore all obligations placed on Processors in this DPA shall apply to Provider regardless of whether Provider acts as a Processor or Sub-processor.

1.2 Both parties will comply with the requirements of Applicable Laws, and shall not perform their obligations under this DPA or any other agreement or arrangement between them in such way as to cause either Party to breach any of its applicable obligations under Applicable Laws.

2. Data Processor’s Responsibilities

2.1 Without prejudice to the generality of Section 1.2, the Data Processor shall, in relation to any Personal Data processed in connection with the performance of its obligations under this DPA:

2.1.1 warrant and undertake to process Hopin Personal Data only on the documented written instructions of Hopin, which include this DPA and the Main Agreement, unless Provider is required by Applicable Laws to otherwise process that Personal Data. Provider shall not process Hopin Personal Data for Provider’s own purposes or for the benefit of anyone other than Hopin. Without limiting the foregoing, where Provider is relying on Applicable Laws as the basis for processing Hopin Personal Data, Provider shall promptly notify Hopin of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit Provider from so notifying Hopin. The Provider must promptly notify Hopin if, in its opinion, Hopin’s instructions do not comply with Applicable Laws.  

2.1.2 maintain a record of all categories of processing carried out on Hopin’s behalf and make it available to Hopin or the data protection supervisory authority upon request;

2.1.3 ensure that it has in place appropriate technical and organizational measures to protect against unauthorized or unlawful processing of Hopin Personal Data and against accidental loss or destruction of, or damage to, Hopin Personal Data, appropriate to (a) the harm that might result from the unauthorized or unlawful processing or accidental loss, destruction or damage of the Personal Data; and (b)  the nature of the Personal Data to be protected; in all cases having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymizing and encrypting the  Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident or personal data breach, and regularly assessing and evaluating the effectiveness of the technical and organizational measures adopted by it).

2.1.4 only permit employees, staff, agents, or any other person or entity acting on its behalf to access Hopin Personal Data if that access is in compliance with this DPA, conducted by individuals who have a need-to-know and who have been appropriately trained and are bound by commercially reasonable and legally enforceable confidentiality, data privacy, and data security obligations that are no less protective of Hopin’s interests than those set forth in this DPA.

2.1.5. not transfer any Hopin Personal Data to a territory outside of the European Economic Area, Switzerland or the United Kingdom without the prior written consent of Hopin.  Where such consent is granted, the Provider may only process, or permit the processing, of the Personal Data outside the EEA under the following conditions:

a) the Provider is processing the Personal Data in a territory which is subject to adequacy regulations under Applicable Laws that the territory provides adequate protection for the privacy rights of individuals; or

b) the Provider participates in a valid cross-border transfer mechanism (such as the SCCs) under Applicable Laws so that the Provider (and where appropriate Hopin) can ensure that appropriate safeguards are in place to ensure an adequate level of protection with respect to the privacy rights of individuals as required by Article 46 of the GDPR and UK GDPR, where applicable.

c) Legacy SCCs

If any transfer of Hopin Personal Data between Hopin and the Provider requires execution of Legacy SCCs in order to comply with the Data Protection Legislation (where Hopin is the entity exporting Personal Data to the Provider outside the UK), the parties agree that Appendix 1 of the Legacy SCCs shall be replaced with Annex A of this DPA and Appendix 2 shall be replaced by Annex B.  

If Hopin consents to appointment by the Provider of a Sub-processor located outside the UK in compliance with the provisions of section 2.1.10 and 2.1.5, then Hopin authorises the Provider to enter into Legacy SCCs with the Sub-processor in Hopin’s name and on its behalf. The Provider will ensure that all relevant details are completed, and that all other actions required to legitimise and execute the Legacy SCCs are taken, and shall make the executed Legacy SCCs available to Hopin on request.  In such cases Appendix 2 of the Legacy SCCs shall be replaced by Annex B.  

d) New SCCs

If any transfer of Hopin Personal Data between Hopin and the Provider requires execution of New SCCs in order to comply with the Applicable Laws (where Hopin is the entity exporting Personal Data to the Provider outside the EEA), the parties agree that the New SCCs will be deemed entered into (and incorporated into the DPA by this reference) and completed as set forth in Annex C to this DPA.   

e) If the parties are required to execute the SCCs in order to comply with the provisions of this section, then signature to the Main Agreement or this DPA shall also constitute signature of the SCCs by the parties.  To the extent there is any conflict between the SCCs, and any other terms in this DPA or the Main Agreement, the provisions of the SCCs will prevail.  

2.1.6  take such technical and organizational measures as may be appropriate and provide all assistance reasonably required by Hopin at no additional cost to Hopin, to enable Hopin to comply with:

a) the rights of Data Subjects under Applicable Laws, including subject access rights, the rights to rectify, port and erase Personal Data, object to the processing and automated processing of Personal Data, and restrict the processing of Personal Data; and

b) its obligations under Applicable Laws, including its obligations relating to the security of processing, maintaining detailed records of processing activities (including the location of data), notification of a Personal Data breach to the data protection supervisory authority and to the data subject, data protection impact assessments as well as prior consultation with the data protection supervisory authority.

Provider warrants that in the event that any such request, question or complaint under this Section 2.1.6 is made directly to Provider, Provider shall immediately inform Hopin providing full details of the same.

2.1.7 in the event that Provider becomes aware of a Data Breach, Provider will, at Provider’s cost:

a)  notify Hopin without undue delay (and at the latest within 48 hours of becoming aware of the Data Breach);

b) provide Hopin with a reasonably detailed description of the Data Breach, including the type of data that was the subject of the Data Breach and the identity and state or country of residence of each affected Data Subject as well as any other information that Hopin may reasonably request relating to the Data Breach, as soon as such information can be collected or otherwise becomes available;  

c) promptly (and latest beginning within 48 hours of becoming aware of the Data Breach) investigate the Data Breach, make reasonable efforts to mitigate the effects and harm of the Data Breach in accordance with its obligations under Section 4 (Confidentiality and Security) above, and provide any other assistance that Hopin may reasonably request relating to the Data Breach; and

d) not disclose the existence of a Data Breach to any third party, including to Hopin’s customers, consumers, or the general public, without first obtaining the prior express written consent of Hopin. Hopin has the sole right to determine: (i) whether notice of the Data Breach is to be provided to any customer, individuals, regulators, law enforcement agencies, or others; and (ii) the form and content of such notice.

2.1.8  upon termination or expiry of this DPA, Provider shall (at Hopin's election) destroy or return to Hopin all Hopin Personal Data (including all copies of Hopin Personal Data) in its possession or control (including any Hopin Personal Data in the possession of a Sub-processor or provided by a Sub-processor to a third party for processing), unless any applicable law requires Provider to retain Hopin Personal Data.

2.1.9 Provider acknowledges that Hopin has the right to fully monitor and audit Provider’s compliance with its duties under this DPA and Applicable Laws, including provision of audit questionnaires, provision of security policies and summaries of assessments of compliance with any industry standards (such as ISO 27001, SSAE 16 SOC II), penetration testing and vulnerability scans, and inspections at the premises of Provider where Hopin Personal Data is processed; and Provider shall provide to Hopin, its authorized representatives and any such independent inspection body as Hopin may appoint, on reasonable notice: (a) access to Provider’s information processing premises and records; (b) reasonable assistance and cooperation of Provider’s relevant staff; and (c) reasonable facilities at Provider’s premises.  The Provider will promptly address any exceptions noted in the audit reports with the development and implementation of a corrective action plan by the Provider's management.

2.1.10  Provider shall not (and shall ensure that any person or entity providing services on Provider’s behalf shall not) engage a Sub-processor without prior written authorization from Hopin.  Hopin consents generally to the appointment by Provider of Sub-processors engaged by Provider and brought to the attention of Hopin prior to the commencement of the Main Agreement.  

Provider shall notify Hopin in advance of any new Sub-processors it intends to use, or any changes to the approved list.  Hopin may object to such appointments of Sub-processors within fourteen (14) days of receipt of notice. If Hopin objects to such changes, Hopin will give Provider the opportunity to make a change in the service or recommend a change to Provider’s configuration to avoid processing of Personal Data by the objected-to new Sub-processor.  If Provider’s proposed change is not acceptable to Hopin, Hopin may in its sole discretion terminate the Main Agreement without further liability or obligation to Provider.  

Provider shall ensure that in relation to both existing and new Sub-processors:  

a) any Sub-processor is contractually bound in writing to provide at least the same level of protection as is required by this DPA and complies with Applicable Laws;

b) Provider shall be fully responsible for, and liable to Hopin for acts and omissions of any Sub-processor as if they were Provider's own act or omission; and

c) Provider shall provide Hopin with copies of relevant excerpts from such contracts with any Sub-processors appointed, on request.

3. Indemnity

3.1 Provider will indemnify and defend Hopin, its clients, officers, directors, employees, agents, representatives and Affiliates (each an "Indemnified Party") from and against all third-party loss, harm, cost (including reasonable legal fees and expenses), expense and liability that an Indemnified Party may suffer or incur as a result of Provider's (or its sub-processors) non-compliance with the requirements of this DPA.

4. Termination

4.1 This DPA will remain in full force and effect so long as:

a) the Main Agreement remains in effect; or

b) the Provider retains any Hopin Personal Data related to the Main Agreement in its possession or control.

4.2 Any provision of this DPA expressly or by implication that comes into or continues in force on or after termination of the Main Agreement in order to protect Hopin Personal Data will remain in full force and effect.

4.3 The Provider's failure to comply with the terms of this Agreement is a material breach of the Main Agreement. In such event, Hopin may terminate the Main Agreement effective immediately on written notice to the Provider without further liability or obligation of Hopin.

4.4 If a change in Applicable Laws prevents either party from fulfilling all or part of its Main Agreement obligations, the parties may agree to suspend the processing of Hopin Personal Data until that processing complies with the new requirements. If the parties are unable to bring the Hopin Personal Data processing into compliance with Applicable Laws within 14 days, either party may terminate the Main Agreement with immediate effect on written notice to the other party.

5. General

5.1 This DPA is subject to the terms of the Main Agreement and is incorporated into the Main Agreement. In the case of conflict or ambiguity between any of the provisions of this DPA and the provisions of the Main Agreement, the provisions of this DPA will prevail to the extent of such conflict or ambiguity.

5.2 This DPA and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by and construed in accordance with the law of England and Wales.

5.3. Each party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim (including non-contractual disputes or claims), arising out of or in connection with this DPA or its subject matter or formation.

Annex A

Appendix 1 to the Standard Contractual Clauses

This Appendix forms part of the Clauses and must be completed and signed by the parties

The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix

Data exporter

The data exporter is (please specify briefly your activities relevant to the transfer):

Hopin, a provider of an online virtual events platform.  

Data importer

The data importer is (please specify briefly activities relevant to the transfer):

The Provider, who is providing Services to Hopin under the Main Agreement.  

Data subjects

The personal data transferred concern the following categories of data subjects (please specify):

Individuals whose Personal Data or personal information Hopin elects to transfer to Provider so that Provider can supply the Services in accordance with the Main Agreement.  This may include event organizers, attendees, employees, contractors and contacts of both Hopin and Hopin’s customers.  

Categories of data

The personal data transferred concern the following categories of data (please specify):

May include name, email address, billing and payment information, events booked, organized and attended, content generated through the attendance of events, and any other Personal Data that may be processed pursuant to the supply of the Services under the Main Agreement.

Special categories of data (if appropriate)

The personal data transferred concern the following special categories of data (please specify):

None

Processing operations

The personal data transferred will be subject to the following basic processing activities (please specify):

The provision and  receipt of the Services under the Main Agreement. 

Annex B

Appendix 2 to the Standard Contractual Clauses

Security Measures

https://hopin.com/datasec-providers

Annex C

Module Two (Controller to Processor) of the New SCCs will apply where Hopin is a Controller of Participant Data and Provider is processing Participant Data.  “Participant Data” is data provided by end users when they create a Hopin account to attend an event on the Platform, including (a) image; (b) email address; (c) first and last name; (d) alias; (e) event participation information (like event name and date and time of event); and (f) any additional information provided independently by individuals in connection with customer events held on the Platform.   

Module Three (Processor to Processor) of the New SCCs will apply where the Provider is processing Event Content and Hopin is processing Event Content.  “Event Content” includes (a) materials submitted in the course of creating or during an event; and (b) Personal Data embedded in customer event related content.  

For each Module, where applicable: (a) In Clause 7 of the New SCCs, the optional docking clause will not apply; (b) in Clause 9 of the New SCCs, Option 2 will apply and the time period for prior notice of sub-processor changes will be as set forth in Section 2.1.10 of this DPA; (c) in Clause 11 of the New SCCs, the optional language will not apply; (d) the competent supervisory authority shall be determined in accordance with clause 13; (e) the governing law for purposes of Clause 17 shall be the law of Ireland, save to the extent not permitted by UK law, in which case the law of England and Wales will apply; (f) for the purpose of clause 18, the Irish courts will have jurisdiction, save to the extent not permitted by UK law, in which case the courts of England and Wales will have jurisdiction. To the extent required by UK law, all references to EU and EU Member State law in the New SCCs shall be read as references to the equivalent laws of England and Wales. 

In Annex I, Part A of the New SCCs:  The Data Exporter is Hopin and the Data Importer is Provider, and the contact details are set forth in the Main Agreement.  The roles of Data Exporter and Data Importer are set forth in the Application of this DPA Section of this DPA and as otherwise set forth in the Main Agreement.  

In Annex I, Part B of the New SCCs:  The categories of data subjects and nature and purpose of the processing are described in the Description of Data Processing Section of this DPA.  It is not anticipated that sensitive data will be transferred.  The frequency of the transfer is a continuous basis for the duration of the Main Agreement.  The period for which the Personal Data will be retained is for the term of the Main Agreement or for as long as Provider is permitted or required to retain the Personal Data.  Annex B to this DPA serves as Annex II of the New SCCs.