Hopin Limited, incorporated and registered in England and Wales with company number 12035150 whose registered office is at 5 Bonhill St., Shoreditch, London, EC2A 4BX (“Hopin”); and
Customer, the entity identified in the signature block of the Main Agreement (defined below).
Each a “party,” together the “parties.”
The parties have entered into an agreement for Hopin to provide certain services (the “Services”) to the Customer (the “Main Agreement”). This data processing agreement (the “DPA”) sets forth the terms on which the parties will collect and process personal data in connection with the Service, and is hereby incorporated into the Main Agreement by reference.
Events held on Hopin’s platform and associated technology (“Platform”) can be attended by individuals from around the world. Hopin’s processing of personal data is subject to privacy laws in England and the European Union irrespective of Customer’s location, and depending on where Customer and attendees of an Event are located, various different jurisdictions’ privacy laws may also apply.
This DPA will always apply to the processing of personal data under the Main Agreement. Section 7 will only apply to the extent that a Restricted Transfer takes place.
The table below sets out the subject-matter, nature and purpose, duration of the processing, the type(s) of personal data being processed, and the categories of data subjects that may be processed depending on the nature of the Services and role of each of Hopin and Customer:
Subject matter: Processing of data related to the Services as described in the Main Agreement
Nature and purpose: Processing data for the purpose of managing access to Hopin’s platform by Customer and end users
Duration of the processing: Term of the Main Agreement or for as long as Hopin is permitted or required to retain the personal data
Type(s) of personal data:
“Participant Data” such as (a) image; (b) contact details and address; (c) first and last name; (d) alias; (e) event participation and registration data; and (f) additional information provided independently by individuals in connection with Customer’s events.
“Event Content” which includes (a) first and last name and email of Customer’s invitees to the customer’s event; and (b) personal data embedded in Customer event related content
Categories of data subjects: individuals in Event Content
“Applicable Laws” means all applicable data protection and privacy legislation in force from time to time which apply to a Party relating to the use of personal data, including the Data Protection Legislation; the California Consumer Privacy Act of 2018 (AB 375) (CCPA); and the guidance and codes of practice issued by the relevant data protection or supervisory authority and applicable to a party.
“Business” is as defined in the CCPA.
“Controller”, “processor”, “data subject”, “personal data”, “personal data breach”, “processing,” “service provider” and “appropriate technical and organisational measures” are as defined in the Data Protection Legislation. “Personal data” includes “personal information” as defined by the CCPA.
“C-to-C Transfer Clauses” means the then current Standard Contractual Clauses for controller-to-controller Restricted Transfers available at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32004D0915&from=EN and, to the extent applicable, incorporated herein by reference.
“C-to-P Transfer Clauses” means the then current Standard Contractual Clauses for controller-to-processor Restricted Transfers available at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32010D0087&from=en and, to the extent applicable, incorporated herein by reference.
“Data Protection Legislation” means all applicable data protection and privacy legislation in force from time to time in the UK including the General Data Protection Regulation ((EU) 2016/679); the Data Protection Act 2018; the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended.
“Restricted Transfer” means a transfer of personal data under this DPA from the European Economic Area, Switzerland, or United Kingdom to countries which do not ensure an adequate level of data protection within the meaning of Applicable Laws of the foregoing territories, to the extent such transfers are subject to such Applicable Law.
1.1. Customer and Hopin each act as an independent Data Controller of Participant Data. Each party represents and warrants that it has provided any necessary notices and if required, obtained any necessary consents related to the collection of such personal data and, as applicable, it has the right to share such personal data with the other party. Sections 6 to 8 of this DPA apply. All other terms of this DPA apply regardless of the role of the parties except where expressly stated.
1.2. In all other circumstances, Customer is the Data Controller of Event Content and Hopin is the Data Processor, and Sections 2 through 5 and 8 shall apply to the processing of such Event Content.
1.3. All other provisions of this DPA apply regardless of the role of the parties unless provided otherwise.
Hopin As Data Processor:
2.1. Data Processor may, at any time on not less than 30 days’ notice, revise this DPA by replacing it with any applicable controller to processor standard clauses or similar terms approved by the relevant supervisory authority forming part of an applicable certification scheme to which the Data Processor is subject.
2.2. Both parties will comply with all applicable requirements of the Data Protection Legislation. This Section 2.2 is in addition to, and does not relieve, remove or replace, a party’s obligations or rights under the Data Protection Legislation.
Without prejudice to the generality of Section 2.2, the Data Controller will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Event Content to the Data Processor and/or lawful collection or processing of the Event Content by the Data Processor on behalf of the Data Controller for the duration and purposes of this DPA. Data Controller will not instruct Data Processor to process any personal data, including Event Content, in violation of Data Protection Legislation.
4.1. Without prejudice to the generality of Section 2.2, the Data Processor shall, in relation to any personal data processed in connection with the performance by the Data Processor of its obligations under this DPA:
4.2. process Event Content only on the documented written instructions of the Data Controller, which include this DPA and the Main Agreement, unless the Data Processor is required by Applicable Laws to otherwise process that personal data. Without limiting the foregoing, where the Data Processor is relying on Applicable Laws as the basis for processing Event Content, the Data Processor shall promptly notify the Data Controller of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit the Data Processor from so notifying the Data Controller;
4.3. ensure that it has in place appropriate technical and organizational measures provided in https://hopin.com/security (the “Security Measures”), to protect against unauthorized or unlawful processing of Event Content and against accidental loss or destruction of, or damage to, Event Content, appropriate to: the harm that might result from the unauthorized or unlawful processing or accidental loss, destruction or damage of the data; and the nature of the data to be protected, in all cases having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymizing and encrypting Event Content, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to personal data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organizational measures adopted by it);
4.4. ensure that all personnel who have access to and/or process Event Content are obliged to keep the Event Content confidential;
4.5. not transfer any Event Content outside of the European Economic Area and the United Kingdom unless either: the Commission has decided, in accordance with Article 45 of the General Data Protection Regulation ((EU) 2016/679), that the third country (or sector thereof), territory, or international organization to which personal data is to be transferred, ensures an adequate level of protection; or pursuant to a transfer mechanism that is compliant with Data Protection Legislation, which may include but is not limited to approved Standard Contractual Clauses;
4.6. assist the Data Controller, at the Data Controller’s cost, in responding to any request from a data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
4.7. notify the Data Controller without undue delay, and where practicable, within 48 hours, on becoming aware of a personal data breach of Event Content;
4.8. at the written direction of the Data Controller, delete or return Event Content and copies thereof to the Data Controller on termination of the DPA unless required by Applicable Law to store the Event Content;
4.9. maintain complete and accurate records and information to demonstrate its compliance with this Section 4 and allow for audits by the Data Controller or the Data Controller’s designated auditor, only so far as is necessary in order to demonstrate compliance, provided that: the Data Controller provides the Data Processor with no less than 30 days’ notice of such audit or inspection; is conducted at Data Controller’s sole expense; and the parties agree to the scope, duration, and purpose of such audit or inspection in advance, including reasonable reimbursement of Data Processor for time expended by Data Processor or its subprocessors. Data Controller shall conduct its audit in a manner that will result in minimal disruption to Data Processor’s business operations and shall not be entitled to receive or obtain access to any system that also stores the data or information of other clients of Data Processor or any other confidential information of Data Processor that is not directly relevant for the authorized purposes of the audit. If the Data Controller becomes privy to any confidential information of the Data Processor as a result of this Section 4.9, the Data Controller shall hold such confidential information in confidence and, unless required by law, not make the confidential information available to any third party, or use it for any other purpose. The Data Controller acknowledges that the Data Processor shall only be required to use reasonable endeavors to assist the Data Controller in procuring access to any third party assets, records or information as part of any audit; and
4.10. inform the Data Controller immediately if, in the Data Processor’s opinion, an instruction from the Data Controller infringes (or, if acted upon, might cause an infringement of) the Data Protection Legislation.
5.1. The Data Controller acknowledges and consents generally to the appointment by the Data Processor of third parties as sub-processors of the Event Content being processed under this DPA. The names and locations of all sub-processors used for the processing of Event Content under this DPA are listed at https://hopin.com/security.
5.2. The Data Processor confirms that: (a) it shall impose on all sub-processors the same data protection obligations as set out in Section 1 and 4; and (b) the Data Processor shall remain fully liable for the actions of its sub-processors at all times.
5.3. The Data Processor shall give the Data Controller notice of the appointment of any new sub-processors by updating the list of sub-processors referenced in Section 5.1 above. Data Controller may reasonably object to such appointments within ten (10) U.S. business days of such notice. If Data Controller objects to such changes, Data Controller will give Data Processor the opportunity to make a change in the service or recommend a commercially reasonable change to Data Controller’s configuration to avoid processing of personal data by the objected-to new sub-processor without unreasonably burdening Customer.
6.1. Each party is solely responsible for compliance with Applicable Laws, including Data Protection Legislation, with respect to its own processing of personal data in connection with the Services, including:
6.2. Any legal requirement to provide notice or transparency to data subjects regarding or to obtain an individual’s consent for its own processing of the personal data.
6.3. Any legal requirement applicable to its own transfer of personal data to the other party.
6.4. Each party shall provide reasonable assistance to and cooperation with the other party for their consultation with supervisory authorities in relation to the transfer, control, and processing of personal data involved in this DPA.
6.5. Each party shall be responsible for responding to and, if required, complying with, any data subject requests to exercise rights under Data Protection Legislation with respect to personal data, or a request purporting to exercise such rights, or a complaint related to the processing of such data. Notwithstanding the foregoing, as applicable the Parties will reasonably cooperate to address the situation promptly and in compliance with Data Protection Legislation.
7.1. For Restricted Transfers, the parties agree to be bound by the applicable standard contractual clauses (“SCCs”) to the extent that either party processes personal data of data subjects located in the European Economic Area, Switzerland, or United Kingdom. In case of conflict between the SCCs and this DPA, the SCCs will prevail. The SCCs shall not apply with respect to personal data that either party processes in a country that the European Commission has decided provides adequate protection for personal data. By entering into this DPA, the parties are deemed to have executed the applicable SCCs and its corresponding appendices.
7.2. When Hopin and Customer act as independent controllers and Customer engages in a Restricted Transfer to Hopin, the C to C Transfer Clauses will be deemed completed as follows:
7.2.1. The “exporter” is the Customer and Customer’s contact information is set forth in the Main Agreement.
7.2.2. The “importer” is Hopin, and Hopin’s contact information is set forth below.
7.2.3. For the purpose of Annex B to the C to C Transfer Clauses (i) the data subjects are those end users whose personal data Customer provides to Hopin in accordance with the Main Agreement; (ii) the purpose of the transfer is to permit provision of the Services in accordance with the Main Agreement; (iii) the categories of personal data are: Participant Data; (iv) the recipients of the personal data are Hopin and as set forth in the Main Agreement; (v) it is not anticipated that sensitive data will be transferred; (vi) there is no applicable data registration information; (vii) there is no additional useful information; and (viii) the contact points for data protection inquiries are as set forth in the Main Agreement. For the purposes of clause II(h) of the C to C Transfer Clauses, Hopin hereby selects option (iii) and agrees to be governed by and comply with the data processing principles set out in Annex A to the C to C Transfer Clauses. To the extent the terms of the C to C Transfer Clauses conflict with other terms of your Main Agreement, the terms of the C to C Transfer Clauses will control.
7.3. When Hopin and Customer act as independent controllers and Hopin engages in a Restricted Transfer to Customer, the C to C Transfer Clauses will be deemed completed as follows:
7.3.1. The “exporter” is Hopin, and Hopin’s contact information is set forth below.
7.3.2. The “importer” is Customer, and Customer’s contact information is set forth in the Main Agreement.
7.3.3. For the purpose of Annex B to the C to C Transfer Clauses (i) the data subjects are those end users whose personal data Hopin provides to Customer in accordance with the Main Agreement; (ii) the purpose of the transfer is to permit provision of the Services in accordance with the Main Agreement; (iii) the category of personal data is Participant Data; (iv) the recipients of the personal data are Customer and as set forth in the Main Agreement; (v) all categories of sensitive data may be transferred; (vi) there is no applicable data registration information; (vii) there is no additional useful information; and (viii) the contact points for data protection inquiries are as set forth in the Main Agreement. For the purposes of clause II(h) of the C to C Transfer Clauses, Customer hereby selects option (iii) and agrees to be governed by and comply with the data processing principles set out in Annex A to the C to C Transfer Clauses. To the extent the terms of the C to C Transfer Clauses conflict with other terms of the Main Agreement, the terms of the C to C Transfer Clauses will control.
7.4. When Hopin is acting as a data processor to Customer and Customer engages in a Restricted Transfer to Hopin, the C to P Transfer Clauses will be deemed completed as follows:
7.4.1. The “exporter” is the Customer, and the exporter’s contact information is set forth in the Main Agreement.
7.4.2. The “importer” is Hopin, and Hopin’s contact information is set forth below.
7.4.3. For the purpose of Appendix 1 to the C to P Transfer Clauses: (i) data subjects are (a) Customer employees; (b) Customer end users; and (c) individuals in Event Content; (ii) the categories of Event Content are not restricted by the Services but may include (a) Customer Employee Contact Information; (b) Participant Data; and (c) Event Content; (iii) special categories of data (if appropriate) are not anticipated but would include information provided by Customer in its content or Customer End Users in the Services; (iv) processing operations include Hopin’s provision of the Services to Customer as further described in the Main Agreement. The processing takes place from the commencement of the Main Agreement until deletion of Event Content by Hopin in accordance with the DPA.
7.5. For the purpose of Appendix 2 to the C to P Transfer Clauses: Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c), can be found at https://hopin.com/security.
8.1. This DPA is subject to the terms of the Main Agreement and is incorporated into the Main Agreement. In the case of conflict or ambiguity between any of the provisions of this DPA and the provisions of the Main Agreement, the provisions of this DPA will prevail to the extent of such conflict or ambiguity. This DPA will remain in full force and effect so long as: (a) the Main Agreement remains in effect; or (b) Hopin retains any personal data related to the Main Agreement in its possession or control.
8.2. This DPA and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by and construed in accordance with the law of England and Wales.
8.3. Each party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim (including non-contractual disputes or claims), arising out of or in connection with this DPA or its subject matter or formation.