Data Processing Agreement
THIS DATA PROCESSING AGREEMENT (“AGREEMENT”) IS INCORPORATED BY REFERENCE INTO THE HOPPER MASTER SERVICES AGREEMENT AVAILABLE AT: [https://www.hopper.security/end-user-saas-agreement] (“MAIN AGREEMENT”) BETWEEN YOU ("CONTROLLER"), AND HOPPER INC. ("PROCESSOR") AND CONSTITUTES A BINDING AGREEMENT BETWEEN CONTROLLER AND PROCESSOR. ALL DEFINED TERMS CONTAINED HEREIN SHALL HAVE THE SAME MEANING AS THE DEFINITIONS SET FORTH IN THE MAIN AGREEMENT. BY CLICKING THE “I ACCEPT” BUTTON BELOW OR BY ACCESSING OR USING THE PLATFORM IN ANY WAY OR MANNER, CONTROLLER AGREES TO BE BOUND BY THIS AGREEMENT. IF CONTROLLER IS ENTERING INTO THIS AGREEMENT ON BEHALF OF AN ENTITY, CONTROLLER REPRESENTS THAT IT HAS THE RIGHT, AUTHORITY, AND CAPACITY TO BIND SUCH ENTITY TO THIS AGREEMENT. IF CONTROLLER DOES NOT AGREE WITH ANY OF THE TERMS OR CONDITIONS OF THIS AGREEMENT, CONTROLLER MUST NEITHER CLICK “I ACCEPT” NOR ACCESS OR USE THE PLATFORM IN ANY WAY OR MANNER.
Processor shall comply with the following in respect of any and all personal data (as defined under Regulation (EU) 2016/679 (General Data Protection Regulation) and European Union (Withdrawal Agreement) Act 2020 and amended by The Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2020, the California Consumer Privacy Act (Cal. Civ. Code §1798) and any other data protection or privacy laws, all as applicable), ("PII", "GDPR", "UK GDPR" and "CCPA", respectively):
- Controller's Compliance. Controller's instructions for processing of PII shall comply with all applicable privacy and data protection laws, including the GDPR, UK GDPR, CCPA and Israel Protection of Privacy Law, 1981 (collectively, “Applicable Law”).
- Consent. Controller hereby represents, warrants and covenants that it shall comply with all Applicable Law, rules and regulations, including without limitation, all applicable privacy laws and policies, and shall ensure that all required consents, permits and approvals are obtained from data subjects in respect of all collection, retention, transfer and processing of PII.
- Details of Processing. Processor will process PII only pursuant to Controller’s documented instructions unless processing is required by applicable laws to which Processor is subject, in which case Processor shall inform Controller of that legal requirement before the relevant processing of that PII, unless prohibited from doing so by law. The details of the processing activities to be carried out by Processor in respect of the Services are specified in Appendix 1.
- Data Subjects Rights. Processor shall assist Controller, by using appropriate technical and organizational measures, in the fulfillment of Controller's obligations to respond to requests by data subjects in exercising their rights under applicable laws.
- Confidentiality. Processor shall ensure that its personnel engaged in the processing of PII are bound by a confidentiality undertaking.
- Data Breach. Processor will promptly notify Controller after becoming aware of any suspected or actual breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, PII ("Data Breach").
- Records. Processor will maintain up-to-date written records of its processing activities, including, inter alia, Processor's and Controller's contact details, details of data protection officers (where applicable), the categories of processing, transfers of PII across borders and the technical and organizational security measures implemented by the Processor. Upon request, Processor will provide an up-to-date copy of these records to Controller.
- Sub-Processors. Controller acknowledges and agrees that Processor may engage any of the third-party sub-processors listed in Appendix 2, which Processor may update from time to time. Such sub-processors shall be bound by a written contract including terms which set data protection obligations no less protective than those in this Agreement to the extent applicable to the nature of the services provided by such sub-processor.
- Assistance. Processor will reasonably assist Controller, at Controller’s expense, in ensuring compliance with Controller's obligations related to the security of the processing, notification and communication of Data Breaches, conduct of data protection impact assessments and any inquiry, investigation or other request by a supervisory authority.
- Possible Violation. Where Processor believes that an instruction would result in a violation of any applicable data protection laws, Processor shall notify the Controller thereof.
- Information. Processor will make available to Controller, upon request, information necessary to demonstrate compliance with the obligations set forth in this Agreement.
- Audits. Upon Controller's request, Processor shall cooperate with audits and inspections of its compliance with the requirements and obligations herein and/or under applicable law. Such audits and inspections may be conducted by Controller or by any third party designated by Controller, which will be required to sign a non-disclosure agreement. Such audits shall be coordinated with Processor, upon reasonable prior written notice, and shall be conducted at reasonable times during business hours and in a manner designed to cause the least possible impact on Processor’s ordinary business activities and shall not be performed more often than once annually, unless there is a reason to suspect that a Data Breach has occurred.
- Technical and Organizational Measures.
13.1 Processor shall implement and maintain all technical and organizational measures that are required for protection of the PII and ensure a level of security that is appropriate for dealing with and protecting against any risks to the rights and freedoms of the data subjects, and as required in order to avoid accidental or unlawful destruction, loss, alteration or unauthorized disclosure of, or access to PII and/or as otherwise required pursuant to Applicable Law. When complying with Section 12 hereof, Processor shall take into consideration the state of technological development existing at the time and the nature, scope, context and purposes of processing as well as the aforementioned risks.
13.2 Processor shall regularly monitor its compliance with this Agreement and will provide Controller, upon request, with evidence that will enable verification of such monitoring activities. Processor shall ensure that all persons acting under its authority or on its behalf and having access to the PII, do not process the PII except as instructed by Controller and permitted herein.
- Transfer of PII to Third Countries. Processor will not transfer PII to a recipient located in a country that is not a Member State of the European Union or European Economic Area, unless that country is considered by the European Commission to have an adequate level of protection or pursuant to EU standard contractual clauses for the transfer of personal data to processors established in third countries (Commission Implementing Decision (EU) 2021/914), before such transfer.
- Return and Deletion of PII. Pursuant to the Controller's request, Processor shall return or destroy PII to the extent permitted by applicable law and unless retention of such PII is subject to a legitimate interest.
- Conflict. In the event of any conflict or inconsistency between certain provisions of this Agreement and the provisions of the Main Agreement, the provisions of this Agreement shall prevail over the conflicting provisions of the Main Agreement solely with respect to the processing activities of PII.
- Limitation on Liability. UNDER NO CIRCUMSTANCES WILL PROCESSOR BE LIABLE UNDER ANY CONTRACT, STRICT LIABILITY, NEGLIGENCE OR OTHER LEGAL OR EQUITABLE THEORY, FOR ANY INCIDENTAL OR CONSEQUENTIAL DAMAGES OR LOST PROFITS IN CONNECTION WITH THE SUBJECT MATTER HEREOF EVEN IF THE PARTY IS ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN ANY EVENT PROCESSOR'S TOTAL AGGREGATE LIABILITY SHALL NOT EXCEED THE CAP ON LIABILITY SET FORTH IN THE MAIN AGREEMENT.
- Amendments. If Processor considers that changes are required to this Agreement in order to comply with requirements of applicable laws or of a competent authority, this Agreement will be amended accordingly.
Appendix 1 - Processing Details
- Nature, purpose and subject matter of the Processing. The nature, purpose and subject matter of the Processing is the provision of the services set forth in the Main Agreement.
- Categories of Data Subjects. Controller’s employees.
- Types of PII. Name, phone number, email.
Appendix 2 - Sub-Processors
Clerk Inc.
Amazon Web Services Inc.
Google LLC
Slack Technologies Inc.