DemoHop DPA
1. Introduction
This Data Processing Addendum (“DPA”) sets forth obligations for the Processing and security of Personal Information in connection with DemoHop’s provision, and Customer’s use, of the Software. This DPA is incorporated into the agreement in place between Customer and DemoHop covering Customer’s use of the Software (“Agreement”). The purpose of this DPA is to reflect the Parties’ agreement regarding the Processing of Personal Information in the Software, in accordance with Data Privacy Law.
2. General Terms
2.1 Scope. The DPA terms apply to the Processing of Personal Information by DemoHop, its Affiliates, and Subprocessors in providing the Software.
2.2 Compliance with Laws. The Parties shall comply with laws and regulations applicable to the provision and use of the Software, including security breach notification laws and Data Privacy Laws as they apply to DemoHop and Customer respectively.
2.3 Affiliates. DemoHop and Customer acknowledge and agree that Customer and DemoHop each enter into the terms set forth herein on behalf of itself and its Affiliates, where such Affiliate is a party to the Agreement and/or Order Form that is governed by the Agreement. For purposes of this DPA, the term “DemoHop” and “Customer” include their respective Affiliates that are parties to the Agreement and/or Order Form governed by the Agreement.
3. Data Processing Terms
3.1 Roles. The Parties agree that Customer is the “controller” and DemoHop is the “processor” or “sub-processor” of Customer Content sent to and processed in the Software. Schedule 1 and Schedule 2 of this DPA further describe processing activities.
3.2 Purpose of Processing. DemoHop shall Process Personal Information only (i) as a Processor to provide the Software to Customer according to the terms of this DPA, the Agreement, Order Forms, or according to Customer’s written instructions, or (ii) as otherwise required by applicable law. If applicable law requires DemoHop to Process Personal Information for any other purposes, DemoHop will inform Customer of such requirement prior to the Processing unless prohibited from doing so by applicable law. A description of this processing activity and the purpose of processing can be found in Schedule 2 below.
3.3 Confidentiality of Processing. DemoHop will take appropriate measures to ensure the confidentiality of Personal Information as outlined in the Agreement.
3.4 Disclosure of Personal Information. DemoHop will not disclose or provide access to Personal Information to any third party, unless:
3.4.1 Customer directs DemoHop to send Personal Information to a third party in writing,
3.4.2 Customer uses Third-Party Services available through the Software as described in the Agreement, or
3.4.3 As required by applicable law. Unless prohibited by law, DemoHop shall promptly notify Customer of any requests from law enforcement for Personal Information and attempt to re-direct such requests to Customer, as described in our Transparency Report. DemoHop shall only provide Personal Information to law enforcement when compelled to do so by a valid legal process.
3.5 Assistance with Compliance Obligations.
3.5.1 Data Subject Rights Requests. DemoHop shall assist Customer with Customer’s obligation to respond to requests from Data Subjects to exercise rights under Data Privacy Law (including requests to know, access, correct, erase, or portability of Personal Information). DemoHop shall promptly redirect all data subject rights requests from Data Subjects to Customer. Customer is solely responsible for responding to Data Subjects to fulfil these requests.
3.5.2 Privacy Impact Assessments. DemoHop provides Customers with product documentation and a data transfer information sheet to assist in Customer’s Privacy Impact Assessment obligations.
4. Data Security Program
4.1 DemoHop shall, without limitation of Customer’s security obligations under the Agreement, implement and maintain Appropriate Technical and Organisational Measures designed to protect Personal Information against accidental, unauthorised or unlawful Processing, including, but not limited to, destruction, loss, alteration, access or disclosure. These measures shall be designed to provide a level of security appropriate to the risk of harm which might result from such incidents and having regard to the nature of the Personal Information. DemoHop may make changes to its security program without notifying Customer, provided that the level of security is not materially degraded. These technical and organisational measures shall include:
4.1.1 Information Security Program. DemoHop has a defined information security program managed by a corporate officer who is responsible and accountable for the protection of DemoHop and our customers. This program includes security teams, company policies, as well as technical, physical, and administrative controls as described below.
4.1.2 Security Policies. DemoHop maintains policies documenting our processes and procedures for developing our products, securing Personal Information, and responding to security incidents.
4.1.3 Technical Controls. DemoHop employs a large number of technical controls to protect Customer Content, including those found at https://trust.demohop.com.
4.1.4 Administrative Controls. DemoHop maintains industry standard administrative controls for the protection of Personal Information, including:
4.4.1. Confidentiality Training of DemoHop Personnel. DemoHop ensures that all DemoHop personnel that require access to Personal Information are informed of its confidential nature, are subject to a duty of confidentiality in respect thereof, and comply with the obligations set out in this DPA and applicable Data Privacy Law,
4.1.4.1 Security Training. DemoHop periodically provides training regarding common security issues, data security best practices, and data privacy best practices to DemoHop personnel, and
4.1.4.2 Access Controls and Permissions. DemoHop restricts access to the Software through the use of single sign on (“SSO”) and other role-based security measures.
4.1.5 Physical Security Measures. DemoHop restricts access to servers that store and Process Customer Content to only those employees that require access to perform their jobs.
5. Security Incident
DemoHop shall notify Customers without undue delay if DemoHop becomes aware of a breach of its security that has resulted in any accidental, unauthorised or unlawful destruction, loss, alteration, disclosure of, or access to Personal Information that is Processed by DemoHop in the course of providing the Software (“Incident”). DemoHop shall (i) investigate the Incident; (ii) provide Customer with a description of the Incident and periodic updates about the Incident; and (iii) exercise commercially reasonable efforts to prevent or mitigate the effects of the Incident.
6. Documents & Audits
6.1 Documentation Requests. Upon written request from Customer, no more than once per calendar year, DemoHop shall provide the following information and documentation to verify its compliance with Data Privacy Law and this DPA: (1) third-party certifications and audit reports on its security, privacy practices and architecture, and (2) written responses to industry standard written audit questionnaires.
6.2 Audits by Customer. Audits of DemoHop’s privacy and security practices by Customers are only permitted if the information and documentation provided to Customer by DemoHop in Section 6.1 is insufficient to demonstrate DemoHop’s compliance with this DPA or where required by Data Privacy Law. DemoHop and Customer shall jointly select a qualified third party (“Third Party Auditor”) to perform audits at Customer’s expense. Such audits shall be subject to the following limitations:
6.2.1 Third Party Auditors are required to have professional certificates or qualifications that bind said body to a duty of confidentiality,
6.2.2 No access will be granted to any part of DemoHop’s information technology systems, data hosting sites or centres, or its infrastructure during the course of the audit,
6.2.3 No access will be granted to any Subprocessor facilities,
6.2.4 Any audit shall be conducted at the expense of Customer,
6.2.5 Any audit shall be conducted under mutually agreed notice, scope and duration,
6.2.6 Any audit shall exclude any internal accounting or financial information, trade secret, data or information of any other DemoHop customer (including its end users), or any information that in DemoHop’s reasonable opinion could compromise the security of its systems or premises or cause DemoHop to be in breach of its obligations under Data Privacy Law or its security, confidentiality, or privacy obligations to any other DemoHop customer or third-party, and
6.2.7 Audits shall be limited to once per calendar year.
6.3 The Parties agree that any audit described in the Standard Contractual Clauses shall be performed pursuant to this provision.
7. Subprocessors
7.1 DemoHop uses Subprocessors to provide limited services on its behalf as part of the Software. DemoHop’s current Subprocessors list is available at: https://trust.demohop.com/subprocessors (“Authorised Subprocessors”). Customer hereby confirms its general authorization for DemoHop’s use of Subprocessors, as described below.
7.1.1 New Subprocessors. At least thirty (30) days prior to the date on which any new Subprocessor shall commence Processing Personal Information, DemoHop will update the list of Authorised Subprocessors to include the new Subprocessor. To receive updates regarding new Subprocessors or modifications to the Agreement, please contact privacy@demohop.com.
7.1.2 Objection to New Subprocessors. Where Customer has reasonable grounds to object to DemoHop’s appointment of a new Subprocessor, Customer may notify DemoHop in writing by emailing privacy@DemoHop.com within thirty (30) calendar days of the update or receipt of the notice, whichever is later. Customer is deemed to consent to the new Subprocessor if Customer does not timely object to the new Subprocessor. Customer acknowledges and agrees that (a) DemoHop’s Affiliates may be retained as Subprocessors through written agreement with DemoHop and (b) DemoHop and DemoHop Affiliates respectively may engage third party subcontractors, pursuant to this clause 7, in connection with the provision of the Software.
7.1.3 Processing by Subprocessors. DemoHop shall enter into written agreements with its Subprocessors requiring the Subprocessor to abide by terms no less protective than this DPA. The Subprocessors will be permitted to Process Personal Information only to deliver the services DemoHop has retained them to provide, including requirements to comply with Data Privacy Law applicable to the Personal Information they Process. DemoHop remains responsible for its Subprocessors’ compliance with the obligations of this DPA.
8. Data Transfer and Storage Locations
8.1 DemoHop stores Personal Information on our servers in the US. DemoHop relies on the DPF (as defined below), for lawful transfer purposes, but may also enter into EU Standard Contractual Clauses with Customer as described in Section 8.2 below. DemoHop only transfers Personal Information to the United States or to other third countries that do not provide an adequate level of legal protection to data subjects according to the safeguards described in this DPA, including:
8.1.1 Data Privacy Framework Certifications. DemoHop relies on the EU-US Data Privacy Framework, UK Extension to the EU-US Data Privacy Framework, and the Swiss-US Data Privacy Framework (together, “DPF”) to transfer Personal Information from these jurisdictions to the United States. DemoHop will continue to certify with the U.S. Department of Commerce and comply with the DPF Principles and applicable Data Privacy Law.
8.1.2 Standard Contractual Clauses. DemoHop enters into EU Standard Contractual Clauses for the transfer of Personal Information to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“SCCs”) as set forth below.
8.1.2.1 Controller to Processor & Processor to Processor Transfers. Where DemoHop is the Processor of Personal Information subject to GDPR as described in this DPA, Module Two and Module Three of the SCCs shall apply as described below.
8.1.2.1.1 Customer and DemoHop agree that the optional docking clause in Clause 7 shall apply,
8.1.2.1.2 Customer and DemoHop agree that the time period for notification of Subprocessor changes under Clause 9 is the period set forth in Section 7 above,
8.1.2.1.3 Customer and DemoHop agree that the optional language in Clause 11 shall not apply,
8.1.2.1.4 Customer and DemoHop agree to Option 1 of Clause 17, and that disputes will be resolved before the courts of Ireland, and
8.1.2.1.5 Customer and DemoHop agree that disputes under Clause 18(b) will be resolved before the courts of Ireland.
8.1.2.2 Controller to Controller. Where DemoHop is the Controller of Personal Information that is subject to GDPR as described in this DPA, Module One of the SCCs shall apply as described below.
8.1.2.2.1 Customer and DemoHop agree that the optional docking clause in Clause 7 shall apply,
8.1.2.2.2 Customer and DemoHop agree that the optional language in Clause 11 shall not apply,
8.1.2.2.3 Customer and DemoHop agree to Option 1 of Clause 17, and that disputes will be resolved before the courts of Ireland, and
8.1.2.2.4 Customer and DemoHop agree that disputes under Clause 18(b) will be resolved before the courts of Ireland.
8.1.2.3 Transfers from the UK. The UK Addendum to the SCCs applies to Personal Information protected by the UK GDPR as described below.
8.1.2.3.1 Customer and DemoHop agree that Tables 1, 2, and 3 of the UK Addendum shall be completed with relevant information from the SCCs attached as Schedule 2 below and information included in this Section 8,
8.1.2.3.2 Customer and DemoHop agree that “neither party” shall be checked under Table 4, and
8.1.2.3.3 Customer and DemoHop agree that the start date of the UK addendum shall be the date of this DPA.
8.1.2.4 Transfers from Switzerland. The Swiss SCCs shall apply to the protection of Personal Information protected by the Swiss Federal Data Protection Act as set forth below.
8.1.2.4.1 Customer and DemoHop agree that Swiss law shall apply in lieu of “EU”, “Member State”, “Union”, and “Member State Law” under the SCCs, and
8.1.2.4.2 Customer and DemoHop agree that the FDPIC and competent courts in Switzerland shall be the competent supervisory authority for purposes of the Swiss SCCs.
9. Data Retention
Following termination or expiration of the Agreement and/or upon Customer’s written request, DemoHop shall securely make Personal Information available to Customer for a period of 30 days, then destroy such Personal Information, unless retention is required by law. Customer may request a certificate of destruction necessary to demonstrate compliance with this obligation.
10. Notices
Notices to DemoHop may be provided by emailing privacy@DemoHop.com.
11. Limitation of Liability
This DPA shall be subject to the limitations of liability agreed between Customer and DemoHop in the Agreement and such limitation shall apply in aggregate for all claims under the Agreement and this DPA.
12. Incorporation and Precedence
This DPA is hereby incorporated into and forms part of the Agreement. The order of precedence in case of any conflict, exclusively in relation to the processing of Personal Information under this DPA, will be, in order of priority: (i) the Order Form; (ii) this DPA; (iii) the Agreement and any schedules or exhibits thereto, unless otherwise agreed in writing.
13. Execution
The parties agree to the terms of this DPA as of the Effective Date (as defined in the Agreement or applicable Order Form).
14. Term
The term of this DPA coincides with the term of the Agreement and terminates upon expiration or earlier termination of the Agreement, or at such time that DemoHop ceases to process Personal Information.
15. Definitions
15.1 “Data Privacy Law” means laws, directives, and accompanying regulations governing the processing of Personal Information, including, as applicable:
15.1.1 the Regulation EU 2016/679 of 27 April 2016 (“GDPR”) and related regulations such as the UK Data Protection Act of 2018 (“UK GDPR”), UK Electronic Communications Regulation of 2003 (“PECR”), Swiss Federal Act on Data Protection of 1992 (“FADP”), and Directive 2002/58/EC on Privacy and Electronic Communications (“ePrivacy”),
15.1.2 “U.S. State Data Privacy Law” means all applicable state laws in effect in the United States of America that involve the processing of Personal Information, including the California Consumer Privacy Act (“CCPA”) inclusive of the California Privacy Rights Act of 2020 (“CPRA”) as set forth in California Civil Code §1798.100 et seq., and other similar state-based privacy laws, and
15.1.3 other applicable laws relating to processing of Personal Information and privacy that may exist in relevant jurisdictions where DemoHop operates.
15.2 “Appropriate Technical and Organisational Measures”, “Business”, “Business Purpose”, “Consumer”, “Controller”, “Data Subject”, “Person”, “Processor”, “Process”, “Processing”, “Sell”, “Service Provider”, “Share”, and “Third Party”, shall be interpreted in accordance with applicable Data Privacy Law.
15.3 “Personal Information” means any Customer Content Processed by DemoHop in the Software pursuant to the Agreement, relating to an identified or identifiable natural person or household; where an “identifiable natural person” means an individual who can be identified, directly or indirectly. Personal Information includes “Personal Data” and “Personally Identifiable Information” within the Customer Content as defined by applicable Data Privacy Law.
15.4 “Subprocessor” or “Sub-processor” means any person (including any third party and any DemoHop Affiliate, but excluding DemoHop personnel) appointed by or on behalf of DemoHop or any DemoHop Affiliate to process Personal Information on behalf of Customer and/or Customer Affiliate in connection with the Agreement.
15.5 All other defined terms shall have the meaning set forth in the Agreement.
DPA Schedule 1
Jurisdiction and Industry Specific Processing Terms
1. GDPR. DemoHop shall take reasonable steps at the Customer’s request to assist Customer in meeting Customer’s obligations under the GDPR. This includes Customer’s obligations to comply with Article 32 to 36 of the GDPR taking into account the nature of the Processing under this DPA.
2. US State-Based Laws. DemoHop shall comply with applicable U.S. State Based Data Privacy Laws, including as defined below.
2.1 California. DemoHop complies with, and assists Customers in their compliance with, the CCPA. In addition to the terms set forth in this DPA, DemoHop Processes Personal Information of California residents under the following terms.
2.1.1 Roles. Customer is a “Business” and DemoHop is its “Service Provider” for the purpose of DemoHop’s Processing of Personal Information under the Agreement and applicable Order Form. The parties agree to comply at all times with the provisions of the CCPA applicable to their respective obligations as Business and Service Provider, in respect to the Processing of Personal Information.
2.1.2 Business Purpose. Customer agrees that the Business Purpose for which DemoHop is Processing Personal Information is to provide Customer with the Software, as described in the Agreement, applicable Order Form, and as described in Section 3.2 of the DPA. DemoHop shall not retain, use, or disclose such Personal Information: (i) for a commercial purpose other than for the limited and specified purposes identified in the Agreement, applicable Order Form, and as described in Section 3.2 of the DPA, or (ii) outside the direct business relationship with Customer. DemoHop shall not combine such Personal Information with personal information that it receives from other sources, except as expressly authorised by Customer and permitted under the CCPA.
2.1.3 No “Sale” & “Sharing” by DemoHop. DemoHop shall not “sell” or “share” Personal Information, as defined by the CCPA, unless expressly directed to by Customer.
2.1.4 Audit & Monitoring Rights. DemoHop complies with requests made by Customer under Cal. Civ. Code §1798.100(d) and Cal. Civ. Code § 1798.140(ag)(1) as set forth in Section 6 of the DPA.
2.1.5 Notification. DemoHop shall inform Customer if it determines that it can no longer meet its obligations under the CCPA, and allow Customer to take reasonable and appropriate steps to prevent, stop, or remediate any unauthorised processing of Personal Information.
2.2 Virginia. DemoHop complies with, and assists Customers in their compliance with, the Virginia Consumer Data Privacy Act (“VCDPA”) when processing the Personal Information of residents of Virginia. In addition to the terms set forth in this DPA, DemoHop Processes Personal Information of Virginia residents under the following terms.
2.2.1 Roles. See Section 3.1 of this DPA.
2.2.2 Purpose of Processing. See Section 3.2 of this DPA.
2.2.3 Deletion of Data Upon Termination. Upon Termination as defined in the Agreement, DemoHop shall make available, delete or render unusable all Customer Content, including Personal Information, as described in the Agreement.
2.2.4 Data Protection Assessments. See Privacy Impact Assessments in Section 3.5.2 of this DPA.
2.3 Utah. DemoHop complies with, and assists Customers in their compliance with, the Utah Consumer Privacy Act of 2021 (“UCPA”) as set forth in the provisions of this DPA.
2.3.1 Roles. See Section 3.1 of this DPA.
2.3.2 Purpose of Processing. See Section 3.2 of this DPA.
2.4 Colorado. DemoHop complies with, and assists Customers in their compliance with, the Colorado Privacy Act (“CPA”) of 2022 as set forth in this DPA. In addition to the terms set forth in this DPA, DemoHop processes Personal Information of Colorado residents in the following way.
2.4.1 Roles. See Section 3.1 of this DPA.
2.4.2 Purpose of Processing. See Section 3.2 of this DPA.
2.4.3 Deletion of Data Upon Termination. Upon Termination as defined in the Agreement, DemoHop shall make available, delete or render unusable all Customer Content, including Personal Information, as described in the Agreement.
2.4.4 Assistance with Data Protection Assessments. DemoHop complies with requests made by Customer under CPA §6-1-1305(2)(c) as set forth in Section 3.5.2 above.
2.4.5 Audits & Inspections. DemoHop complies with reasonable requests for audits and inspections made by Customer under CPA §6-1-1305(5)(d)(II)(A) and (B) as set forth in the Privacy Impact Assessments 3.5.2 of this DPA.
2.5 Connecticut. DemoHop complies with, and assists Customers with their compliance with, the Connecticut Data Privacy Act (“CTDPA”).
2.5.1 Roles. See Section 3.1 of this DPA.
2.5.2 Purpose of Processing. See Section 3.2 of this DPA.
2.5.3 Deletion of Data Upon Termination. Upon Termination as defined in the Agreement, DemoHop shall make available, delete or render unusable all Customer Content, including Personal Information, as described in the Agreement.
2.5.4 Data Protection Assessments. See Privacy Impact Assessments in Section 3.5.2 of this DPA.
2.6 US Federal Legislation, Industry Specific Laws, and Restrictions on Processing.
2.6.1 US Healthcare Customers. If Customer is a “covered entity” or “business associate” as described in the Health Insurance Portability and Accountability Act of 1996, as amended and including the regulations promulgated thereunder (“HIPAA”), Customer must enter into a separate Business Associate Agreement with DemoHop prior to sending Protected Health Information (“PHI”) to the Software.
2.6.2 Telecommunications Data. To the extent that DemoHop Processes traffic, content or other Personal Information in the provision of the Software, DemoHop will comply with applicable telecommunications laws and regulations applicable thereto, including security, security breach notification, and data protection laws. Customer is responsible for providing their end-users with notice and/or consent associated with their use of the Software.
DPA Schedule 2
Description of Processing Activities
The following is a description of data Processing and transfer activities by DemoHop. The Parties acknowledge that the following is a description of DemoHop’s Processing activities, including the Processing of Personal Information, provided by DemoHop to Customer as part of the Software.
DemoHop as Processor: Customer Content (Software Data)
Categories of Personal Information
Data collected by the Software is:
- Name
- Email address
- City / Location
- Avatar / Photo
- Personal profile
- Timezone
- Browser
- Browser version
- Device
- Current URL
- Video call recordings
Sensitive Personal Information
None, unless the Agreement specifically provides for the transfer and processing of such data.
Nature of processing
Providing account access to the services as described in the Agreement or accompanying Order Form; configuring and maintaining customer preferences within the Software; providing support for services purchased by customer; communicating with customer about products, support, and services; transmitting, structuring, storing, and making available personal information as required to provide the services.
Duration of Processing
Data will be stored, processed, and retained for the duration of an active Subscription Plan. Data will be deleted upon customer request for deletion, or within 90 days of Customer’s termination or expiration of the Agreement.
Transfer of Personal Information
Data transfer is provided to enable the following:
- Providing account access to the Software to Customer and Customer’s users
- Storage, processing, and display of Personal Information within the Software
- Communicating with customer about support issues, products, and services
- Communicating with customer about events, promotions, and product updates