This Data Processing Addendum (including its Attachments) (“DPA”) forms part of and is subject to the terms and conditions of the Hype Creator Terms (the “Terms”) by and between you (“Creator”) and Hype Kit, Inc. (“Hype”).
1.1
Subject Matter. This DPA reflects the parties’ commitment to abide by Data Protection Laws concerning the Processing of Creator Personal Data in connection with Hype’s execution of the Creator Terms. All capitalized terms that are not expressly defined in this DPA will have the meanings given to them in the Creator Terms. If and to the extent language in this DPA or any of its Attachments conflicts with the Creator Terms, this DPA shall control.
1.2
Duration and Survival. This DPA will become legally binding upon the effective date of the Creator Terms. Hype will Process Creator Personal Data until the relationship terminates as specified in the Creator Terms.
For the purposes of this DPA, the following terms and those defined within the body of this DPA apply.
2.1
“Creator Personal Data” means the Creator Content that is Personal Data contained within contact list(s) uploaded to, stored, or managed via the Services by Creator.
2.2
“Data Protection Laws” means the applicable data privacy, data protection, cybersecurity, marketing, and communication(s) laws, rules and regulations to which the Creator Personal Data are subject. “Data Protection Laws” may include, but are not limited to, the California Consumer Privacy Act of 2018 (as amended by the California Privacy Rights Act) (“CCPA”); the EU General Data Protection Regulation 2016/679 (“GDPR”) and its respective national implementing legislations; the Swiss Federal Act on Data Protection; the United Kingdom General Data Protection Regulation; the United Kingdom Data Protection Act 2018; the Virginia Consumer Data Protection Act, and any and all laws that govern communications sent by, or on behalf of, Creator to third parties (in each case, as amended, adopted, or superseded from time to time).
2.3
“Personal Data” has the meaning assigned to the term “personal data” or “personal information” under applicable Data Protection Laws.
2.4
“Process” or “Processing” means any operation or set of operations which is performed on Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
2.5
“Security Incident(s)” means the breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Creator Personal Data attributable to Hype.
2.6
“Services” means the services that Hype performs under the Creator Terms.
2.7
“Subprocessor(s)” means Hype’s authorized vendors and third-party service providers that Process Creator Personal Data.
3.1
Documented Instructions. Hype shall Process Creator Personal Data to provide the Services in accordance with the Creator Terms and this DPA. Hype will, unless legally prohibited from doing so, inform Creator in writing if it reasonably believes that there is a conflict between Creator’s instructions and applicable law or otherwise seeks to Process Creator Personal Data in a manner that is inconsistent with Creator’s instructions.
3.2
Authorization to Use Subprocessors. Creator hereby authorizes Hype to engage Subprocessors. Creator acknowledges that Subprocessors may further engage vendors.
3.3
Hype and Subprocessor Compliance. Hype shall (i) enter into a written agreement with Subprocessors regarding such Subprocessors’ Processing of Creator Personal Data that imposes on such Subprocessors data protection requirements for Creator Personal Data that are consistent with this DPA; and (ii) remain responsible to Creator for Hype’s Subprocessors’ failure to perform their obligations with respect to the Processing of Creator Personal Data.
3.4
Right to Object to Subprocessors. Where required by Data Protection Laws, Hype will notify Creator prior to engaging any new Subprocessors that Process Creator Personal Data and allow Creator five (5) days to object after notice has been provided.
3.5
Confidentiality. Any person authorized to Process Creator Personal Data must be subject to a duty of confidentiality, contractually agree to maintain the confidentiality of such information, or be under an appropriate statutory obligation of confidentiality.
3.6
Personal Data Inquiries and Requests. Where required by Data Protection Laws, Hype agrees to provide reasonable assistance and comply with reasonable instructions from Creator related to any requests from individuals exercising their rights in Creator Personal Data granted to them under Data Protection Laws. If a request that explicitly references and solely relates to Creator is sent directly to Hype, Hype may instruct the individual to contact Creator.
3.7
Data Protection Assessment, Data Protection Impact Assessment, and Prior Consultation. Where required by Data Protection Laws, Hype agrees to provide reasonable assistance and information to Creator where, in Creator’s judgement, the type of Processing performed by Hype requires a data protection assessment, data protection impact assessment, and/or prior consultation with the relevant data protection authorities. Creator shall reimburse Hype for all non-negligible costs Hype incurs in performing its obligations under this Section.
3.8
Demonstrable Compliance. Hype agrees to provide information reasonably necessary to demonstrate compliance with this DPA upon Creator’s reasonable request.
3.9
California Specific Terms. To the extent that Hype’s Processing of Creator Personal Data is subject to the CCPA, this Section shall also apply. Creator discloses or otherwise makes available Creator Personal Data to Hype for the limited and specific purpose of Hype providing the Services to Creator in accordance with the Creator Terms and this DPA. Hype shall: (i) comply with its applicable obligations under the CCPA; (ii) provide the same level of protection as required under the CCPA; (iii) notify Creator if it can no longer meet its obligations under the CCPA; (iv) not “sell” or “share” (as such terms are defined by the CCPA) Creator Personal Data; (v) not retain, use, or disclose Creator Personal Data for any purpose (including any commercial purpose) other than to provide the Services under the Creator Terms or as otherwise permitted under the CCPA; (vi) not retain, use, or disclose Creator Personal Data outside of the direct business relationship between Creator and Hype; and (vii) unless otherwise permitted by the CCPA, not combine Creator Personal Data with Personal Data that Hype (a) receives from, or on behalf of, another person, or (b) collects from its own, independent consumer interaction. Creator may: (1) take reasonable and appropriate steps agreed upon by the parties to help ensure that Hype Processes Creator Personal Data in a manner consistent with Creator’s CCPA obligations; and (2) upon notice, take reasonable and appropriate steps agreed upon by the parties to stop and remediate unauthorized Processing of Creator Personal Data by Hype.3.1. Documented Instructions. Hype shall Process Creator Personal Data to provide the Services in accordance with the Creator Terms and this DPA. Hype will, unless legally prohibited from doing so, inform Creator in writing if it reasonably believes that there is a conflict between Creator’s instructions and applicable law or otherwise seeks to Process Creator Personal Data in a manner that is inconsistent with Creator’s instructions.
3.10
Service Optimization. Where permitted by Data Protection Laws, Hype may Process Creator Personal Data: (i) for its internal uses to build or improve the quality of its services; (ii) to detect Security Incidents; and (iii) to protect against fraudulent or illegal activity.
3.11
Aggregation and De-Identification. Hype may: (i) compile aggregated and/or de-identified information in connection with providing the Services provided that such information cannot reasonably be used to identify Creator or any data subject to whom Creator Personal Data relates (“Aggregated and/or De-Identified Data”); and (ii) use Aggregated and/or De-Identified Data for its lawful business purposes.
Hype shall implement and maintain reasonable administrative, technical, and physical safeguards designed to protect Creator Personal Data.
Upon becoming aware of a Security Incident, Hype agrees to provide written notice without undue delay. Where possible, such notice will include all available details required under Data Protection Laws for Creator to comply with its own notification obligations to regulatory authorities or individuals affected by the Security Incident.
6.1
Cross-Border Transfers of Creator Personal Data. Creator authorizes Hype and its Subprocessors to transfer Creator Personal Data across international borders, including from the European Economic Area, Switzerland, and/or the United Kingdom to the United States.
6.2
EEA, Swiss, and UK Standard Contractual Clauses. If Creator Personal Data originating in the European Economic Area, Switzerland, and/or the United Kingdom is transferred by Creator to Hype in a country that has not been found to provide an adequate level of protection under applicable Data Protection Laws, the parties agree that the transfer shall be governed by Module Two’s obligations in the Annex to the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“Standard Contractual Clauses”) as supplemented by Attachment 1 attached hereto, the terms of which are incorporated herein by reference. Each party’s execution of the Creator Terms shall be considered a signature to the Standard Contractual Clauses to the extent that the Standard Contractual Clauses apply hereunder.
Where Data Protection Laws afford Creator an audit or assessment right, Creator (or its appointed representative) may carry out an audit or assessment of Hype’s policies, procedures, and records relevant to the Processing of Creator Personal Data by having Hype complete a data protection questionnaire of reasonable length. Any audit or assessment must be: (i) with reasonable advance notice to Hype; (ii) carried out in a manner that prevents unnecessary disruption to Hype’s operations; and (iii) subject to reasonable confidentiality procedures. In addition, any audit or assessment shall be limited to once per year, unless an audit or assessment is carried out at the direction of a government authority having proper jurisdiction.
At the expiry or termination of the Creator Terms, Hype will delete all Creator Personal Data (excluding any back-up or archival copies which shall be deleted in accordance with Hype’s data retention schedule), except where Hype is required to retain copies under applicable laws, in which case Hype will isolate and protect that Creator Personal Data from any further Processing except to the extent required by applicable laws.
The Services may allow Creator to communicate with third parties including, but not limited to, Users via email, text message, or other communication channels. Creator is solely responsible for complying with Data Protection Laws in connection with its communications to such third parties including, but not limited to, obtaining any and all required consents for such communications and complying with any and all required opt-out obligations for such communications.
Creator represents and warrants that: (i) it has complied and will comply with Data Protection Laws; (ii) it has provided data subjects whose Creator Personal Data will be Processed in connection with the Creator Terms with a privacy notice or similar document that clearly and accurately describes Creator’s practices with respect to the Processing of Creator Personal Data; (iii) it has obtained and will obtain and continue to have, during the term, all necessary rights, lawful bases, authorizations, consents, and licenses for the Processing of Creator Personal Data as contemplated by the Creator Terms including, but not limited to, any consents required to send communications to individuals; (iv) it will provide and honor all opt-outs required under Data Protection Laws; and (v) Hype’s Processing of Creator Personal Data in accordance with the Creator Terms will not violate Data Protection Laws or cause a breach of any agreement or obligations between Creator and any third party.
You acknowledge and agree that Hype may Process Personal Data about Creator and/or third parties as a separate, independent controller and/or business (as such terms are defined under Data Protection Laws). This DPA does not govern Hype’s Processing of Personal Data as a separate, independent controller and/or business.
12.1
Subject Matter. The subject matter of the Processing is the Services pursuant to the Creator Terms.
12.2
Duration. The Processing will continue until the expiration or termination of the Creator Terms.
12.3
Categories of Data Subjects. Data subjects whose Creator Personal Data will be Processed pursuant to the Creator Terms.
12.4
Nature and Purpose of the Processing. The purpose of the Processing of Creator Personal Data by Hype is the performance of the Services.
12.5
Types of Creator Personal Data. Creator Personal Data that is Processed pursuant to the Creator Terms.
This Attachment 1 forms part of the DPA and supplements the Standard Contractual Clauses. Capitalized terms not defined in this Attachment 1 have the meaning set forth in the DPA.
The parties agree that the following terms shall supplement the Standard Contractual Clauses:
The parties agree that: (i) a new Clause 1(e) is added the Standard Contractual Clauses which shall read: “To the extent applicable hereunder, these Clauses also apply mutatis mutandis to the Parties’ processing of personal data that is subject to the Swiss Federal Act on Data Protection. Where applicable, references to EU Member State law or EU supervisory authorities shall be modified to include the appropriate reference under Swiss law as it relates to transfers of personal data that are subject to the Swiss Federal Act on Data Protection.”; (ii) a new Clause 1(f) is added to the Standard Contractual Clauses which shall read: “To the extent applicable hereunder, these Clauses, as supplemented by Annex III, also apply mutatis mutandis to the Parties’ processing of personal data that is subject to UK Data Protection Laws (as defined in Annex III).”; (iii) the optional text in Clause 7 is deleted; (iv) Option 1 in Clause 9 is struck and Option 2 is kept, and data importer must notify data exporter of any new subprocessors in accordance with Section 3.4 of the DPA; (v) the optional text in Clause 11 is deleted; and (vi) in Clauses 17 and 18, the governing law and the competent courts are those of Ireland (for EEA transfers), Switzerland (for Swiss transfers), or England and Wales (for UK transfers).
Annex I to the Standard Contractual Clauses shall read as follows:
A.
List of Parites
Data Exporter: Creator.
Address: As set forth in the Notices section of the Creator Terms.
Contact person’s name, position, and contact details: As set forth in the Notices section of the Creator Terms.
Activities relevant to the data transferred under these Clauses: The Services.
Role: Controller.
Data Exporter: Hype.
Address: As set forth in the Notices section of the Creator Terms.
Contact person’s name, position, and contact details: As set forth in the Notices section of the Creator Terms.
Activities relevant to the data transferred under these Clauses: The Services.
Role: Processor.
B.
Description of the Transfer:
Categories of data subjects whose personal data is transferred: The categories of data subjects whose personal data is transferred under the Clauses.
Categories of personal data transferred: The categories of personal data transferred under the Clauses.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: To the parties knowledge, no sensitive data is transferred.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Personal data is transferred in accordance with the standard functionality of the Services, or as otherwise agreed upon by the parties.
Nature of the processing: The Services.
Purpose(s) of the data transfer and further processing: The Services.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: Data importer will retain personal data in accordance with the DPA.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: For the subject matter, nature, and duration as identified above.
C.
Competent Supervisory Authority:
The supervisory authority mandated by Clause 13. If no supervisory authority is mandated by Clause 13, then the Irish Data Protection Commission (DPC), and if this is not possible, then as otherwise agreed by the parties consistent with the conditions set forth in Clause 13.
D.
Additional Data Transfer Impact Assessment Questions:
Will data importer process any personal data under the Clauses about a non-United States person that is “foreign intelligence information” as defined by 50 U.S.C. § 1801(e)?
Not to data importer’s knowledge.
Is data importer subject to any laws in a country outside of the European Economic Area, Switzerland, and/or the United Kingdom where personal data is stored or accessed from that would interfere with data importer fulfilling its obligations under the Clauses? For example, FISA Section 702. If yes, please list these laws:
As of the effective date of the DPA, no court has found data importer to be eligible to receive process issued under the laws contemplated by this question, including FISA Section 702, and no such court action is pending.
Has data importer ever received a request from public authorities for information pursuant to the laws contemplated by the question above? If yes, please explain:
No.
Has data importer ever received a request from public authorities for personal data of individuals located in European Economic Area, Switzerland, and/or the United Kingdom? If yes, please explain:
No.
E.
Data Transfer Impact Assessment Outcome:
Taking into account the information and obligations set forth in the DPA and, as may be the case for a party, such party’s independent research, to the parties’ knowledge, the personal data originating in the European Economic Area, Switzerland, and/or the United Kingdom that is transferred pursuant to the Clauses to a country that has not been found to provide an adequate level of protection under applicable data protection laws is afforded a level of protection that is essentially equivalent to that guaranteed by applicable data protection laws.
F.
Clarifying Terms:
The parties agree that: (i) the certification of deletion required by Clause 8.5 and Clause 16(d) of the Clauses will be provided upon data exporter’s written request; (ii) the measures data importer is required to take under Clause 8.6(c) of the Clauses will only cover data importer’s impacted systems; (iii) the audit described in Clause 8.9 of the Clauses shall be carried out in accordance with Section 7 of the DPA; (iv) the termination right contemplated by Clause 14(f) and Clause 16(c) of the Clauses will be limited to the termination of the Clauses; (v) unless otherwise stated by data importer, data exporter will be responsible for communicating with data subjects pursuant to Clause 15.1(a) of the Clauses; (vi) the information required under Clause 15.1(c) of the Clauses will be provided upon data exporter’s written request; and (vii) notwithstanding anything to the contrary, data exporter will reimburse data importer for all costs and expenses incurred by data importer in connection with the performance of data importer’s obligations under Clause 15.1(b) and Clause 15.2 of the Clauses without regard for any limitation of liability set forth in the Creator Terms.
Annex II to the Standard Contractual Clauses shall read as follows:
Data importer shall implement and maintain technical and organisational measures designed to protect personal data in accordance with the DPA.
Pursuant to Clause 10(b), data importer will provide data exporter assistance with data subject requests in accordance with the DPA.
A new Annex III shall be added to the Standard Contractual Clauses and shall read as follows:
The UK Information Commissioner’s Office International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (“UK Addendum”) is incorporated herein by reference.
Table 1: The start date in Table 1 is the effective date of the DPA. All other information required by Table 1 is set forth in Annex I, Section A of the Clauses.
Table 2: The UK Addendum forms part of the version of the Approved EU SCCs which this UK Addendum is appended to including the Appendix Information, effective as of the effective date of the DPA.
Table 3: The information required by Table 3 is set forth in Annex I and II to the Clauses.
Table 4: The parties agree that Importer may end the UK Addendum as set out in Section 19.
