HubSpark Data Processing Addendum
This HubSpark Data Processing Addendum (“DPA”) applies to the extent HubSpark Processes any Covered Data as Client’s Processor or Service Provider in connection with HubSpark’s provision of the Services to Client pursuant to the HubSpark Terms of Service or Master Services Agreement (as applicable, the “Underlying Agreement”).
1. DEFINITIONS.
1.1 “Applicable Data Protection Law” means privacy and data protection Laws applicable to HubSpark’s Processing of Covered Data on behalf of Client in connection with HubSpark’s provision of the Services, including but not limited to the CCPA and the Safeguards Rule, in each case together with its implementing regulations and as amended, superseded, or replaced from time to time.
1.2 “CCPA” means the California Consumer Privacy Act, as amended by the California Privacy Rights Act.
1.3 “Client Account Data” means Personal Data or Personal Information that relates to Client’s relationship with HubSpark, such as the names and contact information of Authorized Users, billing information associated with Client’s account, and any Personal Data or Personal Information HubSpark may need to collect for the purpose of identity verification (including providing multi-factor authentication).
1.4 “Covered Data” means any Personal Data, Personal Information, or Customer Information pertaining to a Consumer or Data Subject within the Territory that is provided to HubSpark by Client or otherwise Processed by HubSpark as a Processor or Service Provider in connection with HubSpark’s provision of the Services to Client pursuant to the Underlying Agreement. Covered Data excludes Client Account Data.
1.5 “Customer Information” has the meaning set forth in the Safeguards Rule (16 C.F.R. § 314.2(d)).
1.6 “Financial Institution” has the meaning set forth in the Safeguards Rule (16 C.F.R. § 314.2(h)).
1.7 “Safeguards Rule” means the Federal Trade Commission’s Standards for Safeguarding Customer Information implemented under the Gramm-Leach-Bliley Act, codified at 16 C.F.R. § 314 et seq.
In addition, “Business”, “Business Purpose”, “Consumer”, “Controller”, “Data Subject”, “Personal Data”, “Personal Information”, “Process”, “Processor”, “Sale”, “Share”, and “Service Provider” and their respective derivative terms as used in this DPA shall be interpreted in accordance with Applicable Data Protection Laws. All other capitalized terms used in this DPA have the meanings ascribed to them in the Underlying Agreement.
2. HUBSPARK AS A PROCESSOR OF COVERED DATA.
2.1 Processing Details. The parties acknowledge and agree that with respect to the Covered Data, Client is the Controller and HubSpark acts as a Processor or Service Provider for, and on behalf of, Client and conducts its Processing operations in accordance with Client’s instructions. Client hereby instructs HubSpark to Process Covered Data on Client’s behalf pursuant to this DPA and the Underlying Agreement. Notwithstanding anything to the contrary in this DPA, HubSpark may de-identify, aggregate, and/or anonymize all or portions of Covered Data so that it no longer constitutes Personal Data or Personal Information under Applicable Data Protection Laws, at which point such data will no longer constitute Covered Data under this DPA.
2.2 Client’s Obligations. Client determines the purposes for and means by which Covered Data is being or will be Processed, and the manner in which Covered Data is or will be Processed. Client represents and warrants that: (a) with respect to Covered Data, Client complies with data security and other obligations prescribed by Applicable Data Protection Laws for Controllers/Businesses and Financial Institutions (if applicable), and the provision of Covered Data to HubSpark complies with all Applicable Data Protection Laws; and (b) Client will provide notice to individuals and obtain all consents, rights, authorizations, or other lawful basis regarding Client’s Processing and sharing of Covered Data with HubSpark as required by applicable Law, including without limitation Applicable Data Protection Laws. Client will promptly notify HubSpark of any Consumer or Data Subject request made pursuant to any Applicable Data Protection Law with which Client must comply that requires HubSpark to take any action with respect to Covered Data being Processed, and will provide the information necessary for HubSpark to comply with such request.
2.3 HubSpark’s Obligations.
2.3.1 Unless otherwise permitted or required by applicable Law, HubSpark will Process Covered Data in accordance with Client’s instructions as a Processor or Service Provider to provide the Services described in the Underlying Agreement to Client, and Client hereby instructs HubSpark to do so.
2.3.2 HubSpark will ensure that any person authorized to Process Covered Data under this DPA is bound by appropriate obligations of confidentiality.
2.3.3 HubSpark has developed and implemented, and will maintain, a comprehensive written information security program that contains administrative, technical, and physical safeguards that are appropriate to HubSpark’s size and complexity, the nature and scope of HubSpark’s activities, and the sensitivity of any Covered Data at issue, designed to protect the security and confidentiality of Covered Data, protect against any anticipated threats or hazards to the security or integrity of Covered Data, and protect against unauthorized access to or use of Covered Data that could result in substantial harm or inconvenience to any Consumer, Data Subject, or Customer (as such term is defined in the Safeguards Rule, 16 C.F.R. § 314.2(c)).
2.3.4 Taking into account the nature of the Processing and the information available to HubSpark, HubSpark will provide Client with reasonable cooperation and assistance to enable Client as a Business or Controller to fulfill Client’s binding obligations with respect to the Covered Data, if any, under Applicable Data Protection Laws to: (a) respond to requests from Data Subjects or Consumers for the exercise of their rights; and (b) provide notification of a Covered Data breach (or analogous concept) as required under Applicable Data Protection Laws.
2.3.5 Upon written request, HubSpark will take reasonable and appropriate steps to make available to Client information to demonstrate HubSpark’s compliance with provisions of Applicable Data Protection Laws applicable to Processors/Service Providers, and will allow Client to verify HubSpark’s compliance with HubSpark’s obligations under this DPA as set forth in Section 2.3.6 below.
2.3.6 Upon Client’s written request no more than once per year, HubSpark will provide a copy of HubSpark’s then-current audit report to Client. Such audit report refers to an ISO 27001 certification or another industry standard audit that may be deemed appropriate by HubSpark which relates to HubSpark’s Processing of Covered Data and is conducted by an independent third-party auditor on at least an annual basis. The audit report will be deemed to be HubSpark’s Confidential Information.
2.3.7 Upon termination of the Underlying Agreement and receipt of Client’s written request, HubSpark will delete Covered Data in HubSpark’s possession, subject to any limitations described in the Underlying Agreement and unless applicable Law requires further storage.
3. CCPA-SPECIFIC TERMS.
In addition to the general terms in Section 2 of this DPA, this Section 3 applies to the extent that Client is a Business under the CCPA and HubSpark Processes Personal Information subject to the CCPA as a Service Provider in connection with its provision of the Services to Client. HubSpark will: (a) not Sell or Share such Personal Information, nor retain, use, or disclose such Personal Information for any purpose other than the Business Purposes specified in the Underlying Agreement, unless otherwise permitted by the CCPA; (b) except to perform the specific Business Purposes or as otherwise permitted by the CCPA, not combine such Personal Information with Personal Information received from or on behalf of another person or source; (c) otherwise comply with provisions of the CCPA applicable to Service Providers, providing the same level of privacy protection required of Businesses by the CCPA, and notify Client if HubSpark can no longer meet these obligations; and (d) upon receipt of written notice that Client reasonably believes HubSpark is using Personal Information in an unauthorized manner, take reasonable and appropriate steps to work with Client to remediate the allegedly unauthorized use, if necessary. HubSpark will notify Client in the event HubSpark determines it can no longer meet its obligations under the CCPA.
4. HUBSPARK SERVICE PARTNERS.
Client specifically authorizes HubSpark to engage sub-Processors/Service Providers. In the event that HubSpark seeks to use additional sub-Processors/Service Providers and update the HubSpark Service Partner List, HubSpark will provide notice of such update to Client (which may be via email, an online posting or notification, or other reasonable means). Client may reasonably object to a change to the HubSpark Service Partner List on legitimate grounds within 30 days of notice of this change by emailing legal@HubSpark.com. Notwithstanding the foregoing, Client acknowledges that HubSpark’s sub-Processors/Service Providers are essential to provide the Services and if Client objects to HubSpark’s use of a sub-Processor/Service Provider, then notwithstanding anything to the contrary in the Underlying Agreement (including this DPA), HubSpark will not be obligated to provide to Client the Services for which HubSpark uses that sub-Processor/Service Provider.
5. HUBSPARK AS A CONTROLLER OF CLIENT ACCOUNT DATA.
Client acknowledges that, with regard to the Processing of Client Account Data, Client is a controller and HubSpark is an independent Controller/Business, not a joint Controller with Client. HubSpark will Process Client Account Data as a Controller in order to: (a) manage the relationship with Client; (b) carry out HubSpark’s core business operations, such as billing and accounting; (c) detect, prevent, or investigate security incidents, fraud, and other abuse or misuse of the Services; (d) perform identity verification; and (e) as otherwise permitted under Applicable Data Protection Laws and in accordance with this DPA, the Underlying Agreement, and HubSpark’s Privacy Policy.
6. CONFLICTS.
To the extent there is a conflict or inconsistency between this DPA and the Underlying Agreement, this DPA will control.