Last Modified: March 18, 2019
This Data Processing Agreement (the “Partner DPA”) is incorporated into the agreement(s) entered into by you (“Partner”) and HubSpot, Inc. (“HubSpot”), and governs the data sharing between you and HubSpot (but excluding customer agreements between Partner and HubSpot that govern Partner’s purchase and use of HubSpot products and services) (“Partner Agreement”).
This DPA covers the processing of: (1) personal data that the Partner uploads, transfers, or otherwise provides to HubSpot in connection with a Partner Agreement; and (2) personal data that HubSpot (or its customers) uploads, transfers, or otherwise provides to Partner in connection with the Partner Agreement.
Collectively, this DPA (including the SCCs, as defined below) and the Partner Agreement are referred to in this DPA as the “Agreement”. In the event of any conflict or inconsistency between any of the terms of the Agreement, the provisions of the following documents (in order of precedence) shall prevail: (a) the SCCs (b) this DPA; and (c) the Partner Agreement.
The Purpose of this DPA is to establish a framework where both the Partner and HubSpot may in connection, with the Partner Agreement(s), each be Controllers of EU Personal Data and, in certain cases, transfer that EU Personal Data to the other party for that other party to act as a Controller of that EU Personal Data. Additionally, this DPA will address scenarios where:
A. HubSpot and Partner may each be Controllers (as defined below) of EU Personal Data and, in certain cases, transfers that EU Personal Data to the other party for that other party to provide certain services to the other party as a Processor (e.g., complete an API call); or
B. HubSpot and Partner may each be a Processors of a Joint Customer’s EU Personal Data and transfer such data to the other party for processing at the direction of that Joint Customer;
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
“Controller-to-Controller SCCs” means the Standard Contractual Clauses (Controller to Controller Transfers - Set II) in the Annex to the European Commission Decision of December 27, 2004 as may be amended or replaced from time to time by the European Commission.
“Controller-to-Processor SCCs” means the Standard Contractual Clauses (Processors) in the Annex to the European Commission Decision of February 5, 2010 as may be amended or replaced from time to time by the European Commission.
“Data Protection Law”means all applicable legislation relating to data protection and privacy including without limitation the EU Data Protection Directive 95/46/EC and all local laws and regulations which amend or replace any of them, including the GDPR, together with any national implementing laws in any Member State of the European Union or, to the extent applicable, in any other country, as amended, repealed, consolidated or replaced from time to time. The terms “process”, “processes” and “processed” will be construed accordingly.
“EU Personal Data” means Personal Information the sharing of which pursuant to this Agreement is regulated by the Directive, the General Data Protection Regulation, and Local Data Protection Laws.
“General Data Protection Regulation” or “GDPR” means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
“Joint Customer” means a customer of both Partner and HubSpot.
“Joint Customer Personal Data” means any Personal Information for which a Joint Customer acts as a Controller.
“HubSpot Personal Data” means any Personal Information for which HubSpot acts as a Controller.
“Partner Personal Data” means any Personal Information for which Partner acts a Controller.
“Personal Data” means any information relating to an identified or identifiable individual where such information is contained within Customer Data and is protected similarly as personal data or personally identifiable information under applicable Data Protection Law.
“Personal Data Breach” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Information.
“Processing” means any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of Personal Data.
“Processor” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.
“Standard Contractual Clauses” or “SCCs” means all Controller-to-Processor SCCs and Controller-to-Controller SCCs entered into between the parties under this Partner DPA.
“Subprocessor” means any entity which provides processing services to a Processor, as defined in Section 5.1, in furtherance of such Processor’s processing on behalf of a Controller.
“Supervisory Authority”means an independent public authority which is established by a member state pursuant to Article 51 of the General Data Protection Regulation.
2. COMPLIANCE WITH LAWS
The parties shall each represent and warrant that they will comply with their respective obligations and duties under applicable Data Protection Law.
3. JOINT PROCESSOR SCENARIOS
Each party, to the extent that it, along with the other party, acts as a Processor with respect to Personal Data, will (i) comply with the instructions and restrictions set forth in any agreement(s) with the Joint Customer; and (ii) reasonably cooperate with the other party to enable the exercise of data protection rights as set forth in applicable Data Protection Law. Partner and HubSpot both acknowledge and agree that each party is acting as a Processor for the Joint Customer and neither party is engaging the other as a Subprocessor.
4. CONTROLLER-TO-CONTROLLER SCENARIOS
Each party, to the extent that it, along with the other party, acts as a Controller with respect to Personal Information, will reasonably cooperate with the other party to enable the exercise of data protection rights as set forth in applicable Data Protection Law.
Where both parties act as a Controller with respect to Personal Data, and the transfer of data between the parties results in a transfer of Personal Data to a jurisdiction other than in the EU, the EEA, or the European Commission-approved countries providing ‘adequate’ data protection, each party agrees it will (a) provide at least the same level of privacy protection for EU Personal Data as required under the U.S.-EU and U.S.-Swiss Privacy Shield framework(s); and/or (b) use the Controller-to-Controller SCCs, which are incorporated herein by reference. If data transfers under this DPA rely on Controller-to-Controller SCCs to enable the lawful transfer of EU Personal Data, as set forth in the preceding sentence, the parties agree that the following terms apply: (i) Data subjects for whom a Partner processes Personal Data are third-party beneficiaries under the Controller-to-Controller SCCs; and (ii) Schedule A to this DPA shall apply as Annex B of the Controller-to-Controller SCCs.
The parties acknowledge and agree that each is acting independently as a Controller with respect of Personal Data and the parties are not joint controllers as defined in the General Data Protection Regulation.
5. CONTROLLER-TO-PROCESSOR SCENARIOS
a. Relationship of the parties. The rights, responsibilities, and obligations of the parties with regard to Sections 6-10 of this DPA shall be as follows:
For Processing operations where HubSpot processes Personal Data on Partner’s behalf and at Partner’s direction, the term “Processor” refers to HubSpot, the term “Controller” refers to Partner, and the term
“Personal Data” refers to Partner Personal Data.For data processing operations where Partner processes Personal Data on HubSpot’s behalf and at HubSpot’s direction, the term “Processor” refers to Partner, the term “ Controller” refers to HubSpot, and the term “Personal Data” refers to HubSpot Personal Data.
b.Scope of Processing. In the context of the scenarios described in Section 5.1 above, each party agrees to process Personal Data only for the purposes set forth in the Partner Agreement. For the avoidance of doubt, the categories of Personal Data processed and the categories of data subjects subject to this DPA are described in Schedule A to this DPA.
6. CONTROLLER OBLIGATIONS
The parties in their capacity as a Controller agree to:
a. Provide instructions to the Processor and determine the purposes and means of the Processor’s processing of Personal Data in accordance with the Agreement; and
b. Comply with its protection, security and other obligations with respect to Personal Data prescribed by applicable Data Protection Law for a Controller by: (a) establishing and maintaining a procedure for the exercise of the rights of the individuals whose Personal Data are processed on behalf of the Controller; (b) processing only data that has been lawfully and validly collected and ensuring that such data will be relevant and proportionate to the respective uses; and (c) ensuring compliance with the provisions of this DPA by its personnel or by any third party accessing or using Personal Data on its behalf.
7. PROCESSOR OBLIGATIONS
a. Processing Requirements. The parties in their capacity as a Processor agree to:
A. Process Personal Data (i) only for the purpose of providing, supporting and improving the Processor’s services (including to provide insights and other reporting), using appropriate technical and organizational security measures; and (ii) in compliance with the instructions received from the Controller. The Processor will not use or process Personal Data for any other purpose. The Processor will promptly inform the Controller in writing if it cannot comply with the requirements under Sections 6-10 of this DPA, in which case the Controller may terminate the Agreement, and any applicable Partner Agreements, or take any other reasonable action, including suspending data processing operations;
B. Inform the Controller promptly and without undue delay if, in the Processor’s opinion, an instruction from the Controller violates applicable Data Protection Law;
C. If the Processor is collecting Personal Data from individuals on behalf of the Controller, follow the Controller’s instructions regarding such Personal Data collection;
D. Take commercially reasonable steps to ensure that (i) persons employed by it and (ii) other persons engaged to perform on the Processor’s behalf comply with the terms of the Agreement, and applicable Partner Agreements;
E. represent and warrants that its employees, authorized agents and any Subprocessors are subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty), and shall not permit any person to process the personal data who is not under such a duty of confidentiality
F. if it intends to engage Subprocessors to help it satisfy its obligations in accordance with this DPA or to delegate all or part of the processing activities to such Subprocessors, (i) exclusive of the list of Subprocessors provided by the Processor to the Controller (such list for HubSpot is available online at https://legal.HubSpot.com/customer-subprocessors), obtain the prior written consent of the Controller to such subcontracting, such consent to not be unreasonably withheld; (ii) remain liable to the Controller for the Subprocessors’ acts and omissions with regard to data protection where such Subprocessors act on the Processor’s instructions; and (iii) enter into contractual arrangements with such Subprocessors binding them to provide the same level of data protection and information security to that provided for herein;
G. upon request, provide the Controller with the Processor’s privacy and security policies; and
H. inform the Controller if the Processor undertakes an independent security review.
b. Notice to the Controller. The Processor will immediately and without undue delay inform the Controller if the Processor becomes aware of:
A. any non-compliance by Processor or its employees with Sections 6-10 of this DPA or the applicable Data Protection Law relating to the protection of Personal Data processed under this DPA;
B. any legally binding request for disclosure of Personal Data by a law enforcement or government authority, unless the Processor is otherwise forbidden by law to inform the Controller, for example to preserve the confidentiality of an investigation by law enforcement authorities;
C. any notice, inquiry or investigation by a Supervisory Authority with respect to Personal Data; or
D. any complaint or request (in particular, requests for access to, rectification or blocking of Personal Data) received directly from data subjects of the Controller. The Processor will not respond to any such request without the Controller’s prior written authorization.
c. Assistance to the Controller. The Processor will provide and timely reasonable assistance to the Controller regarding:
A. responds to any request from an individual to exercise rights under applicable Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable) and the Processor r agrees to promptly inform the Controller if such a request is received directly;
B. the investigation of Personal Data Breaches and the notification to the Supervisory Authority and the Controller data subjects regarding such Personal Data Breaches; and
C. where appropriate, the preparation of data protection impact assessments and, where necessary, carrying out consultations with any Supervisory Authority.
d. Required Processing. If the Processor is required by Data Protection Requirements to process any Personal Data for a reason other than in connection with the Agreement, the Processor will inform the Controller of this requirement in advance of any processing, unless the Processor is legally prohibited from informing the Controller of such processing (e.g., as a result of secrecy requirements that may exist under applicable EU member state laws).
e. Security. The Processor will:
A. maintain appropriate organizational and technical security measures (including with respect to personnel, facilities, hardware and software, storage and networks, access controls, monitoring and logging, vulnerability and breach detection, incident response, encryption of Personal Data while in transit and at rest) to protect against unauthorized or accidental access, loss, alteration, disclosure or destruction of Personal Data;
B. be responsible for the sufficiency of the security, privacy, and confidentiality safeguards of all of the Processor’s personnel with respect to Personal Data and liable for any failure by such Processor personnel to meet the terms of this DPA;
C. take appropriate steps to confirm that all of the Processor’s personnel are protecting the security, privacy and confidentiality of Personal Data consistent with the requirements of this DPA; and
D. notify the Controller of any Personal Data Breach by the Processor, its Subprocessors, or any other third parties acting on the Processor’s behalf without undue delay and in any event within 48 hours of becoming aware of a Personal Data Breach.
8. AUDIT, CERTIFICATION
a. Supervisory Authority Audit. If a Supervisory Authority requires an audit of the data processing facilities from which the Processor processes Personal Data in order to ascertain or monitor compliance with Data Protection Requirements, the Processor will cooperate with such audit.The Controller will reimburse the Processor for its reasonable expenses incurred to cooperate with the audit, unless such audit reveals the Processor’s noncompliance with this DPA.
b. Processor Certification.The Processor must, upon the Controller’s request (not to exceed one request per calendar year) by email (where HubSpot is the Processor, such emails shall be sent to DPO@HubSpot.com; where Partner is the Processor, Partner shall establish and provide to HubSpot upon request a single point of contact for email correspondence regarding data protection), certify compliance with this DPA in writing.
9. DATA TRANSFERS
a. Partner Personal Data. For transfers of EU Personal Data to HubSpot for processing by HubSpot as Data Processor on behalf of Partner as a Controller, in a jurisdiction other than a jurisdiction in the EU, the EEA, or the European Commission-approved countries providing ‘adequate’ data protection, HubSpot agrees it will (a) provide at least the same level of privacy protection for EU Personal Data as required under the U.S.-EU and U.S.-Swiss Privacy Shield frameworks; or (b) use the form of the Controller-to-Processor SCCs. If data transfers under this Section 9.1 rely on SCCs to enable the lawful transfer of EU Personal Data, as set forth in the preceding sentence, the parties agree that data subjects for whom a HubSpot entity processes EU Personal Data are third-party beneficiaries under the SCCs. If HubSpot is unable or becomes unable to comply with these requirements, then EU Personal Data will be processed and used exclusively within the territory of a member state of the European Union and any movement of EU Personal Data to a non-EU country requires the prior written consent of Partner with respect to EU Personal Data. HubSpot shall promptly notify Partner of any inability by HubSpot to comply with the provisions of this Section 9.1
b. HubSpot Personal Data. For transfers of EU Personal Data to Partner for processing by Partner as a Processor on behalf of HubSpot as a Controller, in a jurisdiction other than a jurisdiction in the EU, the EEA, or the European Commission-approved countries providing ‘adequate’ data protection, Partner agrees it will (a) provide at least the same level of privacy protection for EU Personal Data as required under the U.S.-EU and U.S.-Swiss Privacy Shield frameworks; or (b) use the Controller-to-Processor SCCs.. If data transfers under this Section 9.2 rely on SCCs to enable the lawful transfer of EU Personal Data, as set forth in the preceding sentence, the parties agree that data subjects for whom Partner processes EU Personal Data are third-party beneficiaries under the SCCs. If Partner is unable or becomes unable to comply with these requirements, then EU Personal Data will be processed and used exclusively within the territory of a member state of the European Union and any movement of EU Personal Data to a non-EU country requires the prior written consent of HubSpot with respect to Personal Data. Partner shall promptly notify HubSpot of any inability by Partner to comply with the provisions of this Section 9.2.
10. DATA RETURN AND DELETION
The parties agree that on the termination of the data processing services or upon the Controller’s reasonable request, the Processor shall and shall take reasonable measures to cause any Subprocessors to, at the choice of the Controller, return all the EU Personal Data and copies of such data to the Controller or securely destroy them and demonstrate to the satisfaction of the Controller that it has taken such measures, unless Data Protection Requirements prevent the Processor from returning or destroying all or part of the EU Personal Data disclosed. In such case, the Processor agrees to preserve the confidentiality of the EU Personal Data retained by it and that it will only actively process such EU Personal Data after such date in order to comply with applicable laws.
This DPA shall remain in effect as long as either party carries out Personal Data processing operations on the Personal Data uploaded or otherwise provided by the other party pursuant to and in accordance with the Partner Agreement.
Each Party shall defend, indemnify, and hold harmless the other and its subsidiaries, affiliates, and its respective officers, directors, employees, and agents from and against all losses, damages, liabilities, deficiencies, actions, judgments, interest, awards, penalties, fines, costs, or expenses of whatever kind, including reasonable attorneys' fees, the cost of enforcing any right to indemnification hereunder, and the cost of pursuing any insurance providers, arising out of or resulting from any third-party claim against the other arising out of or resulting from the breaching party’s failure to comply with any of its obligations under this DPA or the applicable laws, regulations, or principles contained in the GDPR. Each Party’s liability shall be subject to the limitation of liability in the applicable Partner Agreement.
ANNEX B - DESCRIPTION OF THE TRANSFER
1. Data Subjects. The personal data transferred concerns the following categories of data subjects:
Depending on the agreement between the data importer and data exporter:
Potential and actual customers and employees of the data exporter;
Sales and marketing leads of the data exporter; and
Third parties that have, or may have, a commercial relationship with the data exporter (e.g. advertisers, customers, corporate subscribers, contractors and product users).
2. Purposes of the Transfer(s). The transfer is made for the following purposes:
The transfer is intended to enable the relationship of the parties contemplated by the Partner Agreement. The “Partner Agreement” is the agreement(s) entered into by the data importer and the data exporter that govern data sharing between those parties (but excluding customer agreements between Partner and HubSpot that govern Partner’s purchase of HubSpot products and services).
3. Categories of data. The personal data transferred concern the following categories of data:
The data transferred is the personal data provided by the data exporter to the data importer in connection with the Partner Agreement. Such personal data may include first name, last name, email address, contact information, education and work history and other information provided in HubSpot member profiles, resumes, CRM data concerning sales leads and customer lists, any notes provided by the data exporter regarding the foregoing and other activities of HubSpot members taken on the HubSpot platform.
4. Recipients. The personal data transferred may be disclosed only to the following recipients or categories of recipients:
Data importer's customers and users as permitted under the terms of the Partner Agreement; and
Employees and other representatives of the data importer who have a legitimate business purpose for the processing of such personal data.
5. Sensitive data (if appropriate). The personal data transferred may concern the following special categories of data:
6. Data protection registration information of data exporter (where applicable).
7. Additional useful information (storage limits and other relevant information).
The personal data transferred between the parties may only be retained for the period of time permitted under the Partner Agreement. The parties agree that each party will, to the extent that it, along with the other party, acts as a Controller with respect to Personal Information, reasonably cooperate with the other party to enable the exercise of data protection rights as set forth in the Data Protection Requirements.
8. Requirements. Contact points for data protection enquiries:
Data Importer: Signatory to the Partner Agreement
Data Exporter: Signatory to the Partner Agreement