Last Modified: September 21, 2022
This Data Processing Agreement (the “Partner DPA”) is incorporated into the agreement(s) entered into by you (“Partner”) and HubSpot, Inc. (“HubSpot”), and governs the data sharing between you and HubSpot (but excluding customer agreements between Partner and HubSpot that govern Partner’s purchase and use of HubSpot products and services) (“Partner Agreement”).
This Partner DPA covers the processing of: (1) Personal Data that the Partner uploads, transfers, or otherwise provides to HubSpot in connection with a Partner Agreement; and (2) Personal Data that HubSpot (or its customers) uploads, transfers, or otherwise provides to Partner in connection with the Partner Agreement.
Collectively, this Partner DPA (including the SCCs, as defined below) and the Partner Agreement are referred to in this Partner DPA as the “Agreement.” In the event of any conflict or inconsistency between any of the terms of the Agreement, the provisions of the following documents (in order of precedence) shall prevail: (a) the SCCs (b) this Partner DPA; and (c) the Partner Agreement.
The Purpose of this Partner DPA is to establish a framework to address scenarios where:
"Business" and "Service Provider" will have the meanings given to them in the CCPA.
“California Personal Information” means Personal Data that is subject to the protection of the CCPA.
“CCPA” means California Civil Code Sec. 1798.100 et seq. (also known as the California Consumer Privacy Act of 2018).
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
“Data Protection Laws” means all applicable worldwide legislation or regulations relating to data protection and privacy which applies to the respective party in the role of Processing Personal Data in question under the Agreement, including without limitation European Data Protection Laws, the CCPA and the data protection and privacy laws of Australia and Singapore; in each case as amended, repealed, consolidated or replaced from time to time. “Europe” means the European Union, the European Economic Area and/or their member states, Switzerland and the United Kingdom.
“European Data Protection Laws” means data protection laws applicable in Europe, including: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) ("GDPR"); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; and (iii) applicable national implementations of (i) and (ii); or (iii) GDPR as it forms parts of the United Kingdom domestic law by virtue of Section 3 of the European Union (Withdrawal) Act 2018 ("UK GDPR"); and (iv) Swiss Federal Data Protection Act on 19 June 1992 and its Ordinance ("Swiss DPA"); in each case, as may be amended, superseded or replaced.
“European Personal Data” means Personal Data the sharing of which pursuant to this Agreement is regulated by European Data Protection Laws.
“Joint Customer” means a customer of both Partner and HubSpot.
“Joint Customer Personal Data” means any Personal Data for which a Joint Customer acts as a Controller.
“HubSpot Personal Data” means any Personal Data for which HubSpot acts as a Controller.
“Partner Personal Data” means any Personal Data for which Partner acts as a Controller.
“Personal Data” means any information relating to an identified or identifiable individual where such information is contained within HubSpot Personal Data, Partner Personal Data or Joint Customer Personal Data and is protected similarly as personal data or personally identifiable information under applicable Data Protection Laws.
“Personal Data Breach” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
“Processing” means any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of Personal Data. The terms “Process”, “Processes” and “Processed” will be construed accordingly.
“Processor” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.
“Standard Contractual Clauses” or “SCCs” means the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021.
“Subprocessor” means any entity which provides processing services to a Processor.
“Supervisory Authority” means an independent public authority which is established by a member state of the European Economic Area, Switzerland or the United Kingdom.
"UK Addendum" means the International Data Transfer Addendum (Version B.1.0) issued by the UK ICO under s119A of the Data Protection Act 2018, as it may be amended, superseded or replaced.
2. COMPLIANCE WITH LAWS
The parties shall each represent and warrant that they will comply with their respective obligations and duties under applicable Data Protection Laws.
3. JOINT PROCESSOR SCENARIOS
Each party, to the extent that it, along with the other party, acts as a Processor with respect to Joint Customer Personal Data, will (i) comply with the instructions and restrictions set forth in any agreement(s) with the Joint Customer; and (ii) reasonably cooperate with the other party to enable the exercise of data protection rights as set forth in applicable Data Protection Laws. The parties both acknowledge and agree that each party is acting as a Processor for the Joint Customer and neither party is engaging the other as a Subprocessor.
4. CONTROLLER-TO-CONTROLLER SCENARIOS
Each party, to the extent that it, along with the other party, acts as a Controller with respect to Personal Data, will reasonably cooperate with the other party to enable the exercise of data protection rights as set forth in applicable Data Protection Laws.
The parties acknowledge and agree that each is acting independently as a Controller with respect of Personal Data and the parties are not joint controllers as defined under European Data Protection Laws.
5. CONTROLLER-TO-PROCESSOR SCENARIOS
For Processing operations where HubSpot processes Personal Data on Partner’s behalf and at Partner’s direction, the term “Processor” refers to HubSpot, the term “Controller” refers to Partner, and the term “Personal Data” refers to Partner Personal Data. For data processing operations where Partner processes Personal Data on HubSpot’s behalf and at HubSpot’s direction, the term “Processor” refers to Partner, the term “Controller” refers to HubSpot, and the term “Personal Data” refers to HubSpot Personal Data.
B. Scope of Processing.
In the context of the scenarios described in Section 5.a above, each party agrees to process Personal Data only for the purposes set forth in the applicable Partner Agreement and/or the Partner’s agreement(s) with the Joint Customer. For the avoidance of doubt, the categories of Personal Data processed and the categories of data subjects subject to this DPA are described in Schedule A to this DPA.
6. CONTROLLER OBLIGATIONS
The parties in their capacity as a Controller agree to:
A. Provide instructions to the Processor and determine the purposes and means of the Processor’s processing of Personal Data in accordance with the Agreement; and
B. Comply with its protection, security and other obligations with respect to Personal Data prescribed by applicable Data Protection Laws for a Controller by: (i) establishing and maintaining a procedure for the exercise of the rights of the individuals whose Personal Data are processed on behalf of the Controller; (ii) processing only data that has been lawfully and validly collected and ensuring that such data will be relevant and proportionate to the respective uses; and (iii) ensuring compliance with the provisions of this DPA by its personnel or by any third party accessing or using Personal Data on its behalf.
7. PROCESSOR OBLIGATIONS
A. Processing Requirements. The parties in their capacity as a Processor agree to:
a. Process Personal Data (i) only for the purpose of providing, supporting and improving the Processor’s product and services (including to provide insights and other reporting), using appropriate technical and organizational security measures; and (ii) in compliance with the instructions received from the Controller. The Processor will not use or process Personal Data for any other purpose. The Processor will promptly inform the Controller in writing if it cannot comply with the requirements under Sections 6 – 9 of this DPA, in which case the Controller may terminate the Agreement, and any applicable Partner Agreement, or take any other reasonable action, including suspending data processing operations;
b. Inform the Controller promptly and without undue delay if, in the Processor’s opinion, an instruction from the Controller violates applicable Data Protection Laws;
c. If the Processor is collecting Personal Data from individuals on behalf of the Controller, follow the Controller’s instructions regarding such Personal Data collection;
d. Take commercially reasonable steps to ensure that (i) persons employed by it and (ii) other persons engaged to perform on the Processor’s behalf comply with the terms of the Agreement, and applicable Partner Agreements;
e. Represent and warrant that its employees, authorized agents and any Subprocessors are subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty), and shall not permit any person to process the personal data who is not under such a duty of confidentiality;
f. If it intends to engage Subprocessors to help it satisfy its obligations in accordance with this DPA or to delegate all or part of the processing activities to such Subprocessors, (i) provide a list of Subprocessors currently engaged by the Processor to the Controller (such list for HubSpot is available online at https://legal.hubspot.com/sub-processors-page), and notify the Controller of the engagement of any new Subprocessors at least 30 days in advance, giving the Controller the opportunity to object; (ii) remain liable to the Controller for the Subprocessors’ acts and omissions with regard to data protection where such Subprocessors act on the Processor’s instructions; and (iii) enter into contractual arrangements with such Subprocessors binding them to provide the same level of data protection and information security to that provided for herein;
g. Upon request, provide the Controller with the Processor’s privacy and security policies; and
h. Inform the Controller if the Processor undertakes an independent security review.
B. Notice to the Controller. The Processor will immediately and without undue delay inform the Controller if the Processor becomes aware of:
a. Any non-compliance by Processor or its employees with Sections 6 – 9 of this DPA or applicable Data Protection Laws relating to the protection of Personal Data processed under this DPA;
b. Any legally binding request for disclosure of Personal Data by a law enforcement or government authority, unless the Processor is otherwise forbidden by law to inform the Controller, for example to preserve the confidentiality of an investigation by law enforcement authorities;
c. Any notice, inquiry or investigation by a Supervisory Authority with respect to Personal Data; or
d. Any complaint or request (in particular, requests for access to, rectification or blocking of Personal Data) received directly from data subjects of the Controller. The Processor will not respond to any such request without the Controller’s prior written authorization.
C. Assistance to the Controller.The Processor will provide timely and reasonable assistance to the Controller regarding:
a. Responding to any request from an individual to exercise rights under applicable Data Protection Laws (including its rights of access, correction, objection, erasure and data portability, as applicable) and the Processor agrees to promptly inform the Controller if such a request is received directly;
b. The investigation of Personal Data Breaches and the notification to the Supervisory Authority and the Controller data subjects regarding such Personal Data Breaches; and
c. where appropriate, the preparation of data protection impact assessments and, where necessary, carrying out consultations with any Supervisory Authority.
D. Required Processing.
If the Processor is required by Data Protection Laws to process any Personal Data for a reason other than in connection with the Agreement, the Processor will inform the Controller of this requirement in advance of any processing, unless the Processor is legally prohibited from informing the Controller of such processing (e.g., as a result of secrecy requirements that may exist under applicable EU member state laws).
E. Security. The Processor will:
a. Maintain appropriate organizational and technical security measures (including with respect to personnel, facilities, hardware and software, storage and networks, access controls, monitoring and logging, vulnerability and breach detection, incident response, encryption of Personal Data while in transit and at rest) to protect against unauthorized or accidental access, loss, alteration, disclosure or destruction of Personal Data;
b. Be responsible for the sufficiency of the security, privacy, and confidentiality safeguards of all of the Processor’s personnel with respect to Personal Data and liable for any failure by such Processor personnel to meet the terms of this DPA;
c. Take appropriate steps to confirm that all of the Processor’s personnel are protecting the security, privacy and confidentiality of Personal Data consistent with the requirements of this DPA; and
d. Notify the Controller of any Personal Data Breach by the Processor, its Subprocessors, or any other third parties acting on the Processor’s behalf without undue delay and in any event within 48 hours of becoming aware of a Personal Data Breach.
F. Additional Provisions for California Personal Information.
When the Processor Processes California Personal Information in accordance with the instructions received from the Controller, the parties acknowledge and agree that the Controller is a Business and the Processor is a Service Provider for the purposes of the CCPA. The parties agree that the Processor will Process California Personal Information as a Service Provider strictly for the purpose of providing, supporting and improving the Processor’s services (including to provide insights and other reporting) (the "Business Purpose") or as otherwise permitted by the CCPA.
8. AUDIT, CERTIFICATION
A. Supervisory Authority Audit.
If a Supervisory Authority requires an audit of the data processing facilities from which the Processor processes Personal Data in order to ascertain or monitor compliance with Data Protection Laws, the Processor will cooperate with such audit. The Controller will reimburse the Processor for its reasonable expenses incurred to cooperate with the audit, unless such audit reveals the Processor’s noncompliance with this DPA.
B. Processor Certification.
The Processor must, upon the Controller’s request (not to exceed one request per calendar year) by email (where HubSpot is the Processor, such emails shall be sent to firstname.lastname@example.org; where Partner is the Processor, Partner shall establish and provide to HubSpot upon request a single point of contact for email correspondence regarding data protection), certify compliance with this DPA in writing.
9. DATA RETURN AND DELETION
The parties agree that on the termination of the data processing services or upon the Controller’s reasonable request, the Processor shall and shall take reasonable measures to cause any Subprocessors to, at the choice of the Controller, return all the European Personal Data and copies of such data to the Controller or securely destroy them and demonstrate to the satisfaction of the Controller that it has taken such measures, unless Data Protection Laws prevent the Processor from returning or destroying all or part of the European Personal Data disclosed. In such case, the Processor agrees to preserve the confidentiality of the European Personal Data retained by it and that it will only actively process such European Personal Data after such date in order to comply with applicable laws.
10. DATA TRANSFERS
Wherever Personal Data is transferred outside its country of origin, each party will ensure such transfers are made in compliance with the requirements of Data Protection Laws.a. Partner Personal Data. For transfers of European Personal Data from Partner to HubSpot for processing by HubSpot in a jurisdiction outside Europe that does not provide an adequate level of protection for Personal Data (within the meaning of applicable European Data Protection Laws), the parties agree that:
(i) Standard Contractual Clauses: The parties agree to abide by and process European Data in compliance with the SCCs as incorporated under Section 10(c) below.
(ii) Privacy Shield: Although HubSpot, Inc. does not rely on the EU-US Privacy Shield as a legal basis for transfers of Personal Data in light of the judgment of the Court of Justice of the EU in Case C-311/18, for as long as HubSpot, Inc. is self-certified to the Privacy Shield HubSpot Inc will process European Personal Data in compliance with the Privacy Shield Principles and let Partner know if it is unable to comply with this requirement.
The parties agree that data subjects for whom a HubSpot entity processes European Personal Data are third-party beneficiaries under the SCCs. If HubSpot is unable or becomes unable to comply with these requirements, then European Personal Data will be processed and used exclusively within the territory of a member state of the European Union and any movement of European Personal Data to a non-EU country requires the prior written consent of Partner with respect to European Personal Data. HubSpot shall promptly notify Partner of any inability by HubSpot to comply with the provisions of this Section 10(a).
b. HubSpot Personal Data. For transfers of European Personal Data from HubSpot to Partner for processing by Partner in a jurisdiction outside Europe that does not provide an adequate level of protection for Personal Data (within the meaning of applicable European Data Protection Laws), the parties agree that:
(i) Standard Contractual Clauses: The parties agree to abide by and process European Data in compliance with the SCCs as incorporated under Section 10(c) below.
(ii) Privacy Shield: For as long as HubSpot, Inc. is self-certified to the Privacy Shield, Partner will process European Personal Data in compliance with the Privacy Shield Principles and let HubSpot know if it is unable to comply with this requirement.
The parties agree that data subjects for whom Partner processes European Personal Data are third-party beneficiaries under the SCCs. If Partner is unable or becomes unable to comply with these requirements, then European Personal Data will be processed and used exclusively within the territory of a member state of the European Union and any movement of European Personal Data to a non-EU country requires the prior written consent of HubSpot with respect to Personal Data. Partner shall promptly notify HubSpot of any inability by Partner to comply with the provisions of this Section 10(b).
c. Standard Contractual Clauses. The Parties acknowledge and agree that for the purposes of the SCCs: (i) with respect to Partner Personal Data, the “data exporter” shall be Partner and the “data importer” shall be HubSpot (acting on behalf of itself and its Affiliates); (ii) with respect to HubSpot Personal Data the “data exporter” shall be HubSpot (acting on behalf of itself and its Affiliates) and the “data importer” shall be Partner; (iii) the Module One terms shall apply where both parties are Controllers and the Module Two terms shall apply where the party receiving Personal Data under the SCCs is acting as a Processor on behalf of the other party as a Controller; (iv) in Clause 7, the optional docking clause shall apply; (v) in Clause 9, Option 2 of Module Two shall apply and the Processor shall obtain authorization for Subprocessors in accordance with Section 7(a) of this DPA; (vi) in Clause 11, the optional language shall be deleted; (vii) in Clause 17 and Clause 18(b), the SCCs shall be governed by the laws of and disputes shall be resolved before the courts of the Republic of Ireland or the EEA member state in which the HubSpot legal entity that has entered into the Agreement is established or, if such HubSpot is not established in the EEA, the Republic of Ireland; (viii) in Annex I of the SCCs, the details of the parties is set out in the Agreement; and (ix) the remaining information in Annex I and Annex II of the SCCs shall be deemed completed with the information set out in Schedule A of this DPA.
d. UK Transfers. In relation to Personal Data that is subject to the UK GDPR, the SCCs shall apply in accordance with Section 10(c) above and the following additional modifications: (i) the SCCs shall be amended as specified by the UK Addendum, which shall be incorporated by reference; (ii) Tables 1 to 3 in Part 1 of the UK Addendum shall be populated with relevant information set out in Schedule A of this DPA; (iii) Table 4 in Part 1 of the UK Addendum shall be deemed completed by selecting “neither”; and (iv) any conflict between the SCCs and the UK Addendum shall be resolved in accordance with Section 10 and Section 11 of the UK Addendum.
e. Swiss Transfers. In relation to Personal Data that is subject to the Swiss DPA, the SCCs shall apply in accordance with Section 10(c) above and the following additional modifications: (i) references to “Regulation (EU) 2016/679” and specific articles therein shall be interpreted as references to the Swiss DPA and the equivalent articles or sections therein; (ii) references to "EU", "Union" and "Member State" shall be replaced with references to "Switzerland"; (iii) references to the "competent supervisory authority" and "competent courts" shall be replaced with references to the "Swiss Federal Data Protection Information Commissioner" and "applicable courts of Switzerland"; and (iv) in Clause 17 and Clause 18(b), the SCCs shall be governed by the laws of and disputes shall be resolved before the courts of Switzerland.
This DPA shall remain in effect as long as either party carries out Personal Data processing operations on the Personal Data uploaded or otherwise provided by the other party pursuant to and in accordance with the Partner Agreement.
Each Party shall defend, indemnify, and hold harmless the other and its subsidiaries, affiliates, and its respective officers, directors, employees, and agents from and against all losses, damages, liabilities, deficiencies, actions, judgments, interest, awards, penalties, fines, costs, or expenses of whatever kind, including reasonable attorneys' fees, the cost of enforcing any right to indemnification hereunder, and the cost of pursuing any insurance providers, arising out of or resulting from any third-party claim against the other arising out of or resulting from the breaching party’s failure to comply with any of its obligations under this DPA or the applicable laws, regulations, or principles contained in European Data Protection Laws. Each Party’s liability shall be subject to the limitation of liability in the applicable Partner Agreement.
ANNEX A - DESCRIPTION OF THE TRANSFER
1. Categories of data subjects. The personal data transferred concerns the following categories of data subjects, depending on the agreement between the data importer and data exporter:
HubSpot members; potential and actual customers and employees of the data exporter; sales and marketing leads of the data exporter; and third parties that have, or may have, a commercial relationship with the data exporter (e.g. advertisers, customers, corporate subscribers, contractors and product users).
2. Categories of personal data. The personal data transferred concern the following categories of data:
The data transferred is the personal data provided by the data exporter to the data importer in connection with the Partner Agreement. Such personal data may include first name, last name, email address, contact information, education and work history and other information provided in HubSpot member profiles, resumes, CRM data concerning sales leads and customer lists, any notes provided by the data exporter regarding the foregoing and other activities of HubSpot members taken on the HubSpot platform.
ANNEX B – SECURITY MEASURES
We use a variety of security technologies and procedures to help protect your Personal Data. All Personal Data is protected using appropriate physical, technical and organizational measures. For more on Security at HubSpot, please see https://legal.hubspot.com/security.