Product
Learn more about the all-in-one, most powerful solution for community engagement
Last modified: November 3, 2022
Want a pdf copy? Click here
This Data Processing Agreement (hereinafter, the “DPA”) is entered into by and between Kit United, a French société par actions simplifiée having its registered office at 6 rue Auber, 75009 Paris, France and registered under number 753 391 713 RC.S. Paris (hereinafter, “Hivebrite” or the “Company”) and the party that electronically accepts or otherwise agrees or opts-in to this DPA, for instance by signing an order form (the “Customer”), it being specified that using the Hivebrite solution (hereafter the “Hivebrite Solution”) constitutes acceptance of this DPA.
PREAMBLE
In the context of the EU Regulation 2016/679 (GDPR) and the Data Protection Act 2018 as amended by the Data Protection Privacy and Electronic Communications Regulations 2019 (UK GDPR), the present Data Processing Agreement aims to determine the rights and obligations of the Parties, as defined by the Data Protection Legislation, as defined herein.
In this regard, Hivebrite is particularly sensitive to the privacy of its Users and of the Customer with regard to the protection of their Personal Data, as well as to its obligations as Data Processor, as the case may be, as described in the present DPA.
It is expressly understood that the present DPA forms an integral part of the master subscription agreement applying to the Parties regarding the provision of the Hivebrite solution (hereafter, the “Contract”).
ARTICLE 1 – DEFINITIONS
The terms used in the present DPA and having a capital first letter, whether singular or plural, shall have the following signification:
“Administrator” designates any person, employee, representative, or third party duly authorized by the Customer or one of its Administrators to access the administration panel of the Hivebrite Solution.
“Customer Contact Email” means the address email of the Customer that is communicated to Hivebrite for the purpose of notifying relevant information regarding the Processing carried out by the Company.
“Data Controller” means the natural or legal person, public authority or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
“Data Processor” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.
“Data Protection Legislation” means the GDPR as well as any legislation and/or regulation implementing or created pursuant to the GDPR and the e-Privacy Legislation, or which amends, replaces, re-enacts or consolidates any of them, and all other national applicable laws relating to processing of personal data and privacy that may exist under applicable law.
“Data Subject” means an individual who is the subject of Personal Data.
“End-User“ means any User of the Hivebrite Solution, other than an Administrator and the Customer, that can access the Hivebrite Solution with the credentials provided to it by an Administrator and that interacts using the Hivebrite Solution.
“GDPR” (the General Data Protection Regulation): means Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, and its European and national implementing laws.
“Personal Data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
“Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“UK GDPR” means Regulation (EU) 2016/679 as it forms part of the laws of the UK by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.
“User” means any Administrator or End-User.
ARTICLE 2 – PROCESSING OF PERSONAL DATA
The Personal Data is collected and processed as follows.
2.1 The Personal Data of the Customer’s staff
In accordance with its subscription to the Contract and the availability of the Hivebrite Solution, the Company collects information about the Customer’s identification (corporate name, legal form, corporate address, intra-European VAT number) and its contacts Personal Data (emails, invoice contacts).
For the collection of Personal Data of the Customer’s staff (including the Customer Contact Email), the Company will be qualified as a Data Controller.
2.2 The Personal Data of Users
The Users’ Personal Data, which are processed through the use of the Hivebrite Solution, is the sole responsibility of the Customer who collects and processes the Personal Data for its own account, it being understood that the Customer determines the purposes and the general means of the processing of Personal Data in accordance with the applicable Data Protection Legislation.
2.3 The processing of Users’ Personal Data by the Company
The Customer is informed that its User’s Personal Data is collected for the sole purpose of executing the Contract and the Hivebrite Solution to which Customer has subscribed. If the Customer does not communicate the required Personal Data, the Customer will not be able to utilize the full functionality of the services.
The Customer is informed that the Company carries out statistical analyses, as well as measurements of audience, visits, and effective uses of the Hivebrite Solution, but only after anonymising the Users’ Personal Data. In addition, these statistical analyses, as well measurements of audience, visits, and effective uses of the Hivebrite Solution, are only destined to Hivebrite, and to the exclusion of all third parties, and for the sole purpose of optimizing and improving the functionalities of the Hivebrite Solution.
The Customer guarantees the accurate transmission of this information to the Users of the Hivebrite Solution.
2.4 The Obligations of the Customer as Data Controller
The Customer, while using the Hivebrite Solution, must be qualified as Data Controller of the Personal Data of Users.
As Data Controller, the Customer explicitly commits to:
In the event that the information is directly collected from the Users, the Customer, as Data Controller, commits to provide the Users, as applicable, with the following information:
Pursuant to the present DPA, the Customer commits to carry out all declaratory formalities and/or authorization requests and/or impact assessments, if necessary, as well as to ensure the mandatory compliance with the competent supervisory authority in light of the processing it carries out in relation to the usage of the Hivebrite Solution.
In the event the Customer has not yet carried out the above-mentioned formalities, it explicitly commits to promptly do so.
The Customer remains responsible for the Personal Data Processing carried out under its own responsibility.
The Customer must communicate the Customer Contact Email to the Company.
2.5 Obligations of the Company as Data Processor
The use of the Personal Data of the Users within the context of the use of the Hivebrite Solution implies that Hivebrite must be qualified as a Data Processor.
The subject, the duration, the nature and the purpose of the Processing of the Personal Data, as well as the type of Personal Data which is processed and the categories of Data Subjects, are listed in Annex 1.
The Contract, its Appendices and the present DPA must be qualified as written instructions of the Customer, qualified as the Data Controller, to Hivebrite, qualified as the Data Processor, without prejudice to any additional instructions given in writing.
As Data Processor and pursuant to the privacy procedures provided by the Data Protection Legislation, Hivebrite can only use Personal Data pursuant to instructions of the Customer responsible for the processing of the same.
As Data Processor, Hivebrite commits to always present sufficient guarantees in order to ensure the implementation of the necessary security and privacy measures.
In addition, Hivebrite commits to:
Furthermore, where Hivebrite is subject to the California Customer Privacy Act, Hivebrite undertakes to comply with this legislation, in particular with the prohibition to combine personal data received from the Customer with personal data received from another entity.
2.6 Data breach
The Company shall put in place all technical measures enabling the detection of personal data breaches (as defined by the Data Protection Legislation) and enabling the Data Controller to be informed of the breaches within a reasonable timeframe.
In the event a Personal Data breach occurs or has occurred, the Company shall notify the Customer by email without undue delay, and in any event within 72 hours of becoming aware of the breach, using the Customer Contact Email.
Without prejudice to the legal obligations of the Company, the Customer shall be responsible for the notification of the breach to the competent authority(ies) and/or the affected individuals.
Without prejudice to the legal obligations of the Company, the Company shall assist the Customer in the best possible way with the notification of the breach to the competent authority(ies) and/or the affected individuals.
The Company shall in any event treat all questions/requests of the Customer concerning the breach as a priority.
In the event of breach, the Company shall take all measures necessary and appropriate to restore the Personal Data and/or to limit the negative impact of the breach as much as possible (including but not limited to the provision of forensic assistance to the Customer), it being understood that the Company shall, where reasonably possible, always consult the Customer on the measures to be taken.
2.7 Appropriate technical and organizational measures put into place by Hivebrite
At the outset of the Processing, the Company has put into place the appropriate technical and organizational measures in order to guarantee the security of the processing, as well as the respect of the rights of the persons involved and the requirements of the GDPR.
The code of the Hivebrite Solution and the processed Personal Data are hosted on the Amazon servers and Google Cloud Platform, as these both present sufficient guarantees in terms of technical and organizational measures that are required pursuant to the Data Protection Legislation.
The Customer may consult the privacy policies of Amazon AWS and Google Cloud Platform at the following addresses:
The Company also makes a daily copy of the Personal Data hosted on the Amazon and/or Google Cloud Platform servers. The Personal Data is saved once every hour. The Company keeps the last save of each day for a period of thirty (30) days.
The Customer has the ability to extract the Personal Data of the End-Users in an Excel spreadsheet from its administration module.
For any additional questions, the Company invites its Customers to get in touch by email at [email protected].
2.8 Sub-processors of the Data Processor
The Customer hereby consents to the Processing of Personal Data by the sub-processors listed at https://hivebrite.com/legal/subprocessors.
The Customer gives a general authorization to Hivebrite to make any modification, change, addition or replacement of these sub-processors, in which case Hivebrite will notify the Customer of this modification, change, addition or replacement, using the Customer Contact Email, by no less than 7 business days’ notice. During this timeframe, Hivebrite shall, upon request, make available to the Customer all necessary information to demonstrate compliance of the engagement of the new sub-processor. The Customer has 7 days from the notification date to object this change, in which case Hivebrite will, at its choice:
The Company warrants that each sub-processor is contractually subject to at least the same obligations as those the Company is subject to toward the Customer under this DPA. The Company guarantees that each sub-processor it relies on shall comply with these obligations.
In case of international transfer of Data by the Company to a sub-processor outside the European Economic Area (EEA), the adequate level of protection is guaranteed by the signature of model clauses, pursuant to Section 2.9. of this DPA.
In any event, the Company shall indemnify the Customer for any damage and claims that may arise from the non-compliance by the sub-processor with the model clauses signed by the sub-processor.
2.9 International Personal Data transfer
The Company may not transfer any Personal Data outside the EEA unless one of the following conditions is fulfilled:
The Parties agree to replace the model clauses with the latest version of the model clauses as updated or replaced by the European Commission in accordance with Article 46, paragraphs 2(c) and 2(d) and Article 93 of the GDPR and with the provisions of the UK GDPR.
A transfer to a country outside the EEA is otherwise allowed only if this transfer is required on the basis of a regulation which is binding under European or French law. In such case, the Company shall inform the Customer beforehand and in writing of the legal requirement on the basis of which the Company is obliged to proceed to the transfer of the Data, unless the law concerned prohibits such notification on important grounds of public interest.
By adhering to this DPA, the Customer gives its authorization for transfers of Personal Data in the countries listed at https://hivebrite.com/legal/subprocessors and for transfers of Personal Data outside the EEA to sub-processors authorized under Article 2.8.
2.10 Personal Data Retention period
A. The Personal Data of the Customer’s staff
Subject to the mandatory preservation period of all data related to customer files, which is three (3) years as of the end of the contractual relationship, the Customer’s staff (including the Customer Contact Email) identification data shall be retained by Hivebrite for a period that shall not exceed the subscription period of same of the Hivebrite Solution, to the exclusion of the statutory period for archiving.
B. The Personal Data of Users
The Company hereby informs the Customer that it deletes the Personal Data of the Users within a period of thirty (30) to ninety (90) days following the termination of the Contract, notwithstanding any deletion request directly from Users.
At the end of the contractual relationship, the Company commits to return, free of charge and at the first request of the Customer formulated by registered letter with acknowledgement of receipt, all Personal Data belonging to the Customer that remains in possession of the Company in accordance with the terms of this DPA in a standard format (Microsoft Excel or CSV) within thirty (30) days following same request.
The Company commits to also respond to any questions formulated by the Customer with the thirty (30) calendar days following the receipt of the return request.
2.11 The Customer’s responsibility
The Customer remains solely liable for the legality of the processing carried out during the use of the Hivebrite Solution.
In addition, the Customer remains solely liable for the Personal Data it collects and processes as Data Controller. The Customer commits to proceed with the collection and the processing of the Users’ Personal Data in strict accordance with the Data Protection Legislation.
The Customer is informed that certain categories of Personal Data so called, “sensitive”, pursuant to the Data Protection Legislation, cannot be collected nor processed without the prior explicit consent of the data subjects, or any other formality provided for by the applicable Data Protection Legislation (authorization request, impact assessment, etc.). The Customer commits to never proceed with the collection and processing of the sensitive Personal Data aside from what is provided for by the Data Protection Legislation for such processing. The Company declines any liability regarding the collection or processing of sensitive Personal Data. The Customer acknowledges and accepts that any potential sensitive personal data are subject to the same technical and organizational security measures as those the Company implemented for non-sensitive Personal Data.
The Company, as Data Processor, declines any liability regarding the quality, the relevance, and the legality of the Personal Data. Except as provided herein, the Company cannot be held liable in the event of a collection or Processing of Personal Data that would contravene with the provisions of the Data Protection Legislation.
The Customer guarantees the Company, at first demand, against any and all harm incurred to it as a result of any action of a User or any third party due to the violation of the present clause, and/or any violation of any of its obligations as data controller pursuant to the Data Protection Legislation.
ANNEX 1. OVERVIEW OF THE PROCESSING
A. Duration of the Processing
For the duration of the contractual relationship between the Parties, including the period covering the Data Reversibility clause of the Contract.
B. Nature and purpose of the Processing
Personal Data will be processed for purposes of providing the services set out and otherwise agreed to in the Contract. In that regard, Hivebrite may carry out all kinds of processing operations.
C. Type of Personal Data Processed
Personal identification data (first name, last name, gender, ID/profile photograph, date of birth, language spoken, nationality, email, phone, address);
D. Categories of Data Subjects
Controller’s Users including but not necessarily limited to Controller’s community members, employees, contractors, collaborators, customers, prospects, suppliers and subcontractors.
E. Security measures
Data Processor shall implement appropriate technical and organisational measures and shall control compliance with these measures on a regular basis. This includes: