Data Protection

Last updated 23rd Jan 2023

1. Definitions

The following definitions shall additionally apply in this Schedule:

“Agreed Purposes” the performance of the Contract.

“Controller”, “processor”, “data subject”, “personal data breach”, “processing” “appropriate technical and organisational measures” as defined in the Data Protection Legislation.

“Data Protection Legislation” the Data Protection Act 2018, the UK GDPR (as defined in section 3(11) of the Data Protection Act 2018) and any other applicable legislation related to the processing of personal data from time to time.

“personal data” as defined in the Data Protection Legislation and means personal data processed by Hook on behalf of the Client under the Contract.

2. Personal data types and processing

2.1 The Parties acknowledge that as between them, the Client is the controller and Hook is the processor of the personal data.

2.2 The Client retains control of the personal data and remains responsible for its compliance obligations under the applicable Data Protection Legislation, including providing any required notices and obtaining any required consents, and for the processing instructions it gives to Hook.

2.3 The subject matter and duration of the processing, the nature and purpose of the processing, the types of personal data and the categories of data subjects are set out in Annex A.

3. Hook’s obligations

3.1 Hook will only process the personal data to the extent, and in such a manner, as is necessary for the Agreed Purposes in accordance with the Client’s written instructions and / or the Contract. Hook will not process the personal data for any other purpose or in a way that does not comply with the Contract or the Data Protection Legislation.

3.2 Hook must notify the Client without delay if, in its opinion, the Client’s instruction would not comply with the Data Protection Legislation.

3.3 Hook must promptly comply with any Client request or instruction requiring Hook to amend, transfer, delete or otherwise process the personal data, or to stop, mitigate or remedy any unauthorised processing.

3.4 Hook will maintain the confidentiality of all personal data and will not disclose personal data to third parties unless the Client specifically authorises the disclosure, or as required to perform the Contract, or as required by law.

3.5 Hook will, subject to the Client reimbursing its reasonable costs and expenses, reasonably assist the Client with meeting the Client’s compliance obligations under the Data Protection Legislation, taking into account the nature of Hook’s processing and the information available to Hook, including in relation to security of processing, data subject rights, data protection impact assessments and reporting to and consulting with supervisory authorities under the Data Protection Legislation.

4. Hook’s staff

4.1 Hook shall ensure that all persons authorised by Hook to process the personal data are informed of the confidential nature of the personal data and are bound by confidentiality obligations and use restrictions in respect of the personal data.

5. Security

5.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, Hook shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk to the personal data, including the pseudonymisation and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and a process for regularly testing, assessing and evaluating the effectiveness of security measures.

5. Personal data breach

5.1 Hook will notify the Client without undue delay if it becomes aware of:

5.1.1 any accidental, unauthorised or unlawful processing of the personal data; or

5.1.2 any personal data breach related to the personal data.

5.2 Where Hook becomes aware of any matter within the scope of paragraph 5.1, it shall also provide the Client without undue delay with the following information:

5.2.1 a description of the nature of the matter, including the categories and approximate number of both data subjects and personal data records concerned; and

5.2.2 a description of the measures taken, or proposed to be taken to address the matter, including measures to mitigate its possible adverse effects.

5.3 Promptly following any accidental, unauthorised or unlawful personal data processing or personal data breach related to the personal data, the parties will co-ordinate with each other to investigate the matter. Hook will reasonably assist and co-operate with the Client in its handling of the matter.

5.4 Hook shall not inform any third party of any personal data breach related to the personal data without first obtaining the Client’s prior written consent, except when required to do so by law.

6. Cross-border data transfers

6.1 Hook shall not transfer any personal data outside the United Kingdom and the European Economic Area without the Client’s prior written consent (except no consent shall be needed where Hook is transferring personal data back to the country or territory from which it originated).

7. Sub processors

7.1 Hook may not appoint a third party (“Sub-processor”) to process the personal data without the prior written consent of the Client and only if:

7.1.1 Hook enters into a written contract with the Sub-processor that contains terms substantially the same as those set out in this Schedule; and

7.1.2 the Sub-processor's contract terminates automatically on termination of the Contract for any reason.

7.2 Those Sub-processors approved as at the commencement of this Contract are in Annex A.

7.3 Where the Sub-processor fails to fulfil its obligations under such written contractor, Hook remains fully liable to the Client for the Sub-processor’s performance of its obligations.

7.4 The Client agrees to Hook supplementing its own workforce for example through the use of independents contractors and agency workers.

8.Complaints, data subject requests and third-party rights

8.1 Hook shall, subject to the Client reimbursing its reasonable costs and expenses, take such technical and organisational measures as may be appropriate, and provide such information to the Client as the Client may reasonably require, to enable the Client to comply with:

8.1.1 the rights of data subjects under the Data Protection Legislation; and

8.1.2 information or assessment notices served on the Client by any supervisory authority under the Data Protection Legislation.

8.2 Hook shall notify the Client without delay if it receives any complaint, notice or communication that relates directly or indirectly to the processing of the personal data.

8.3 Hook shall notify the Client within 5 Business Days if it receives a request from a data subject for access to their personal data or to exercise any of their related rights under the Data Protection Legislation.

8.4 Hook shall, subject to the Client reimbursing its reasonable costs and expenses, give the Client all reasonable co-operation and assistance in responding to any complaint, notice, communication or data subject request.

8.5 Hook must not disclose the personal data to any data subject or to a third party other than at the Client’s written request or instruction, as provided for in the Contract or as required by law.

9.Data return and destruction

9.1 On termination or expiry of the Contract for any reason, and without prejudice to clause 9.8, Hook will securely delete or destroy or, if directed in writing by the Client, return and not retain, all or any personal data related to the Contract in its possession or control.

9.2 If any law, regulation, or government or regulatory body requires Hook to retain any documents or materials that Hook would otherwise be required to return or destroy, it will notify the Client in writing of that retention requirement, giving details of the documents or materials that it must retain, the legal basis for retention, and establishing a specific timeline for destruction once the retention requirement ends.

10.Audits

10.1 Hook shall provide the Client with all information reasonably requested by the Client to demonstrate compliance with the Contract. Hook shall permit the Client to audit Hook’s compliance with this Contract, on at least 30 days' notice, during the term of the Contract provided such audit is not carried out more than once each year, the Client enters into such confidentiality undertakings as Hook may reasonably require and the audit causes minimum disruption to Hook’s business.

10.2 The Client shall reimburse Hook for its reasonable costs and expenses incurred in relation to paragraph 10.1.

Annex A

Data Processing Details

Data exporter: Hook

Data importer: Customer

Subject matter and purpose

The subject matter and purpose of the processing is the provision of the Services under the Contract.

Duration

The duration of the processing is for the term of the Contract and for a short period afterwards to allow the data to be returned to the Client or deleted.

Nature

The nature of the processing includes the receipt, storage, transferring, using, analysing, returning and deleting the data.

Types of Personal Data

Names, email addresses, platform usage data, communication data relating to meetings

Categories of Data Subjects

Employees of the client and employees of the client’s customers ( i.e. users of the client’s platform)

Sensitive data transferred: none

Frequency of transfer: ongoing regular transfers throughout the term of the Contract.

Sub-processors

1. Amazon is our hosting provider and we use their facility in Ireland
2. Google is our e-mail provider, based in United States
3. Slack is used for internal messaging, based in United States
4. Atlassian is used for work tracking based in Australia, United States
5. Hubspot is used for managing our customers and contracts, based in United States
6. Datadog is our cloud data management and analytics platform, based in the United States

This page is public and kept updated as it changes:

https://hooktechnology.notion.site/Hook-data-sub-processors-383a724194db42ee9ea24858507227dc

Technical and organisational measures to ensure the security of the data: This page is public and kept updated as it changes:

https://hook.co/security