Hootsuite Developer Data Processing Addendum

Last Modified: September 29, 2022

This data processing addendum (the “DPA”) is incorporated into the Hootsuite API Terms of Service (the “Developer Agreement”) entered into by you (“Developer”) and Hootsuite Inc. (“Hootsuite”), and governs the processing of European Personal Data (as defined below) in connection with the Developer Agreement.

1. Scope, Definitions and Applicable Law
This DPA governs the processing of personal data originating in the European Economic Area (the Member States of the European Union, plus Iceland, Liechtenstein and Norway, collectively the “EEA”), the United Kingdom (“UK”) or Switzerland (collectively, “Europe”), or that is otherwise subject to European Data Protection Law, that you receive from Hootsuite and Hootsuite Users in connection with the Developer Agreement (“European Personal Data”). Terms and expressions used herein that are not otherwise defined, including without limitation “personal data”, “controller”, “joint controller”, “processing”, “data subject”, “processor” and “subprocessor” shall have the meanings set forth in European Data Protection Law. “European Data Protection Law” means any data protection and privacy laws applicable in Europe to the personal data in question, including (i) the EU General Data Protection Regulation (“GDPR”), (ii) Directive 2002/58/EC (“ePrivacy Directive”), (iii) any applicable national implementations of (i) and (ii), (iv) the GDPR as it forms part of UK law by virtue of Section 3 of the European Union (Withdrawal) Act 2018 and the Data Protection Act 2018 (together, the “UK GDPR”); and (v) the Swiss Federal Data Protection Act of 19 June 1992 and its Ordinance (“Swiss DPA”); in each case as may be amended, superseded or replaced from time to time. 

2. Roles and Responsibilities
The parties shall each comply with their respective obligations under European Data Protection Law. Each party acknowledges and agrees to the following:

  1. Controller-to-controller scenarios. Each party may be an independent controller of European Personal Data. For example, Hootsuite is a controller of Hootsuite Users’ account information (“Account Information”), as further described in the Hootsuite Privacy Policy. To the extent that the parties each act as controllers of European Personal Data, both parties will reasonably cooperate with the other party to enable the exercise of data protection rights as set forth in European Data Protection Law. The parties acknowledge and agree that they are not acting as joint controllers of European Personal Data.

  2. Joint processor scenarios. Each party may be an independent processor of European Personal Data acting on behalf of a Hootsuite User that is a customer of both you and Hootsuite. For example, Hootsuite may be a processor of European Personal Data contained in Hootsuite User’s Content, as further described in the Hootsuite Privacy Policy. To the extent that the parties each act as a processor of European Personal Data on behalf of a Hootsuite User, both parties will (i) comply with the instructions and restrictions set forth in its respective agreements with the Hootsuite User, and (ii) reasonably cooperate with the other party to enable each party to comply with their instructions received from the Hootsuite User. The parties acknowledge and agree that neither party is engaging the other as a subprocessor.

3. Protection of European Personal Data
In addition to the obligations set out in the Developer Agreement, you:

  1. agree to comply with your protection, security and other obligations with respect to the processing of European Personal Data under European Data Protection Law for controllers and processors, including but not limited to: (i) maintaining a record of processing activities that includes the purposes of processing and a description of the categories of data subjects and the categories of personal data being processed; (ii) establishing and maintaining a procedure for the exercise of the rights of data subjects whose personal data are processed by you; (iii) processing only data that has been lawfully and validly collected and ensuring that such data will be relevant and proportionate to the respective uses; (iv) ensuring compliance with the provisions of this DPA by your personnel or by any third party accessing or using personal data on your behalf; and (v) if you offer your Application for use outside of your organization, making available a copy of your privacy policy to data subjects;

  2. will cooperate with Hootsuite to implement appropriate security (including both organizational and technical) measures prior to and during processing of any European Personal Data to protect against, without limitation, the accidental, unlawful or unauthorized access to or use, transfer, destruction, loss, alteration, commingling, disclosure or processing of European Personal Data and ensure a level of security appropriate to the risks presented by the processing of European Personal Data and the nature of such European Personal Data, and these measures shall remain in place throughout the duration of your processing of European Personal Data or until you cease to process European Personal Data (whichever is later);

  3. will treat European Personal Data with strict confidence and take all reasonable steps to ensure that your personnel who will process European Personal Data are aware of and comply with this DPA and are under a duty of confidentiality with respect to European Personal Data no less restrictive than the duties set forth herein; and

  4. will not transfer European Personal Data to third parties except under written contracts that contain guarantees that comply with European Data Protection Law and ensure at least a level of data protection and information security as provided for in the Developer Agreement (including this DPA), and you will remain fully liable to Hootsuite for any third party’s failure to comply.

4. Notice and Cooperation
You will promptly give written notice to and fully cooperate with Hootsuite:

  1. if for any reason (i) you cannot comply, or have not complied, with any portion of this DPA, (ii) you have breached or, if you continued to process European Personal Data, would breach, any European Data Protection Law governing your processing, transfer, or receipt of European Personal Data. In such cases, you will take reasonable and appropriate steps to remedy any noncompliance, or cease further processing of European Personal Data and Hootsuite may immediately terminate your Developer Agreement or access to European Personal Data, or take any other reasonable action; and

  2. regarding (i) any breach of security or unauthorized access to European Personal Data that you detect or become aware of, or (ii) any complaint, inquiry, or request from a data subject or government or regulatory agency regarding European Personal Data, unless such notice is prohibited by law. In such cases, without limiting the generality of the foregoing, you will refrain from notifying or responding to any data subject, government or regulatory agency, or other third party, for or on behalf of Hootsuite or any Hootsuite personnel, unless Hootsuite specifically requests in writing that you do so, except as and when otherwise required by European Data Protection Law. You agree and acknowledge that if Hootsuite receives a request from a government or regulatory agency, Hootsuite may share the terms of this DPA, your Developer Agreement with Hootsuite, and other information you provide to demonstrate compliance with this DPA or European Data Protection Law.

5. Data Transfers

To the extent that you act as a controller of European Personal Data and process such data outside Europe in a country that does not provide an adequate level of protection for personal data within the meaning of applicable European Data Protection Law, the standard contractual clauses as approved by the European Commission pursuant to its decision 2021/914 of 4 June 2021 (“SCCs”) shall be incorporated by reference and form an integral part of this DPA with Hootsuite as the "data exporter" and you as the "data importer". For the purposes of the SCCs: (a) the Module One terms shall apply; (b) Clause 7 shall apply; (c) in Clause 11, the optional language shall be deleted; (d) in Clause 17, Option 1 shall apply and the SCCs shall be governed by the laws of the Republic of Ireland; (e) in Clause 18(b), disputes shall be resolved before the courts of the Republic of Ireland; (f) in Clause 13(a) and Annex 1.C, the Irish Data Protection Commissioner shall act as competent supervisory authority; and (g) Annexes 1.A, 1.B and 2 of the SCCs shall be deemed populated with the relevant information included at Schedule A of this DPA. 

In addition, in relation to European Personal Data that is protected by the UK GDPR, the SCCs shall apply as set out above with the following modifications: (i) the SCCs shall be amended as specified by the International Data Transfer Addendum issued by the Information Commissioner's Office under s.119(A) of the UK Data Protection Act 2018 (the “UK Addendum”), which shall be incorporated by reference; (ii) Tables 1 to 3 in Part 1 of the UK Addendum shall be deemed completed using the information contained in Schedule A of this DPA; (iii) Table 4 in Part 1 of the UK Addendum shall be deemed completed by selecting "exporter"; and (iv) any conflict between the SCCs and the UK Addendum shall be resolved in accordance with Section 10 and Section 11 of the UK Addendum. In relation to European Personal Data that is protected by the Swiss DPA, the SCCs shall apply as set out above with the following modifications: (i) references to “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss DPA; (ii) references to “EU,” “Union,” and “Member State” shall be replaced with “Switzerland”; (iv) references to the “competent supervisory authority” and “competent courts” shall be interpreted as references to the “Swiss Federal Data Protection and Information Commissioner” and the “competent Swiss courts”; and (v) the SCCs shall be governed by the laws of Switzerland and disputes shall be resolved before the competent Swiss courts.

6. Order of Precedence
In the event of any conflict or inconsistency between any terms of this DPA, the Developer Agreement and the SCCs, the provisions of the following documents (in order of precedence) shall prevail: (a) the SCCs, (b) this DPA, and (c) the Developer Agreement.

Annexes to the SCCs

Annex 1(A): List of parties

Data Exporter:
Name: Hootsuite Inc.
Address: 111 East 5th Avenue, 3rd Floor, Vancouver, British Columbia, Canada V5T 4L1
Contact person's name, position and contact details: Senior Director, Privacy & Product Compliance and Data Protection Officer, privacy@hootsuite.com
Activities relevant to data transferred under these Clauses: Processing as necessary, in accordance with the Developer Agreement, to enable the Developer to access the Hootsuite APIs, API Documentation to develop, test and support an integration of its Application with the Hootsuite Platform.
Role (controller / processor): Controller

Data Importer:
Name: The name associated with the Developer’s Application or Developer’s account within the Hootsuite Platform.
Address: The address associated with the Developer’s Application or Developer’s account within the Hootsuite Platform.
Contact person's name, position and contact details: The email address associated with the Developer’s Application or Developer's account within the Hootsuite Platform.
Activities relevant to data transferred under these Clauses: Processing as necessary, in accordance with the Developer Agreement, to access the Hootsuite APIs, API Documentation to develop, test and support an integration of the Developer’s Application with the Hootsuite Platform.
Role (controller / processor): Controller

Description: Hootsuite Services
Categories of data subjects: Individuals employed by or who work for Hootsuite’s customers. Individuals whose personal data is contained in the data provided to Developer in accordance with the Developer Agreement.
Categories of personal data: The personal data contained in Account Information, as further described in the Hootsuite Privacy Policy and any other personal data provided to the data importer under the Developer Agreement.
Sensitive data: N/A
Frequency of the transfer: Continuous
Nature of the transfer and processing: Transfer of personal data from the Hootsuite Platform to the Developer Application via the Hootsuite APIs.
Purpose(s) of the data transfer and further processing: Processing as necessary, in accordance with the Developer Agreement, to access the Hootsuite APIs, API Documentation to develop, test and support an integration of the Developer’s Application with the Hootsuite Platform.
Period for which the personal data will be processed and retained, or, if that is not possible, the criteria used to determine that period: Personal Data will be processed in accordance with the Developer’s data retention and deletion practices.

Annex 2: Technical and Organizational Measures

The technical and organizational measures to be implemented (including any relevant certifications) to ensure an appropriate level of security taking into account the nature, scope, context and purposes of the processing, and the risks for the rights and freedoms of natural persons, are described in the Developer Agreement and the API Documentation and may be updated by Hootsuite from time to time.