This Hopper Data Processing and Security Addendum, inclusive of Appendices 1, 2, and 3 hereto (“Addendum”), sets out the essential terms required by Hopper (USA), Inc., a Delaware corporation with its principal place of business located at 265 Franklin Street, Suite 1702, Boston, MA 02110 USA and/or its affiliates (meaning any other entity directly or indirectly controlling or controlled by, or under direct or indirect common control with, Hopper (USA), Inc., including without limitation Hopper, Inc., a Canadian federal corporation with a principal place of business at 5795 Avenue de Gaspe, Montreal, Quebec, H2S 2X3, Canada and Hopper Travel (Ireland), Ltd., an Irish corporation with a principal place of business at Mespil Business Centre, Mespil House, Sussex Road, Dublin 4) (collectively “Hopper”), for vendors and service providers (each a “Provider”) who collect, process, receive or otherwise have access to Hopper Data (as defined below). With respect to the Personal Data processed by Provider on behalf of Hopper, Hopper is the data controller of such data and Provider will operate as a data processor of such data. This Addendum shall be deemed incorporated into the terms and conditions of any agreement (each, an “Agreement”) between Hopper and Provider to which it is attached, whether entered into before or after the date of execution hereof. In the event of any conflict between any term of any Agreement and this Addendum, the terms of this Addendum shall govern and prevail.
“Agreement” means any and all agreements between the parties under which Provider receives, collects, accesses or otherwise processes Hopper Data.
“Hopper Data” means any data that is provided by Hopper to Provider, directly or indirectly (including through the Service) or otherwise collected, accessed or processed by Provider on behalf of Hopper, about Hopper, the Hopper apps, websites and services, any Hopper consumer, end user, employee, partner, vendor or other provider, or the use of any services by any of them, including any Personal Data.
“Personal Data” means any Hopper Data that can be used to identify, locate, or contact an individual including: (i) first and last name; (ii) home or other physical address; (iii) telephone number; (iv) email address or online identifier associated with an individual; (v) social security number, passport number, driver’s license number, or similar identifier; (vi) credit or debit card number; (vii) employment, financial or health information; (viii) IP address or device identifier, or (ix) any other information relating to an individual, including cookie information and usage and traffic data or profiles, that is combined with any of the foregoing.
“Service” means the services provided by Provider under an Agreement.
The data importer shall not sub-contract any of its processing activities performed on behalf of the data exporter under these Clauses to a sub-processor without the data exporter’s prior specific written authorisation. The data importer shall submit the request for specific authorisation at least thirty (30) days prior to the engagement of the sub-processor, together with the information necessary to enable the data exporter to decide on the authorisation. The list of sub-processors already authorised by the data exporter can be found in Annex III. The Parties shall keep Annex III up to date.
Clause 13(a) of the Model EU Third Country Clauses shall be agreed to be the following paragraph:
The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.
Clauses 17 and 18(b) of the Model EU Third Country Clauses shall be agreed to be the following paragraphs, which shall replace and supersede Section 11 of this Addendum with respect to any data subject to the provisions of this Section 3:
Clause 17. These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of the Republic of Ireland.
Clause 18(b) The Parties agree that those shall be the courts of Ireland.
In the event of any conflict between this Addendum or the Agreement and the Model EU Third Country Clauses incorporated herein, the Model EU Third Country Clauses shall govern.
Upon Hopper’s request, Provider will provide Hopper with information demonstrating that it maintains information security controls aligned with the requirements in this Addendum. Provider will maintain, at a minimum, SOC-2 Type I and Type II report compliance audit documentation, or its equivalent, during the Term and will provide a copy (without charge) to Hopper at least once per year during the Term upon written request by Hopper. If Provider handles any Cardholder Data as defined in the Payment Card Industry Data Security Standard (“PCI-DSS”), Provider will maintain, at a minimum, compliance with the latest PCI-DSS standard as applicable to Provider and/or Hopper and maintain independent audit documentation including at least an Attestation of Compliance, during the Term and will provide a copy (without charge) to Hopper on the date hereof and at least once per year during the Term upon written request by Hopper. If Provider does not maintain SOC-2 Type I and Type II report compliance audit documentation as specified above, then Provider shall maintain (for three (3) years after the Agreement ends) complete and accurate records relating to its processing of Hopper Data hereunder and its compliance with this Addendum. Hopper may audit such records during regular business hours, with reasonable advance notice and subject to reasonable confidentiality procedures. Hopper may not audit Provider more than once annually unless an audit reveals a noncompliance or is needed to satisfy Hopper’s own legal compliance obligations.
Provider will provide Hopper with the contact details of Provider’s global data privacy lead, chief privacy officer, data protection officer, or other employee appointed by Provider to address data privacy issues.
Provider will cooperate as directed by Hopper in any audits or inquiries conducted by or on behalf of Hopper, its affiliates and operations worldwide, and/or any data protection authorities, courts, and/or other authorities related to the processing of the Personal Data, including by providing support to Hopper with respect to (i) assisting Hopper in responding to data subject requests for exercising data subject rights under applicable law, including erasing or blocking Personal Data without delay on Hopper’s instruction; (ii) assisting Hopper in responding to data protection authority or other regulatory requests for information related to Provider’s processing; and (iii) providing all information necessary related to Provider’s processing for Hopper to demonstrate compliance with applicable data protection laws.
Provider shall promptly notify Hopper if it receives a request for subject access, rectification, cancellation, objection or any other data protection related request, and, should any court, government agency or law enforcement agency contact Provider with a demand for Hopper Data, Provider will direct the agency to request such information directly from Hopper. As part of this effort, Provider may provide Hopper’s basic contact information to the agency. If compelled to disclose Hopper Data to law enforcement, then Provider will promptly, and without any undue delay, notify Hopper and deliver a copy of the request (except when Provider is legally prohibited from doing so) to allow Hopper to seek a protective order or any other appropriate remedy.
APPENDIX 1 (Hopper Data Processing and Security Addendum)
1.A - LIST OF PARTIES
Data exporter(s): Name: Hopper Travel (Ireland), Ltd. Address: Mespil Business Centre, Mespil House, Sussex Road, Dublin 4 Contact person’s name, position and contact details: Brian Carroll, General Counsel, firstname.lastname@example.org Activities relevant to the data transferred under these Clauses: See Appendix 1.B Signature and date:
Role (controller/processor): Controller
Data importer(s): Name: ____ Address: __ Contact person’s name, position and contact details: ____ Activities relevant to the data transferred under these Clauses: See Appendix 1.B Signature and date:
Role (controller/processor): Processor
1.B - DETAILS OF THE TRANSFER(S)
1.C - COMPETENT SUPERVISORY AUTHORITY
Ireland Data Protection Commission (DPC) (An Coimisiún um Chosaint Sonraí)
APPENDIX 2 - Technical and Organizational Safeguards (Hopper Data Processing and Security Addendum)
a. Access Controls. Policies, procedures, and physical and technical controls: (i) to limit physical access to its information systems, data processing equipment, data processing systems, and the facility or facilities in which they are housed to properly authorized persons; (ii) to ensure that all members of its workforce who require access to the Hopper Data have appropriately controlled access and will maintain the confidentiality of the Hopper Data, and to prevent those workforce members and others who should not have access from obtaining access; (iii) to authenticate and permit access only to authorized individuals and to prevent members of its workforce from providing the Hopper Data or information relating thereto to unauthorized individuals; (iv) to encrypt and decrypt the Hopper Data where appropriate; (v) to provide for the use of pseudonymisation where appropriate; and (vi) to ensure that data collected for different purposes can be processed separately.
b. Security Awareness and Training. A security awareness and training program for all members of Provider’s workforce (including management) who have access to the Hopper Data, which includes training on how to implement and comply with its Information Security Program.
c. Security Incident Procedures. Policies and procedures to detect, respond to, and otherwise address Security Incidents (as defined herein), including procedures to monitor systems and to detect actual and attempted attacks on or intrusions into the Hopper Data or information systems relating thereto, and procedures to identify and respond to suspected or known security or privacy incidents, mitigate harmful effects of such incidents, and document such incidents and their outcomes.
d. Contingency Planning. Policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages the Hopper Data or systems that contain the Hopper Data, including a data backup plan, a Business Continuity Plan (BCP) and a disaster recovery plan, including measures to ensure the ongoing confidentiality, integrity, availability and resilience of Provider systems and services, and to ensure the ability to restore the availability and access to the Hopper Data in a timely manner in the event of a physical or technical incident.
e. Device and Media Controls. Policies and procedures that govern the receipt and removal of hardware and electronic media that contain the Hopper Data into and out of a Provider facility, and the movement of these items within a Provider facility, including policies and procedures to address the final disposition of the Hopper Data, and/or the hardware or electronic media on which it is stored, and procedures for removal of Personal Data from electronic media before the media are made available for reuse.
f. Audit Controls. Hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic information, including appropriate logs and reports concerning these security requirements and compliance therewith, and measures to ensure that it is possible to check and establish whether and by whom data have been input into data processing systems or removed.
g. Data Integrity. Policies and procedures to ensure the confidentiality, integrity, and availability of the Hopper Data and protect it from disclosure, improper alteration, or destruction.
h. Storage and Transmission Security. Technical security measures to guard against unauthorized access to the Hopper Data that is being transmitted over an electronic communications network, including a mechanism to encrypt Personal Data in electronic form while in transit and at rest in storage on networks or systems to which unauthorized individuals may have access, and to ensure that it is possible to check and establish to which bodies the transfer of Data by means of data transmission facilities is envisaged.
i. Storage Media. Policies and procedures to ensure that prior to any storage media containing Hopper Data being assigned, allocated or reallocated to another user, or prior to such storage media being permanently removed from a facility, Provider will irreversibly delete such Hopper Data from both a physical and logical perspective, such that the media contains no residual data, or if necessary physically destroy such storage media such that it is impossible to recover any portion of data on the media that was destroyed. Provider shall maintain an auditable program implementing the disposal and destruction requirements set forth in this Section for all storage media containing Hopper Data.
j. Assigned Security Responsibility. Provider shall designate a security official responsible for the development, implementation, and maintenance of its Information Security Program. Provider shall inform Hopper as to the person responsible for security.
k. Testing. Provider shall regularly test, assess, and evaluate the key controls, systems and procedures of its Information Security Program to ensure that they are properly implemented and effective in addressing the threats and risks identified and protecting the Hopper Data. Tests should be conducted or reviewed by independent third parties or staff independent of those that develop or maintain the security programs.
l. Adjust the Program. Provider shall monitor, evaluate, and adjust, as appropriate, the Information Security Program in light of any relevant changes in technology or industry security standards, the sensitivity of the Personal Data, internal or external threats to Provider or the Hopper Data, and Provider’s own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to information systems.
APPENDIX 3 - Subcontractors (Hopper Data Processing and Security Addendum)
The controller has authorised the use of the following sub-processors: None.