Data Processing Addendum

Last updated on Friday, July 5, 2024

This Data Processing Addendum and its appendixes ("DPA") form part of the Terms of Service available at www.hihello.com/legal/terms, or, if applicable, any other separate written agreement (the "Agreement" or “Services Agreement”), by and between HiHello, Inc., a Delaware corporation ("HiHello") and the Customer named in the Agreement, pursuant to which Customer has purchased a subscription to access and use the Service (as defined in the Agreement). The parties intend this DPA to be an extension of the Agreement governing certain requirements for HiHello’s Processing of Personal Data provided or made available by Customer, or collected or otherwise obtained by HiHello, in the course of providing the Service to Customer. Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between the terms of this DPA and the Agreement, the terms of this DPA shall prevail.

Customer enters into this DPA on behalf of itself and, to the extent required under Data Protection Legislation, in the name and on behalf of its Affiliates. For the purposes of this DPA only, and except where indicated otherwise, the term “Customer” shall include Customer and such Affiliates.

  • EU Transfers: In relation to Personal Data that is protected by the EU GDPR, the SCCs will apply completed as follows:

    • Module Two (Controller to Processor) will apply;

    • in Clause 7, the optional docking clause will not apply;

    • in Clause 9, Option 2 will apply, and the time period for prior notice of Subprocessor changes shall be as set out in Section 3.3 of this DPA;

    • in Clause 11, the optional language will not apply;

    • in Clause 17, Option 1 will apply, and the SCCs will be governed by the laws of the Republic of Ireland;

    • in Clause 18(b), disputes shall be resolved before the courts of the Republic of Ireland;

    • Annex I of the SCCs shall be deemed completed with the information set out in Appendix 1 of this DPA; and

    • Annex II of the SCCs shall be deemed completed with the information set out in Appendix 2 of this DPA. 

  • UK Transfers: In relation to Personal Data that is protected by UK Data Protection Legislation, the SCCs: (i) shall apply as completed in accordance paragraph a.(i)-(viii) above; and (ii) shall be deemed amended as specified by the UK Addendum, which shall deemed executed by the parties and incorporated into and form an integral part of this DPA. In addition, Tables 1 to 3 in Part 1 of the UK Addendum shall be completed respectively with the information set out in Appendixes 1 and 2 of this DPA and Table 4 in Part 1 shall be deemed completed by selecting "neither party". 

  • Swiss Transfers: In relation to Personal Data that is protected by the Swiss FADP, the SCCs will apply in accordance with paragraph a.(i)-(viii) above with the following modifications: 

    • references to "Regulation (EU) 2016/679" shall be interpreted as references to the Swiss FADP;

    • references to specific Articles of "Regulation (EU) 2016/679" shall be replaced with the equivalent article or section of the Swiss FADP; 

    • references to "EU", "Union", "Member State" and "Member State law" shall be replaced with references to "Switzerland" or "Swiss law"; 

    • the term "member state" shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (i.e., Switzerland);

    • Clause 13(a) and Part C of Annex I are not used and the "competent supervisory authority" is the Swiss Federal Data Protection Information Commissioner; 

    • references to the "competent supervisory authority" and "competent courts" shall be replaced with references to the "Swiss Federal Data Protection Information Commissioner" and "applicable courts of Switzerland"; 

    • in Clause 17, the SCCs shall be governed by the laws of Switzerland; and

    • Clause 18(b) shall state that disputes shall be resolved before the applicable courts of Switzerland.

  • It is not the intention of either party to contradict or restrict any of the provisions set forth in the SCCs and, accordingly, if and to the extent the SCCs conflict with any provision of the Agreement (including this DPA) the SCCs shall prevail to the extent of such conflict.

  1. Customer Responsibilities. Customer is responsible for determining whether the Service is appropriate for the storage and Processing of Personal Data under Data Protection Legislation. Customer further agrees that: (a) it will comply with its obligations under Data Protection Legislation regarding its use of the Service and the Processing of Personal Data; (b) it has provided notice and obtained all consents, permissions and rights necessary for HiHello and its Subprocessors to lawfully Process Personal Data for the purposes contemplated by the Agreement (including this DPA); and (c) it will notify HiHello if it is unable to comply with its obligations under Data Protection Legislation or if its Processing instructions will cause HiHello or its Subprocessors to be in breach of Data Protection Legislation.
  2. Limitation of liability. Any claim or remedy Customer or its Affiliates may have against HiHello, its employees, agents and Subprocessors, arising under or in connection with this DPA (including the Standard Contractual Clauses), whether in contract, tort (including negligence) or under any other theory of liability, shall to the maximum extent permitted by law be subject to the limitations and exclusions of liability in the Agreement. Accordingly, any reference in the Agreement to the liability of a party means the aggregate liability of that party and all of its Affiliates under and in connection with the Agreement and this DPA together.
  3. Permitted Disclosures. Each party acknowledges that the other party may disclose the SCCs, this DPA and any privacy related provisions in the Agreement to any European or US regulator upon request.
  4. Governing Law and Jurisdiction. This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by Data Protection Legislation or the SCCs.

Appendix 1: Description of Processing Activities/ Transfer

This Appendix 1 forms part of the DPA and describes the Processing that HiHello (as the Processor) will perform on behalf of Customer (as the Controller).

Annex I (A): List of Parties 
Data Exporter
Data Importer
Name:  [Customer Name as provided to HiHello] ("Customer")
Name: HiHello, Inc. ("HiHello")
Address: [Customer Address as provided to HiHello]
Address: ‌ 927 Industrial Ave, Palo Alto, CA 94303, United States
Contact Person's Name, position and contact details: [Customer Contact person as provided to HiHello]
Contact Person's Name, position and contact details: [email protected] 
Activities relevant to the transfer:  See Appendix 1 (B) below.
Activities relevant to the transfer: See Appendix 1 (B) below.
Signature and date: This Appendix 1 I shall automatically be deemed executed when the Agreement is executed by Customer. 
Signature and date: This Appendix 1 shall automatically be deemed executed when the Agreement is executed by HiHello. 
Role: Controller
Role: Processor
Annex I (B): Description of transfer
Description of Transfer
Categories of Data Subjects whose Personal Data is transferred: 
The categories of Data Subjects will depend upon Customer’s use of the Service as set out in the Agreement. To the extent the transfer contains Personal Data, it may concern:
- Employees of Customer
- Individual contacts of Customer, including, but not limited to, current and potential customers, clients, partners, prospects, and attendees of events hosted or sponsored by Customer-
- any other data subjects whose personal data may be processed from time to time pursuant to the Agreement and this DPA
Categories of Personal Data transferred: 
The Personal Data that will be included in the transfer will depend upon Customer’s use of the Service as set out in the Agreement. To the extent the transfer contains Personal Data, it may consist of:
- Photographs and/or video of data subjects
- Full or partial name (including but not limited to prefix, first name, middle name, last name, suffix, maiden name)
- Accreditations
- Preferred name and pronouns
- Audio and phonetic pronunciation
- Title, department, company, and headline message
- Email address(es)
- Telephone number(s)
- Address(es)
- Website links
- PDF documents
- Social media profiles like LinkedIn, Facebook, Instagram, X , and more
- Important dates
- IP address
- Any other information the Customer or the Data Subject chooses to include on the Data Subject’s HiHello digital business card
Sensitive Data Transferred (if appropriate) and applied Restrictions or Safeguards
HiHello does not want to, nor does it intentionally, collect or process any Sensitive Data in connection with the provision of the Service. No sensitive data is intended to be transferred unless the user includes it unexpectedly in unstructured data.
Frequency of the Transfer (e.g. whether the data is transferred on a one-off or continuous basis):  
Continuous
Purpose of the Data Transfer/Processing Operations: 
HiHello shall only process Customer Data for the Permitted Purposes, which shall include: (i) processing as necessary to provide the Service in accordance with the Agreement; (ii) processing initiated by Customer in its use of the Service; and (iii) processing to comply with any other reasonable instructions provided by Customer (e.g., via email or support tickets) that are consistent with the terms of the Agreement.
Nature and subject matter of the processing: 
The provision of the Service to Customer as set out in the Agreement.
HiHello is a software-as-a-service platform for digital brand and identity that enables individuals and companies of all sizes to leverage digital business cards, email signatures, and virtual backgrounds to present their brand consistently in every interaction, whether that is in-person, on video, or over email. HiHello offers applications that are available on the Web, on iOS, and Android. The HiHello platform allows users to share their digital business card, and also allows them to optionally receive their contact information in return.
Duration of the processing: 
The duration of the Processing under the DPA is until the termination of the Agreement in accordance with its terms, plus the period from the expiry of the Agreement until deletion of Personal Data in accordance with the terms of the Agreement and this DPA.
Period for which the Personal Data will be retained, or if that is not possible the criteria used to determinate that period, if applicable
As above.
Annex I (C): Competent Supervisory Authority 
Competent Supervisory Authority 
The competent supervisory authority will be determined in accordance with Data Protection Legislation.