HUBLE DIGITAL LIMITED
(“Huble Digital”, “us”, “we”, “our”)
Customer Service Ticket Portal for HubSpot® Service Hub™
Data Processing Agreement
Effective as of 01 May 2021
1.1 This Huble Digital Data Processing Agreement (“DPA”) reflects the agreement with respect to the terms governing the Processing of Personal Data by Huble Digital
(“us”, “we”, “our”) and our clients that procure our software as a service (“SaaS”) offering.
1.2 This DPA must be read in conjunction with and forms part of the terms and conditions of service which govern the use of our SaaS products including, without limitation,
the Customer Service Ticket Portal (“CSTP”) for HubSpot® Service Hub™.
2. DEFINITIONS AND INTERPRETATION
2.1 “Agreement” means the DPA read with the terms and conditions of service, collectively governing the legal relationship between the Client and Huble Digital pursuant
to the Client’s procurement of Huble Digital’s SaaS products.
2.2 “Client” means the HubSpot® customer which procures a service or product offering from Huble Digital.
2.3 “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the
Processing of Personal Data.
2.4 “CSTP” means the customer service ticket portal, a digital platform developed and operated by Huble Digital that extends the HubSpot® Service Hub™ to allow
customers to view and manage service tickets.
2.5 “Data Protection Law” means all applicable legislation relating to data protection and privacy, including without limitation the EU Data Protection Directive 95/46/EC
and all local laws and regulations which amend or replace any of them, including the GDPR, together with any national implementing laws in any member state of the
European Union or, to the extent applicable, any state or country, as amended, repealed, consolidated or replaced from time to time.
2.6 “Data Subject” means the individual to whom Personal Data relates.
2.7 “GDPR” means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural
persons with regard to the processing of personal data and on the free movement of such data.
2.8 “Instruction” means the written, documented instruction, issued by Client to Huble Digital, and directing the same to perform a specific action with regard to Personal
Data (including, but not limited to, depersonalizing, blocking, deletion, making available).
2.9 “Personal Data” means any information relating to an identified or identifiable individual where such information is contained within data and is protected similarly as
personal data or personally identifiable information under applicable Data Protection Law.
2.10 “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal
Data transmitted, stored or otherwise processed.
2.11 “POPIA” means South Africa’s Protection of Personal Information Act 4 of 2013 and all relevant Regulations and as amended from time to time.
2.12 “Processing” means any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organization, structuring,
storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination,
restriction or erasure of Personal Data. The terms “process”, “processes” and “processed” will be construed according to the GDPR (Regulation (EU) 2016/679).
2.13 “Processor” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.
2.14 “Special Category Data” means personal information of Data Subjects which is especially sensitive and includes information relating to: race and ethnic origin,
religious and philosophical beliefs, political opinions, trade union membership, biometric data used to identify an individual, genetic data, health data and data related
to sexual preferences, sex life and/or sexual orientation, criminal or objectionable behaviour, or information relating to children.
3. USE OF PERSONAL DATA COLLECTED (PURPOSE AND LEGAL BASIS)
3.1 Huble Digital does not Process the Personal Data received from the Client for its own purposes (whether commercial or personal) but rather processes the Personal
Data purely on behalf of and according to the instructions received from the Client as Data Controller. For these purposes Huble Digital is a Processor as contemplated
by the Data Protection Law.
3.2 The Client unconditionally acknowledges and accepts the legal duties imposed on it as a Controller in terms of the Data Protection Law and indemnifies Huble Digital
for any and all loss or harm whether direct or consequential which may arise as a result of its failure to comply with its compliance obligations as
4. DETAILS OF THE PROCESSING
4.1 Categories of Data Subjects:
4.1.1 The CSTP extracts all contacts and their related companies, tickets, ticket pipelines, ticket engagements and owners stored in the Client’s HubSpot® portal. This
includes all fields of data associated with these records, including custom properties which have been created in the Client’s HubSpot® portal.
4.2 Types of Personal Data:
4.2.1 Contact information, the extent of which is determined and controlled by the Client in its sole discretion, and other Personal Data such as navigational data
(including website usage information), email data, system usage data, application integration data, and other electronic data submitted, stored, sent, or received by
end users via the HubSpot® subscription service and including the CSTP.
5. SUBJECT-MATTER AND NATURE OF THE PROCESSING
5.1 Huble Digital provides the services to the Client in accordance with the relevant SaaS agreement or terms and conditions of service. Such services in the ordinary
course involve the Processing of Personal Data in accordance with the instructions issued to Huble Digital by the Client.
5.2 Purpose of the Processing: Personal Data will be Processed for purposes of providing the services set out and otherwise agreed to in the SaaS agreement or terms and
conditions of service, as applicable.
5.3 Duration of the Processing: Personal Data will be Processed for the duration of the Agreement, subject to Section 6 of this DPA.
6. CLIENT RESPONSIBILITY AND UNDERTAKINGS
6.1 In its capacity as Controller and the Responsible Party as contemplated by Data Protection Law, within the scope of the Agreement and the use of the Huble Digital
services, the Client assumes absolute responsibility and warrants to Huble Digital that it will at all times comply with its statutory obligations in terms of Data Protection
Law, including, without limitation, those laws regarding the disclosure and transfer of Personal Data to Huble Digital and the Processing of Personal Data.
6.2 Client’s instructions for the Processing of Personal Data shall comply with the Data Protection Law and the Client indemnifies Huble Digital to the greatest extent
permissible in law for any direct and consequential loss occasioned by Huble Digital acting as Processor on behalf of and/or on the instructions of the Data Controller
with respect to the Processing of Personal Data.
6.3 The Client shall indemnify and hold Huble Digital harmless against all liability, including but not limited to legal costs, claims, civil actions, damages, indirect or
consequential damages, or expenses incurred by Huble Digital or for which Huble Digital may become liable due to any failure by the Client or its employees or agents
whether authorised or not, to comply with the obligations under this DPA or Data Protection Law.
6.4 The Client shall inform Huble Digital without undue delay and comprehensively about any errors or irregularities related to statutory provisions on the Processing of
6.5 The Client shall inform Huble Digital and the appropriate authorities, without delay, if the Processing includes Special Category Data or any other special categories of
Personal Data as contemplated by Data Protection Laws including without limitation: financial, medical, racial and health related information as contemplated by HIPAA
or otherwise, information regarding children, or any type of Processing or Personal Data that is afforded a higher level of protection under Data Protection Law.
6.6 The Client warrants that it has implemented the required technical and organisational measures to adequately protect Personal Data against accidental or unlawful
destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data in compliance with its obligations in terms of Data Protection Law and indemnifies
Huble Digital for any loss, claims, harm or damages whether direct or indirect occasioned as a result of the Client’s use of Huble Digital’s services.
7. CLIENT INDEMNITIES
7.1 If Huble Digital is sued for something that the Client has indemnified us for, the Client will take our place in the lawsuit or be liable to reimburse us for any costs, damages
and expenses including attorneys’ fees on the attorney and own client scale. This means that the Client will be liable to pay Huble Digital attorney’s fees finally awarded
against us by a court or agreed to in a written settlement agreement, provided that:
7.1.1 Huble Digital will notify the Client in writing as soon as we become aware of the indemnified claim so it can take steps to contest it,
7.1.2 Client may assume sole control of the defence of the claim or related settlement negotiations; and
7.1.3 Huble Digital will provide, at Client’s expense, all the assistance, information, and authority necessary to enable you to perform your obligations under this clause.
7.2 The Client must pay any amount due under clause 7.1 as soon as Huble Digital demands payment. If the Client contests the amount, it must pay the amount into Huble
Digital’s attorney’s trust or give us security to cover the amount, until the dispute has been resolved.
7.3 The Client indemnifies Huble Digital against any claim, loss or damage that Huble Digital may suffer because of your actions.
8. OBLIGATIONS OF PROCESSOR
8.1 Compliance with Instructions.
8.1.1 The Parties acknowledge and agree that Client is the Controller and Huble Digital is the Processor of Personal Data.
8.1.2 Huble Digital shall collect, Process and use Personal Data only within the scope of Client’s instructions. If Huble Digital believes that an instruction of the Client
infringes the Data Protection Law, it shall immediately inform the Client without delay. If Huble Digital cannot process Personal Data in accordance with the
instructions due to a legal requirement under any applicable Data Protection Law, Huble Digital will:
8.1.2.1 promptly notify the Client of that legal requirement before the relevant Processing to the extent permitted by the Data Protection Law; and
8.1.2.2 cease all Processing (other than merely storing and maintaining the security of the affected Personal Data) until such time as the Client issues new
instructions with which Huble Digital is able to comply.
8.1.3 If this provision is invoked, Huble Digital will not be liable to the Client for any failure to perform the applicable services until such time as the Client issues new,
lawful instructions regarding the Processing.
8.1.4 Huble Digital will facilitate the Client’s compliance obligations to implement security measures with respect to Personal Data (including if applicable, the Client’s
obligations pursuant to Articles 32 to 34 (inclusive) of the GDPR), by (i) implementing and maintaining the security measures described in terms of our information
security policy, (ii) complying with the terms of section 8.1.6 (Personal Data Breaches); and (iii) providing the Client with information in relation to the Processing in
accordance with section 9 (Audits).
8.1.5 Confidentiality: Huble Digital shall ensure that any personnel whom Huble Digital authorises to Process Personal Data on its behalf is subject to confidentiality
obligations with respect to that Personal Data. The undertaking of confidentiality shall continue after the termination of the Processing activities to which the duty of
8.1.6 Personal Data Breaches: Huble Digital will notify the Client as soon as practicable after it becomes aware of any Personal Data Breach affecting any Personal Data.
At the Client’s request, Huble Digital will promptly provide the Client with all reasonable assistance necessary to enable the Client to notify the competent
authorities and/or affected Data Subjects about any relevant Personal Data Breaches if Client is required to do so under the Data Protection Law.
8.2 Data Subject Requests
8.2.1 Huble Digital will provide reasonable assistance, including by implementing reasonable and appropriate technical and organisational measures and taking into
account the nature of the Processing, to enable Client to respond to any request from Data Subjects seeking to exercise their rights under the Data Protection Law
with respect to Personal Data (including access, rectification, restriction, deletion or portability of Personal Data, as applicable), to the extent permitted by the law.
If such request is made directly to Huble Digital, Huble Digital will promptly inform the Client and will advise Data Subjects to submit their request to the Client. The
Client shall be solely responsible for responding to any Data Subjects’ requests. The Client shall reimburse Huble Digital for any costs arising from this assistance.
8.3 Data Security
8.3.1 Huble Digital shall implement measures toward achieving the required technical and organisational measures to adequately protect Personal Data against
accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data.
8.3.2 The Client warrants that it is aware of the status of the data privacy and security compliance initiatives which Huble Digital is undertaking and that the process of
POPIA and ISO certification is underway.
8.3.3 The Client further unconditionally assumes any and all risks to data which is or may be associated with the Huble Digital services and has voluntarily assumed
these risks with a full and unconditional indemnification in favour of Huble Digital against financial loss or reputational harm resulting from any data security or
privacy breach which may occur in the course of providing the services. This indemnification will not apply in the case of any data security or privacy breach which
is caused directly by the gross negligence or wilful misconduct of Huble Digital.
8.4 Sub-Processors, International Data Flow and Third-Party Hosting
8.4.1 Huble Digital shall be entitled to engage sub-Processors to fulfil Huble Digital’s obligations in relation to the services. For these purposes, Client consents to the
engagement as sub-Processors of Huble Digital’s affiliated companies and the third parties listed in Exhibit 1. For the avoidance of doubt, the above authorisation
constitutes Client’s prior written consent to the sub-Processing by Huble Digital.
8.4.2 The Client acknowledges and understands that in certain instances Huble Digital contracts with a third-party hosting service provider (“Hosting Service Provider”)
in order to host the Client’s data, including Personal Data (“Hosting Services”). As such, the terms of service of the Hosting Service Provider are applicable and are
supplementary to the Agreement. This means that:
8.4.2.1 Huble Digital is not liable in any form whatsoever, for any loss or damage resulting from the use of the Hosting Service Provider’s platform and the Client
accordingly indemnifies Huble Digital from any liability arising from civil or criminal proceedings instituted against Huble Digital or for any loss or damage
which the Client, a Data Subject or any third party may have suffered because of any interruption or unavailability of the Hosting Services.
8.4.2.2 The Client indemnifies and holds Huble Digital harmless against all losses it may suffer or actions against us as a result of:
8.4.2.2.1 the use of the Hosting Services, or any downtime, outage, degradation of the network, interruption in or unavailability of the Hosting Services. This
includes software or hardware service, repairs, maintenance, upgrades, modification, alterations, replacement or relocation of premises affecting
the Hosting Services;
8.4.2.2.2 non-performance or unavailability of any of the Hosting Services given by an electronic communications network or service provider, including,
line failure, or in any international services or remote mail servers;
8.4.2.2.3 non-performance or unavailability of external communications networks to which the Hosting Service Provider or the Huble Digital network
infrastructure is connected, and
8.4.2.2.4 repairs, maintenance, upgrades, modifications, alterations or replacement of any hardware forming part of the Services, or any faults or defects in
8.4.3 If Huble Digital intends to instruct sub-Processors other than the companies listed in Exhibit 1, Huble Digital will notify the Client thereof in writing (email to the
email address(es) on record in Huble Digital’s account information for the Client is sufficient) and will give the Client the opportunity to object to the engagement of
the new sub-Processors within 30 (thirty) days after being notified. The objection must be based on reasonable grounds (e.g. if the Client proves that significant
risks to the protection of its Personal Data exist at the sub-Processor). If Huble Digital and Client are unable to resolve such objection, either party may terminate
the services to which the sub-Processing relates by providing written notice to the other party.
8.4.4 Where Huble Digital engages sub-Processors, Huble Digital will enter into a contract with the sub-Processor that imposes on the sub-Processor the same
obligations that apply to Huble Digital and the Controller under this DPA.
8.4.5 Where a sub-Processor is engaged, the Client must be granted the right to monitor and inspect the sub-Processor’s activities in accordance with this DPA and the
Data Protection Law, including to obtain information from Huble Digital, upon written request, on the substance of the contract and the implementation of the data
protection obligations under the sub-Processing contract, where necessary, by inspecting the relevant contract documents.
8.4.6 The provisions of this section shall mutually apply if Huble Digital engages a sub-Processor in a country outside the European Economic Area (“EEA”) not
recognized by the European Commission as providing an adequate level of protection for personal data. If, in the performance of this DPA, Huble Digital transfers
any Personal Data to a sub-Processor located outside of the EEA, Huble Digital shall, in advance of any such transfer, ensure that a legal mechanism to achieve
adequacy in respect of that processing is in place.
8.4.7 Deletion or Retrieval of Personal Data:
8.4.7.1 Other than to the extent required to comply with Data Protection Law, following termination of the Agreement, Huble Digital will delete all Personal Data
(including copies thereof) processed pursuant to this DPA. If Huble Digital is unable to delete Personal Data for technical or other reasons, we will apply
measures to ensure that Personal Data is blocked from any further Processing. Client shall, upon termination or expiration of the Agreement, and by way of
issuing an instruction, stipulate, within a period of time set by Huble Digital, the reasonable measures to return data or to delete stored data. Any additional
cost arising in connection with the return or deletion of Personal Data shall be borne by Client.
8.4.7.2 The Client shall provide a comprehensive retention schedule for all Personal Data prior to commencement of Processing.
9.1 Either party may, prior to the commencement of Processing, at annual intervals hereafter, or where a security breach is reasonably suspected to have occurred, audit the
technical and organisational measures taken by the other in terms of the Data Protection Laws. For such purpose, the parties may:
9.1.1 obtain information from each other,
9.1.2 request an attestation or certificate by an independent professional expert, or
9.1.3 upon reasonable and timely advance agreement, during regular business hours and without interrupting business operations, conduct an on-site inspection of the
business operations or have the same conducted by a qualified third party which shall not be a competitor of either party.
9.1.4 Either party shall, upon written request, and within a reasonable period of time, provide the other with all information necessary for such audit, to the extent that
such information is within the other party’s control and neither are precluded from disclosing it by applicable law, a duty of confidentiality, or any other obligation
owed to a third party.
10. GENERAL PROVISIONS
10.1 With respect to updates and changes to this DPA, no addition, change or supersession of this DPA, nor any waiver of any right arising from this Agreement, shall be of
any force or effect unless reduced to writing and signed by all the Parties with a wet ink signature.
10.2 In case of any conflict, this DPA shall take precedence over the Agreement. Where individual provisions of this DPA are invalid or unenforceable, the validity and
enforceability of the other provisions of this DPA shall not be affected.
Location of Processing
Hosting Services: Liquid Web, LLC (liquidweb.com)
Google LLC (workspace.google.com)
This page refers to the "HubSpot® Service Hub™".
With “HubSpot® Service Hub™,” the “HubSpot” portion is a registered mark and the “Service Hub” portion is a (claimed) trademark. Service Hub is one piece of HubSpot, Inc’s complete CRM platform to help your business grow better.