Hootsuite Data Processing Addendum


Last Modified: February 28, 2025

This Data Processing Addendum, including its Appendices (“DPA”), forms part of the Enterprise Terms of Service or other written or electronic agreement incorporating this DPA by reference (the “Agreement”) between Hootsuite and the entity identified as Customer in the Agreement (“Customer”), for the purpose of providing certain services (the “Services”). 

In the course of providing the Services to Customer pursuant to the Agreement, Hootsuite may Process Customer Personal Data (as defined below) on Customer's behalf. This DPA sets out the terms that apply when Customer Personal Data that is subject to Applicable Data Protection Laws is Processed by Hootsuite on Customer's behalf under the Agreement. 

Customer enters into this DPA on behalf of itself and, to the extent required under Applicable Data Protection Laws, in the name and on behalf of its Affiliates that are permitted to use the Services under the Agreement. Unless otherwise defined herein, capitalized terms in this DPA will have the same meaning ascribed to them in the Agreement.

1. PROCESSING OF PERSONAL DATA

1.1 Scope. This DPA applies to the Processing of Customer Personal Data that is subject to Applicable Data Protection Laws by Hootsuite in its capacity as a processor or service provider for the purpose of providing the Services. 

1.2 Roles. The parties acknowledge and agree that, with regard to the Processing of Customer Personal Data, Customer is the controller or business and Hootsuite is Customer’s processor or service provider under Applicable Data Protection Laws. 

1.3 Details of Processing. The subject matter, duration, nature, and purpose of the Processing, and the types of personal data or personal information, and categories of data subjects or consumers, are described in Appendix 1 of this DPA.

1.4 Customer’s Responsibilities. Customer shall, in its use of the Services: (a) comply with its obligations as a controller or business and Process Customer Personal Data in accordance with Applicable Data Protection Laws; (b) ensure that its instructions to Hootsuite comply with Applicable Data Protection Laws; (c) have sole responsibility for the accuracy, quality, and legality of Customer Personal Data; and (d) ensure that Customer is entitled to transfer Customer Personal Data to Hootsuite so that Hootsuite and its Subprocessors may lawfully Process Customer Personal Data under Applicable Data Protection Laws. 

1.5 Customer’s Instructions. Customer instructs Hootsuite to collect, analyze, display, store and otherwise Process Customer Personal Data for the purpose of providing, updating, and improving the Services to Customer in a manner consistent with the Agreement, this DPA and, where applicable, the privacy policy published at https://hootsuite.com/legal/privacy. Hootsuite will comply with other reasonable instructions provided by Customer (e.g., via email or support tickets) or initiated by Customer’s authorized users of the Services, where such instructions are consistent with the terms of the Agreement. Hootsuite will inform Customer if, in its opinion, an instruction infringes Applicable Data Protection Laws. 

1.6 Hootsuite’s Responsibilities. Hootsuite shall comply with its obligations under Applicable Data Protection Laws in its role as a processor or service provider and notify Customer if it cannot or can no longer meet such obligations. Hootsuite will only Process Customer Personal Data in accordance with Customer’s documented instructions as set out in Section 1.5 and agrees that it shall not: (a) “sell” or “share” Customer Personal Data within the meaning of Applicable Data Protection Laws (including the CCPA); (b) retain, use, or disclose Customer Personal Data for any purpose other than the business purposes specified under the Agreement and this DPA; (c) use Customer Personal Data received in connection with the Agreement outside of the relationship between Customer and Hootsuite; or (d) combine Customer Personal Data with information that Hootsuite has received from other sources; in each case except as permitted under the Agreement and Applicable Data Protection Laws.

2. SUBPROCESSORS

2.1 Appointment of Subprocessors. Customer agrees and provides a general written authorization that Hootsuite and its Affiliates may engage Subprocessors, provided that: (a) Hootsuite and each Subprocessor shall enter a written agreement containing data protection obligations that provide an equivalent level of protection for Customer Personal Data as those described in this DPA (in particular, providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of Applicable Data Protection Laws); and (b) Hootsuite shall remain responsible for its Subprocessors' compliance with the obligations under this DPA and for any acts or omissions of its Subprocessors that cause Hootsuite to breach any of its obligations under this DPA. 

2.2 Identification and Notification of Authorized Subprocessors. Hootsuite maintains a list of its authorized Subprocessors at a publicly listed web page, currently found at https://hootsuite.com/legal/subprocessor-list. Customer may subscribe to receive notifications of new or replacement Subprocessors by emailing privacy@hootsuite.com with the subject “Subprocessor Subscribe”. If Customer subscribes to receive notifications, Hootsuite shall provide thirty (30) days' notification of any intended new or replacement Subprocessor before authorizing such Subprocessor to Process Customer Personal Data in connection with the provision of the applicable Services. 

2.3 Right to Object to New Subprocessors. Customer may reasonably object to Hootsuite’s use of a new or replacement Subprocessor by notifying Hootsuite promptly in writing within ten (10) business days after receipt of Hootsuite’s notice in accordance with Section 2.2. Customer shall explain the reasonable grounds for any such objection, which must relate to compliance with Applicable Data Protection Laws. Upon receipt of an objection, Hootsuite will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s configuration or use of the Services to avoid the Processing of Customer Personal Data by the objected-to Subprocessor. If Hootsuite is unable to make such a change or recommendation within a reasonable period of time, Customer may terminate the affected part of the Services in accordance with the terms of the Agreement. 

3. CONFIDENTIALITY

3.1 Confidentiality. Hootsuite shall ensure that any persons that it authorizes to Process Customer Personal Data (including its staff, agents and contractors) shall be subject to a duty of confidentiality that survives the termination of their employment and/or contractual relationship. 

3.2 Government requests. Hootsuite shall not disclose Customer Personal Data to any law enforcement agency or government authority (collectively, “Government Authority”) unless instructed by Customer, or as necessary to comply with applicable laws or a valid and binding order of a Government Authority, such as a subpoena or court order. If a Government Authority requests access to Customer Personal Data, and unless legally prohibited from doing so, Hootsuite shall (a) inform the Government Authority that Hootsuite is a processor or service provider and attempt to redirect the Government Authority to Customer (and may provide Customer’s basic contact information to the Government Authority for these purposes); and (b) take commercially reasonable steps to notify Customer of legally binding requests to allow Customer to seek a protective order or other appropriate remedy. If Hootsuite is legally compelled to respond to the request, Hootsuite shall review the legality of the request and determine whether the request may be challenged. In any event, Hootsuite shall only disclose the minimum information that is required to comply with the request. 

4. SECURITY

4.1 Security Measures. Hootsuite shall maintain an information security program for the Services that aligns with the National Institute of Standards and Technology (NIST) Cybersecurity Framework and the Information Security Management Standard (ISMS) family of standards (ISO/IEC 27000 standard series), or such other alternative standards as are substantially equivalent to those standards, and shall implement and maintain appropriate technical and organizational measures to protect Customer Personal Data from Security Incidents and preserve the security, confidentiality, and integrity of Customer Personal Data, as further described in Appendix 2 of this DPA (“Security Measures”). These Security Measures shall include, as appropriate: (a) the pseudonymization and encryption of Customer Personal Data; (b) the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of Hootsuite's systems and services; (c) the ability to restore the availability and access to Customer Personal Data in a timely manner in the event of a physical or technical incident; and (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing. Hootsuite may update or modify the Security Measures from time to time provided that such updates and modifications do not materially decrease the overall security of the Services provided to Customer.

4.2 Audits and Third-Party Security Certifications. Hootsuite uses external auditors to verify the adequacy of its Security Measures and agrees to having an audit performed: (a) annually; (b) according to AICPA SOC 2 (AT-101) or substantially similar requirements; and (c) by independent third-party security professionals at Hootsuite’s selection and expense. Customer agrees that Hootsuite’s audit reports and certifications will be used to satisfy any audit or inspection requests by Customer (or Customer’s independent, third-party auditor), including for the purposes of meeting any audit obligations under Applicable Data Protection Laws or the SCCs, which Hootsuite will make available to Customer upon written request no more than once per year and subject to the confidentiality obligations set forth in the Agreement (or a separate non-disclosure agreement, if necessary). 

5. INCIDENT MANAGEMENT AND NOTIFICATION

5.1 If Hootsuite becomes aware of a Security Incident for which notification to Customer is required under Applicable Data Protection Laws, Hootsuite will, without undue delay, notify Customer of the Security Incident. Hootsuite will include in the notification such information about the Security Incident as Hootsuite is reasonably able to disclose to Customer, taking into account the nature of the Services, the information available to Hootsuite, and any restrictions on disclosing the information, such as confidentiality. Any notice of a Security Incident provided by Hootsuite is not, and will not be construed as, an acknowledgement by Hootsuite of any fault or liability.

6. PRIVACY RIGHTS REQUESTS

6.1 To the extent required under Applicable Data Protection Laws, and insofar as Customer cannot respond through functionality made available via the Services, Hootsuite shall provide Customer with commercially reasonable assistance to enable Customer to respond to requests from data subjects or consumers seeking to exercise their rights under Applicable Data Protection Laws, taking into account the nature of the Processing.

7. DPIA AND CONSULTATIONS

7.1 Upon Customer’s reasonable written request, and to the extent required under Applicable Data Protection Laws, Hootsuite shall provide Customer with reasonable cooperation and assistance needed to fulfill Customer’s obligations to carry out data protection impact assessments and consult with supervisory authorities related to Customer’s use of the Services. 

8. INTERNATIONAL DATA TRANSFERS

8.1 International Data Transfers. Customer acknowledges and agrees that Hootsuite may transfer and Process Customer Personal Data outside of your country as necessary to provide the Services, including Canada and other countries where Hootsuite, its Affiliates, and Subprocessors maintain data processing operations. Hootsuite shall take all such measures as are necessary to ensure such transfers are made in compliance with applicable European Data Protection Laws. In particular, Customer acknowledges that Hootsuite may Process Customer Personal Data in Canada, a jurisdiction recognized by the European Commission as providing an adequate level of protection for personal data. 

8.2 Standard Contractual Clauses. To the extent that the transfer of Customer Personal Data from Customer to Hootsuite involves a Restricted Transfer, and the transfer is not covered by adequacy status, then the SCCs shall be incorporated and form an integral part of this DPA, with Customer (and any Customer Affiliates) as the "data exporter" and Hootsuite Inc. as the "data importer", as follows:

(a) In relation to Customer Personal Data that is subject to the GDPR: (i) Module Two (controller to processor) shall apply; (ii) in Clause 7, the optional docking clause shall apply; (iii) in Clause 9, Option 2 shall apply, and the time period for prior notice of Subprocessor changes shall be as set out in Section 2.2 of this DPA; (iv) in Clause 11, the optional language shall not apply; (v) in Clause 17, Option 1 shall apply, and the SCCs shall be governed by Irish law; (vi) in Clause 18(b), disputes shall be resolved before the courts of Ireland; (vii) Annex I of the SCCs shall be deemed completed with the information set out in Appendix 1 to this DPA; and (viii) Annex II of the SCCs shall be deemed completed with the information set out in Appendix 2 to this DPA.

(b) In relation to Customer Personal Data that is subject to the UK GDPR, the SCCs shall apply in accordance with Section 8.2(a), with the following modifications: (i) the SCCs shall be deemed amended as specified by the UK Addendum, which shall be deemed executed by the parties and incorporated into and form an integral part of this DPA; (ii) any conflict between the SCCs and the UK Addendum shall be resolved in accordance with Section 10 and Section 11 of the UK Addendum; (iii) tables 1 to 3 in Part 1 shall be completed respectively with the information set out in Appendices 1 and 2 of this DPA; and (iv) table 4 in Part 1 shall be deemed completed by selecting "neither party". 

(c) In relation to Customer Personal Data that is subject to the Swiss FADP, the SCCs shall apply in accordance with Section 8.2(a), with the following modifications: (i) references to "Regulation (EU) 2016/679" and specific articles therein shall be replaced with references to the Swiss FADP and the equivalent articles or sections therein; (ii) references to "EU", "Union" and "Member State" shall be replaced with references to "Switzerland"; (iii) Clause 13(a) and Annex II(C) are not used and the "competent supervisory authority" shall be the Swiss Federal Data Protection Information Commissioner; (iv) references to the "competent supervisory authority" and "competent courts" shall be replaced with references to the "Swiss Federal Data Protection Information Commissioner" and "applicable courts of Switzerland"; (v) in Clause 17, the SCCs shall be governed by the laws of Switzerland; and (vi) in Clause 18(b), disputes shall be resolved before the applicable courts of Switzerland. 

8.3 Clarifications to the Standard Contractual Clauses. Where the Hootsuite contracting entity under the Agreement is not Hootsuite Inc., such contracting entity (not Hootsuite Inc.) will remain fully and solely responsible to Customer for the performance of the SCCs by Hootsuite Inc. and Customer shall direct any instructions or claims in relation to the SCCs to such contracting entity. The parties agree that if Hootsuite cannot ensure compliance with the SCCs, it shall promptly inform Customer and Customer shall provide Hootsuite with a reasonable period of time to cure the non-compliance, during which time Hootsuite and Customer shall reasonably cooperate to agree what additional safeguards or measures, if any, may be reasonably required. Customer shall only be entitled to suspend the transfer of Customer Personal Data and/or terminate the affected parts of the Services for non-compliance with the SCCs if Hootsuite has not or cannot cure the non-compliance before the end of the cure period. Additionally, in the event Hootsuite adopts an alternative transfer mechanism, such alternative transfer mechanism shall apply instead of the SCCs described in Section 8.2 of this DPA, but only to the extent such alternative transfer mechanism complies with applicable European Data Protection Laws and extends to the territories to which Customer Personal Data is transferred.

9. RETURN AND DELETION OF PERSONAL DATA 

9.1 Upon termination of the Services, Hootsuite shall, upon Customer’s written request received by Hootsuite within 30 days of termination of the Services, return or delete all Customer Personal Data and copies of such data in its custody or control, unless it is legally required to retain the Customer Personal Data. Until the Customer Personal Data is deleted or returned, Hootsuite shall continue to protect the Customer Personal Data in accordance with the Agreement, this DPA, and Applicable Data Protection Laws.

10. GENERAL PROVISIONS

10.1 Legal Effect. This DPA is an addendum to and incorporated as part of the Agreement between Customer and Hootsuite. Except as expressly provided herein, a Hootsuite entity is not a party to this DPA (or the SCCs) unless it is a party to the Agreement. Except for changes made by this DPA, the Agreement remains unchanged and in full force and effect. This DPA supersedes and replaces all prior or contemporaneous representations, understandings, agreements, or communications between Customer and Hootsuite, whether written or verbal, regarding the subject matter of this DPA, including any data processing addenda previously entered into between Hootsuite and Customer. 

10.2 Conflict. If there is a conflict between any provision of this DPA and any provision of the Agreement, the following order of precedence shall apply: (1) the SCCs; (2) this DPA; and (3) any other part of the Agreement. 

10.3 Termination. This DPA shall continue in force until the termination of the Agreement.

10.4 Limitations of Liability. The liability of each party under this DPA (including the SCCs) shall be subject to the exclusions and limitations of liability set out in the Agreement. For the avoidance of doubt, Hootsuite’s and its Affiliates’ total liability for all claims arising out of or related to this DPA shall apply in the aggregate for all claims, including by Customer and Customer’s Affiliates. In no event does this DPA restrict or limit the rights of any data subject or consumer under Applicable Data Protection Laws or the SCCs.

10.5 Disclosure of this DPA. Customer acknowledges that Hootsuite may disclose this DPA and any relevant privacy provisions in the Agreement to a European supervisory authority, or any other European, Canadian, or US judicial or regulatory body upon request.

10.6 Amendments. We may change any part of this DPA at any time by posting the revised terms on the Hootsuite website. We will notify you of any changes that, in our sole discretion, materially impact this DPA. The updated DPA will be effective as of the time of posting, or on such later date as may be specified in the updated DPA, and your continued use of the Services after any such changes are effective will constitute your consent to such changes.

11. DEFINITIONS

11.1 In this DPA, the following terms have the meanings given to them below:

(a) The terms “business”, “consumer”, “controller”, “data subject”, “personal data”, “personal information”, “processor”, “service provider”, and “supervisory authority” have the meanings given to them under Applicable Data Protection Laws. 

(b) “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity. 

(c) “Agreement” means the written or electronic agreement that Customer has entered into with Hootsuite that incorporates this DPA by reference.

(d) “Applicable Data Protection Laws” means European Data Protection Laws, US Privacy Laws, and all other data protection and privacy laws and regulations as applicable to the Processing of Customer Personal Data under the Agreement. 

(e) “Customer Personal Data” means any personal data or personal information provided by (or on behalf of) Customer to Hootsuite, or otherwise Processed by Hootsuite on Customer’s behalf under the Agreement, as described in Appendix 1 of this DPA. “Customer Personal Data” does not include any personal data or personal information that Customer Processes via third-party services that are not provided by Hootsuite but which Customer may access or use in connection with the Services. 

(f) “Europe” means, for the purposes of this DPA, the European Economic Area and its Member States, Switzerland, and the United Kingdom (“UK”).

(g) “European Data Protection Laws” means all data protection and privacy laws and regulations of Europe that are applicable to the Processing of Customer Personal Data under the Agreement, including: (i) the EU General Data Protection Regulation (“GDPR”); (ii) any applicable national implementations of the GDPR; (iii) the GDPR as it forms part of UK law by virtue of Section 3 of the European Union (Withdrawal) Act 2018 and the Data Protection Act 2018 (together, the “UK GDPR”); and (iv) the Swiss Federal Act on Data Protection of 2020 and its Ordinance (“Swiss FADP”); in each case as may be amended, superseded, or replaced from time to time.

(h) “Hootsuite” means the Hootsuite entity that is party to the Agreement, being Hootsuite Inc. (111 East 5th Avenue, 3rd Floor, Vancouver, British Columbia, Canada V5T 4L1), Sparkcentral Europe NV (Kempische Steenweg 311 b6.01, 3500 Hasselt, Belgium), Heyday Technologies Inc. (1100 avenue des Canadiens-de-Montréal, Bureau, 150 Montreal, Quebec, Canada, H3B 2S2), Talkwalker S.à r.l. (33 avenue John F. Kennedy, L-1855, Luxembourg), Talkwalker Inc. (3616 Far West Blvd., Suite 117 #419, Austin, TX 78731), Talkwalker Pte. Ltd. (9, Raffles Place, #26-01 Republic Plaza, Singapore 048619) or Talkwalker KK (Ark Hills South Tower 16F, 1-4-5 Roppongi, Minato-ku Tokyo, 13, 106-0032, Japan). 

(i) “Process” or “Processing” means any operation or set of operations that are performed on Customer Personal Data, whether or not by automated means, including the collection, use, and disclosure of Customer Personal Data.

(j) “Restricted Transfer” means a transfer of Customer Personal Data originating from Europe to a country that does not provide an adequate level of protection for personal data within the meaning of applicable European Data Protection Laws.

(k) “Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, any Customer Personal Data Processed by Hootsuite in connection with the provision of the Services. This does not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

(l) “Services” means the services provided by Hootsuite to Customer as set forth in the Agreement or associated Order Form or Authorisation Form (as applicable).

(m) “SCCs” means the standard contractual clauses as approved by the European Commission pursuant to its decision 2021/914 of 4 June 2021, as may be amended, superseded, or replaced from time to time. 

(n) “Subprocessor” means any third-party processor engaged by Hootsuite or its Affiliates to assist in providing the Services to Customer in accordance with the Agreement and this DPA. Subprocessors do not include Hootsuite’s or its Affiliates’ employees, contractors, or consultants.  

(o) “UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under section 119A(1) of the Data Protection Act 2018, as may be amended, superseded, or replaced from time to time.

(p) “US Privacy Laws” means all United States federal and state data protection and privacy laws that are applicable to the Processing of Customer Personal Data under the Agreement, including without limitation: (i) the California Consumer Privacy Act, as amended by the California Privacy Rights Act, and any implementing regulations relating to the same (together, the “CCPA”); (ii) the Virginia Consumer Data Protection Act (“CDPA”); (iii) the Colorado Privacy Act (“CPA”); (iv) the Utah Consumer Privacy Act (“UCPA”); (v) the Connecticut Data Privacy Act (“CTDPA”); (vi) the Montana Consumer Data Privacy Act (“MCDPA”); (vii) the Texas Data Privacy and Security Act (“TDPSA”); (viii) the Oregon Consumer Privacy Act (“OCPA”); (ix) the Iowa Consumer Data Protection Act (“ICDPA”); (x) the Delaware Personal Data Privacy Act (“DPDPA”); (xi) the Nebraska Data Privacy Act (“NDPA”); (xii) the New Jersey Data Privacy Act (“NJDPA”); (xiii) the Tennessee Information Protection Act (“TIPA”); (xiv) the Maryland Online Data Privacy Act (“MODPA”); (xv) the New Hampshire Privacy Act (“NHPA”); and (xvi) the Minnesota Consumer Data Privacy Act (“MCDPA”); in each case when effective and as may be amended, superseded, or replaced from time to time.

Appendix 1: Description of Processing

This Appendix describes the processing of Customer Personal Data by the parties in connection with the Services and forms an integral part of the Agreement. Unless otherwise defined herein, capitalized terms in this Appendix will have the same meaning ascribed to them in the Agreement.

(A) List of parties

Data Exporter:

Name:

The data exporter is the entity identified as “Customer” in the Agreement.

Address:

The address is set out in the Agreement.

Contact person's name, position and contact details:

The contact information is as set out in the Agreement.

Activities relevant to data transferred under these Clauses:

Processing activities in receiving the Services as set forth in the Agreement

Role (controller/processor): 

Controller

Data Importer:

Name:

The data importer is the applicable Hootsuite entity, as set out under Section 8 of the DPA.

Address:

The address of the applicable Hootsuite entity, as set out under section 8 of the DPA.

Contact person's name, position and contact details:

Jennifer Ma, Senior Director of Product Privacy and Compliance, and Data Protection Officer

Activities relevant to data transferred under these Clauses:

Processing activities in providing the Services as set forth in the Agreement

Role (controller/processor): 

Processor

(B) Description of the processing & transfer

Services

Categories of data subjects or consumers:

- Customer’s employees, consultants, or contractors authorized to use the Services.
- Individuals whose personal data or personal information is included in (i) social media and other messaging services (e.g., WhatsApp, WeChat, X, Facebook, Instagram, TikTok, SMS); (ii) chat communications, including posts, communications, messages, pages or feeds; and (iii) other public sources (e.g., Global News Group); and which is processed on behalf of Customer in connection with the Services. 

Categories of personal data or personal information:

The information that is processed through the Services is determined and controlled by Customers in their sole discretion and may include the following categories:

All Services
- Identification data (e.g., name, social media identifier, username, user ID, profile information, geolocation data)
- Contact details (e.g., name, email address, telephone number)
- Social media content and other internet/platform user generated content (e.g., status updates, posts, comments, pages, profiles, likes, feeds, items on blog or forum containing keywords and characteristics)

Hootsuite Services
- Other individual information (e.g., age, gender, employer, profession, geographic location, education, financial status, habits, interests and preferences)
- Email, documents, user generated content (e.g., messages, posts, photos, videos, comments, pages, profiles, feeds or communications on social media sites/networks) and other data in an electronic form
- Customer inputs and outputs for artificial intelligence enabled Services
- Content, communications, messages, data, and other information not described above that is sent or received by Customer through the Services
- Categories of personal data described in the Hootsuite Inbox products, Hootsuite chatbot products, and Hootsuite Listening products

Sparkcentral Services; Hootsuite Inbox products
- Messaging content that individuals choose to share (e.g., social media messages, in-app messages, SMS)
- Social media and messaging metadata (e.g., number of social media followers, number of posts, number of tweets)

Heyday Services; Hootsuite chatbot products
- Conversational data (e.g., conversations retrieved and processed through Customer’s website or other supported messenger services, and order information)
- Device and browsing data (e.g., IP address, number of visits to website, number of pages viewed, time spent, chat navigation, user tags)

Talkwalker Services; Hootsuite Listening products
- Social media and internet users' publicly available personal characteristics (e.g., age, gender, interests and preferences, professional and educational background, photos and videos) 
- Any other brand monitoring related information published on a publicly available social media or internet site that contains personal information

Sensitive data (if applicable) and applied restrictions or safeguards: 

The information that is processed through the Services is determined and controlled by Customers and may include the following sensitive data: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, data concerning health or sex life, or data relating to offenses, criminal convictions or security measures. See Appendix 2 for applied restrictions and safeguards for sensitive data.

Frequency of the transfer:

Continuous

Nature of the processing: 

Collection, storage, organization, modification, retrieval, disclosure, communication, and other uses in performance of the Services as set out in the Agreement.

Purpose(s) and subject matter of the transfer and further Processing:

Processing activities in performance of the Services as set out in the Agreement, including:
- Providing access to the Hootsuite, Sparkcentral, Heyday, and/or Talkwalker Services;
- Delivering, maintaining, and updating functionalities as licensed, configured, and used by Customer and authorized users;
- Monitoring system performance, security, and availability in real-time;
- Identifying, diagnosing, and resolving technical issues, bugs, and errors, including performing testing and quality assurance;
- Facilitating integrations with authorized third-party applications and services; and
- Other processing activities necessary for the performance of the Services in accordance with Customer’s documented instructions.

Period and duration for which your personal data or personal information will be processed and retained: 

In accordance with Section 9 of the DPA.

(C) Competent supervisory authority

For the purposes of the SCCs, the competent supervisory authority shall be determined in accordance with the GDPR. 

Appendix 2: Security Measures

This Appendix describes the technical and organizational measures to be implemented by Hootsuite and forms an integral part of the Agreement. Unless otherwise defined herein, capitalized terms in this Appendix will have the same meaning ascribed to them in the Agreement.

The technical and organizational measures (“TOMs”) to be implemented (including any relevant certifications) to ensure an appropriate level of security taking into account the nature, scope, context and purposes of the processing, and the risks for the rights and freedoms of natural persons, are described for the applicable Services at the following link https://www.hootsuite.com/legal/security-practices. The following table provides examples of the TOMs implemented by Hootsuite.  

Type of TOMs

Description of TOMs

Measures of pseudonymisation and encryption of personal data

Pseudonymisation
Processing of personal data is limited within the Services. For example, when data is being processed (e.g., retrieved and analyzed), and where feasible, a unique ID is used as the identifier rather than the full personal data fields (such as the account user's first and last name and business email address).

Encryption
Data provided by customers to Hootsuite is encrypted during transit and at rest to mitigate against security threats at industry standard levels.

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services

Access controls
- Access control policies and procedures that address onboarding, off-boarding, transition between roles, regular access reviews, limitations and usage control of administrator privileges, and inactivity timeouts have been implemented.
- Conflicting duties and areas of responsibility are identified and segregated (for example, through separation of duties).
- A current and accurate inventory of computer accounts is maintained. 
- The principles of ‘need-to-know’ and ‘least privilege’ are enforced and user access rights are reviewed on a regular basis to identify excessive privileges. 
- A limit of login attempts is enforced.
- Remote access to production systems and other sensitive network segments requires connection through a VPN.

Authentication
- Passwords require a defined minimum complexity. Initial passwords must be changed after the first login.
- Access to the systems used by Hootsuite employees and contract personnel is controlled by multi-factor authentication (MFA).
- Single sign-on (SSO) has been implemented company-wide to ensure greater and more centralized access control to the systems used by Hootsuite employees and contract personnel.

Personnel practices
- All employees are bound by confidentiality agreements and Hootsuite’s security and privacy policies. Upon onboarding and at least annually thereafter, all employees receive security and privacy training.
- Pre-employment screening (which may include criminal background screening), commensurate with the sensitivity of the role, and where permissible by law, is conducted.

Intrusion Detection and Monitoring
- Intrusion detection mechanisms are used to monitor the Services for unauthorized intrusions.
- Firewalls are configured according to industry best practices, and ports not utilized for delivery of the Hootsuite Services are blocked by configuration with our data center provider.
- Vulnerability scans are performed on production and commercially reasonable efforts are taken to remediate any findings that present a material risk to the Hootsuite environment. 
- Screen lockouts are enforced and full disk encryption is implemented for company laptops.

Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

Disaster Recovery
Customer data is stored redundantly at multiple locations in Hootsuite’s hosting provider’s data centers to ensure availability, and backup and restoration procedures are in place to allow recovery from a major disaster.

Backups
Customer Content and application source code are automatically backed up at least nightly. Hootsuite’s operations team is alerted in the event of any failure of this backup system.

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing

Security team
A dedicated Security leader and Security team oversee, monitor and test the technical and organizational measures implemented for the Services.

Audits and Certifications
- Independent validation of the existence and maturity of Hootsuite’s cyber security program and privacy program through the following certifications:
  - ISO/IEC 27001:2022 Framework for managing information security
  - ISO/IEC 27701:2019 Privacy controls for protecting personal information
  - ISO/IEC 27017:2015 Security guidelines for cloud services
  - ISO/IEC 27018:2019 Protection of personal data in public clouds

- An annual SOC 2 Type II audit performed by an independent third-party to test the effectiveness of the technical and organizational measures in place.

Hootsuite Services security-related audits and certifications also include:
- The SOC 3 report outlines information related to Hootsuite’s internal controls for security.
- Hootsuite has achieved compliance with the UK Cyber Essentials program.
- Hootsuite is authorized for use under the U.S. government’s Federal Risk and Authorization Management Program, a certification process that is audited against the NIST SP 800-53 standard.

Measures for user identification and authorization

Logs
- Logs that record details of transmissions of data from IT systems that store or process personal data, and of user access to the Services, are monitored and reviewed by the Security team to verify that access is authorized.
- All system logs that contain security-relevant information (such as authentication and network access logs) are collected in a central repository and monitored by a dedicated team for suspicious activity.

Encryption and Firewalls
- All public facing interfaces are secured via industry standard encryption and firewalls.
- Production systems are only accessible after MFA.
- Firewalls (e.g., Web Application Firewall, Network Firewalls) are used and monitored continuously on production systems.

Access Control
- Role-based access control is enforced in accordance with ‘need-to-know’ and ‘least privilege’ principles.

Measures for the protection of data during transmission

The Services support the latest industry-standard secure cipher suites and protocols to encrypt all traffic in transit. Hootsuite currently supports TLS 1.2 or above for its web traffic.

Remote access to production systems and some other sensitive network segments is only accessible via a VPN tunnel, which requires MFA and is end-to-end encrypted.

Measures for the protection of data during storage

Customer Content is encrypted at rest (using AES with 128- or 256-bit keys), where appropriate and having regard to the nature of the content and associated risks.

Access controls (as further described above) are implemented to restrict access only to authorized personnel on a ‘need-to-know’ and ‘least privilege’ basis for the purpose of maintaining the Services. 

Measures for ensuring physical security of locations at which personal data are processed

Cloud service provider security
Hootsuite uses Amazon Web Services (AWS) for its production data centers to provide the Hootsuite, Sparkcentral and Heyday Services. AWS holds internationally recognised certifications and accreditations demonstrating compliance with rigorous international standards, such as ISO 27017 for cloud security, ISO 27018 for cloud privacy, SOC 1, SOC 2 and SOC 3, and PCI DSS Level 1. Amazon Web Services' certification and compliance information may be accessed from the AWS Security website and the AWS Compliance website.

Hootsuite uses Hetzner for its production data centers to provide the Hootsuite Listening Services and the Talkwalker Services. Hetzner has the ISO 27001 certification.

Hootsuite office security
All Hootsuite offices where personal data may be processed have:
- Electronic access control systems to protect the main entry and security areas
- Monitoring of the facility by security services and access logging to the facility
- Video surveillance of security-relevant areas, such as entrances and exits
- Central assignment and revocation of access authorisations
- Identification of all visitors by verification of their identity card and registration (a log of visitors is kept)
- Mandatory identification within the security areas for all employees and visitors
- Visitors must be accompanied by employees at all times.

Measures for ensuring events logging

All systems used in the provision of the Hootsuite Services, including firewalls, routers, network switches, intrusion detection systems, anti-malware services and operating systems, log information to secure log servers to enable security reviews and analysis.

See also: Intrusion Detection and Monitoring above for more details.

Measures for ensuring system configuration, including default configuration

Production servers, databases, and cloud security configurations are hardened in line with internal configuration guidelines and in accordance with the Configuration Management Policy.

The configuration and builds of systems are managed in code via our Configuration Management Systems. Changes to configuration sets require peer review and approval. New instances are created from pre-configured and hardened ‘base images’.

Measures for internal IT and IT security governance and management and Measures for certification/assurance of processes and products

Hootsuite implements and maintains industry-standard security policies and procedures that align with the National Institute of Standards and Technology (NIST) cybersecurity framework.

There is a dedicated Security leader and team that implements the security policies and standards, and oversees annual audits and certifications as referenced above (for example, SOC 2 Type II, UK Cyber Essentials program, FedRAMP authorization, ISO 27001 depending on the relevant entity it relates to). 

Measures for ensuring data minimisation

Access to personal data is restricted on a ‘need-to-know’ and ‘least privilege’ basis.

Data exporters (customers) are data controllers of the data they choose to upload onto the Services and may decide to limit the amount of data being processed.

Access to production servers is controlled through role-based access controls.

Measures for ensuring data quality

Data is retrieved from social media networks in real time using APIs, so data accuracy and quality depend on the source data from the social networks.

Data exporters (customers) are data controllers of the data they choose to upload onto the Services and may update or amend the data to ensure data quality.

Measures for ensuring limited data retention

To maintain data accuracy and minimize data retention, and where applicable to the Services, data retrieved from social networks is only temporarily stored for display.

A Records Retention and Destruction Policy is in place and data is retained as long as required to provide the Services, for record keeping purposes, to comply with legal obligations, resolve disputes, and enforce the terms for the Services. 

Data deletion processes are in place for data subject deletion requests.

Measures for ensuring accountability

A dedicated security leader and team are responsible for ensuring that appropriate security and data protection policies and procedures are implemented and adhered to.

Hootsuite has appointed a Data Protection Officer who, together with the Privacy team, oversees the privacy program. 

At the Executive level, leaders are regularly updated on data protection matters and may be involved in providing strategic input into Hootsuite’s data protection practices.

Employees undergo annual privacy and security training.

A process has been implemented to promptly respond to and manage data subject requests, such as requests for access and deletion of their information. 

Hootsuite observes privacy by design principles, including conducting privacy impact assessments and reviews when implementing new product functionality, and new processes. 

Measures for allowing data portability and ensuring erasure

Customers may request the return or deletion of all personal data, and copies of such data, in Hootsuite’s custody or control. Processes are in place for data subject deletion requests.

For data portability, there are “Data Exporting” options within the Services through which Customer Content may be exported in CSV format.

Subprocessor Information

See: https://www.hootsuite.com/legal/subprocessor-list

If you require a written and signed agreement, please click here, complete your customer details, and electronically sign the addendum.