Data Processing Agreement
All capitalized terms in this DPA shall have the same meaning as defined in the Agreement and in the Applicable Law.
1. Definitions and Interpretation
The following terms shall have the following meanings:
1.1 Applicable Data Protection Laws means, to the extent applicable:
(i) the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (“GDPR”), Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (“e-Privacy Directive”), the UK Data Protection Act 2018 (“UK GDPR”), as well as any other laws and regulations of the European Union, the European Economic Area and their Member States, Switzerland and the United Kingdom; and (ii) all privacy and data protection laws and regulations worldwide (whether national, state, provincial, local or otherwise) applicable to the Processing of Personal Data under the Agreement, as may be amended, extended, re-enacted or interpreted from time to time, including without limitation any applicable jurisdiction-specific terms specified in Schedule 3.
1.2 Data Subject means the identified or identifiable person to whom Personal Data relates;
1.3 Personal Data means “any information relating to an identified or identifiable natural person (data subject); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”, as defined under the General Data Protection Regulation 2016/679, and includes any equivalent definition in the Applicable Data Protection Laws;
1.4 Process, Processing or Processed means “any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”, as defined under the General Data Protection Regulation 2016/679 and includes any equivalent definition in the Applicable Data Protection Laws;
1.5 Purpose means the services and the associated Processing of Personal Data as defined in Schedule 1 to this Agreement;
1.6 Standard Contractual Clauses or SCCs means the “Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council” as adopted by the European Commission on 4 June 2021 (Commission Implementing Decision (EU) 2021/914);
1.7 Terms of Service means the legal agreement between the Controller, as the user, and the Processor that governs the Controller's limited, non-exclusive and terminable right to use the Hotjar Site and Platform, as defined in the Terms of Service.
1.8 UK Addendum to the SCCs means the United Kingdom Addendum B.1.0 to the Standard Contractual Clauses issued by the United Kingdom Commissioner’s Office.
2.1 Hotjar is a Processor and You are a Controller (both as defined in the GDPR).
2.2 The Parties have agreed that the Controller will act as the sole Controller of the Personal Data and that the Processor renounces any rights it may have to act as a data controller of the Personal Data held by the Controller.
2.3 The Parties have agreed that it may be necessary for the Processor to Process certain Personal Data on behalf of the Controller; in light of this Processing, the Parties have agreed to enter into this DPA to address the compliance obligations imposed upon the Controller pursuant to the Applicable Data Protection Laws.
2.4 The Parties agree that the provision of the services under Hotjar’s Terms of Service may qualify as commissioned data Processing as per sec. 28 of the General Data Protection Regulation 2016/679.
2.5 The Processor is appointed by the Controller to Process such Personal Data for and on behalf of the Controller as is necessary to provide the Processing services, and as may subsequently be agreed to by the Parties in writing. Any such subsequent agreement shall be subject to the provisions of this DPA.
2.6 The Controller shall Process Personal Data in accordance with the requirements of the Applicable Data Protection Laws. For the avoidance of doubt, the Controller’s instructions for the Processing of Personal Data shall comply with the Applicable Data Protection Laws and the Processor reserves the right to refuse such instructions if not in compliance with the Applicable Data Protection Laws. The Controller shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which it acquires the Personal Data.
2.7 The Controller shall establish and have any and all required legal basis in order to collect, Process and transfer to Hotjar the Personal Data, and to authorize the Processing by Hotjar, and for Hotjar’s Processing activities on Your behalf.
3. Duration of Processing
3.1 Subject to any section of this DPA and/or the Agreement dealing with the duration of the Processing and the consequences of its expiration or termination, Hotjar will Process Personal Data pursuant to this DPA and the Agreement for the duration of the Agreement, unless otherwise agreed upon in writing by the Parties.
4. Data Processing
4.1 The Processor shall Process Personal Data for the Purpose as described in the Terms of Service, as entered into between the Parties, on behalf of and under the direction of the Controller and as summarized in Schedule 1.
4.2 The Personal Data will be physically stored exclusively within a Member State of the European Union (EU) or within a Member State of the European Economic Area (EEA). Hotjar may need to Process Personal Data on a global basis where access needs to be provided to authorized personnel of Hotjar, its Affiliates or authorized sub-processors as necessary for the performance of the Platform, including in countries outside the European Economic Area (EEA) and/or the United Kingdom (“Third Countries”). Customer hereby approves the transfer of Personal Data to the locations stated in the sub-processor list and acknowledges that the basis of such transfer between jurisdictions is acceptable. Any such transfer is subject to compliance with the technical and organisational measures set out in this Agreement.
4.3 If, as a Controller, You are situated in a country outside the EU and the EEA and Your processing of Personal Data is not subject to the GDPR, the SCCs shall be incorporated in this DPA.
4.4 If, as a Controller, You are situated in the United Kingdom (UK), the SCCs shall apply together with the UK Addendum to the SCCs, in relation to the transfer of Personal Data from the United Kingdom and shall be incorporated in this DPA.
4.5 Depending on how the Controller chooses to use the Hotjar Platform, the subject matter of Processing of Personal Data may cover different types of Personal Data. The categories may vary depending on the specific product and how You choose to configure it and may include:
Observe & Ask:
Hotjar Unique User ID;
device screen resolution;
device type (unique device identifiers), operating system, and browser type;
console logs and errors;
geographic location (country only);
preferred language used to display the Hotjar-enabled site;
mouse events (movements, location and clicks);
keypresses (suppressed by default);
referring URL and domain;
date and time when Your website was accessed and when a specific event on Your website occurred;
user attributes that you may choose to share with us via the Identify API;
any Personal Data provided in the feedback, survey or poll responses;
any Personal Data shared in the research screener responses;
Personal Data a Tester provides to create their profile with Us and demographic information of the Tester, which may include but is not limited to name, country, phone number, age, gender, nationality, education background, job title, marital status, public Facebook or LinkedIn profile (shared voluntarily);
any Personal Data included in the session content (audio, video or text format);
data concerning education and profession;
file attachments that may contain Personal Data;
survey, feedback and assessment messages;
other Personal Data as added by the Controller from time to time.
4.6 The group of Data Subjects affected by the Processing of their Personal Data under this DPA may include:
Observe & Ask:
end-users of the Controller’s websites which make use of the Platform provided by the Processor;
authorized users such as Testers, Affiliates and other participants (including but not limited to your employees, freelancers or contractors) from time to time to whom the Controller has granted the right to access the Platform in accordance with the terms of the Agreement;
any other categories of Data Subjects as added by the Controller from time to time.
4.7 Sale of Personal Data is strictly prohibited and the Processor shall not sell Personal Data. The Processor shall not disclose or transfer Personal Data to a third party or other parties in a manner that would constitute “selling” under Applicable Data Protection Laws (e.g., CCPA).
5. Technical and Organizational Measures
5.1 The Processor shall establish data security in accordance with the Applicable Data Protection Laws. The measures taken must guarantee a level of protection appropriate to the risk concerning the confidentiality, integrity, availability and resilience of the systems. The state of the art, implementation costs, the nature, scope and purposes of Processing, as well as the probability of occurrence and the severity of the risk to the rights and freedoms of natural persons, must be taken into account.
5.2 The Processor has laid down the technical and organizational measures, in Schedule 2 of this Agreement.
5.3 The technical and organizational measures are subject to technical progress and further development. In this respect, it is permissible for the Processor to implement alternative adequate measures from time to time. In so doing, the security level of the defined measures must not be reduced.
6. Data Subject Requests and Hotjar’s Assistance
6.1 The Processor may not, on its own authority, rectify, erase or restrict the Processing of Personal Data that is being Processed on behalf of the Controller (unless this is required by law or by the Processor’s Terms of Service), but shall only do so on documented instructions from the Controller and in accordance with the data retention rules associated with the Controller’s Subscription Plan.
6.2 If a Data Subject applies directly to the Processor with a request to exercise their right under Applicable Data Protection Laws, the Processor must forward this request to the Controller without delay. Hotjar will provide reasonable assistance to the Controller in fulfilling their obligation to respond to any such request.
6.3 Upon the Controller’s request, the Processor shall provide the Controller with reasonable cooperation and assistance needed to fulfill the Controller’s obligation under the GDPR to carry out a data protection impact assessment and, where necessary, a prior consultation related to the Controller’s use of the Processor’s Platform, to the extent that the Controller does not otherwise have access to the relevant information, and to the extent such information is available to the Processor.
7. Quality Assurance and other Obligations of the Processor
7.1 The Processor shall comply with all statutory requirements applicable when carrying out this Agreement. In particular, the Processor ensures compliance with the following requirements:
a. the Processor has appointed a data protection officer, who shall perform such duties in compliance with the Applicable Data Protection Laws. The data protection officer can be contacted via e-mail at firstname.lastname@example.org;
b. the Processor shall keep Personal Data logically separate from data Processed on behalf of any other third party;
c. the Processor and any person acting under its authority shall process the Personal Data in accordance with the Processor’s Terms of Service and on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by European Union or Member State law to which the Processor is subject; in such a case, the Processor shall inform the Controller of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest;
d. the Processor ensures that its personnel (whether legal or natural persons) engaged in the Processing of Personal Data have committed themselves to maintaining the confidentiality of the Personal Data;
e. the Processor and the Controller shall cooperate, on request, with the supervisory authority in the performance of its tasks;
f. Hotjar shall inform You immediately if We receive any complaint, notice or communication that relates directly to the processing of the Personal Data or to either party's compliance with the Data Protection Legislation, unless prohibited from doing so by Law;
g. the Processor shall undertake reasonable efforts to support the Controller if the Controller is subject to an inspection by the supervisory authority, an administrative or summary offense or criminal procedure, a liability claim by a Data Subject or by a third party or any other claim in connection with this Agreement;
h. the Processor shall periodically monitor the internal processes and the technical and organizational measures to ensure that Processing is in accordance with the requirements of Applicable Data Protection Laws and the protection of the rights of the Data Subject; and
i. the Processor shall verify the technical and organizational measures conducted as part of the Controller’s monitoring rights referred to in Schedule 2 of this DPA.
8. Monitoring Rights of the Controller
8.1 Upon reasonable prior written notice of no less than thirty (30) days, and no more than once during any consecutive twelve (12)-month period, the Controller has the right, after consultation with the Processor, to carry out inspections or to have them carried out by an auditor to be designated in each individual case. These rights of the Controller shall not extend to facilities which are operated by sub-processors, sub-contractors or any Third Parties which the Processor may use to attain its Purpose and provide its Platform. The Processor shall ensure that the Processing activities carried out by any sub-processors, sub-contractors or any Third Parties which the Processor may use to attain its Purpose and provide its Platform meet the requirements laid down in this DPA and in Applicable Data Protection Laws.
8.2 The Processor shall ensure that the Controller is able to verify compliance with the obligations of the Processor in accordance with the Applicable Data Protection Laws. The Processor undertakes to provide to the Controller all reasonably necessary information on request and, in particular, to demonstrate the execution of the technical and organizational measures as mentioned in Schedule 2 within a reasonable timeframe.
8.3 Evidence of the implementation of any measures in this regard may also be presented in the form of up-to-date attestations, reports or extracts thereof from independent bodies (e.g. external auditors, internal audit, the data protection officer, the IT security department or quality auditors) or suitable certification by way of an IT security or data protection audit or by other measures provided by law.
9. Notification of Security Breaches by the Processor
9.1 The Processor shall assist the Controller in complying with the statutory obligations regarding the security and protection of Personal Data and shall maintain appropriate documentation in this regard. This includes, in particular, the obligation:
a. to ensure an appropriate level of protection through technical and organizational measures that take into account the circumstances and purposes of the Processing as well as the projected probability and severity of a possible infringement of the law as a result of security vulnerabilities and that enable an immediate detection of relevant infringement events;
b. to notify the Controller without undue delay after having become aware of any accidental, unauthorized, or unlawful destruction, loss, alteration, or disclosure of, or access to, Personal Data ("Security Breach"). In consultation with the Controller, the Processor shall take appropriate measures to secure the data and limit any possible detrimental effect on the Data Subjects;
c. to co-operate with the Controller and provide the Controller with any information which the Controller may reasonably request relating to the Security Breach. The Processor shall investigate the Security Breach and shall identify, prevent and make reasonable efforts to mitigate the effects of any such Security Breach and, with the Controller’s prior agreement, to carry out any recovery or other action necessary to remedy the Security Breach;
d. to assist the Controller by appropriate measures with regard to the Controller’s obligation to inform Data Subjects and competent authorities in case of a Security Breach; and
e. to assist the Controller with regard to the Controller’s obligation to provide information to the Data Subject concerned and to immediately provide the Controller with all relevant information in this regard.
10. Authority of the Controller to Issue Instructions
10.1 The Personal Data may only be handled under the terms of this DPA, in alignment with the Processor’s Terms of Service, and under the instructions issued by the Controller. Under the terms of this DPA, the Controller retains a general right of instruction as to the nature, scope and method of data Processing, which may be supplemented with individual instructions. Instructions are deemed to be provided by the Controller by way of selecting the desired product and/or the desired configuration of the Platform settings or by way of instructions via electronically communicated text in writing or in text form.
10.2 The Processor must not use the data for any other purpose and is particularly forbidden to disclose the data to third parties. No copies or duplicates may be produced without the knowledge of the Controller. This does not apply to backup copies where these are required to assure proper data Processing, or to any data required to comply with statutory retention rules.
10.3 The Processor shall inform the Controller immediately if it believes that the instructions may cause infringement of Applicable Data Protection Laws. The Processor may then postpone the execution of the relevant instruction until it is confirmed or changed by the Controller’s representative.
11. Deletion and Return of Personal Data
11.1 Upon completion of the contractual work as laid down in the Agreement or when requested by the Controller, and within a reasonable time which shall not exceed thirty (30) calendar days, or any other timeline as specified in the product description, the Processor must delete, anonymize or return to the Controller all documents in its possession and all work products and data produced. The same applies to any test data.
11.2 The Processor shall, to the extent legally permitted, promptly notify the Controller if the Processor receives a request from a Data Subject to exercise the Data Subject's right of access, right to rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, object to the Processing, or its right not to be subject to an automated individual decision making.
11.3 Taking into account the nature of the Processing, the Processor shall assist the Controller by appropriate technical and organizational measures, insofar as possible, in the fulfillment of the Controller’s obligation to respond to a Data Subject’s request under the Applicable Data Protection Laws. The obligation to delete the Data Subject’s Personal Data shall, at all times, remain with the Controller. For the avoidance of doubt, the Processor will not undertake any data deletion efforts for and on behalf of the Controller other than as described in the Terms of Service.
12.1 The Controller will indemnify the Processor in respect of all liabilities, costs and expenses suffered or incurred by the Processor in its capacity as Processor of the Personal Data of the Controller arising from (i) any Security Breach in the terms of this Agreement if such Security Breach was caused by the Controller or (ii) any negligent act or omission by the Controller in the exercise of the rights granted to it under the Applicable Law provided that:
a. the Processor, within reasonable time, notifies the Controller of any actions, claims or demands brought or made against it;
b. the Processor will not compound, settle or admit to any actions, claims or demands without the consent of the Controller except by order of a court of competent jurisdiction;
c. the Controller shall be entitled at its own cost to defend or settle any proceedings;
d. unless otherwise restricted or limited by any legislation in the applicable jurisdiction, the Controller’s maximum aggregate liability under this DPA shall in no case exceed the total of three (3) times the annual Customer fees or ten thousand euro (EUR 10,000), whichever is greater; and
e. nothing in this DPA shall restrict or interfere with the Controller’s rights against the Processor or any other person in respect of contributory negligence.
The Processor’s right to claim damages shall be forfeited if the Processor fails to give written notice of any damages that may be sustained as aforesaid within ten (10) business days from the occurrence and knowledge thereof or commences to make good such damages before written notice is given as aforesaid.
Nothing in this Clause 12.1 shall lead to a liability of the Controller for acts or omissions of the Processor on its own accord and independently of the instructions given to it by the Controller. Therefore, this clause shall not be applicable to any liabilities, costs or expenses that have arisen solely out of negligence or willful act, default or omission of the Processor, its employees, contractors, sub-contractors or any other person outside the Controller’s control.
12.2 The Processor will indemnify the Controller in respect of all liabilities, costs and expenses suffered or incurred by the Controller in its capacity as Controller of the Personal Data Processed by the Processor arising from (i) any Security Breach in the terms of this Agreement if such Security Breach was caused by the Processor or (ii) any negligent act or omission by the Processor in the exercise of the rights granted to it under the Applicable Law, provided that:
a. The Controller, within reasonable time, notifies the Processor of any actions, claims or demands brought or made against it concerning any alleged Security Breach;
b. The Processor shall be entitled at its own cost to defend or settle any proceedings;
c. Unless otherwise restricted or limited by any legislation in the applicable jurisdiction, the Processor’s maximum aggregate liability under this DPA shall in no case exceed the total of three (3) times the annual Customer fees or ten thousand euro (EUR 10,000), whichever is greater; and
d. Nothing in this DPA shall restrict or interfere with the Processor’s rights against the Controller or any other person in respect of contributory negligence.
12.3 In the event of a breach of this DPA caused by the actions of a sub-processor, the Processor shall assign the right to the Controller to take action under the sub-processor contract as it deems necessary in order to protect and safeguard Personal Data. The Processor acknowledges and agrees that it shall remain liable to the Controller for any breach of the terms of this DPA or any sub-processor contract by any sub-processor and other subsequent third-party processors appointed by it.
13.1 ‘Sub-Processing’, in the meaning of this DPA, does not include ancillary services such as telecommunication services or postal/transport services. The Processor shall, however, be obliged to make appropriate and legally binding contractual arrangements and take appropriate inspection measures to ensure the data protection and data security of the Controller's data, even in the case of ancillary services outsourced to sub-processors.
13.2 The Controller agrees to the commissioning of the following sub-processors on the condition of a contractual agreement in accordance with Applicable Data Protection Laws.
13.3 With regard to the engagement of sub-processors that are located in, or may Process Personal Data in, countries outside the EEA, the Controller authorizes the Processor to conclude in its name with the sub-processors standard contractual clauses as approved by the European Commission for the transfer of personal data to Third Countries.
13.4 Outsourcing to further sub-processors or changing any existing sub-processors is permissible if the Processor informs the Controller of the identity of the sub-processor and the scope of the planned Sub-Processing in writing or in text form and the Controller does not object to the planned Sub-Processing in writing or in text form within ten (10) business days as from giving notice by the Processor. The Controller shall not unreasonably object to the planned Sub-Processing. In addition, the following provisions apply:
a. the transfer of Personal Data to the sub-processor and the sub-processor’s commencement of the data Processing shall only be undertaken after compliance with all requirements has been achieved;
b. if the sub-processor provides the agreed service outside the EU/EEA, the Processor shall ensure compliance with Applicable Data Protection Laws; and
c. the Processor shall impose on the sub-processor the same or materially the same data protection obligations as set out in this DPA, in particular with regard to the provision of sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the Processing will meet the requirements of the Applicable Data Protection Laws.
13.5 With respect to each sub-processor, the Processor will, before the sub-processor first Processes any data of the Controller, carry out adequate due diligence to ensure that the sub-processor is capable of providing the level of protection for the Personal Data required by this DPA, and shall ensure that the agreement between the Processor and the relevant sub-processor is governed by a written contract including terms which offer at least the same level of protection for the Controller as those set out in this DPA and meets the requirements of Article 28(3) of the GDPR.
SCHEDULE 1: Description of Processing Operations
Hotjar is a digital experience insights platform that provides visual behavior insights, in-the-moment feedback, and 1:1 interviews, all in one place. By combining A) Analysis, B) Feedback tools, and C) user interviews, Hotjar gives our customers the ‘big picture’ of how to improve their site’s experience and its performance and aids them in their product development process. The Analysis tools (Observe) allow you to measure and observe user behavior (what users do), while the Feedback tools (Ask) allow you to hear what your users say (Voice of the User / Customer). Engage lets you easily schedule, run, record and share user interviews.
With this toolset, Hotjar allows its users to analyze and understand the behavioral patterns of their visitors and customers across web properties through the use of analytics and feedback tools. The sole purpose of collecting this data is to improve the functionality of their website and/or apps and to enhance the overall user and/or customer experience.
SCHEDULE 2: Technical and Organizational Measures
The Processor warrants and undertakes, in respect of all the Personal Data that it Processes on behalf of the Controller, that at all times it maintains and shall continue to maintain appropriate and sufficient technical and organizational security measures to protect such Personal Data or information against accidental or unlawful destruction or accidental loss, damage, alteration, unauthorized disclosure or access, in particular where the Processing involves the transmission of data over a network, and against all other unlawful forms of Processing.
Such measures shall include, but are not limited to, physical access control, logical access control (i.e. non-physical access control measures such as passwords), data access control, data transfer control, input control, availability measures, and data separation; in particular at least the measures set out in the Hotjar Privacy & Security Help Center.
The Processor shall provide the Controller, upon request, with adequate proof of compliance (e.g. the relevant parts of the Processor’s agreements with its data center provider).
For more detailed information on the latest state-of-the-art measures adopted by our hosting provider, please refer to the following link: https://aws.amazon.com/security/.
SCHEDULE 3: Jurisdiction-specific terms
The definition of “Applicable Data Protection Laws” includes the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq., and the California Privacy Rights Act of 2020 (together, “CCPA”).
Except as described otherwise, the definitions of: “Controller” includes “Business”; “Processor” includes “Service Provider”; “Data Subject” includes “Consumer”; “Personal Data” includes “Personal Information”; in each case as defined under the CCPA.
Hotjar acknowledges and confirms that it does not receive or process any Personal Data as consideration for any services or other items that Hotjar provides to Customer under the Agreement. Hotjar shall not have, derive, or exercise any rights or benefits regarding Personal Data Processed on Customer’s behalf, and may retain, use, and disclose Personal Data solely for the purposes for which such Personal Data was provided to it, as stipulated in the Agreement and this DPA. Hotjar represents and warrants that it understands the rules, requirements and definitions of the CCPA and agrees to refrain from selling (as such term is defined in the CCPA) any Personal Data Processed hereunder, without Customer’s prior written consent, nor taking any action that would cause any transfer of Personal Data to or from Hotjar under the Agreement or this DPA to qualify as “selling” such Personal Data under the CCPA.
Hotjar certifies that its sub-processors are Service Providers under CCPA, with whom Hotjar has entered into a written contract that includes terms substantially similar to this DPA. Hotjar conducts appropriate due diligence on its sub-processors.
Hotjar will implement and maintain security measures appropriate to the nature of the personal data it processes, as set forth in Schedule 2 (Security) of this DPA.
Hotjar’s obligations regarding data subject requests apply to Consumer’s rights under the CCPA.