Updated 4 February 2025

This Data Processing Agreement (“DPA”) is an integral and indivisible part the Terms of Service for Business Accounts (hereinafter referred to as “Agreement”) between Hopoti Software Oy (“Hopoti”) and the holder of a business account on Hopoti’s services that is entering into the Agreement (the “Seller”) (each a “Party” and together the “Parties”). This DPA shall apply insofar as Hopoti Processes Personal Data in providing its Services to the Seller (each capitalized term as defined below). The terms of this DPA apply in addition to the terms of the Agreement (including limitation of liability) and, to the extent of any conflict with the Agreement, the terms of this DPA shall prevail with regard to the subject matter herein. This DPA supersedes and replaces any other data processing terms between the Parties. If Seller sells its business to a new entity, the Parties agree that this DPA will apply automatically to Hopoti’s continued processing of Personal Data on behalf of the new entity.
​

Terms that are capitalized but not defined herein shall have the meanings given to them under applicable Data Protection Laws, provided that “Controller” is deemed to include “Business,” “Processor” is deemed to include “Service Provider,” and “Data Subject” is deemed to include “Consumer.” The following terms are defined as follows:

a. “Data Protection Laws” means all applicable laws, regulations, and other legal or self-regulatory requirements in any jurisdiction relating to privacy, data protection, data security, breach notification, or the Processing of Personal Data, including without limitation, to the extent applicable, the General Data Protection Regulation, Regulation (EU) 2016/679 and the United Kingdom Data Protection Act of 2018 (each, the “GDPR”); the Swiss Federal Act on Data Protection (“FADP”); and the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., as amended and including its regulations (“CCPA”). For the avoidance of doubt, if the Parties’ Processing activities involving Personal Data are not within the scope of a given Data Protection Law, such law is not applicable for purposes of this DPA.

b. “Personal Data” means “personal data,” “personal information,” and analogous terms as defined under applicable Data Protection Laws that Hopoti Processes to provide the Services.

c. “Personal Data Breach” means accidental or unlawful acquisition, destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.

d. “Process” and its cognates “Processing,” “Processed,” etc. mean any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

e. “Services” means services that Hopoti provides to Seller, which include hosting a Seller-specific website for the Seller’s products or services and providing booking services, as set forth in the Agreement.

f. “Subcontractor” means any third party that Hopoti engages to Process Personal Data to provide the Services.
​
​

a. Seller is the Controller of Personal Data and Hopoti is the Processor. Each Party shall comply with the provisions of Data Protection Laws applicable to it in its respective role.

b. Hopoti shall Process Personal Data only on behalf of the Seller in order to provide the Services in accordance with the Agreement and as permitted under this DPA and any other written instructions provided by Seller. Hopoti shall only Process Personal Data for the specific business purposes enumerated in the Agreement.

c. To the extent required by Data Protection Laws, Hopoti shall, at the Seller’s expense, provide Seller with reasonable assistance in meeting Seller’s obligations under Data Protection Laws, including in relation to any legally required data protection impact assessment or consultation with supervisory authorities.

d. More details concerning the Processing are described in Section 10 below.
​

Seller authorizes Hopoti to engage Subcontractors in accordance with this DPA and applicable Data Protection Laws. Hopoti will obligate Subcontractors to comply with the principles of data processing and obligations defined in this DPA, and Hopoti shall be as responsible for the work performed by Subcontractors as if Hopoti were performing the work. Hopoti shall provide Seller with a written notification before Hopoti changes or acquires new Subcontractors without undue delay. In the event that Seller objects to changing or acquiring new Subcontractors, Hopoti shall have the right to terminate the Agreement with a notice period of thirty (30) days.
​

Personal Data may be transferred outside the European Union or the European Economic Area in accordance with Data Protection Laws. Seller authorizes Hopoti to implement the standard clauses regarding transferring data outside the EU adopted by the Commission on the Seller’s behalf whenever necessary. Seller shall have the right to obtain information regarding the location of the Processing of Personal Data from Hopoti at any time.
​

Personal Data that Hopoti Processes under this DPA shall be considered confidential. Hopoti shall maintain the confidentiality of Personal Data and shall not transfer or disclose Personal Data to a third party or use Personal Data for other purposes than the agreed purposes. Hopoti also agrees that it shall not disclose Personal Data to its employees, contractors, or Subcontractors except as necessary for Hopoti to provide the Services, and any person authorized to Process Personal Data shall be under an appropriate legal or contractual duty to maintain the confidentiality of Personal Data. This “Confidentiality” section shall remain valid even in the event that the Agreement is terminated.
​

a. Hopoti agrees to implement appropriate technical and organisational measures designed to prevent a Personal Data Breach, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the likelihood and severity of risks to the rights and freedoms of Data Subjects in the event of a Personal Data Breach.

b. Hopoti shall make available to Seller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits conducted by Seller or a third-party auditor appointed by Seller, as required under Data Protection Laws. Each Party shall bear its own costs in relation to an audit. Nothing in this subsection requires Hopoti to disclose any confidential or proprietary information or any information irrelevant to the purposes of the audit, to take measures that in Hopoti’s reasonable discretion would compromise its security, or to breach any legal or contractual obligation to which Hopoti is subject.

c. At the end of the Services or upon Seller’s reasonable earlier request, Hopoti shall delete or return Personal Data, at Seller’s choice, except as otherwise required by applicable law or for Hopoti’s reasonable security or data backup purposes.
​

In the event that Hopoti becomes aware of a Personal Data Breach, it shall notify Seller in writing without undue delay and shall provide Seller with the following details regarding the Personal Data Breach without undue delay as they become known to Hopoti:
​

a. a description of the Personal Data Breach; a description of the likely consequences of the Personal Data Breach; and

b. a description of actions Hopoti has taken in response to the Personal Data Breach and, where applicable, the actions to mitigate the possible adverse effects of the Personal Data Breach.
​

As required by Data Protection Laws, Hopoti shall assist Seller with appropriate technical and organizational measures to fulfil Seller’s obligations to respond to requests by Data Subjects to exercise their rights regarding their Personal Data under Data Protection Laws, such as access, correction, and deletion rights. Hopoti shall notify Seller of any such requests submitted directly to Hopoti. Hopoti shall have the right to charge a fee for the time used in assisting Seller with a time-based rate according to the current price list.
​

Capitalized terms in this section not otherwise defined in the DPA are defined as in the CCPA. To the extent that the CCPA applies to Hopoti’s Processing of Personal Data:

c. Seller has the right to take reasonable and appropriate steps to (i) ensure that Hopoti Processes Personal Data in a manner consistent with Seller’s obligations under the CCPA, and (ii) upon notice, stop and remediate unauthorized Processing of Personal Data.

Nature of the Processing: Hopoti performs standard Processing operations as necessary to provide its Services and abide by the Agreement and applicable law, such as collecting, using, handling, disclosing, storing, and deleting Personal Data.

Duration of Processing: Hopoti Processes Personal Data as long as necessary to provide its Services, comply with applicable law, for security and backup purposes, and as otherwise permitted under the Agreement, including this DPA, or any other written instructions issued by Seller.

The relevant Data Subjects are Hopoti users who book services through and otherwise engage with Seller’s specific website(s).

The categories of Personal Data that Hopoti Processes on behalf of Seller to provide its Services may include, without limitation: