Data Processing Agreement (DPA)
Do I need to sign the DPA?
By using Hyvor Talk, you agree to the terms in our Terms of Service and this GDPR DPA (if applicable to you). Therefore, signing is optional.
How do I sign if required by my organization?
Here is the link to a PDF version of this document. Fill in the Company Details on page 1, sign on page 6, and send the document to [email protected] from your account email with the title "DPA". We will sign and send a copy back to you.
Hyvor Talk is operated by HYVOR, a company based in France. As a European company, it is extremely important for us to process and store data securely in accordance with the strong GDPR privacy rules.
HYVOR provides Customers with the Hyvor Talk commenting system. Hyvor Talk collects personal data from users who visit and choose to comment on the websites that load Hyvor Talk. Hyvor Talk provides the ability for Customers to access these personal data to some level.
This Data Processing Agreement (“Agreement”) is an addendum to our Terms of Service of Hyvor Talk and is signed between
11 RUE CARNOT
94270 LE KREMLIN-BICETRE
(the “Company”) and
The parties agree as follows:
- “You”, "Company", or “Customer” means the company or organization that uses Hyvor Talk on their website and signs this contract.
- “EEA” means the European Economic Area;
- “EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced, or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
- “GDPR” means EU General Data Protection Regulation 2016/679;
- “Agreement” means this Data Processing Agreement and all Schedules;
- “Subprocessor” means any person appointed by or on behalf of Processor to process Personal Data on behalf of the Company in connection with the Agreement.
- “Data controller”, “Data processor”, “Data subject”, “Personal data” and “Processing” shall be interpreted in accordance with applicable Data Protection Legislation.
- "Terms" means Hyvor Talk Terms of Service.
Applicability of DPA
This DPA applies where and only to the extent that Hyvor Talk Commenting System (talk.hyvor.com) processes Personal Data on your behalf in the course of providing the Services and such Personal Data is subject to Data Protection Laws of the European Union, the European Economic Area and/or their member states, Switzerland and/or the United Kingdom. The parties agree to comply with the terms and conditions in this DPA in connection with such Personal Data.
This DPA only applies to the Hyvor Talk Service of HYVOR.
Roles and Responsibilities
Hyvor Talk and Customer both act as a Data Controller. User data collection depends on whether the Customer uses Single Sign-on. EXHIBIT 1 of this document describes data that Hyvor Talk collects and makes available to the Customer.
Both parties shall be responsible for ensuring they have complied, and will continue to comply, with all applicable laws relating to privacy and data protection, including but not limited to the EU Data Protection Legislation.
Customers shall process the Personal Data for the purposes described in EXHIBIT 1, except where required by applicable law.
Customer shall integrate Hyvor Talk on their websites securely using the best practices mentioned in our documentation. Customer shall securely communicate with Hyvor Talk when transmitting personal data (e.g., Single Sign-on). Customer shall implement other appropriate technical and organisational measures to protect the Personal Data from accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access.
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor shall in relation to the Company Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
In assessing the appropriate level of security, Processor shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.
Personal Data Breach
HYVOR shall notify Customer without undue delay upon becoming aware of a Personal Data Breach affecting Customer Personal Data, providing Customer with sufficient information to allow the Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
HYVOR shall co-operate with the Customer and take reasonable commercial steps as directed by Customer to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
Data Protection Impact Assessment and Prior Consultation
Processor shall provide reasonable assistance to the Customer with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Customer reasonably considers to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Customer Personal Data by, and taking into account the nature of the Processing and information available to, the Contracted Processors.
Data Subject Rights
HYVOR shall promptly notify Customer if it receives a request from a data subject under any Data Protection Laws in respect of Personal Data, including requests by a data subject to exercise rights in Chapter III GDPR, and shall provide full details of that request. HYVOR shall reasonably co-operate as requested by Customer to enable Customer to comply with any exercise of rights by a data subject under Chapter III GDPR in respect of Personal Data.
Deletion of data
Upon termination or expiry of the Agreement, Customer shall delete the Personal Data (including copies) then in Customer's possession, except to the extent that Customer is required by applicable law to retain some or all of the Personal Data.
Customer hereby provides general authorization for HYVOR to subcontract the Processing of Personal Data to Subprocessors. HYVOR shall be liable for the acts and omissions of its Sub-processors to the same extent as if the acts and omissions were performed by HYVOR.
The current list of Sub-processors can be found in EXHIBIT 2 of this document. An up-to-date list is available in the public online version of this DPA at https://talk.hyvor.com/docs/dpa.
If Customer has legitimate reason under Data Protection Laws to object to a new Sub-processor, Customer shall provide written notice of such objection to HYVOR. If Customer objects, HYVOR and Customer will discuss a commercially reasonable resolution. If no commercially reasonable resolution can be reached within thirty (30) days, either party may terminate the applicable Services that cannot be provided by HYVOR without the use of the objected Sub-processor.
Security Reports and Audits
HYVOR shall maintain records of its security standards. HYVOR shall further provide written responses (on a confidential basis) to all reasonable requests for information made by you, including responses to information security and audit questionnaires, that you (acting reasonably) consider necessary to confirm HYVOR's compliance with this DPA, provided that you shall not exercise this right more than once per year.
HYVOR stores and processes data of all Customers within the European Union in data centers in Frankfurt, Germany. HYVOR shall implement appropriate safeguards to protect the Personal Data in accordance with the requirements of Data Protection Laws.
HYVOR acknowledges that Customer may disclose the privacy provisions in this DPA and the Terms to any judicial or regulatory body upon their lawful request.
Except as amended by this DPA, the Terms of Service will remain in full force and effect. If there is a conflict between the Terms of Service and this DPA, the terms of this DPA will control.
The DPA is effective as of the 1st of July and replaces and supersedes any previously agreed data processing agreement between you and Hyvor Talk relating to the GDPR. Termination or expiration of this DPA shall not discharge the parties from the confidentiality obligations herein.
EXHIBIT 1 - Data Processing Details
Hyvor Talk is operated by HYVOR and provides a commenting system for the Customer to use on their websites and applications. Visitors may react, vote, and comment within the comments section, which requires authentication and collection of personal data. Customer may select one of the following authentication methods:
- Hyvor Login (at hyvor.com)
- Single Sign-on (SSO)
| ||Hyvor Login (at hyvor.com)||Single Sign-on (SSO)|
|How data is collected||User data is collected at hyvor.com when the User creates an account. HYVOR will share name, username, IP address, and other profile-related public data to the Customer.||User data is collected by the Customer on their website, and then shared with Hyvor Talk securely using HMAC digital signatures. The Customer agrees that they have the right to share|
|What data can Customer Access||Name, username, IP address, activity (comments, reactions, etc.) on Customer's website||All personal data shared with Hyvor Talk, activity on Customer's website.|
|Deleting Data||The User can delete their Hyvor account, which will delete their personal details. The Customer can delete activity on their website, but cannot delete user accounts.||Email request or API|
Customer can disable IP Address collection through the Moderation Console.
EXHIBIT 2 - Sub-Processors
|Entity Name||Sub-processing activities||Terms||Entity country|
|DigitalOcean, LLC [1]||Cloud Hosting & Storage||Terms||USA|
|Mailgun [2]||Email Service Provider||Terms||USA|
|Helpspace||Customer Email Support||Terms||Germany|
[1] We only utilize DigitalOcean's data centers in Europe.
[2] Mailgun is configured for short-lived logs and no-tracking.