Honeycomb Data Processing Addendum to the Terms of Service
Last Updated: Nov 13, 2023
This Data Processing Addendum (“DPA”) is incorporated into and forms a part of the Honeycomb Terms of Service available at https://www.honeycomb.io/terms/, as amended from time to time (the “Terms of Service), entered into between you and Hound Technology, Inc., d/b/a Honeycomb (“Honeycomb”). This DPA is effective as of the date you accept the Terms of Service (“Effective Date”), and amends, supersedes and replaces any prior data processing agreements that you and Honeycomb may have previously entered into in connection with services provided by Honeycomb under the TOS or a prior version thereof. In the event of any conflict between the terms of this DPA and the terms of the Terms of Service, the terms of this DPA prevail with regard to the specific subject matter of this DPA. Capitalized terms used herein without definition will have the meanings given in the Terms of Service.
Notwithstanding the foregoing, for enterprises or other organizations that have entered into a separate written agreement with Honeycomb (an “Enterprise Agreement”) and an associated data processing agreement or addendum in relation thereto (an “Enterprise DPA”), the Enterprise DPA that such enterprise or other organization has entered into with Honeycomb in connection with such Enterprise Agreement will continue in full force and effect and will not be superseded or replaced by this DPA.
1. DEFINITIONS
1.1. “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Your Data.
1.2. “Data Protection Laws” means any law, statute, regulation or order by governmental authority of competent jurisdiction, or any judgment, decision, decree, injunction, writ, order, subpoena, or like action of any court, arbitrator or other government entity with jurisdiction, that is applicable to and binding on the processing of Your Data by a party, including, as applicable, the Regulation 2016/670 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (“GDPR”), as amended or replaced from time to time, the UK Data Protection Act 2018 and the GDPR as it forms part of the laws of the United Kingdom by virtue of section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (“UK GDPR”), the California Consumer Privacy Act of 2018, California Civil Code § 1798.100 et seq. (“California Consumer Privacy Act” or “CCPA”), and the California Privacy Rights Act (“CPRA”).
1.3. “Standard Contractual Clauses” means (a) for transfers from the EEA where you are acting as a controller and Honeycomb is acting as a processor, Module 2 of the standard clauses for the transfer of personal data as updated, amended replaced or superseded from time to time by the European Commission, the approved version of which in force at present is that set out in the European Commission’s Decision 2021/914 of 4 June 2021, and (b) for transfers from the EEA where you are acting as a processor and Honeycomb is acting as a sub-processor, Module 3 of the standard clauses for the transfer of personal data as updated, amended replaced or superseded from time to time by the European Commission, the approved version of which in force at present is that set out in the European Commission’s Decision 2021/914 of 4 June 2021. For transfers from the UK, the foregoing applicable Module of the Standard Contractual Clauses, as modified by the UK Addendum, will apply.
1.4. “UK Addendum” means the International Data Transfer Addendum to the Standard Contractual Clauses (version B1.0) issued by the Information Commissioners Office under s.119(A) of the UK Data Protection Act 2018, as may be amended, superseded or replaced.
1.5. “Your Data” means the personal data (as defined in applicable Data Protection Laws) that is uploaded or otherwise submitted to the Service under your account with Honeycomb.
Terms such as “data subject”, “personal data”, “processing”, “controller”, “processor”, “sub-processor”, and “supervisory authority” shall have the meaning ascribed to them in the Data Protection Laws.
2. DATA PROCESSING
2.1. Scope and Roles. This DPA will apply when Honeycomb processes Your Data on your behalf as part of the Service. For purposes of the GDPR and UK GDPR when applicable, Honeycomb will process Your Data as either a processor or sub-processor to you, and you will act as either a controller or processor of Your Data, as applicable. For purposes of the CCPA when applicable, Honeycomb will process Your Data as a service provider to you, and you will act as either a business or a service provider of Your Data.
2.2. Your Instructions. Honeycomb will process Your Data solely: (a) on the documented instructions from you as set forth in this DPA and the Terms of Service, including all processing as authorized therein and as is otherwise necessary for the provision of the Service thereunder, which you acknowledge and agree shall constitute your complete instructions with respect to Honeycomb’s Processing of Your Data, and (b) as required by Data Protection Laws or any other legal obligation to which Honeycomb is subject, provided that Honeycomb will inform you (unless prohibited by law) of the applicable legal requirement before any such processing. Additional instructions outside the scope of this DPA or the Terms of Service are subject to Honeycomb’s agreement in writing and may be subject to additional fees. In the event that Honeycomb determines any of your instructions are in violation of Data Protection Laws, it will promptly inform you thereof; provided, however, that you acknowledge and agree that, taking into account the nature of the processing hereunder, it is unlikely that Honeycomb can form an opinion with respect to whether your instructions are in violation of Data Protection Laws.
2.3. No Sales of Your Data. Without limiting the generality of the foregoing, for purposes of processing Your Data subject to the CCPA, Honeycomb will not: (a) “sell” or “share” Your Data, each such term used herein as defined by the CCPA; (b) retain, use, or disclose Your Data for any purpose, including any commercial purpose, except as permitted under this DPA, the Terms of Service, or the CCPA and (c) retain, use, or disclose Your Data outside of the direct business relationship between Honeycomb and you, except as permitted by the CCPA.
2.4. Data Subject and Regulator Requests. If Honeycomb receives a request from a data subject or a regulator regarding Honeycomb’s processing of Your Data, Honeycomb will attempt to redirect such request to you. You acknowledge that the Service provides technical and organizational measures to enable you to respond to any such requests. In the event that you are unable to respond to any such requests using the measures made available via the Service, then, taking into account the nature of the processing, Honeycomb will assist you in fulfilling your obligations in relation to data subject requests under applicable Data Protection Laws; provided, however that such assistance beyond the technical and organizational measures provided by Honeycomb may be subject to additional fees.
2.5. Retention. Upon your written request, Honeycomb will destroy all of Your Data in its possession when you delete your account on the Service. Notwithstanding the foregoing, any destruction shall be subject to all applicable laws, regulations and Honeycomb’s compliance policies.
2.6. Confidentiality. Honeycomb will not disclose Your Data to any third party without your consent, except as necessary to maintain or provide the Service or as necessary to comply with applicable law or a valid court order or similar request or requirement from a competent governmental authority. If requested or required by a competent governmental authority to disclose Your Data, to the extent legally permissible and practicable, Honeycomb will provide you with sufficient prior written notice in order to permit you the opportunity to oppose any such disclosure.
2.7. Personnel. Honeycomb will restrict access to Your Data to its and its affiliates’ personnel, representatives and advisors, and those of its sub-processors, who need access to Your Data to provide the Service or to exercise Honeycomb’s rights under the Terms of Service or this DPA. Honeycomb informs all such personnel, representatives, or advisors of the confidential nature of Your Data and will confirm all such personnel, representatives, or advisors are subject to confidentiality obligations before enabling access to Your Data.
2.8. Further Assistance. Taking into account the nature of the processing and the information available to Honeycomb, Honeycomb will provide reasonable assistance to you in complying with your obligations under GDPR Articles 32-36, which address obligations with regard to security, breach notifications, data protection impact assessments, and prior consultation. Any such assistance is subject to Honeycomb’s written agreement and may be subject to additional fees.
2.9. Information Security. Taking into account the costs of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of data subjects, Honeycomb will implement and maintain technical and organizational measures designed to protect the confidentiality, integrity and availability of the Your Data that meet or exceed the requirements of Data Protection Laws.
2.10. Compliance. Each party will comply with all laws, rules, and regulations applicable to it and binding with respect to the performance of this DPA, including applicable Data Protection Laws. Without limiting the foregoing, you warrant that Your Data as submitted to the Service for processing by Honeycomb has been lawfully collected, including with respect to any required consents or notices, and that you are authorized to instruct Honeycomb to process Your Data as set forth in this DPA and the Terms of Service.
3. AUDIT
Upon your request, Honeycomb will make available to you Honeycomb’s most recent SOC 2 Type II audit report, or other report substantially similar thereto, prepared by an independent third-party auditor on Honeycomb’s behalf (“Honeycomb Audit Report”). The Honeycomb Audit Report will be considered Honeycomb’s confidential information and you may not disclose such Honeycomb Audit Report to any other person. To the extent that your audit requirements under applicable Data Protection Laws cannot reasonably be satisfied through review of the Honeycomb Audit Report or other information or responses provided by Honeycomb, then, subject to reasonable written notice from you, which shall include an explanation regarding the insufficiency of the Honeycomb Audit Report and other information or responses provided by Honeycomb, you may request an additional audit be conducted on your behalf by a third party auditor. If Honeycomb declines to follow your instructions regarding such additional audit, you are entitled to terminate the Terms of Service in accordance with their terms. If Honeycomb agrees to your additional instructions regarding the additional audit, any such audit will be limited to what is reasonably necessary to verify Honeycomb’s compliance and will be carried out at mutually agreed times during regular business hours. In connection with any such additional audit, the auditor will: (a) observe reasonable on-site access and other restrictions reasonably imposed by Honeycomb; (b) comply with reasonable and applicable on-site policies and procedures provided by Honeycomb; and (c) not unreasonably interfere with Honeycomb’s business activities. You are responsible for all costs and fees relating to such audit, including reasonable costs and fees for time expended by Honeycomb in support of such audit. All information obtained during any request for information or audit pursuant to this Section 3 will be considered Honeycomb’s confidential information and may not be shared by you with any other person. The third-party auditor may only disclose to you specific violations of this DPA, if any, and the basis for such findings, and shall not disclose any of the records or information reviewed during the inspection.
4. SUBPROCESSORS
You hereby provide general authorization to Honeycomb’s use of sub-processors to process Your Data. A list of sub-processors currently engaged by Honeycomb is available at https://honeycomb.io/subprocessors. Honeycomb will inform you by updating the website at least thirty (30) days prior to engaging a new sub-processor.. You may reasonably object to any new sub-processor during the fourteen (14) day period following any such update to Honeycomb’s sub-processor list by sending Honeycomb a written notice, describing your objection with reasonable detail as to your concerns, in which case Honeycomb may recommend a commercially reasonable change in your use of the Services to avoid processing by such sub-processor. If you do not agree to such change, then you may terminate the Services impacted by the sub-processor. If you do not object during such fourteen (14) day period, such new sub-processor shall be deemed accepted. Honeycomb will enter into written agreements with each sub-processor containing reasonable provisions relating to the implementation of technical and organizational measures in compliance with Data Protection Laws. Honeycomb will remain liable for acts and omissions of its sub-processors in connection with the provision of the Service.
5. DATA TRANSFERS
5.1. Location of Processing. Honeycomb primarily processes Your Data within the United States. You acknowledge that Honeycomb may, without your prior written consent, transfer Your Data to a foreign jurisdiction provided such transfer is either (a) to a country or territory which has been formally recognized by the relevant authority with jurisdiction over Your Data (such as the European Commission with respect to Your Data that is subject to GDPR or the Information Commissioner’s Office with respect to Your Data that is subject to the UK GDPR) as affording Your Data an adequate level of protection or (b) the transfer is otherwise safeguarded by mechanisms recognized and approved by such relevant authority from time to time, including as set forth in Sections 5.2 or 5.3 below.
5.2. Data Privacy Framework. Honeycomb has adopted the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”) and the UK Extension to the EU-U.S. DPF as set forth by the U.S. Department of Commerce and has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (“EU-U.S. DPF Principles”) with regard to the processing of Personal Data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Where required by applicable Data Protection Laws, Honeycomb relies on the EU-U.S. DPF, and the UK Extension to the EU-U.S. DPF, for transfers of Your Data from the EEA and UK to countries not deemed adequate by the applicable data protection authorities. If there is any conflict between the terms in this DPA and the EU-U.S. DPF Principles, the Principles shall govern.
5.3. Standard Contractual Clauses. In the event that the EU-U.S. DPF and/or the UK Extension thereto become invalidated or if Honeycomb informs you that it is no longer adopting the EU-U.S. DPF and/or the UK Extension thereto, the applicable Standard Contractual Clauses will be deemed incorporated herein by reference and executed by the parties and will apply to transfers of Your Data by you to Honeycomb from the EEA and/or UK. For purposes of the Standard Contractual Clauses, Honeycomb will be deemed the “data importer” and you will be deemed the “data exporter.” The relevant information in Attachment A to this DPA will apply as the Annexes to the Standard Contractual Clauses with respect to Your Data that is subject to the GDPR, and the relevant information in Attachment B to this DPA will apply as the Annexes to the Standard Contractual Clauses with respect to Your Data that is subject to the UK GDPR. If and to the extent any provision of this DPA conflicts with the Standard Contractual Clauses or UK Addendum, the latter shall prevail.
5.4. Further Alternative Mechanisms. If the parties are no longer relying on the EU-U.S DPF and/or the UK Extension thereto and are instead relying upon the Standard Contractual Clauses for data transfer, and the Standard Contractual Clauses become invalidated after the effective date of this DPA, then the parties will cooperate in good faith to promptly amend this DPA to render their use of the Standard Contractual Clauses compliant, if practicable, or incorporate an alternative data transfer mechanism that complies with applicable Data Protection Laws.
5.5. Customer as Processor. Notwithstanding the foregoing, where you are acting as a processor with respect to Your Data, you will fulfill Honeycomb’s obligations to your controllers under the applicable transfer mechanism (including, without limitation, the Standard Contractual Clauses and/or the UK Addendum, if applicable) as you acknowledge Honeycomb may not know the identity of such controllers or have a direct relationship therewith.
6. INCIDENT MANAGEMENT
6.1. General. Honeycomb will notify you of any Data Breach of which it becomes aware without undue delay and will investigate the Data Breach and take any actions that are reasonably necessary to address the Data Breach, including measures to mitigate damage, as required by law and as appropriate under the circumstances.
6.2. Notification Details. Honeycomb’s notification of a Data Breach, to the extent known and disclosure thereof is permitted, will include: (a) the nature of the Data Breach; (b) the date and time upon which the Data Breach took place and was discovered; (c) the number of data subjects affected by the incident; (d) the categories of Personal Data involved; (e) the measures – such as encryption, or other technical or organizational measures – that were taken to address the incident, including measures to mitigate the possible adverse effects; (f) the name and contact details of the data protection officer or other contact; and (g) a description of the likely consequences of the data breach.
6.3. Coordination. Honeycomb will reasonably assist you in fulfilling your obligations to notify data subjects and the relevant authorities in relation to a Data Breach, provided that nothing in this section shall prevent either party from complying with its obligations under Data Protection Laws. The parties agree to coordinate in good faith on developing the content of any related public statements.
7. MISCELLANEOUS
7.1. Any claims brought under this DPA will be subject to the same terms and conditions, including the exclusions and limitations of liability, as are set out in the Terms of Service.
7.2. This DPA will continue in force until expiration or termination of the Terms of Service. Termination of this DPA shall not discharge the parties from their obligations that by their nature may reasonably be deemed to survive the termination or expiration of this DPA.
7.3. Any provision of this DPA that is prohibited or unenforceable in any jurisdiction shall, as to such jurisdiction, be ineffective to the extent of such prohibition or unenforceability without invaliding the remaining provisions hereof, and any such prohibition or unenforceability in any jurisdiction shall not
invalidate or render unenforceable such provision in any other jurisdiction. The parties will attempt in good faith to agree upon a valid and enforceable provision that is a reasonable substitute and shall incorporate such substitute provision into this Agreement.
7.4. Any modifications to this DPA shall be of no force or effect unless agreed by authorized representatives of both parties in writing.
Attachment A to the Honeycomb DPA
Information for Data Transfers from the EEA
SECTION I
Information for Data Transfers from the EEA
SECTION I
The parties hereby agree to the following options within the Standard Contractual Clauses:
Clause 7: The parties decline to use the optional docking clause.
Clause 9: The parties agree to Option 1 for Clause 9(a). The time period for notification of change of a sub-processor shall be 14 days.
Clause 11: The independent dispute resolution body option is hereby deleted.
Clause 17: The governing law shall be the courts of Ireland.
Clause 18: The parties agree that the forum and jurisdiction shall be the courts of Ireland.
ANNEX I
A. LIST OF PARTIES
Data exporter(s):
Name: You, the Honeycomb customer who accepts the Terms of Service
Address: As entered into your Honeycomb account
Contact person’s name, position and contact details: As entered into your Honeycomb account
Activities relevant to the data transferred under these Clauses: Receiving access to the Service as described in the Terms of Service.
Signature and date: As of the Effective Date of the DPA.
Role (controller/processor): Controller or processor, as applicable
Data importer(s):
Name: Hound Technology, Inc., d/b/a Honeycomb
Address: As specified in the Terms of Service
Contact person’s name, position and contact details: As specified in the Terms of Service
Activities relevant to the data transferred under these Clauses: Providing access to the Service as described in the Terms of Service.
Signature and date: Accepted as part of the Terms of Service, as of the Effective Date
Role (controller/processor): Processor or sub-processor, as applicable
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
The data subjects could include your customers, employees, suppliers or other end users, based on what data you choose to submit to the Service.
Categories of personal data transferred
At your discretion, based on the data you choose to submit to the Service.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
Your Data may include sensitive data, at your discretion
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Your Data may be transferred on a continuous basis until it is deleted in accordance with the terms of the DPA of the Terms of Service.
Nature of the processing
As described in the Terms of Service.
Purpose(s) of the data transfer and further processing
The data importer will process Your Data to provide the Service.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
For the duration of Terms of Service until deleted in accordance with the provisions of the DPA or Terms of Service.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
As above.
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13
The Irish Data Protection Commission.
ANNEX II – TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
The data importer will implement and maintain security controls that include the following:
- Physical Access Controls
- System Access Controls
- Data Access Controls
- Transmission Controls
- Input Controls
- Job Controls
- Availability Controls
- Separation Controls
ANNEX III – LIST OF SUB-PROCESSORS
As described in Section 4 of the DPA.
Attachment B to the Honeycomb DPA
Information for Data Transfers from the UK
SECTION I
The parties hereby agree to the following options within the Standard Contractual Clauses and the UK Addendum:
SCCs Clause 7: The parties decline to use the optional docking clause.
SCCs Clause 9: The parties agree to Option 1 for Clause 9(a). The time period for notification of change of a sub-processor shall be 14 days.
SCCs Clause 11: The independent dispute resolution body option is hereby deleted.
SCCs Clause 17: The governing law shall be the courts of England and Wales.
SCCs Clause 18: The parties agree that the forum and jurisdiction shall be the courts of England and Wales.
UK Addendum, Tables 1 – 3, Part 1: The parties agree these tables shall be deemed completed using the information contained below in the Annexes to this Attachment B.
ANNEX I
A. LIST OF PARTIES
As set forth in Annex I, Section A to Attachment A.
B. DESCRIPTION OF TRANSFER
As set forth in Annex I, Section B to Attachment A.
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13
The Information Commissioner’s Office.
ANNEX II – TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
As set forth in Annex II to Attachment A.
ANNEX III – LIST OF SUB-PROCESSORS
As set forth in Annex III to Attachment A.