Data Processing Addendum

The data protection terms that apply where HeyStream processes personal data on a customer's behalf in connection with the service.

This Data Processing Addendum explains the data protection terms that apply when customers use HeyStream and we process personal data on their behalf as a processor or service provider.

It is designed to cover the standard processor obligations customers usually expect for a B2B SaaS product, while keeping the document readable and public-facing.

  • This addendum applies where HeyStream processes personal data on a customer's behalf in connection with the service.
  • The customer remains responsible for its instructions, lawful basis, notices, permissions, and the accuracy of the personal data it submits.
  • HeyStream will process customer personal data only on documented instructions, keep it confidential, implement appropriate security measures, and assist with privacy obligations as required by law.
  • HeyStream may use subprocessors to operate the service, and the current operational list is published on the Subprocessors page.
  • International transfers will be handled using an appropriate lawful transfer mechanism where required.

Purpose and scope

This Data Processing Addendum, or DPA, forms part of the agreement between you and HEY SUMMIT LTD for the provision of HeyStream where we process personal data on your behalf.

This DPA applies only to customer personal data that HeyStream processes as a processor or service provider in connection with the service. It does not apply to personal data that HeyStream processes as a controller for its own business purposes, such as account administration, billing, security, support, or direct customer relationship management.

If there is a conflict between this DPA and the main commercial agreement solely in relation to data protection matters, this DPA will control to that extent.

Roles of the parties

You act as the controller or business for the customer personal data you submit to HeyStream, except where applicable law expressly states otherwise.

HeyStream acts as your processor or service provider and will process customer personal data only to provide, secure, support, maintain, and improve the service in accordance with your documented instructions, this DPA, and applicable law.

Customer instructions and responsibilities

Your use of the service, account settings, configuration choices, integration choices, and written instructions to us together form your documented instructions for processing.

You are responsible for making sure your instructions are lawful and that you have an appropriate legal basis, notices, permissions, and rights for the collection and use of customer personal data through HeyStream.

You must not instruct HeyStream to process customer personal data in a way that violates applicable data protection law. If we believe an instruction is unlawful, we may notify you and suspend the affected processing until the issue is resolved.

Details of processing

Subject matter: the provision of HeyStream's live streaming, registration, audience CRM, replay, messaging, and related support services.

Duration: for as long as HeyStream processes customer personal data on your behalf under the applicable agreement, plus any limited retention period required for backups, security, legal obligations, or dispute resolution.

Nature of processing: collection, organization, storage, hosting, retrieval, consultation, transmission, synchronization, analysis, deletion, and other processing needed to operate the service according to your configuration and use.

Purpose of processing: to provide the service, including event operations, registrations, attendee management, live and replay delivery, audience engagement, follow-up workflows, integrations, customer support, security, and reliability.

Categories of personal data: may include names, email addresses, profile details, registration responses, CRM fields, communication history, event participation data, viewing-session data, chat or Q&A content, technical identifiers, and other data you choose to submit to the service.

Categories of data subjects: may include your users, administrators, presenters, moderators, attendees, leads, prospects, customers, contacts, and other individuals whose personal data you or your users submit to HeyStream.

Confidentiality and personnel

HeyStream will ensure that persons authorized to process customer personal data are subject to appropriate confidentiality obligations.

Access to customer personal data will be limited to personnel and contractors who need that access for the permitted purposes described in this DPA.

Security measures

HeyStream will implement appropriate technical and organizational measures designed to protect customer personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access, taking into account the state of the art, implementation cost, nature of processing, and the risks involved.

Those measures include, as appropriate to the service and risk profile, controls such as access management, authentication controls, logical separation, monitoring, vulnerability management, infrastructure protections, secure transmission practices, backup and recovery processes, and incident response procedures.

  • role-based or limited access to systems and production data
  • authentication and credential-management controls
  • logging, monitoring, and security-oriented operational practices
  • network, platform, and infrastructure protections appropriate to the hosting environment
  • backup, resilience, and recovery measures designed to support service continuity
  • processes for testing, reviewing, and updating security measures over time

Subprocessors

You authorize HeyStream to use subprocessors to provide and support the service, provided that HeyStream remains responsible for their performance of the relevant processing obligations to the extent required by law.

HeyStream will impose data protection obligations on subprocessors that are appropriate to the nature of the processing and materially protective of customer personal data.

HeyStream's current operational subprocessors are listed on the Subprocessors page. We may update that list from time to time as our service providers change.

International transfers

Where customer personal data is transferred outside the UK, EEA, or another jurisdiction that requires transfer safeguards, HeyStream will use an appropriate lawful transfer mechanism for that transfer, such as the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, the EU Standard Contractual Clauses, an adequacy decision, or another valid mechanism recognized by applicable law.

To the extent a transfer mechanism requires supplementary steps or cooperation, the parties will work in good faith to implement them in a commercially reasonable manner.

Assistance with data protection obligations

Taking into account the nature of the processing and the information available to us, HeyStream will provide reasonable assistance to help you respond to requests from data subjects to exercise their rights under applicable data protection law.

HeyStream will also provide reasonable assistance, as appropriate to the service and information available to us, with your obligations relating to security of processing, personal data breach notifications, data protection impact assessments, and consultations with supervisory authorities.

Where the assistance requested requires material additional time or cost beyond what is included in the standard service, we may charge reasonable fees for that assistance, provided we tell you in advance where practicable.

Security incidents

HeyStream will notify you without undue delay after becoming aware of a confirmed personal data breach affecting customer personal data processed under this DPA.

That notification will include the information reasonably available to us about the nature of the incident, the likely consequences, and the measures taken or proposed to address it. We may provide information in phases as it becomes available.

HeyStream's notification of or response to a security incident is not an admission of fault or liability.

Deletion and return of data

Upon termination or expiry of the applicable agreement, HeyStream will delete or return customer personal data in accordance with the functionality of the service, your documented instructions, and our retention practices, unless applicable law requires us to retain some or all of the data.

You acknowledge that residual copies may remain for a limited period in backups, logs, disaster recovery systems, or legal archives, after which they will be deleted or overwritten in the ordinary course.

Information rights and audits

HeyStream will make available information reasonably necessary to demonstrate compliance with this DPA and applicable processor obligations.

Where required by applicable law and where reasonable information cannot satisfy the request, you may request an audit of HeyStream's relevant processing activities no more than once per year, or more frequently if required by a supervisory authority or following a confirmed security incident materially affecting your customer personal data.

Any audit must be conducted on reasonable notice, during normal business hours, in a manner that minimizes disruption, is subject to appropriate confidentiality restrictions, and does not require access to other customers' data, confidential security details beyond what is reasonably necessary, or information that would create a security, legal, or confidentiality issue.

Liability

The liability of each party under this DPA is subject to the exclusions and limitations of liability set out in the main agreement, unless applicable law requires otherwise.

Contact and supplementary terms

HEY SUMMIT LTD operates HeyStream. Our registered office is 71-75 Shelton Street, Covent Garden, London, England, WC2H 9JQ, and our company number is 11538852.

If you need a signed version of this DPA, a negotiated enterprise DPA, or additional transfer terms for procurement purposes, contact us at [email protected].

See also our Privacy Policy, Subprocessors page, and Terms of Service.