Skip to main content
Last Updated: January 2026 This Data Processing Agreement (“DPA”) is incorporated into and forms part of the agreement (the “Agreement”) between HoopAI, Inc. (“HoopAI,” “we,” “us”) and the entity identified in the Agreement (“Customer,” “you”) for the provision of the HoopAI platform and related services.
This DPA applies automatically to all customers whose use of the HoopAI platform involves the Processing of Personal Data subject to Applicable Data Protection Laws. By using the Services, Customer enters into this DPA on behalf of itself and, to the extent required under Applicable Data Protection Laws, in the name and on behalf of its authorized affiliates.

1. Definitions

For the purposes of this DPA, the following terms shall have the meanings set out below. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement.
TermDefinition
AccountThe Customer’s account on the HoopAI platform, created upon registration and governed by the Agreement.
AffiliateAny entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity, where “control” means direct or indirect ownership of more than 50% of the voting interests.
Applicable Data Protection LawsAll laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, Switzerland, the United Kingdom, the United States, and any other applicable jurisdiction, applicable to the Processing of Personal Data under this DPA.
Contracted ProcessorA Sub-processor engaged by HoopAI or a further Sub-processor to process Customer Personal Data on behalf of Customer.
Customer Personal DataAny Personal Data that is Processed by HoopAI on behalf of Customer in the course of providing the Services under the Agreement.
GDPRRegulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).
Restricted TransferA transfer of Customer Personal Data from Customer (or its Affiliate) to HoopAI (or its Sub-processor) where such transfer would be prohibited by Applicable Data Protection Laws in the absence of appropriate safeguards.
SCCsThe standard contractual clauses for the transfer of personal data to processors established in third countries, as approved by the European Commission or other competent authority.
ServicesThe HoopAI platform and any related services provided to Customer under the Agreement, including CRM, marketing automation, communications, AI-powered features, payments, and related functionality.
Sub-processorAny third party appointed by or on behalf of HoopAI to Process Customer Personal Data on behalf of Customer in connection with the Agreement.
The following terms shall have the meanings given in the GDPR, irrespective of whether the GDPR applies to the particular Processing:
TermDefinition
ControllerThe natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. For purposes of this DPA, the Customer is the Controller.
Data SubjectAn identified or identifiable natural person to whom Personal Data relates.
Personal DataAny information relating to an identified or identifiable natural person that is Processed by HoopAI as part of Customer Personal Data.
Personal Data BreachA breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data transmitted, stored, or otherwise Processed.
ProcessingAny operation or set of operations performed on Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
ProcessorA natural or legal person, public authority, agency, or other body which Processes Personal Data on behalf of the Controller. For purposes of this DPA, HoopAI is the Processor.

2. Scope and Applicability

This DPA applies to the Processing of Customer Personal Data by HoopAI on behalf of Customer in connection with the provision of the Services. This DPA applies to all Customer Personal Data regardless of whether it relates to Data Subjects located in the European Economic Area, the United Kingdom, or any other jurisdiction.
This DPA shall remain in effect for the duration of the Agreement. HoopAI will Process Customer Personal Data until the relationship terminates as specified in the Agreement, and all Customer Personal Data is deleted or returned in accordance with this DPA.
This DPA applies to all Processing of Customer Personal Data by HoopAI under the Agreement. The details of the Processing, including subject matter, nature and purpose, types of Personal Data, and categories of Data Subjects, are set out in Exhibit A below.
The parties acknowledge and agree that with regard to the Processing of Customer Personal Data:
  • Customer is the Controller and determines the purposes and means of Processing Customer Personal Data.
  • HoopAI is the Processor and Processes Customer Personal Data only on behalf of and in accordance with Customer’s documented instructions.

3. Processing of Customer Personal Data

Each party shall comply with all Applicable Data Protection Laws in the performance of this DPA. For the avoidance of doubt, Customer shall be solely responsible for compliance with Applicable Data Protection Laws in respect of (a) the lawfulness of its instructions to HoopAI regarding the Processing of Customer Personal Data, and (b) making all required disclosures and obtaining all necessary consents and authorizations from Data Subjects.
HoopAI shall Process Customer Personal Data only in accordance with Customer’s documented instructions, unless Processing is required by applicable law to which HoopAI is subject. In such case, HoopAI shall inform Customer of that legal requirement before the relevant Processing, unless that law prohibits such information on important grounds of public interest. Customer instructs HoopAI to Process Customer Personal Data for the following purposes:
  • Processing in accordance with the Agreement, applicable Order Forms, and Statements of Work
  • Processing initiated by authorized users in their use of the Services
  • Processing to comply with other documented, reasonable instructions provided by Customer where such instructions are consistent with the terms of the Agreement
Customer’s use of AI-powered features within the Services (including AI agents, content generation, and automated workflows) constitutes documented instructions to Process Customer Personal Data through such features. Customer is responsible for configuring AI features in compliance with Applicable Data Protection Laws.
HoopAI shall:
  • Process Customer Personal Data only for the purposes described in this DPA and as further documented in Customer’s written instructions
  • Not Process Customer Personal Data for any purpose other than as set forth herein, unless (a) Customer and HoopAI have agreed to additional written instructions, or (b) Processing is required by applicable law
  • Promptly inform Customer if, in HoopAI’s opinion, an instruction infringes Applicable Data Protection Laws

4. Personnel

HoopAI shall take reasonable steps to ensure the reliability of any employee, agent, or contractor who may have access to Customer Personal Data, ensuring that all such individuals are subject to enforceable confidentiality obligations.
HoopAI shall ensure that access to Customer Personal Data is limited to those personnel who require such access to perform the Services and to comply with Applicable Data Protection Laws in the context of that individual’s assigned duties.
HoopAI shall ensure that all persons authorized to Process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. HoopAI shall ensure such persons Process Customer Personal Data only as necessary and in accordance with this DPA.

5. Security of Processing

Taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, HoopAI shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Appendix I of this DPA.
HoopAI shall maintain administrative safeguards including, but not limited to:
  • Documented information security policies reviewed and updated at least annually
  • Security awareness training for all personnel with access to Customer Personal Data
  • Background checks for employees in accordance with applicable law
  • Incident response procedures and a designated incident response team
  • Vendor risk management for all Sub-processors
HoopAI shall maintain technical safeguards including, but not limited to:
  • Encryption of Customer Personal Data in transit (TLS v1.2 or higher) and at rest (AES-256 CBC)
  • Multi-factor authentication capabilities
  • Intrusion detection and prevention systems
  • Firewall protection and network segmentation
  • Regular vulnerability scanning and patch management
HoopAI shall maintain organizational safeguards including, but not limited to:
  • Role-based access controls operating on the principle of least privilege
  • Physical security measures for data centers and office facilities
  • Business continuity and disaster recovery plans
  • Regular testing and evaluation of the effectiveness of security measures
Customer acknowledges that HoopAI’s security measures are subject to technical progress and development. HoopAI may update or modify its security measures from time to time, provided that such updates do not result in a material decrease in the overall level of security of the Services.

6. Sub-processors

Customer provides a general written authorization for HoopAI to engage Sub-processors to Process Customer Personal Data in connection with the Services. HoopAI maintains a current list of Sub-processors at hoopai.com/sub-processors, which includes the identities and locations of all Sub-processors.
HoopAI shall notify Customer of any intended changes concerning the addition or replacement of Sub-processors at least 30 days prior to such changes. Notification shall be provided via email to the address associated with Customer’s Account or through the Services.
Customer may object to HoopAI’s use of a new Sub-processor by notifying HoopAI in writing within 30 days after receipt of HoopAI’s notification. If Customer reasonably objects on data protection grounds, the parties shall discuss the concern in good faith. If no resolution is reached, HoopAI shall, at its discretion:
  • Cease using the objected-to Sub-processor for Processing Customer Personal Data, or
  • Take the corrective steps requested by Customer and proceed with the Sub-processor, or
  • Enable Customer to terminate the affected portion of the Services without penalty
If Customer does not object within the 30-day period, Customer is deemed to have accepted the new Sub-processor.
Where HoopAI engages a Sub-processor, HoopAI shall:
  • Carry out adequate due diligence to ensure the Sub-processor is capable of providing the level of protection required by this DPA
  • Enter into a written agreement with the Sub-processor imposing data protection obligations no less protective than those set out in this DPA
  • Ensure that each Sub-processor is bound by the same obligations regarding Customer Personal Data as HoopAI
HoopAI shall remain fully liable to Customer for the performance of each Sub-processor’s obligations in accordance with this DPA. Where a Sub-processor fails to fulfill its data protection obligations, HoopAI shall remain liable to Customer for the Sub-processor’s actions and omissions as if HoopAI had performed the services of the Sub-processor itself.

7. Data Subject Rights

Taking into account the nature of the Processing, HoopAI shall assist Customer by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer’s obligation to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Laws, including:
  • Right of access
  • Right to rectification
  • Right to erasure (“right to be forgotten”)
  • Right to restriction of processing
  • Right to data portability
  • Right to object
  • Rights related to automated decision-making and profiling
HoopAI shall promptly notify Customer if HoopAI receives a request from a Data Subject in respect of Customer Personal Data. HoopAI shall not respond to any such Data Subject request without Customer’s prior written instructions, unless required to do so by applicable law.
The HoopAI platform provides self-service tools to assist Customer in fulfilling Data Subject rights requests:
ToolFunction
Contact ExportExport all data associated with a contact in machine-readable format
Contact DeletionPermanently delete a contact and all associated Personal Data
Conversation HistoryAccess and export all conversation records for a Data Subject
Consent ManagementView and manage consent records for marketing communications
Data ModificationUpdate or correct Personal Data within contact records

8. Personal Data Breaches

HoopAI shall notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data. Notification shall be provided to the email address associated with Customer’s Account.
The notification shall, to the extent available, describe:
  • The nature of the Personal Data Breach, including where possible, the categories and approximate number of Data Subjects concerned, and the categories and approximate number of Customer Personal Data records concerned
  • The name and contact details of HoopAI’s data protection officer or other contact point where more information can be obtained
  • The likely consequences of the Personal Data Breach
  • The measures taken or proposed to be taken by HoopAI to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects
HoopAI shall cooperate with Customer and take commercially reasonable steps to assist in the investigation, mitigation, and remediation of each Personal Data Breach. Where it is not possible to provide all required information at the time of the initial notification, HoopAI shall provide such information in phases without further undue delay.
HoopAI’s obligation to report or respond to a Personal Data Breach under this Section is not and will not be construed as an acknowledgement by HoopAI of any fault or liability with respect to the Personal Data Breach.

9. Data Protection Assessments

HoopAI shall provide reasonable assistance to Customer with any data protection impact assessments and prior consultations with supervisory authorities or other competent data privacy authorities, to the extent required under Applicable Data Protection Laws, taking into account the nature of the Processing and information available to HoopAI.
Such assistance may include:
  • Providing information about HoopAI’s Processing activities, technical and organizational measures, and Sub-processors
  • Assisting Customer in ensuring compliance with its obligations under Articles 35 and 36 of the GDPR (or equivalent provisions under other Applicable Data Protection Laws)
  • Making available relevant documentation, including security certifications and audit reports

10. Deletion or Return of Customer Personal Data

HoopAI shall provide Customer with the technical means to retrieve and export Customer Personal Data during the term of the Agreement through the platform’s built-in export functionality.
Upon cessation of the Services or upon Customer’s written request, HoopAI shall, at Customer’s election:
  • Return a complete copy of all Customer Personal Data to Customer in a commonly used, machine-readable format, and/or
  • Delete all Customer Personal Data, including all existing copies, unless applicable law requires storage of the Customer Personal Data
Upon termination of the Agreement, Customer data will be retained for a maximum of 30 days to allow for data export. After this period, all Customer Personal Data will be permanently deleted from HoopAI systems, including backups, within 90 days unless a longer retention period is required by law.
Any Customer Personal Data retained in archived backup systems shall be securely isolated and protected from any further Processing, except to the extent necessary to comply with applicable law. Such archived data shall be deleted in accordance with HoopAI’s standard backup rotation schedules.
Upon request, HoopAI shall provide written confirmation of the deletion of Customer Personal Data.

11. Audit Rights

HoopAI shall make available to Customer all information reasonably necessary to demonstrate compliance with the obligations set forth in this DPA and shall allow for and contribute to audits, including inspections, conducted by Customer or an independent auditor mandated by Customer, subject to the terms of this Section.
Audits shall be:
  • Conducted no more than once per calendar year, unless required by a supervisory authority or following a Personal Data Breach
  • Carried out during normal business hours with reasonable advance notice (at least 30 days)
  • Subject to reasonable confidentiality obligations
  • Conducted in a manner that minimizes disruption to HoopAI’s operations
  • At Customer’s expense, unless the audit reveals material non-compliance by HoopAI
HoopAI may satisfy audit requests by providing:
  • SOC 2 Type II audit reports or equivalent third-party certifications
  • Results of penetration tests (summary form)
  • Written responses to reasonable audit questionnaires
  • Remote access to relevant documentation and records
Where such reports or certifications are sufficient to address Customer’s reasonable audit concerns, Customer agrees to accept them in lieu of an on-site audit.

12. Restricted Transfers

To the extent that the Processing of Customer Personal Data involves a Restricted Transfer, the parties shall comply with the obligations set forth in the applicable Standard Contractual Clauses (SCCs), which are hereby incorporated by reference into this DPA. For transfers from the EEA, the SCCs approved by the European Commission (Decision 2021/914) shall apply.
HoopAI may rely on its certification under the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and/or the Swiss-U.S. Data Privacy Framework (as applicable) as a valid transfer mechanism for Restricted Transfers to the United States.
Where neither SCCs nor the Data Privacy Framework provide an adequate basis for a Restricted Transfer, the parties shall cooperate in good faith to implement an alternative legally recognized transfer mechanism that provides adequate safeguards for Customer Personal Data.
HoopAI shall implement supplementary technical and organizational measures as may be necessary to ensure that the level of protection afforded to Customer Personal Data meets the requirements of Applicable Data Protection Laws, including encryption, pseudonymization, and access controls.

13. No Selling of Customer Personal Data

Customer retains all rights, title, and interest in and to Customer Personal Data. HoopAI shall not sell, rent, lease, or otherwise make available Customer Personal Data to any third party except as expressly authorized in the Agreement or as instructed by Customer. HoopAI shall not retain, use, or disclose Customer Personal Data for any purpose other than for the specific purpose of performing the Services specified in the Agreement, or as otherwise permitted by Applicable Data Protection Laws.

14. Amendment

HoopAI reserves the right to update or modify this DPA from time to time to reflect changes in Applicable Data Protection Laws or HoopAI’s Processing activities. HoopAI shall provide Customer with at least 14 days’ prior written notice of any material changes to this DPA. Customer’s continued use of the Services after the effective date of any changes constitutes acceptance of the updated DPA. If Customer does not agree to the changes, Customer may terminate the affected Services in accordance with the Agreement.

Exhibit A — Details of Processing

Parties

RoleEntity
Data Exporter (Controller)Customer, as identified in the Agreement
Data Importer (Processor)HoopAI, Inc., a company incorporated in the State of Delaware, with offices in Dallas, Texas, United States
Contact for Data Protectionprivacy@hoopai.com

Processing Details

ElementDescription
Subject MatterProvision of the Services as described in the Agreement, including CRM, marketing automation, AI-powered features, communications, payment processing, and related functionality
Nature of ProcessingCollection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, combination, restriction, erasure, and destruction
Purpose of ProcessingTo provide, maintain, and improve the Services, including facilitating Customer’s use of the HoopAI platform for customer relationship management, communications, marketing, automation, and payments
DurationFor the term of the Services Agreement, plus the post-termination data retention period specified in Section 10
Frequency of ProcessingRegular and repeating, on a continuous basis for the duration of the Agreement

Categories of Data Subjects

CategoryDescription
Customer personnelEmployees, agents, contractors, and representatives of Customer who access the HoopAI platform
Businesses contracting with CustomerBusiness entities and their representatives whose data Customer manages through the Services
End usersIndividuals whose Personal Data is entered into, stored within, or transmitted through the platform by Customer, including contacts, leads, website visitors, calendar participants, payment payers, and AI agent interaction participants

Categories of Personal Data

CategoryExamples
Identity dataFull name, email address, phone number, mailing address, company name, job title
Communication dataEmail content, SMS/MMS messages, chat transcripts, call recordings, voicemail
Calendar dataAppointment details, booking form responses, participant information
Financial dataTransaction amounts, billing information, last four digits of payment card, invoices
Behavioral dataWebsite activity, engagement metrics, workflow execution logs, consent records
AI interaction dataConversation transcripts with AI agents, intent data, actions taken
Any other Personal DataAny additional Customer Personal Data provided by Customer or its end users through the Services

Retention

Customer Personal Data is retained for the duration of the Services Agreement plus the post-termination period described in Section 10. Customer may delete Personal Data at any time using the platform’s built-in tools.

Appendix I — Technical and Organizational Security Measures

HoopAI implements and maintains the following technical and organizational measures to protect Customer Personal Data:

Encryption

MeasureDetails
Encryption at restAES-256 CBC encryption for all stored Customer Personal Data
Encryption in transitTLS v1.2 or higher (SSL/HTTPS) for all data transmissions

Confidentiality

MeasureDetails
Endpoint protectionEnterprise endpoint detection and response (EDR) deployed across all workstations and servers
Access controlsRole-based access control (RBAC) enforcing the principle of least privilege
Cloud infrastructureHosted on AWS and Google Cloud with SOC 2 and ISO 27001 certifications
PersonnelConfidentiality agreements, background checks, and regular security training

Availability and Resilience

MeasureDetails
Backup granularity5-minute backup granularity with point-in-time recovery capability
RedundancyGeographically distributed data centers with automated failover
Business continuityDocumented disaster recovery and business continuity plans tested regularly

Testing and Evaluation

MeasureDetails
Penetration testingAnnual third-party penetration testing
Vulnerability scanningRegular automated vulnerability scans with timely remediation
Patch managementStructured patch management program for timely application of security updates

User Identification and Authentication

MeasureDetails
Authentication tokensEncrypted tokens for session management and API access
RBACRole-based access control at application and infrastructure levels
Password policyStrong password requirements enforced across all accounts
MFAMulti-factor authentication available for all user accounts

Data Transmission Protection

MeasureDetails
ProtocolSSL/HTTPS enforced for all platform communications
Minimum standardTLS v1.2 or higher required for all connections
API securityAuthenticated and encrypted API endpoints

Data Storage Protection

MeasureDetails
EncryptionAES-256 CBC encryption for all data at rest
Key managementHardware security modules (HSMs) for cryptographic key management
Data segregationLogical separation of customer data within multi-tenant architecture

Physical Security

MeasureDetails
Data centersAWS and Google Cloud managed facilities with SOC 2, ISO 27001, and physical access controls
AccessBiometric access controls, 24/7 surveillance, and security personnel at all data center locations

Logging and Monitoring

MeasureDetails
Cloud loggingGoogle Cloud Operations Suite and AWS CloudWatch for infrastructure monitoring
Audit logsComprehensive audit logging of all administrative actions and data access events
SIEMSecurity information and event management with 24/7 monitoring

Configuration Management

MeasureDetails
Version controlAll infrastructure and application configurations managed through version control
Standardized imagesHardened, standardized server images deployed across all environments
Change managementDocumented change management procedures for all production changes

IT Governance

MeasureDetails
Internal securityIn-house security team responsible for security operations
MSSP SOCThird-party managed security service provider (MSSP) Security Operations Center (SOC)
Policy reviewAnnual review and update of all information security policies

Certifications

CertificationDetails
HIPAAHIPAA Seal of Compliance for healthcare-related data processing

Additional Measures

MeasureDetails
Data minimizationProcessing limited to what is necessary for the specified purposes
Data qualityMechanisms to ensure accuracy and currency of Customer Personal Data
Data retentionAutomated retention policies with configurable deletion schedules
AccountabilityDocumented policies, procedures, and training to demonstrate compliance
Portability and erasureSelf-service export and deletion tools available to Customer

Exhibit B — Jurisdiction-Specific Terms

The following jurisdiction-specific terms supplement this DPA and apply to the extent Customer Personal Data is subject to the data protection laws of the specified jurisdictions.
To the extent HoopAI Processes Customer Personal Data subject to the Australian Privacy Act 1988 (Cth) (“Australian Privacy Act”):
  • References to “Personal Data” include “personal information” as defined in the Australian Privacy Act
  • HoopAI shall comply with the Australian Privacy Principles (APPs) to the extent applicable to its role as a Processor
  • HoopAI shall not transfer Customer Personal Data outside of Australia unless it has taken reasonable steps to ensure the recipient does not breach the APPs, or an exception under APP 8.2 applies
  • In the event of a data breach that is likely to result in serious harm to any individual, HoopAI shall cooperate with Customer in complying with the Notifiable Data Breaches scheme under Part IIIC of the Australian Privacy Act
To the extent HoopAI Processes Customer Personal Data subject to the Brazilian General Data Protection Law (Lei Geral de Protecao de Dados — “LGPD”), Law No. 13,709/2018:
  • References to “Personal Data” include “dados pessoais” as defined in the LGPD
  • HoopAI, as the “operador” (operator), shall Process Customer Personal Data only in accordance with Customer’s documented instructions as the “controlador” (controller)
  • HoopAI shall assist Customer in complying with Data Subject rights under Articles 17-22 of the LGPD
  • HoopAI shall implement security measures in accordance with Article 46 of the LGPD
  • International transfers of Customer Personal Data shall be conducted in compliance with Chapter V of the LGPD
To the extent HoopAI Processes Customer Personal Data subject to the Personal Information Protection and Electronic Documents Act (“PIPEDA”) or substantially similar provincial legislation:
  • References to “Personal Data” include “personal information” as defined in PIPEDA
  • HoopAI shall implement safeguards that are appropriate to the sensitivity of the Customer Personal Data
  • HoopAI shall assist Customer in responding to access requests from individuals under Principle 9 of Schedule 1 to PIPEDA
  • Customer acknowledges that Customer Personal Data may be Processed in the United States and consents to such transfer, subject to HoopAI maintaining adequate protections as described in this DPA
  • HoopAI shall notify Customer of any breach of security safeguards involving Customer Personal Data that creates a real risk of significant harm to an individual
To the extent HoopAI Processes Customer Personal Data subject to the GDPR:
  • Where Customer Personal Data is transferred from the EEA to HoopAI in a jurisdiction not deemed to provide an adequate level of data protection by the European Commission, the parties agree that the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) shall apply as follows:
    • Module Two (Controller to Processor) shall apply where Customer is a Controller and HoopAI is a Processor
    • Module Three (Processor to Processor) shall apply where Customer is a Processor acting on behalf of a third-party Controller and HoopAI is a Sub-processor
  • The SCCs shall be deemed completed as follows:
    • Clause 7: The optional docking clause shall apply
    • Clause 9(a): Option 2 (general written authorization) shall apply, with a prior notice period of 30 days
    • Clause 11: The optional language shall not apply
    • Clause 17: Option 1 shall apply, governed by the law of Ireland
    • Clause 18(b): Disputes shall be resolved before the courts of Ireland
  • Annex I of the SCCs shall be deemed completed with the information set out in Exhibit A of this DPA
  • Annex II of the SCCs shall be deemed completed with the information set out in Appendix I of this DPA
To the extent HoopAI Processes Customer Personal Data subject to the Swiss Federal Act on Data Protection (“FADP”):
  • References to “Personal Data” include “personal data” as defined in the FADP
  • The SCCs (as set forth in the EEA section above) shall also apply to transfers of Customer Personal Data from Switzerland, with the following modifications:
    • References to the “GDPR” shall be interpreted as references to the FADP
    • References to “EU,” “Union,” and “Member State” shall be interpreted as references to Switzerland
    • The competent supervisory authority shall be the Swiss Federal Data Protection and Information Commissioner (FDPIC)
    • The governing law and forum shall be Switzerland
To the extent HoopAI Processes Customer Personal Data subject to the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018:
  • References to the “GDPR” shall include the UK GDPR
  • Where Customer Personal Data is transferred from the United Kingdom to HoopAI in a jurisdiction not deemed to provide an adequate level of data protection, the International Data Transfer Addendum to the EU Standard Contractual Clauses (as issued by the UK Information Commissioner’s Office) shall apply
  • The competent supervisory authority shall be the UK Information Commissioner’s Office (ICO)
  • References to applicable law shall include the laws of England and Wales
To the extent HoopAI Processes Customer Personal Data subject to U.S. state privacy laws:California (CCPA/CPRA)
  • For purposes of the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (“CCPA”), HoopAI is a “service provider” and Customer is a “business”
  • HoopAI shall not sell or share Customer Personal Data as those terms are defined under the CCPA
  • HoopAI shall not retain, use, or disclose Customer Personal Data for any purpose other than providing the Services, or as otherwise permitted by the CCPA
  • HoopAI shall not combine Customer Personal Data with Personal Data that HoopAI receives from or on behalf of another person or collects from its own interaction with the Data Subject, except as permitted by the CCPA
  • HoopAI shall comply with applicable obligations under the CCPA and grant Customer the same level of privacy protection as required by the CCPA
  • HoopAI shall notify Customer if it determines it can no longer meet its obligations under the CCPA
Other U.S. State Privacy Laws
  • To the extent Customer Personal Data is subject to other U.S. state privacy laws (including but not limited to the Virginia Consumer Data Protection Act, Colorado Privacy Act, Connecticut Data Privacy Act, Utah Consumer Privacy Act, Texas Data Privacy and Security Act, Oregon Consumer Privacy Act, Montana Consumer Data Privacy Act, and other applicable state laws), HoopAI shall Process Customer Personal Data in accordance with the applicable requirements of such laws
  • HoopAI shall assist Customer in responding to consumer rights requests under applicable state privacy laws
  • HoopAI shall implement and maintain reasonable security practices and procedures appropriate to the nature of the Customer Personal Data

Contact

For questions about this Data Processing Agreement, contact us at:
  • Email: privacy@hoopai.com
  • Address: HoopAI, Inc., Attn: Data Protection, Dallas, Texas, United States
Last modified on March 6, 2026