1. Data Processing Agreement (“DPA”).
This Data Processing Agreement (“DPA”) forms an integral part of, and is subject to the privacy notice ("Privacy Notice") and the
and any of its affiliates (“Processor”), in accordance with which Processor provides certain services ("Services") to user ("Controller"),
as set forth in detail in the TOU.
This DPA applies to the extent that the GDPR is applicable to the Processing of Personal Data of Data Subjects by the Processor, in the
Processor's performance under the Terms.
Capitalized terms not otherwise defined herein shall have the meaning set forth below:
3.1. Controller and Processor are hereinafter jointly referred to as the “Parties” and individually as the “Party”.
3.2. The following terms shall have the same meaning as in the GDPR: "Data Subject", "Member State", "Personal Data",
"Personal Data Breach", "Processing" and "Supervisory Authority".
3.3. "Applicable Laws" means (a) European Union or Member State laws with respect to any Processed Personal Data in respect of which
Controller is subject to EU Data Protection Laws; (b) any other applicable law with respect to any Processed Personal Data in
respect of which the Controller is subject to any other Data Protection Laws; and (c) the European Commission’s decision that
Israel offers adequate data protection for transfers from the EEA and the EU-US Privacy Shield Framework;
3.4. "Processed Personal Data" means any Personal Data Processed by Processor on behalf of Controller in accordance with the Terms
and the DPA;
3.5. "Data Protection Laws" means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of
any other applicable country as agreed in writing between the Parties, including in Israel;
3.6. "EU Data Protection Laws" means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as
amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
3.7. "GDPR" means EU General Data Protection Regulation 2016/679;
3.8. "Sub-Processor" means any person (including any third party and any Processor affiliate, but excluding an employee of Processor
or any of its sub-contractors) appointed by or on behalf of Processor to Process Personal Data on behalf of the Controller in
connection with this DPA and/or the Terms;
4. Processing of Personal Data on behalf of Controller.
4.1. Controller sets forth the details of the Processing of Processed Personal Data, as required by Article 28(3) of the GDPR in
Appendix A (Details of Processing of Processed Personal Data), attached hereto. Processor shall not Process Processed Personal
Data other than on the Controller’s instructions in this DPA, unless such Processing is required by Applicable Laws to which the
Processor is subject.
4.2. Controller shall instruct Processor (and authorize Processor to instruct each Sub-Processor) to (i) Process Processed Personal
Data; and (ii) in particular, transfer Processed Personal Data to any country or territory, all as reasonably necessary for the
provision of the Services under the Terms, and in accordance with Applicable Laws.
4.3. Controller warrants and represents that it is and will remain duly and effectively authorized to give the instruction set out
herein and any additional instructions as provided pursuant to the Terms, at all relevant times and at least for as long as the
Terms are in effect and for any additional period during which Processor is lawfully processing the Processed Personal Data.
4.4. Without derogating from Controller’s obligations hereunder, Controller may only provide to Processor, or otherwise have Processor
(or anyone on its behalf) process, such Personal Data which is explicitly permitted under Processor’s Privacy Notice
("Permitted Personal Data"). Solely Controller shall be liable for any data which is made available to Processor in excess of the
Permitted Personal Data (“Non-Permitted Data”). Processor's obligations under the Terms and/or under this DPA shall not apply to any such
5.1. Processor shall, in relation to the Processed Personal Data, implement appropriate technical and organizational measures to provide
an appropriate level of security, including, as appropriate and applicable, the measures referred to in Article 32(1) of the GDPR.
5.2. Processor shall take reasonable steps to ensure that access to the Processed Personal Data is limited on a need to know/access basis,
and that all Processor personnel receiving such access are subject to confidentiality undertakings or professional or statutory
obligations of confidentiality in connection with their access/use of Processed Personal Data.
6.1. Controller authorizes Processor to appoint Sub-Processors in accordance with the provision of this DPA and the Terms.
6.2. Processor may continue to use those Sub-Processors already engaged by Processor as of the date of this DPA. It is acknowledged
and agreed that as of the date of this DPA Processor uses certain Sub-Processors; a list of such Sub-Processors will be provided
6.3. Processor may appoint new Sub-Processors and shall give notice of the appointment of any new Sub-Processor, whether by general or
specific reference to such Sub-Processor (e.g., by name or type of service), including relevant details of the Processing to be
undertaken by the new Sub-Processor.
If, within seven (7) days of such notice, Controller notifies Processor in writing of any objections (on reasonable grounds) to
the proposed appointment, Processor shall not appoint for the processing of Processed Personal Data the proposed Sub-Processor until
reasonable steps have been taken to address the objections raised by Controller, and Controller has been provided with a reasonable
written explanation of the steps taken. Where such steps are not sufficient to relieve Controller’s reasonable objections then
Controller and/or Processor may, by written notice to the other Party, with immediate effect, terminate the TOU to the extent that
it relates to the Services which require the use of the proposed Sub-Processor without bearing liability for such termination.
6.4. Before any Sub-Processor first Processes Processed Personal Data, Processor shall take reasonable steps to ensure that the
Sub-Processor is committed to provide the level of protection for Processed Personal Data required by the Terms, e.g., by way
of reviewing the privacy policies and/or other relevant terms, which should meet the requirements of Applicable Laws and offer
a materially similar level of protection for Processed Personal Data as those set out in this DPA.
7. Data Subjects' Rights.
7.1. Controller shall be solely responsible for compliance with any statutory obligations concerning requests to exercise Data Subject
rights under Data Protection Laws (e.g., for access, rectification, deletion of Processed Personal Data, etc.).
Taking into account the nature of the Processing, Processor shall reasonably endeavor to assist Controller insofar as feasible,
to fulfil Controller's said obligations with respect to such Data Subject requests, as applicable, at Controller’s sole expense.
7.2. Processor shall (i) promptly notify Controller if it receives a request from a Data Subject under any Data Protection Law in
respect of Processed Personal Data; and (ii) not respond to that request, except on the written instructions of Controller or as
required by Applicable Laws to which the Processor is subject, in which case Processor shall, to the extent permitted by
Applicable Laws, inform Controller of that legal requirement before it responds to the request.
8. Personal Data Breach.
8.1. Processor shall notify Controller without undue delay upon Processor becoming aware of any Personal Data Breach affecting Processed
Personal Data, in connection with the Processing of such Processed Personal Data by the Processor. Processor shall provide
Controller with all information in Processor’s possession to assist Controller to meet any obligations to inform Data Subjects or
Data Protection authorities of the Personal Data Breach under the Data Protection Laws.
8.2. At the written request of the Controller and at Controller’s sole expense, Processor shall reasonably cooperate with Controller and
take such commercially reasonable steps as are agreed by the parties or necessary under Privacy Protection Laws to assist in the
investigation, mitigation and remediation of each such Personal Data Breach.
9. Data Protection Impact Assessment and Prior Consultation.
9.1. At the written request of the Controller, and at Controller's sole expense, the Processor shall provide reasonable assistance to
Controller, with any data protection impact assessments or prior consultations with Supervising Authorities or other competent
data privacy authorities, as required under any applicable Data Protection Laws. Such assistance shall be solely in relation to
Processing of Processed Personal Data by the Processor.
10. Deletion or Return of Processed Personal Data.
10.1. Subject to the terms hereof, Processor shall promptly and in any event within up to sixty (60) days of the date of cessation of
any Services pursuant to the Terms involving the Processing of Processed Personal Data (the "Cessation Date"), delete or
pseudonymize all copies of those Processed Personal Data, except such copies as authorized including under this DPA or required
to be retained in accordance with Applicable Laws.
10.2. Processor may retain Processed Personal Data to the extent authorized or required by Applicable Laws, provided that Processor
shall ensure the confidentiality of all such Processed Personal Data and shall ensure that it is only processed for such legal
10.3. Upon Controller’s prior written request, Processor shall provide written certification to Controller that it has complied with
this Section 9.
11. Audit Rights
11.1. Subject to the terms hereof, once in each calendar year, Processor shall make available to a reputable auditor mandated by
Controller in coordination with Processor, upon prior written request, within normal business hours at Processor's premises,
such information necessary to reasonably demonstrate compliance with this DPA, and shall allow for audits, including inspections,
by such reputable auditor mandated by the Controller in relation to the Processing of the Processed Personal Data by the
Processor, provided that such third-party auditor shall be subject to confidentiality obligations.
11.2. Controller shall give Processor reasonable prior written notice of any audit or inspection to be conducted under this Section and
shall use (and ensure that each of its mandated auditors uses) its best efforts to avoid causing (or, if it cannot avoid, to
minimize) any damage, injury or disruption to the Processor's premises, equipment, personnel and business while its personnel are
on those premises in the course of such an audit or inspection. Controller and Processor shall mutually agree upon the scope,
timing and duration of the audit or inspection in addition to the reimbursement rate for which Controller shall be responsible.
12. General Terms.
12.1. Governing Law and Jurisdiction. All disputes with respect to this DPA shall be determined in accordance with the laws of the State
of Israel and shall be handled at a competent court in Tel Aviv-Yaffo.
12.2. Conflict. In the event of any conflict or inconsistency between this DPA and any other agreements between the Parties, including
agreements entered into after the date of this DPA, the provisions of this DPA shall prevail.
12.3. Changes in Data Protection Laws. Controller may by at least forty-five (45) calendar days' prior written notice to Processor,
request in writing any variations to this DPA if they are required, as a result of any change in, or decision of a competent
authority under any applicable Data Protection Law, to allow Processing of those Processed Personal Data to be made (or continue
to be made) without breach of that Data Protection Law, and if Controller gives notice with respect to its request to modify this
DPA hereunder Processor shall make commercially reasonable efforts to accommodate such modification request, and Controller shall
not unreasonably withhold or delay agreement to any consequential variations to this DPA proposed by Processor to protect the
Processor against additional risks, or to indemnify and compensate Processor for any further steps and costs associated with
the variations made herein.
12.4. Severance. Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and
in force. The invalid or unenforceable provision shall either be (i) amended as necessary to ensure its validity and enforceability,
while preserving the Parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the
invalid or unenforceable part had never been contained therein.
Details of Processing of Processed Personal Data (As required by Article 28(3) of the GDPR)
1. Subject matter and duration of the Processing of Processed Personal Data:
The subject matter and duration of the Processing of the Processed Personal Data are set forth in the Terms and this DPA.
2. The nature and purpose of the Processing of Processed Personal Data is rendering Services, as detailed and defined in the TOU and the
3. The types of Processed Personal Data to be Processed are as detailed in the Privacy Notice.
4. The categories of Data Subject to whom the Processed Personal Data relates are as follows: natural persons who are end users of
the Controller's or any other third parties' services.
5. The obligations and rights of Controller are as set forth in the GDPR.