Data Processing Agreement

According to LEG-23-0003 DPA for Customers V. 1.0

This Data Processing Agreement (“DPA”) forms part of the SAAS SERVICES ORDER AGREEMENT (hereinafter referred to as the “Principal Agreement”) between Customer (hereinafter referred to as the “Controller”), acting on its own behalf, and Company (hereinafter referred to as the “Processor”), acting on its own behalf.


The terms used in this Agreement shall have the meanings set forth in this Agreement. Terms not otherwise defined herein shall have the meaning given to them in the Principal Agreement. Except as modified below, the terms of the Principal Agreement shall remain in full force and effect.


1. Definitions

In this Agreement, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:

“Sub-processor” means any Data Processor (including any third party) appointed by the Processor to process the Controller’s Personal Data on behalf of the Controller.

“Data Protection Laws” means the EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council (“EU GDPR”), the EU GDPR as incorporated into United Kingdom domestic law pursuant to Section 3 of the European Union (Withdrawal) Act 2018 (the “UK GDPR”) (together the “GDPR”), the Swiss Federal Act on Data Protection of June 19, 1992, as revised from time to time (“FADP”), as well as any other data protection laws applicable to the Processor in the processing of Controller Personal Data under this Agreement.

“Erasure” means the removal or destruction of Personal Data such that it cannot be recovered or reconstructed.

“EEA” means the European Economic Area.

“Third Country” means any country outside the EEA, the United Kingdom or Switzerland, except where that country is the subject of a valid adequacy decision on the protection of Personal Data in third countries by the European Commission or by the relevant data protection authorities of the United Kingdom or Switzerland, as applicable.

“Controller Personal Data” means the data described in Annex 3 and any other Personal Data processed by Processor on behalf of the Controller pursuant to or in connection with the Principal Agreement. The terms Personal Data and Controller’s Personal Data have the same meaning in the context of this Agreement.

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Controller Personal Data transmitted, stored or otherwise processed.

“Services” means the services to be supplied by the Processor to the Controller pursuant to the Principal Agreement.

“Products” means the products to be supplied by the Processor to the Controller pursuant to the Principal Agreement.


2. Data Processing Terms

In the course of providing the Services and/or Products to the Controller pursuant to the Principal Agreement, the Processor may process Controller Personal Data on behalf of the Controller as per the terms of this Agreement. The Processor agrees to comply with the following provisions with respect to any Controller Personal Data.

The Controller is responsible for the data to be processed, shall ensure that it has a legal basis for the processing, and shall uphold the rights of the data subjects.

The Processor shall maintain all the technical and organisational measures required to comply with the requirements set out in this Agreement and Annex 1.


3. The Data to be Processed

Only the data set out in Annex 3 is covered by this Agreement.

4. Processing of Controller’s Personal Data

The Processor shall only process Controller Personal Data for the purposes of the Principal Agreement. The Processor shall not process, transfer, modify, amend or alter the Controller Personal Data, or disclose or permit the disclosure of the Controller Personal Data to any third party, other than in accordance with the Controller’s documented instructions, unless processing is required by applicable laws to which the Processor is subject. In that case the Processor shall, to the extent permitted by such law, inform the Controller of that legal requirement before processing the Personal Data and comply with the Controller’s instructions to minimise, as much as possible, the scope of the disclosure.

Controller undertakes that:

  • The Controller Personal Data provided to Processor pursuant to the Principal Agreement and this Agreement for performance of the Services was obtained and is provided to Processor lawfully, and there is a documented legal basis for the processing of Controller Personal Data by Controller and by Processor, respectively. For the avoidance of doubt, Controller is responsible for ensuring the lawfulness of the provision of the Controller Personal Data to Processor, regardless of whether Controller obtained the Controller Personal Data as controller, processor or sub-processor of the Controller Personal Data.
  • All required consents, or alternative legal basis, were provided or obtained, as the case may be, from the data subjects prior to provision of the Controller Personal Data to Processor.
  • Its instructions to Processor with respect to the processing shall be lawful and compliant with any applicable law.


5. Reliability and Non-Disclosure

The Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor who may have access to the Controller Personal Data, ensuring in each case that access is strictly limited to those individuals who require access to the relevant Controller Personal Data.

The Processor must ensure that all individuals who process Controller Personal Data:


  • Are informed of the confidential nature of the Controller Personal Data and are aware of Processor’s obligations under this Agreement and the Principal Agreement in relation to the Controller Personal Data;
  • Have undertaken appropriate training in relation to the Data Protection Laws;
  • Are subject to confidentiality undertakings or professional or statutory obligations of confidentiality; and
  • Are subject to user authentication and logon processes when accessing the Controller Personal Data in accordance with this Agreement, the Principal Agreement and the applicable Data Protection Laws.


6. Personal Data Security

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall implement appropriate technical and organizational measures (as set out in Annex 1) to ensure a level of security appropriate to the risk, including but not limited to:

  • Pseudonymisation and encryption of Controller Personal Data;
  • The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • The ability to restore the availability and access to Controller Personal Data in a timely manner in the event of a physical or technical incident; and
  • A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

In assessing the appropriate level of security, the Processor shall take into account the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Controller Personal Data transmitted, stored or otherwise processed.


7. Sub-Processing

As of the Agreement Effective Date, the Controller hereby grants general written authorisation to the Processor to engage those Sub-processors set out in Annex 2 (Authorised Sub-processors). The Processor shall not engage any other Sub-processor to process Controller Personal Data other than with prior notice to the Controller. If, within thirty (30) days of receipt of that notice, Controller notifies Processor in writing of any objections (on reasonable grounds) to the engagement of such Sub-processor: (i) Processor shall work with Controller in good faith to propose, if reasonably possible, a commercially reasonable change in the provision of the Services which avoids the use of that proposed Sub-processor; and (ii) where such change cannot be made within a reasonable time, Controller may, by giving thirty (30) days’ written notice to Processor, terminate the Agreement to the extent that it relates to the Services which require the use of the proposed Sub-processor, without any liability on the part of Processor.

With respect to each Sub-Processor, the Processor shall:


  • Provide the Controller with full details of the processing to be undertaken by each Sub-processor.
  • Carry out adequate due diligence on each Sub-processor to ensure that it can provide the level of protection for Controller Personal Data, including without limitation, sufficient guarantees to implement appropriate technical and organisational measures in such a manner that Processing will meet the requirements of this Agreement.
  • Include terms in the contract between the Processor and each Sub-processor which are similar to those set out in this Agreement.
  • If the contract with the Sub-processor involves the transfer of Controller’s Personal Data outside of the EEA, the United Kingdom or Switzerland to Third Countries, ensure that such transfer complies with the requirements for international data transfers under applicable Data Protection Laws.
  • Remain fully liable to the Controller for any failure by each Sub-processor to fulfil its obligations in relation to the processing of any Controller’s Personal Data.


8. Data Subject Rights

Taking into account the nature of the processing, the Processor shall assist the Controller by implementing appropriate measures for the fulfilment of the Controller’s obligation to respond to requests for exercising data subject rights.

The Processor shall promptly notify the Controller if it receives a request from a data subject, the supervisory authority and/or other competent authority under any applicable Data Protection Laws with respect to Controller Personal Data.

The Processor shall cooperate as reasonably requested by the Controller to enable the Controller to comply with any exercise of rights by a data subject under applicable Data Protection Laws with respect to Controller Personal Data and comply with any assessment, enquiry, notice or investigation under any Data Protection Laws with respect to Controller Personal Data or this Agreement, which shall include:

  • The provision of available data requested by the Controller within any reasonable timescale specified by the Controller in each case, including full details and copies of the complaint, communication or request and any Controller’s Personal Data it holds in relation to a data subject.
  • Where applicable, providing such assistance as is reasonably requested by the Controller to enable the Controller to comply with the relevant request within the timescales prescribed by the Data Protection Laws.
  • Implementing any additional measures as may be reasonably required by the Controller to allow the Controller to respond effectively to relevant complaints, communications or requests.


9. Personal Data Breach

The Processor shall notify the Controller without undue delay and, in any case, within forty-eight (48) hours of becoming aware of a Personal Data Breach. The Processor will provide the Controller with sufficient information to allow the Controller to meet any obligations to report a Personal Data Breach under the Data Protection Laws. Such notification shall as a minimum:

  • Describe the nature of the Personal Data Breach, the categories and approximate number of data subjects affected, and the categories and approximate number of Personal Data records concerned;
  • Communicate the name and contact details of the Processor’s Data Protection Officer, Privacy Officer or other relevant contact from whom more information may be obtained;
  • Describe the estimated risk and the likely consequences of the Personal Data Breach; and
  • Describe the measures taken or proposed to be taken to address the Personal Data Breach.

The Processor shall co-operate with the Controller and take such reasonable steps as are directed by the Controller to assist in the investigation, mitigation and remediation of each Personal Data Breach. In the event of a Personal Data Breach, the Processor shall not inform any third party without first obtaining the Controller’s prior written consent, unless notification is required by EU or Member State law to which the Processor is subject, in which case the Processor shall, to the extent permitted by such law, inform the Controller of that legal requirement and provide a copy of the proposed notification.


10. Data Protection Impact Assessment and Prior Consultation

The Processor shall provide reasonable assistance to the Controller with any data protection impact assessments which are required under GDPR and with any prior consultations to any supervisory authority of the Controller. In each case due consideration must be given to the nature of the data processed on behalf of the Controller.


11. Erasure or Return of Controller Personal Data

Processor shall promptly and, in any event, within 90 (ninety) calendar days of the earlier of: (i) cessation of processing of Controller Personal Data by Processor; or (ii) termination of the Principal Agreement, at the choice of Controller (such choice to be notified to Processor in writing) either:

  • Return a complete copy of all Controller Personal Data to the Controller by secure file transfer and securely erase all other copies of Controller Personal Data processed by the Processor or any Authorised Sub-Processor; or
  • Securely wipe all copies of Controller Personal Data processed by Processor or any Authorised Sub-Processor and, if requested by Controller, provide a written certification to the Controller that it has complied fully with the requirements of this section (Erasure or Return of Controller Personal Data).

Processor may retain Controller Personal Data to the extent required by applicable laws, and only to the extent and for such period as required by such laws, and always provided that Processor shall ensure the confidentiality of all such Controller Personal Data and shall ensure that such Controller Personal Data is only processed as necessary for the purpose(s) specified in the applicable law requiring its storage and for no other purpose.


12. Audit Rights

Processor shall make available to the Controller, upon request, all information necessary to demonstrate compliance with this Agreement and shall allow for, and contribute to, audits, including inspections by the Controller or another auditor mandated by the Controller, of any premises where the Processing of Controller Personal Data takes place. The Processor shall permit the Controller or another auditor mandated by the Controller to inspect and audit in order that the Controller may satisfy itself that the provisions of this Agreement are being complied with. The Processor shall cooperate with the Controller with respect to any such audit. Any audit performed by Controller or another auditor mandated by the Controller shall be subject to the Processor’s confidentiality obligations and shall not be more frequent than annually. Processor shall immediately inform the Controller if, in its opinion, an instruction pursuant to this section (Audit Rights) infringes the GDPR or other applicable Data Protection Laws.


13. International Transfers of Controller Personal Data

Processor shall not process Controller’s data nor permit any Authorised Sub-Processor to process the data in a Third Country, unless authorized in writing by Controller in advance, via an amendment to this Agreement. Notwithstanding the above, Controller hereby provides general written authorization to Processor to engage the Sub-processors set out in Annex 2 in order to process Controller’s data in the applicable Third Countries.

Controller acknowledges that Processor is located in Israel, a country that has been deemed adequate by the European Commission and under the United Kingdom’s Adequacy Regulations. All transfers of Controller Personal Data from the EEA, Switzerland or the United Kingdom to Processor are made pursuant to such adequacy decisions.

14. General Terms

Subject to this section, the parties agree that this Agreement shall terminate automatically upon termination of the Principal Agreement or expiry or termination of all service contracts entered into by the Processor with the Controller, pursuant to the Principal Agreement, whichever is later.

Any obligation imposed on the Processor under this Agreement in relation to the Processing of Personal Data shall survive any termination or expiration of this Agreement.

This DPA shall be governed by the laws of Israel.

With regard to the subject matter of this Agreement, in the event of inconsistencies between the provisions of this Agreement and any other agreements between the parties, including but not limited to the Principal Agreement, the provisions of this Agreement shall prevail with regard to the Controller Personal Data.

Should any provision of this Agreement be invalid or unenforceable, then the remainder of this Agreement shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.