DATA PROCESSING AGREEMENT

This Data Processing Agreement (the “DPA”) is entered into by and between Datarails, whether a company incorporated in the State of Israel or in the U.S., as shall be defined in our the Terms of Service or the respective order form (the “Company” or, for purposes of this engagement, the “Processor”), forms an integral part of the Terms of Service between the Company and the Customer, which shall be deemed for purposes of this engagement as the “Controller”.

All capitalized terms shall have the meaning ascribed to them in the Terms of Service, unless expressly provided otherwise in this Data Processing Agreement. In the event of a conflict between the Terms of Service and this DPA, the terms of this DPA shall control over processing of Customer Personal Data (as defined below).

The Customer and the Company hereby agree as follows:

1.1 “Applicable Data Protection Laws” means applicable privacy and data protection laws in connection with the processing of personal data conducted pursuant to the Terms of Service, including without limitation (to the extent applicable), (a) GDPR (as defined below); (b) Israel Privacy Protection Law, 5741-1981, and the regulations promulgated thereunder; (c) CCPA (as defined below); and (d) guidance issued by any relevant supervisory authority or implementing, amending, or supplementing the above laws, rules and regulations, whether in effect now or in the future.

1.2 “CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code §1798.100 et. seq., and its implementing regulations.

1.3 “Customer” as used in this DPA shall mean collectively, the Customer party that enter into the Terms of Service, its affiliates and any of the End Users.

1.4 “Customer Personal Data” means any Personal Data provided by Customer and processed by the Company solely on Customer’s behalf, that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or natural person, or for purposes of the CCPA, with a consumer or household, to the extent that such information is protected as “personal information” (or an analogous variation of such term) under Applicable Data Protection Laws.
1.5 “Data Subject Requests” means any requests from a Data Subject related to access, rectification, suppression, limitation, objection, portability and erasure of Personal Data or other requests authorized under Applicable Data Protection Law.
1.6 “Designated Contact” for reporting Security Events, Data Subject Requests, and Personal Data Breach of the Processed Data, means (a) support@datarails.com and such additional contact as designated by the Company; and (b) the Customer’s email included in the applicable order form and/or such additional contact as designated by the Customer.

1.7 “GDPR” means EU General Data Protection Regulation 2016/679.
1.8 “Personnel” means Company or Customer’s employees, contractors, subcontractors, agents, representatives and end users.
1.9 “Processed Data” means any Personal Data Processed by the Company on behalf of the Customer pursuant to or in connection with the Terms of Service;
1.10 “Security Event” means any attempt or activity that (a) is made to gain unauthorized access to Processed Data; (b) interferes with the operation of any Company’s systems or Customer’s systems containing the Company or the Company third-party data or information; or (c) may otherwise compromise the security or privacy of the Processed Data or its disclosure.
1.11 “Service Provider” has the meaning set forth in Section 1798.140(v) of the CCPA.
1.12 The terms, “Controller” “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing”, “Processor” and “Supervisory Authority” shall have the same meaning as in the Applicable Data Protection Laws.

2. DATA PROTECTION AND PRIVACY OF PERSONAL DATA

In addition to the other obligations set forth hereunder, each of Customer and Company shall:
2.1 comply with its respective obligations under Applicable Data Protection Laws in relation to all Customer Personal Data that may be processed in the performance and operation of this DPA. Without derogating from the generality of the foregoing, Customer and the Company acknowledge and agree:

2.1.1. that with regard to the processing of Customer Personal Data performed solely on behalf of Customer, the Company is a Service Provider and receives Customer Personal Data pursuant to the business purpose of providing the Services to Customer in accordance with the Terms of Service.

2.1.2. that in no event shall the transfer of Customer Personal Data from Customer to the Company pursuant to the Terms of Service constitute a sale of information to the Company, and that nothing in the Terms of Service shall be construed as providing for the sale of Customer Personal Data to the Company.
2.1.3. that the Company is prohibited from using or disclosing Customer Personal Data for any purpose other than the specific purpose of performing the Services specified in the Terms of Service, the permitted business purposes set under applicable law, and as required underApplicable Data Protection Laws.

2.2. the processing operations to be carried out in the performance of this DPA conform to the description set out under “Details of Processing” attached hereto as Annex A;

2.3. process the Customer Personal Data solely on the documented instructions of Customer, in order to supply the services and as otherwise necessary to perform its obligations under the Terms of Service including with regard to transfers of Customer Personal Data to a third country outside its current location;

2.4. any transfer of Personal Data of persons located in the European Union or the European Economic Area to other countries, requires the prior written consent of the Controller and may only take place if there is an appropriate level of data protection by complying with the special requirements as set forth in the GDPR. The Controller acknowledges that the Processor is located in Israel and in the U.S. and hereby consents to the transfer of Personal Data to Israel in accordance with the contractually agreed service, but only to the extent that there is an adequate level of data protection in Israel according to an EU adequacy decision, or subject to the execution of standard contractual clauses; and

2.5. shall immediately inform the other party if, in its opinion, an instruction pursuant to the Terms of Service infringes Applicable Data Protection Laws.

3. DATA SUBJECT RIGHTS

3.1. The Company shall provide reasonable assistance to the Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Customer’s obligation to respond to requests for exercising the Data Subject’s access, erasure or opt-out requests and objections. The Company shall not be liable in respect of any claim regarding Data Subject rights.

3.2. The Company shall promptly notify the Customer’s Designated Contact if it receives a request from a Data Subject under any Applicable Data Protection Law in respect of the Processed Data; and ensure it responds to that request as required by Applicable Data Protection Laws (but the Company will not itself respond other than to confirm receipt of the request, to inform the data subject, authority or other third party that their request has been forwarded to Customer, and/or to refer them to Customer, except per reasonable instructions from Customer).

3.3. The Company will also reasonably assist Customer with the resolution of any request or inquiries that Customer receives from data protection authorities relating to the Company, unless the Company elects to object such requests directly with such authorities.

4. PERSONAL DATA BREACH AND SECURITY EVENTS

4.1. The Company shall notify the Customer without undue delay upon becoming aware of a Personal Data Breach or a Security Event affecting the Processed Data. The Company shall not be liable in respect of any claim of Personal Data Breach or a Security Event.

4.2. Unless otherwise mandated by Applicable Data Protection Laws, the Customer shall instruct the Company if to report or inform Data Subjects of the Personal Data Breach, pursuant to the requirements under Applicable Data Protection Laws.

4.3. The Company shall take reasonable commercial steps in the investigation, mitigation and remediation of each such Personal Data Breach or a Security Event.

5. SUBPROCESSORS AND PERSONNEL

5.1. Customers shall ensure Personnel authorized to Process the Customer Personal Data are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

5.2. Both parties will disclose the Processed Data only to those Personnel who have the need to know such Processed Data in connection with the performance of the Terms of Service.

5.3. Customer hereby grants to the Company a general written authorization to use sub-processors for the provision of the Service, provided that:

5.3.1. the Company shall ensure that it engages such sub-processors by written agreement;

5.3.2. the sub-processor complies with its obligations under the Applicable Data Protection Laws relating to any Customer Personal Data and has sufficient organizational and technical measures in place to guarantee the protection of Customer Personal Data against unauthorized or unlawful processing; and

5.3.3. the Company will notify the Customer of any intended changes concerning the addition or replacement of a sub-processor thereby giving the Customer the opportunity to object to the addition or replacement within fourteen (14) days of the notification.

6. SECURITY

6.1. Company shall ensure the security of the Customer Personal Data that it processes in accordance with the requirements of Applicable Data Protection Law.

6.2. Both parties, taking into account the technical progress and further development, implementation costs and the nature, scope, circumstances and purposes of processing, as well as the different likelihood and severity of the risk to the rights and freedoms of natural persons, shall take appropriate technical and organizational measures to ensure a level of protection appropriate to the risk;

6.3. Both parties shall use best efforts to ensure (a) that any Processed Data that is inaccurate or incomplete is erased or rectified; (b) establish an audit trail to document whether and by whom Processed Data have been entered into, modified in, or removed; and (c) retain the Processed Data only as long as is necessary.

7. RECORDS AND AUDITS

7.1. In connection with the processing of Customer Personal Data, the Company shall, during the term of engagement with the Customer, provide the Customer with information reasonably necessary to demonstrate compliance with the obligations laid down in the Applicable Data Protection Laws, within reasonable times.

7.2. Should Applicable Data Protection Laws require Customer to perform an audit on the Company for compliance purposes, and only during the term of the engagement with Customer, the Company shall allow for and contribute to audits and inspections, conducted by the Customer or another auditor mandated by the Customer, provided that: (i) the auditor or anyone on its behalf shall enter into a confidentiality undertaking towards Company in a form submitted or reasonable agreed by Company; (ii) the audit shall not be conducted more than once every twelve months; (iii) the Customer must provide a sixty (60) days’ prior written notice; (iv) the audit may be conducted only during business hours, shall cause minimal disruption to the Company’s business and no trade secrets will be disclosed to auditors during such audit; and (v) the purpose of the audit shall be limited only to compliance with Applicable Data Protection Laws.
8. GENERAL
8.1. This DPA shall be governed by the laws applicable to the Terms of Service or as shall be otherwise set forth in the order form.

8.2. The provisions of this DPA shall survive termination or expiration of the Terms of Service, for as long as the Company shall process Customer Personal Data.

Annex A

Details of the Processing of the Personal Data (as required by Article 28(3) GDPR):

A. Subject matter and duration of the processing of the Personal Data: shall be as set forth in the order form, according to the scope of Service and the Term, as both defined in the Terms of Service.

B. The nature and purpose of the processing of the Personal Data:
1. For the Company to perform its obligations pursuant to the Terms of Service;
2. For delivery and provision of the Service to the Customer;

3. For customer support and technical troubleshooting;

4. To comply with applicable law, including law enforcement requests.

C. The types of the Personal Data to be processed: name, phone number, email address, position, transactions, usage details, including URLs visited, events triggered on defined actions such as page loads, clicks, logins and purchases, IP addresses, cookies, analytics data and, as otherwise provided by the Customer:
____________________________.
D. The categories of Data Subject to whom the Personal Data relates: current, former and potential employees and subcontractors of the Customer and other authorized users of the Services and, as otherwise provided by the Customer: ____________________________.

E. Sub-Processors:

The current list of sub-processors will be provided by the Company to the Customer upon the Customer’s request.