Data Processing Addendum
Last Revised: November 2024
This Data Processing Addendum (“DPA”) is an agreement the customer identified in the applicable Order Form (“Customer” or “Data Controller”) and Nilus OS Ltd. (“Company” or “Data Processor”). The Parties agree that this DPA shall be added as an addendum to the Subscription Agreement which is part of the Order Form executed between the Parties, according to which the Company shall provide to the Customer certain data processing services, as described therein (respectively, the “Services” and the “Services Agreement”). Data Controller and Data Processor shall be collectively referred to as the “Parties”, and each a “Party”.
- Definitions. In this DPA, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:some text
- “Affiliate(s)” means an entity that owns or controls, is owned or controlled by or is or under common control or ownership of either Party, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise;
- “Applicable Laws” means any applicable law, including Data Protection Laws, to which Data Processor is subject with respect to any Personal Data;
- “Data Protection Laws” means all applicable data privacy and data protection laws, rules and regulations, in each case, as amended, adopted, or superseded from time to time.
- “Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”) (an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person), which is Processed by Data Processor or any of Data Processor’s Sub-processors on behalf of Data Controller as part of the performance of the Services under the Services Agreement;
- “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed;
- “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- “Sub-processor” means any third party (but excluding any personnel member of Data Processor) appointed by or on behalf of Data Processor to Process Personal Data for the benefit of Data Controller as part of the performance of the Services under the Services Agreement;
- “Supervisory Authority” any applicable regulatory authority responsible for the enforcement of Data Protection Laws; and
- “Term” shall have the meaning ascribed to it under Section 12 below.
- Processing of Personal Data.some text
- Data Processor, and any person acting under its authority, will carry out the Personal Data Processing activities, including with regard to transfers of Personal Data to a third country or an international organisation, only for the following purposes: (i) to provide the Services, in accordance with the Services Agreement and other reasonable documented instructions provided by the Data Controller, where such instructions are consistent with the terms of the Services Agreement (collectively, the “Instruction(s)”); (ii) as permitted under this DPA; and (iii) as required under Applicable Law, in which case Data Processor shall, to the extent permitted by Applicable Law, inform Data Controller of such legally required Processing of Personal Data, unless that law prohibits such information on important grounds of public interest.
- Data Controller instructs Data Processor (and authorizes Data Processor to instruct each of its Sub-processors) to process the Personal Data, as reasonably necessary for the provision of the Services and in accordance with the Services Agreement and this DPA. Additional instructions outside the scope of this DPA and the Services Agreement require prior written agreement between Data Controller and Data Processor and will include any additional fees that may be payable by the Data Controller to the Data Processor for carrying out such instructions.
- Data Controller hereby acknowledges that as part of the provision of the Services hereunder, Data Processor may collect, disclose, publish, share and otherwise use fully anonymized, de-identified and de-identifiable data, including statistical data, analytics, trends and other aggregated data which derives from the Personal Data Processed by the Data Processor as part of the provision of the Services, all as required for the Data Processor's legitimate purposes, including without limitation in order to provide, maintain, operate and improve the Services and for research purposes. Data Processor agrees not to use said anonymized data in a form that identifies the Customer or any Data Subject. The Data Controller hereby agrees and acknowledges that such processing activities (including the anonymization and de-identification of Personal Data) will not be considered as performed outside the scope of the Instructions provided by the Data Controller hereunder.
- Data Processor will notify Data Controller if Data Processor is of the opinion that a written Instruction received from Data Controller is in violation of Applicable Law and/or in violation of contractual duties under the Services Agreement.
- Data Controller shall have sole responsibility for the accuracy, quality and legality of the Personal Data and the means by which Data Controller acquired the Personal Data. Data Controller warrants and undertakes that the Personal Data has been collected, Processed and transferred to the Data Processor in accordance with the laws applicable to Data Controller, including, if required by applicable Data Protection Laws, that Data Controller has received all required consents from the applicable Data Subjects for the Processing carried out by the Data Processor under this DPA and that the Data Subjects have been informed that their Personal Data could be transmitted to a third country outside of their jurisdiction.
- Exhibit 1 of this DPA sets forth certain information regarding Data Processor’s Processing activities of the Personal Data.
- Data Subjects. some text
- Data Processor shall promptly notify Data Controller if Data Processor receives a request from a Data Subject to exercise the Data Subject’s rights under Data Protection Laws, including without limitation the right of access, rectification, restriction of Processing, erasure, data portability, object to the Processing, or its right not to be subject to an automated individual decision making (“Data Subject Request”), and shall not respond to such request without Data Controller’s prior written consent, except to confirm that such request relates to Data Controller.
- Taking into account the nature of the Processing, Data Processor shall assist the Data Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Data Controller’s obligation to respond to any Data Subject Request and agrees to provide reasonable assistance and comply with reasonable instructions from Data Controller related to any Data Subject Request.
- Supervising Authorities. Data Processor shall provide reasonable assistance to Data Controller with any data protection impact assessments, and prior consultations with Supervising Authorities, as required by Data Protection Laws, in each case solely in relation to the Processing of Personal Data by Data Processor and all by taking into account the nature of the Processing and information available to the Data Processor. Data Controller acknowledges and agrees that assistance with data protection impact assessments and prior consultations by Data Processor may result in additional fees (which will be notified to Data Controller in advance).
- Security. some text
- Data Processor shall treat Personal Data as confidential information and will not disclose, make available or transfer the Personal Data to any third party, other than as permitted under this DPA.
- Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Data Processor has implemented, and will maintain, adequate technical and organizational security measures in order to ensure a level of security of the Personal Data appropriate to that risk, including those measures stipulated in Exhibit 2 of this DPA. The technical and organizational security measures are aimed at protecting Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access and against all other unlawful forms of Processing.
- The technical and organizational security measures implemented by the Data Processor are subject to technical progress and development, and Data Processor may update or modify the technical and organizational security measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Services.
- Security Breach Notification.some text
- Data Processor shall notify Data Controller without undue delay, and in any case within forty-eight (48) hours, after becoming aware of a Personal Data Breach affecting the Personal Data.
- Data Processor shall provide Data Controller with sufficient information to allow Data Controller to meet any obligations to report or inform Supervising Authorities and/or Data Subjects of the Personal Data Breach under the Data Protection Laws, taking into account the nature of Processing and the information available to Data Processor, including with the following information: (a) a description of the nature of the Personal Data Breach, including the categories and approximate number of both Data Subjects and Personal Data records concerned; (b) the likely consequences of the Personal Data Breach; and (c) a description of the measures taken, or proposed to be taken, to address the Personal Data Breach, including measures to mitigate its possible adverse effects. To the extent Data Processor does not have full information about the Personal Data Breach at the time of the initial notification, Data Processor shall provide an initial notification and then supplement that with additional information as it becomes available.
- Audit.
- During the Term, Data Processor shall keep records of its Processing activities to the extent required under applicable Data Protection Laws.
- During the Term and upon request, Data Processor shall make available to Data Controller all information reasonably necessary to demonstrate compliance with the obligations laid down in applicable Data Protection Laws and this DPA and allow for and contribute to audits, including inspections, conducted by Data Controller or another auditor mandated by Data Controller, all at Data Controller's sole expense and only in order to ensure Data Processor’s compliance with the obligations laid down in applicable Data Protection Laws and this DPA. If and to the extent Data Controller engages third parties to conduct the audit, such third parties must be bound to strict confidentiality obligations. Notwithstanding the above, Data Controller shall only be entitled to conduct such inspection during business hours and no more than once during one calendar year, provided that Data Controller shall be entitled to conduct such inspections at any time if it reasonably suspects Data Processor to be in material breach of its obligations under this DPA and that nothing in this Section shall limit the timing and scope of any audit required to be conducted by applicable Data Protection Laws.
- Data Controller shall provide Data Processor reasonable prior written notice of any audit or inspection to be conducted under this Section and shall avoid (and ensure that each of its auditors avoids) causing any damage, injury or disruption to Data Processor’s premises, equipment, personnel and business while its personnel are on those premises in the course of such audit or inspection.
- It is agreed that a copy of this DPA may be forwarded to the relevant Supervisory Authority, if required under applicable Data Protection Laws. Furthermore, the Parties agree that such authority has the right to conduct an audit of the Parties with respect to the subject matter of this DPA.
- Nothing in this DPA will require Data Processor either to disclose to Data Controller (and/or its authorized auditors), or provide access to: (i) any data of any other customer of Data Processor; (ii) Data Processor’s internal accounting or financial information; (iii) any trade secret of Data Processor; or (iv) any information that, in Data Processor’s sole discretion, could compromise the security of any of Data Processor’s systems or premises or cause Data Processor to breach obligations under any Applicable Law or its obligations to any third party.
- Sub-processing.some text
- Data Controller hereby (i) grants Data Processor a general authorization to engage (and permits each Sub-processor appointed in accordance with this Section to engage) Sub-processors for the purpose of providing the Services; (ii) agrees that Affiliates of Data Processor may be used as Sub-processors; and (iii) confirms that Data Processor may continue to use those Sub-processors already engaged by Data Processor as of the Effective Date of this DPA, which are detailed in Exhibit 1 (“Existing Sub-processors”).
- Data Processor can at any time and without justification appoint a new Sub-processor, provided that prior to engaging any Sub-processor:
(a) Data Processor will provide a fourteen (14) days’ prior notice to Data Controller regarding the engagement of a new Sub-processor, and the Data Controller does not reasonably object to such changes within that timeframe under legitimate and documented grounds. If Data Controller’s objection to an engagement of a Sub-processor is legitimate, Data Processor shall either refrain from using such Sub-processor in the context of the Processing of Personal Data, or shall notify Data Controller that it is unable to provide the Services without the use of such Sub-processor and therefore it will suspend or restrict the Services (or an applicable part thereof) with immediate effect.
(b) Data Processor ensures that it has in place a sub-processing agreement between Data Processor and the Sub-processor, that is no less protective with respect to Data Controller’s interest and protection of Personal Data than this DPA. Upon Data Controller’s request, Data Processor shall provide Data Controller with an updated list of Sub-processors.
- Where the Sub-processor fails to fulfil its personal data protection obligations with respect to the Personal Data, Data Processor shall remain fully liable to Data Controller for the performance of that Sub-processor’s obligations.
- Transfers. Data Controller hereby authorizes Data Processor to transfer the Personal Data across international borders, provided that in each case such transfer complies with applicable Data Protection Laws and that the Data Processor has put in place the necessary safeguards, as required by applicable Data Protection Laws, to facilitate such transfer.
- Personnel. Data Processor will be responsible for using qualified personnel with data protection training to provide the Services and ensure that Data Processor’s access to the Personal Data is limited only to those personnel who require such access to perform the Services. Data Processor shall obligate its personnel to Process the relevant Personal Data only in accordance with this DPA. Data Processor will further ensure that its personnel authorised to Process the Personal Data on its behalf: (i) will do so only on a need-to-know basis; and (סii) have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and that they will keep confidential and will not make available any Personal Data to any third party, other than as permitted herein.
- Deletion and Return of Personal Data. Within thirty (30) calendar days following the termination of the Services Agreement and/or this DPA, Data Processor will delete and instruct its Sub-processors to delete, all existing copies of the Personal Data which are in its possession, unless instructed by the Data Controller, by way of a prior written notice, to return such data, in which case the Data Processor shall return a copy of the Personal Data to the Data Controller and delete all remaining copies of the Personal Data which are in its possession. Notwithstanding the foregoing, Data Processor may retain the Personal Data, to the extent required by Applicable Laws and only to the extent and for such period as required by Applicable Laws and always provided that Data Processor shall ensure the confidentiality of all such Personal Data and shall ensure that such Personal Data is only Processed as necessary for the purpose(s) specified in the Applicable Laws requiring its storage and for no other purpose.
- Term. This DPA shall become effective upon execution or acceptance of the Services Agreement (“Effective Date”) and shall remain in full force until the later of the date when Data Processor ceases to Process the Personal Data or termination of the Services Agreement (the “Term”). All provisions of this DPA, which by their language or nature should survive the termination of this DPA, will survive the termination of this DPA.
- Limitation of Liability. Data Processor’s liability arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the Services Agreement governing the Services.
- Changes to this DPA. The Parties may amend this DPA from time to time by mutual agreement of both Parties.
- Miscellaneous. (i) This DPA represents the complete agreement concerning the subject matter hereof; (ii) except where explicitly agreed otherwise in writing by the Parties, in the event of inconsistencies between the provisions of this DPA and any other agreements between the Parties, including the Services Agreement and any other agreements which may be entered into or purported to be entered into after the date of this DPA, the provisions of this DPA shall prevail; (iii) the Parties to this DPA hereby agree to the governing law and the choice of jurisdiction stipulated in the Services Agreement with respect to any disputes or claims arising under this DPA; (iv) nothing in this DPA reduces either Party’s obligations under the Services Agreement in relation to the protection of Personal Data; and (v) should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (a) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, (b) construed in a manner as if the invalid or unenforceable part had never been contained therein.
EXHIBIT 1
DETAILS OF PROCESSING OF PERSONAL DATA
- Subject matter of the Processing: Providing customers with the Services set out in the Services Agreement.
- Duration: The period in which the Services Agreement is in effect.
- The purpose of the Processing: Providing customers with the Services, which include for example, syncing, normalizing, and matching customer data from the customers’ banks, payment providers, ERPs, and internal systems to perform reconciliation and reporting.
- Nature of the Processing: Collection of customer data from customers’ internal properties and/or from customers’ accounts in third parties’ properties, followed by organisation and structuring of such data as part of the Services.
- Type of Personal Data: Personal data may include names, email, and purchase information (e.g. details concerning amounts and times of products or services purchased, but excluding payment method details).
- Categories of data subjects: Customers’ end users who have purchased customers’ products and/or services.
- Existing Sub-processors: some text
- AWS
- Rutter
EXHIBIT 2
TECHNICAL AND ORGANIZATIONAL MEASURES
Description of the technical and organizational security measures implemented by Data Processor according to Section 5 of the DPA:
- Access Control of Processing Areas:
Data Processor implements suitable measures in order to prevent unauthorized persons from gaining access to the data processing equipment (namely telephones, database and application servers and related hardware) where the Personal Data are processed or used. This is accomplished by:
- establishing security areas;
- protection and restriction of access paths;
- securing ata processing equipment and personal computers;
- establishing access authorizations for employees and third parties, including the respective documentation;
- restrictions on physical keys for office access;
- all access to the data centre where Personal Data are hosted is logged, monitored, and tracked;
- the data centre where Personal Data are hosted is secured by a security alarm system, and other appropriate security measures.
- Access Control to Data Processing Systems:
Data Processor implements suitable measures in order to prevent its data processing systems from being used by unauthorized persons. This is accomplished by:
- identification of the terminal and/or the terminal user to the data importers systems;
- automatic time-out of user terminal if left idle, identification and password required to reopen;
- automatic turn-off of the user ID when several erroneous passwords are entered, log file of events, (monitoring of break-in-attempts);
- issuing and safeguarding of identification codes;
- dedication of individual terminals and/or terminal users, identification characteristics exclusive to specific functions; and
- all access to data content is logged, monitored, and tracked.
- Access Control to Use Specific Areas of Data Processing Systems:
Data Processor commits that the persons entitled to use its data processing systems are only able to access the data within the scope and to the extent covered by their respective access permission (authorization) and that Personal Data cannot be read, copied or modified or removed without authorization. This is accomplished by:
- employee policies and training in respect of each employee’s access rights to the Personal Data;
- allocation of individual terminals and /or terminal user, and identification characteristics exclusive to specific functions;
- monitoring capability in respect of individuals who delete, add or modify the Personal Data;
- effective and measured disciplinary action against individuals who access Personal Data without authorization;
- release of data to only authorized persons;
- control of files, controlled and documented destruction of data; and
- policies controlling the retention of back-up copies.
- Transmission Control:
Data Processor implements suitable measures in order to prevent the Personal Data from being read, copied, altered or deleted by unauthorized parties during the transmission thereof or during the transport of the data media. This is accomplished by:
- use of state-of-the-art firewall and encryption technologies to protect the gateways and pipelines through which the data travels;
- certain highly confidential employee data (e.g., personally identifiable information such as National ID numbers) is also encrypted within the system; and
- monitoring of the completeness and correctness of the transfer of data (end-to-end check).
- Input Control:
Data Processor implements suitable measures in order to ensure that it is possible to check and establish whether and by whom Personal Data have been input into data processing systems or removed. This is accomplished by:
- an authorization policy for the input of data into memory, as well as for the reading, alteration and deletion of stored data;
- authentication of the authorized personnel;
- protective measures for the data input into memory, as well as for the reading, alteration and deletion of stored data;
- utilization of user codes (passwords);
- automatic log-off of user ID's that have not been used for a substantial period of time; and
- proof established within data importers’ organization of the input authorization;
- electronic recording of entries.
- Job Control:
Data Processor implements suitable measures in order to ensure that the Personal Data are processed strictly in accordance with the Instructions of Data Controller. This is accomplished by:
- ensuring clear Instructions to Data Processor regarding the scope of any Processing of Personal Data. This is limited to specific system development and database management requirements of the data exporter (for example, the creation of new reporting templates, where Processing of data in necessary in order to test those reporting templates); and
- granting regular access and control rights to Data Controller, on appropriate notice and in accordance with Data Controller’s security polices and accompanied by Data Processor.
- Availability Control:
Data Processor implements suitable measures in order to ensure that Personal Data are protected from accidental destruction or loss and the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident. This is accomplished by:
- infrastructure redundancy: two clustered database servers are used for storing the data
- Data backup is stored in different regions and available for restore in case of failure.
- Separation of Processing for Different Purposes:
Data Processor implements suitable measures in order to ensure that data collected for different purposes can be processed separately. This is accomplished by:
- access to data is separated through application security for the appropriate users;
- modules within the Data Processor’s data base separate which data is used for which purpose, i.e. by functionality and function;
- at the database level, data is stored in different normalized tables, separated per module or function they support; and
- interfaces, batch processes and reports are designed for only specific purposes and functions, so data collected for specific purposes is processed separately.
- Data Security:
9.1 Data Processor implements suitable measures in order to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and the Services and the pseudonymisation and encryption of Personal Data. This is accomplished by:
- Database encryption with KMS
- E2E encryption
- Data Processor also implements a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing. This is accomplished by:
- Third party penetration tests
- Third party vulnerability tests
- Access controls
- Disaster recovery
- Risk assessments
- Malware detection
- Information security policy and steering committee
- SOC2 type 2 compliance and annual audit
This Data Processing Addendum (“DPA”) is an agreement the customer identified in the applicable Order Form (“Customer” or “Data Controller”) and Nilus OS Ltd. (“Company” or “Data Processor”). The Parties agree that this DPA shall be added as an addendum to the Subscription Agreement which is part of the Order Form executed between the Parties, according to which the Company shall provide to the Customer certain data processing services, as described therein (respectively, the “Services” and the “Services Agreement”). Data Controller and Data Processor shall be collectively referred to as the “Parties”, and each a “Party”.
- Definitions. In this DPA, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:some text
- “Affiliate(s)” means an entity that owns or controls, is owned or controlled by or is or under common control or ownership of either Party, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise;
- “Applicable Laws” means any applicable law, including Data Protection Laws, to which Data Processor is subject with respect to any Personal Data;
- “Data Protection Laws” means all applicable data privacy and data protection laws, rules and regulations, in each case, as amended, adopted, or superseded from time to time.
- “Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”) (an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person), which is Processed by Data Processor or any of Data Processor’s Sub-processors on behalf of Data Controller as part of the performance of the Services under the Services Agreement;
- “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed;
- “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- “Sub-processor” means any third party (but excluding any personnel member of Data Processor) appointed by or on behalf of Data Processor to Process Personal Data for the benefit of Data Controller as part of the performance of the Services under the Services Agreement;
- “Supervisory Authority” any applicable regulatory authority responsible for the enforcement of Data Protection Laws; and
- “Term” shall have the meaning ascribed to it under Section 12 below.
- Processing of Personal Data.some text
- Data Processor, and any person acting under its authority, will carry out the Personal Data Processing activities, including with regard to transfers of Personal Data to a third country or an international organisation, only for the following purposes: (i) to provide the Services, in accordance with the Services Agreement and other reasonable documented instructions provided by the Data Controller, where such instructions are consistent with the terms of the Services Agreement (collectively, the “Instruction(s)”); (ii) as permitted under this DPA; and (iii) as required under Applicable Law, in which case Data Processor shall, to the extent permitted by Applicable Law, inform Data Controller of such legally required Processing of Personal Data, unless that law prohibits such information on important grounds of public interest.
- Data Controller instructs Data Processor (and authorizes Data Processor to instruct each of its Sub-processors) to process the Personal Data, as reasonably necessary for the provision of the Services and in accordance with the Services Agreement and this DPA. Additional instructions outside the scope of this DPA and the Services Agreement require prior written agreement between Data Controller and Data Processor and will include any additional fees that may be payable by the Data Controller to the Data Processor for carrying out such instructions.
- Data Controller hereby acknowledges that as part of the provision of the Services hereunder, Data Processor may collect, disclose, publish, share and otherwise use fully anonymized, de-identified and de-identifiable data, including statistical data, analytics, trends and other aggregated data which derives from the Personal Data Processed by the Data Processor as part of the provision of the Services, all as required for the Data Processor's legitimate purposes, including without limitation in order to provide, maintain, operate and improve the Services and for research purposes. Data Processor agrees not to use said anonymized data in a form that identifies the Customer or any Data Subject. The Data Controller hereby agrees and acknowledges that such processing activities (including the anonymization and de-identification of Personal Data) will not be considered as performed outside the scope of the Instructions provided by the Data Controller hereunder.
- Data Processor will notify Data Controller if Data Processor is of the opinion that a written Instruction received from Data Controller is in violation of Applicable Law and/or in violation of contractual duties under the Services Agreement.
- Data Controller shall have sole responsibility for the accuracy, quality and legality of the Personal Data and the means by which Data Controller acquired the Personal Data. Data Controller warrants and undertakes that the Personal Data has been collected, Processed and transferred to the Data Processor in accordance with the laws applicable to Data Controller, including, if required by applicable Data Protection Laws, that Data Controller has received all required consents from the applicable Data Subjects for the Processing carried out by the Data Processor under this DPA and that the Data Subjects have been informed that their Personal Data could be transmitted to a third country outside of their jurisdiction.
- Exhibit 1 of this DPA sets forth certain information regarding Data Processor’s Processing activities of the Personal Data.
- Data Subjects. some text
- Data Processor shall promptly notify Data Controller if Data Processor receives a request from a Data Subject to exercise the Data Subject’s rights under Data Protection Laws, including without limitation the right of access, rectification, restriction of Processing, erasure, data portability, object to the Processing, or its right not to be subject to an automated individual decision making (“Data Subject Request”), and shall not respond to such request without Data Controller’s prior written consent, except to confirm that such request relates to Data Controller.
- Taking into account the nature of the Processing, Data Processor shall assist the Data Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Data Controller’s obligation to respond to any Data Subject Request and agrees to provide reasonable assistance and comply with reasonable instructions from Data Controller related to any Data Subject Request.
- Supervising Authorities. Data Processor shall provide reasonable assistance to Data Controller with any data protection impact assessments, and prior consultations with Supervising Authorities, as required by Data Protection Laws, in each case solely in relation to the Processing of Personal Data by Data Processor and all by taking into account the nature of the Processing and information available to the Data Processor. Data Controller acknowledges and agrees that assistance with data protection impact assessments and prior consultations by Data Processor may result in additional fees (which will be notified to Data Controller in advance).
- Security. some text
- Data Processor shall treat Personal Data as confidential information and will not disclose, make available or transfer the Personal Data to any third party, other than as permitted under this DPA.
- Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Data Processor has implemented, and will maintain, adequate technical and organizational security measures in order to ensure a level of security of the Personal Data appropriate to that risk, including those measures stipulated in Exhibit 2 of this DPA. The technical and organizational security measures are aimed at protecting Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access and against all other unlawful forms of Processing.
- The technical and organizational security measures implemented by the Data Processor are subject to technical progress and development, and Data Processor may update or modify the technical and organizational security measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Services.
- Security Breach Notification.some text
- Data Processor shall notify Data Controller without undue delay, and in any case within forty-eight (48) hours, after becoming aware of a Personal Data Breach affecting the Personal Data.
- Data Processor shall provide Data Controller with sufficient information to allow Data Controller to meet any obligations to report or inform Supervising Authorities and/or Data Subjects of the Personal Data Breach under the Data Protection Laws, taking into account the nature of Processing and the information available to Data Processor, including with the following information: (a) a description of the nature of the Personal Data Breach, including the categories and approximate number of both Data Subjects and Personal Data records concerned; (b) the likely consequences of the Personal Data Breach; and (c) a description of the measures taken, or proposed to be taken, to address the Personal Data Breach, including measures to mitigate its possible adverse effects. To the extent Data Processor does not have full information about the Personal Data Breach at the time of the initial notification, Data Processor shall provide an initial notification and then supplement that with additional information as it becomes available.
- Audit.some text
- During the Term, Data Processor shall keep records of its Processing activities to the extent required under applicable Data Protection Laws.
- During the Term and upon request, Data Processor shall make available to Data Controller all information reasonably necessary to demonstrate compliance with the obligations laid down in applicable Data Protection Laws and this DPA and allow for and contribute to audits, including inspections, conducted by Data Controller or another auditor mandated by Data Controller, all at Data Controller's sole expense and only in order to ensure Data Processor’s compliance with the obligations laid down in applicable Data Protection Laws and this DPA. If and to the extent Data Controller engages third parties to conduct the audit, such third parties must be bound to strict confidentiality obligations. Notwithstanding the above, Data Controller shall only be entitled to conduct such inspection during business hours and no more than once during one calendar year, provided that Data Controller shall be entitled to conduct such inspections at any time if it reasonably suspects Data Processor to be in material breach of its obligations under this DPA and that nothing in this Section shall limit the timing and scope of any audit required to be conducted by applicable Data Protection Laws.
- Data Controller shall provide Data Processor reasonable prior written notice of any audit or inspection to be conducted under this Section and shall avoid (and ensure that each of its auditors avoids) causing any damage, injury or disruption to Data Processor’s premises, equipment, personnel and business while its personnel are on those premises in the course of such audit or inspection.
- It is agreed that a copy of this DPA may be forwarded to the relevant Supervisory Authority, if required under applicable Data Protection Laws. Furthermore, the Parties agree that such authority has the right to conduct an audit of the Parties with respect to the subject matter of this DPA.
- Nothing in this DPA will require Data Processor either to disclose to Data Controller (and/or its authorized auditors), or provide access to: (i) any data of any other customer of Data Processor; (ii) Data Processor’s internal accounting or financial information; (iii) any trade secret of Data Processor; or (iv) any information that, in Data Processor’s sole discretion, could compromise the security of any of Data Processor’s systems or premises or cause Data Processor to breach obligations under any Applicable Law or its obligations to any third party.
- Sub-processing.some text
- Data Controller hereby (i) grants Data Processor a general authorization to engage (and permits each Sub-processor appointed in accordance with this Section to engage) Sub-processors for the purpose of providing the Services; (ii) agrees that Affiliates of Data Processor may be used as Sub-processors; and (iii) confirms that Data Processor may continue to use those Sub-processors already engaged by Data Processor as of the Effective Date of this DPA, which are detailed in Exhibit 1 (“Existing Sub-processors”).
- Data Processor can at any time and without justification appoint a new Sub-processor, provided that prior to engaging any Sub-processor:
(a) Data Processor will provide a fourteen (14) days’ prior notice to Data Controller regarding the engagement of a new Sub-processor, and the Data Controller does not reasonably object to such changes within that timeframe under legitimate and documented grounds. If Data Controller’s objection to an engagement of a Sub-processor is legitimate, Data Processor shall either refrain from using such Sub-processor in the context of the Processing of Personal Data, or shall notify Data Controller that it is unable to provide the Services without the use of such Sub-processor and therefore it will suspend or restrict the Services (or an applicable part thereof) with immediate effect.
(b) Data Processor ensures that it has in place a sub-processing agreement between Data Processor and the Sub-processor, that is no less protective with respect to Data Controller’s interest and protection of Personal Data than this DPA. Upon Data Controller’s request, Data Processor shall provide Data Controller with an updated list of Sub-processors.
- Where the Sub-processor fails to fulfil its personal data protection obligations with respect to the Personal Data, Data Processor shall remain fully liable to Data Controller for the performance of that Sub-processor’s obligations.
- Transfers. Data Controller hereby authorizes Data Processor to transfer the Personal Data across international borders, provided that in each case such transfer complies with applicable Data Protection Laws and that the Data Processor has put in place the necessary safeguards, as required by applicable Data Protection Laws, to facilitate such transfer.
- Personnel. Data Processor will be responsible for using qualified personnel with data protection training to provide the Services and ensure that Data Processor’s access to the Personal Data is limited only to those personnel who require such access to perform the Services. Data Processor shall obligate its personnel to Process the relevant Personal Data only in accordance with this DPA. Data Processor will further ensure that its personnel authorised to Process the Personal Data on its behalf: (i) will do so only on a need-to-know basis; and (סii) have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and that they will keep confidential and will not make available any Personal Data to any third party, other than as permitted herein.
- Deletion and Return of Personal Data. Within thirty (30) calendar days following the termination of the Services Agreement and/or this DPA, Data Processor will delete and instruct its Sub-processors to delete, all existing copies of the Personal Data which are in its possession, unless instructed by the Data Controller, by way of a prior written notice, to return such data, in which case the Data Processor shall return a copy of the Personal Data to the Data Controller and delete all remaining copies of the Personal Data which are in its possession. Notwithstanding the foregoing, Data Processor may retain the Personal Data, to the extent required by Applicable Laws and only to the extent and for such period as required by Applicable Laws and always provided that Data Processor shall ensure the confidentiality of all such Personal Data and shall ensure that such Personal Data is only Processed as necessary for the purpose(s) specified in the Applicable Laws requiring its storage and for no other purpose.
- Term. This DPA shall become effective upon execution or acceptance of the Services Agreement (“Effective Date”) and shall remain in full force until the later of the date when Data Processor ceases to Process the Personal Data or termination of the Services Agreement (the “Term”). All provisions of this DPA, which by their language or nature should survive the termination of this DPA, will survive the termination of this DPA.
- Limitation of Liability. Data Processor’s liability arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the Services Agreement governing the Services.
- Changes to this DPA. The Parties may amend this DPA from time to time by mutual agreement of both Parties.
- Miscellaneous. (i) This DPA represents the complete agreement concerning the subject matter hereof; (ii) except where explicitly agreed otherwise in writing by the Parties, in the event of inconsistencies between the provisions of this DPA and any other agreements between the Parties, including the Services Agreement and any other agreements which may be entered into or purported to be entered into after the date of this DPA, the provisions of this DPA shall prevail; (iii) the Parties to this DPA hereby agree to the governing law and the choice of jurisdiction stipulated in the Services Agreement with respect to any disputes or claims arising under this DPA; (iv) nothing in this DPA reduces either Party’s obligations under the Services Agreement in relation to the protection of Personal Data; and (v) should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (a) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, (b) construed in a manner as if the invalid or unenforceable part had never been contained therein.
EXHIBIT 1
DETAILS OF PROCESSING OF PERSONAL DATA
- Subject matter of the Processing: Providing customers with the Services set out in the Services Agreement.
- Duration: The period in which the Services Agreement is in effect.
- The purpose of the Processing: Providing customers with the Services, which include for example, syncing, normalizing, and matching customer data from the customers’ banks, payment providers, ERPs, and internal systems to perform reconciliation and reporting.
- Nature of the Processing: Collection of customer data from customers’ internal properties and/or from customers’ accounts in third parties’ properties, followed by organisation and structuring of such data as part of the Services.
- Type of Personal Data: Personal data may include names, email, and purchase information (e.g. details concerning amounts and times of products or services purchased, but excluding payment method details).
- Categories of data subjects: Customers’ end users who have purchased customers’ products and/or services.
- Existing Sub-processors: some text
- AWS
- Rutter
EXHIBIT 2
TECHNICAL AND ORGANIZATIONAL MEASURES
Description of the technical and organizational security measures implemented by Data Processor according to Section 5 of the DPA:
- Access Control of Processing Areas:
Data Processor implements suitable measures in order to prevent unauthorized persons from gaining access to the data processing equipment (namely telephones, database and application servers and related hardware) where the Personal Data are processed or used. This is accomplished by:
- establishing security areas;
- protection and restriction of access paths;
- securing ata processing equipment and personal computers;
- establishing access authorizations for employees and third parties, including the respective documentation;
- restrictions on physical keys for office access;
- all access to the data centre where Personal Data are hosted is logged, monitored, and tracked;
- the data centre where Personal Data are hosted is secured by a security alarm system, and other appropriate security measures.
- Access Control to Data Processing Systems:
Data Processor implements suitable measures in order to prevent its data processing systems from being used by unauthorized persons. This is accomplished by:
- identification of the terminal and/or the terminal user to the data importers systems;
- automatic time-out of user terminal if left idle, identification and password required to reopen;
- automatic turn-off of the user ID when several erroneous passwords are entered, log file of events, (monitoring of break-in-attempts);
- issuing and safeguarding of identification codes;
- dedication of individual terminals and/or terminal users, identification characteristics exclusive to specific functions; and
- all access to data content is logged, monitored, and tracked.
- Access Control to Use Specific Areas of Data Processing Systems:
Data Processor commits that the persons entitled to use its data processing systems are only able to access the data within the scope and to the extent covered by their respective access permission (authorization) and that Personal Data cannot be read, copied or modified or removed without authorization. This is accomplished by:
- employee policies and training in respect of each employee’s access rights to the Personal Data;
- allocation of individual terminals and /or terminal user, and identification characteristics exclusive to specific functions;
- monitoring capability in respect of individuals who delete, add or modify the Personal Data;
- effective and measured disciplinary action against individuals who access Personal Data without authorization;
- release of data to only authorized persons;
- control of files, controlled and documented destruction of data; and
- policies controlling the retention of back-up copies.
- Transmission Control:
Data Processor implements suitable measures in order to prevent the Personal Data from being read, copied, altered or deleted by unauthorized parties during the transmission thereof or during the transport of the data media. This is accomplished by:
- use of state-of-the-art firewall and encryption technologies to protect the gateways and pipelines through which the data travels;
- certain highly confidential employee data (e.g., personally identifiable information such as National ID numbers) is also encrypted within the system; and
- monitoring of the completeness and correctness of the transfer of data (end-to-end check).
- Input Control:
Data Processor implements suitable measures in order to ensure that it is possible to check and establish whether and by whom Personal Data have been input into data processing systems or removed. This is accomplished by:
- an authorization policy for the input of data into memory, as well as for the reading, alteration and deletion of stored data;
- authentication of the authorized personnel;
- protective measures for the data input into memory, as well as for the reading, alteration and deletion of stored data;
- utilization of user codes (passwords);
- automatic log-off of user ID's that have not been used for a substantial period of time; and
- proof established within data importers’ organization of the input authorization;
- electronic recording of entries.
- Job Control:
Data Processor implements suitable measures in order to ensure that the Personal Data are processed strictly in accordance with the Instructions of Data Controller. This is accomplished by:
- ensuring clear Instructions to Data Processor regarding the scope of any Processing of Personal Data. This is limited to specific system development and database management requirements of the data exporter (for example, the creation of new reporting templates, where Processing of data in necessary in order to test those reporting templates); and
- granting regular access and control rights to Data Controller, on appropriate notice and in accordance with Data Controller’s security polices and accompanied by Data Processor.
- Availability Control:
Data Processor implements suitable measures in order to ensure that Personal Data are protected from accidental destruction or loss and the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident. This is accomplished by:
- infrastructure redundancy: two clustered database servers are used for storing the data
- Data backup is stored in different regions and available for restore in case of failure.
- Separation of Processing for Different Purposes:
Data Processor implements suitable measures in order to ensure that data collected for different purposes can be processed separately. This is accomplished by:
- access to data is separated through application security for the appropriate users;
- modules within the Data Processor’s data base separate which data is used for which purpose, i.e. by functionality and function;
- at the database level, data is stored in different normalized tables, separated per module or function they support; and
- interfaces, batch processes and reports are designed for only specific purposes and functions, so data collected for specific purposes is processed separately.
- Data Security:
9.1 Data Processor implements suitable measures in order to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and the Services and the pseudonymisation and encryption of Personal Data. This is accomplished by:
- Database encryption with KMS
- E2E encryption
- Data Processor also implements a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing. This is accomplished by:
- Third party penetration tests
- Third party vulnerability tests
- Access controls
- Disaster recovery
- Risk assessments
- Malware detection
- Information security policy and steering committee
- SOC2 type 2 compliance and annual audit
This Data Processing Addendum (“DPA”) is an agreement the customer identified in the applicable Order Form (“Customer” or “Data Controller”) and Nilus OS Ltd. (“Company” or “Data Processor”). The Parties agree that this DPA shall be added as an addendum to the Subscription Agreement which is part of the Order Form executed between the Parties, according to which the Company shall provide to the Customer certain data processing services, as described therein (respectively, the “Services” and the “Services Agreement”). Data Controller and Data Processor shall be collectively referred to as the “Parties”, and each a “Party”.
- Definitions. In this DPA, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:some text
- “Affiliate(s)” means an entity that owns or controls, is owned or controlled by or is or under common control or ownership of either Party, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise;
- “Applicable Laws” means any applicable law, including Data Protection Laws, to which Data Processor is subject with respect to any Personal Data;
- “Data Protection Laws” means all applicable data privacy and data protection laws, rules and regulations, in each case, as amended, adopted, or superseded from time to time.
- “Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”) (an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person), which is Processed by Data Processor or any of Data Processor’s Sub-processors on behalf of Data Controller as part of the performance of the Services under the Services Agreement;
- “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed;
- “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- “Sub-processor” means any third party (but excluding any personnel member of Data Processor) appointed by or on behalf of Data Processor to Process Personal Data for the benefit of Data Controller as part of the performance of the Services under the Services Agreement;
- “Supervisory Authority” any applicable regulatory authority responsible for the enforcement of Data Protection Laws; and
- “Term” shall have the meaning ascribed to it under Section 12 below.
- Processing of Personal Data.some text
- Data Processor, and any person acting under its authority, will carry out the Personal Data Processing activities, including with regard to transfers of Personal Data to a third country or an international organisation, only for the following purposes: (i) to provide the Services, in accordance with the Services Agreement and other reasonable documented instructions provided by the Data Controller, where such instructions are consistent with the terms of the Services Agreement (collectively, the “Instruction(s)”); (ii) as permitted under this DPA; and (iii) as required under Applicable Law, in which case Data Processor shall, to the extent permitted by Applicable Law, inform Data Controller of such legally required Processing of Personal Data, unless that law prohibits such information on important grounds of public interest.
- Data Controller instructs Data Processor (and authorizes Data Processor to instruct each of its Sub-processors) to process the Personal Data, as reasonably necessary for the provision of the Services and in accordance with the Services Agreement and this DPA. Additional instructions outside the scope of this DPA and the Services Agreement require prior written agreement between Data Controller and Data Processor and will include any additional fees that may be payable by the Data Controller to the Data Processor for carrying out such instructions.
- Data Controller hereby acknowledges that as part of the provision of the Services hereunder, Data Processor may collect, disclose, publish, share and otherwise use fully anonymized, de-identified and de-identifiable data, including statistical data, analytics, trends and other aggregated data which derives from the Personal Data Processed by the Data Processor as part of the provision of the Services, all as required for the Data Processor's legitimate purposes, including without limitation in order to provide, maintain, operate and improve the Services and for research purposes. Data Processor agrees not to use said anonymized data in a form that identifies the Customer or any Data Subject. The Data Controller hereby agrees and acknowledges that such processing activities (including the anonymization and de-identification of Personal Data) will not be considered as performed outside the scope of the Instructions provided by the Data Controller hereunder.
- Data Processor will notify Data Controller if Data Processor is of the opinion that a written Instruction received from Data Controller is in violation of Applicable Law and/or in violation of contractual duties under the Services Agreement.
- Data Controller shall have sole responsibility for the accuracy, quality and legality of the Personal Data and the means by which Data Controller acquired the Personal Data. Data Controller warrants and undertakes that the Personal Data has been collected, Processed and transferred to the Data Processor in accordance with the laws applicable to Data Controller, including, if required by applicable Data Protection Laws, that Data Controller has received all required consents from the applicable Data Subjects for the Processing carried out by the Data Processor under this DPA and that the Data Subjects have been informed that their Personal Data could be transmitted to a third country outside of their jurisdiction.
- Exhibit 1 of this DPA sets forth certain information regarding Data Processor’s Processing activities of the Personal Data.
- Data Subjects. some text
- Data Processor shall promptly notify Data Controller if Data Processor receives a request from a Data Subject to exercise the Data Subject’s rights under Data Protection Laws, including without limitation the right of access, rectification, restriction of Processing, erasure, data portability, object to the Processing, or its right not to be subject to an automated individual decision making (“Data Subject Request”), and shall not respond to such request without Data Controller’s prior written consent, except to confirm that such request relates to Data Controller.
- Taking into account the nature of the Processing, Data Processor shall assist the Data Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Data Controller’s obligation to respond to any Data Subject Request and agrees to provide reasonable assistance and comply with reasonable instructions from Data Controller related to any Data Subject Request.
- Supervising Authorities. Data Processor shall provide reasonable assistance to Data Controller with any data protection impact assessments, and prior consultations with Supervising Authorities, as required by Data Protection Laws, in each case solely in relation to the Processing of Personal Data by Data Processor and all by taking into account the nature of the Processing and information available to the Data Processor. Data Controller acknowledges and agrees that assistance with data protection impact assessments and prior consultations by Data Processor may result in additional fees (which will be notified to Data Controller in advance).
- Security. some text
- Data Processor shall treat Personal Data as confidential information and will not disclose, make available or transfer the Personal Data to any third party, other than as permitted under this DPA.
- Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Data Processor has implemented, and will maintain, adequate technical and organizational security measures in order to ensure a level of security of the Personal Data appropriate to that risk, including those measures stipulated in Exhibit 2 of this DPA. The technical and organizational security measures are aimed at protecting Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access and against all other unlawful forms of Processing.
- The technical and organizational security measures implemented by the Data Processor are subject to technical progress and development, and Data Processor may update or modify the technical and organizational security measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Services.
- Security Breach Notification.some text
- Data Processor shall notify Data Controller without undue delay, and in any case within forty-eight (48) hours, after becoming aware of a Personal Data Breach affecting the Personal Data.
- Data Processor shall provide Data Controller with sufficient information to allow Data Controller to meet any obligations to report or inform Supervising Authorities and/or Data Subjects of the Personal Data Breach under the Data Protection Laws, taking into account the nature of Processing and the information available to Data Processor, including with the following information: (a) a description of the nature of the Personal Data Breach, including the categories and approximate number of both Data Subjects and Personal Data records concerned; (b) the likely consequences of the Personal Data Breach; and (c) a description of the measures taken, or proposed to be taken, to address the Personal Data Breach, including measures to mitigate its possible adverse effects. To the extent Data Processor does not have full information about the Personal Data Breach at the time of the initial notification, Data Processor shall provide an initial notification and then supplement that with additional information as it becomes available.
- Audit.some text
- During the Term, Data Processor shall keep records of its Processing activities to the extent required under applicable Data Protection Laws.
- During the Term and upon request, Data Processor shall make available to Data Controller all information reasonably necessary to demonstrate compliance with the obligations laid down in applicable Data Protection Laws and this DPA and allow for and contribute to audits, including inspections, conducted by Data Controller or another auditor mandated by Data Controller, all at Data Controller's sole expense and only in order to ensure Data Processor’s compliance with the obligations laid down in applicable Data Protection Laws and this DPA. If and to the extent Data Controller engages third parties to conduct the audit, such third parties must be bound to strict confidentiality obligations. Notwithstanding the above, Data Controller shall only be entitled to conduct such inspection during business hours and no more than once during one calendar year, provided that Data Controller shall be entitled to conduct such inspections at any time if it reasonably suspects Data Processor to be in material breach of its obligations under this DPA and that nothing in this Section shall limit the timing and scope of any audit required to be conducted by applicable Data Protection Laws.
- Data Controller shall provide Data Processor reasonable prior written notice of any audit or inspection to be conducted under this Section and shall avoid (and ensure that each of its auditors avoids) causing any damage, injury or disruption to Data Processor’s premises, equipment, personnel and business while its personnel are on those premises in the course of such audit or inspection.
- It is agreed that a copy of this DPA may be forwarded to the relevant Supervisory Authority, if required under applicable Data Protection Laws. Furthermore, the Parties agree that such authority has the right to conduct an audit of the Parties with respect to the subject matter of this DPA.
- Nothing in this DPA will require Data Processor either to disclose to Data Controller (and/or its authorized auditors), or provide access to: (i) any data of any other customer of Data Processor; (ii) Data Processor’s internal accounting or financial information; (iii) any trade secret of Data Processor; or (iv) any information that, in Data Processor’s sole discretion, could compromise the security of any of Data Processor’s systems or premises or cause Data Processor to breach obligations under any Applicable Law or its obligations to any third party.
- Sub-processing.some text
- Data Controller hereby (i) grants Data Processor a general authorization to engage (and permits each Sub-processor appointed in accordance with this Section to engage) Sub-processors for the purpose of providing the Services; (ii) agrees that Affiliates of Data Processor may be used as Sub-processors; and (iii) confirms that Data Processor may continue to use those Sub-processors already engaged by Data Processor as of the Effective Date of this DPA, which are detailed in Exhibit 1 (“Existing Sub-processors”).
- Data Processor can at any time and without justification appoint a new Sub-processor, provided that prior to engaging any Sub-processor:
(a) Data Processor will provide a fourteen (14) days’ prior notice to Data Controller regarding the engagement of a new Sub-processor, and the Data Controller does not reasonably object to such changes within that timeframe under legitimate and documented grounds. If Data Controller’s objection to an engagement of a Sub-processor is legitimate, Data Processor shall either refrain from using such Sub-processor in the context of the Processing of Personal Data, or shall notify Data Controller that it is unable to provide the Services without the use of such Sub-processor and therefore it will suspend or restrict the Services (or an applicable part thereof) with immediate effect.
(b) Data Processor ensures that it has in place a sub-processing agreement between Data Processor and the Sub-processor, that is no less protective with respect to Data Controller’s interest and protection of Personal Data than this DPA. Upon Data Controller’s request, Data Processor shall provide Data Controller with an updated list of Sub-processors.
- Where the Sub-processor fails to fulfil its personal data protection obligations with respect to the Personal Data, Data Processor shall remain fully liable to Data Controller for the performance of that Sub-processor’s obligations.
- Transfers. Data Controller hereby authorizes Data Processor to transfer the Personal Data across international borders, provided that in each case such transfer complies with applicable Data Protection Laws and that the Data Processor has put in place the necessary safeguards, as required by applicable Data Protection Laws, to facilitate such transfer.
- Personnel. Data Processor will be responsible for using qualified personnel with data protection training to provide the Services and ensure that Data Processor’s access to the Personal Data is limited only to those personnel who require such access to perform the Services. Data Processor shall obligate its personnel to Process the relevant Personal Data only in accordance with this DPA. Data Processor will further ensure that its personnel authorised to Process the Personal Data on its behalf: (i) will do so only on a need-to-know basis; and (סii) have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and that they will keep confidential and will not make available any Personal Data to any third party, other than as permitted herein.
- Deletion and Return of Personal Data. Within thirty (30) calendar days following the termination of the Services Agreement and/or this DPA, Data Processor will delete and instruct its Sub-processors to delete, all existing copies of the Personal Data which are in its possession, unless instructed by the Data Controller, by way of a prior written notice, to return such data, in which case the Data Processor shall return a copy of the Personal Data to the Data Controller and delete all remaining copies of the Personal Data which are in its possession. Notwithstanding the foregoing, Data Processor may retain the Personal Data, to the extent required by Applicable Laws and only to the extent and for such period as required by Applicable Laws and always provided that Data Processor shall ensure the confidentiality of all such Personal Data and shall ensure that such Personal Data is only Processed as necessary for the purpose(s) specified in the Applicable Laws requiring its storage and for no other purpose.
- Term. This DPA shall become effective upon execution or acceptance of the Services Agreement (“Effective Date”) and shall remain in full force until the later of the date when Data Processor ceases to Process the Personal Data or termination of the Services Agreement (the “Term”). All provisions of this DPA, which by their language or nature should survive the termination of this DPA, will survive the termination of this DPA.
- Limitation of Liability. Data Processor’s liability arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the Services Agreement governing the Services.
- Changes to this DPA. The Parties may amend this DPA from time to time by mutual agreement of both Parties.
- Miscellaneous. (i) This DPA represents the complete agreement concerning the subject matter hereof; (ii) except where explicitly agreed otherwise in writing by the Parties, in the event of inconsistencies between the provisions of this DPA and any other agreements between the Parties, including the Services Agreement and any other agreements which may be entered into or purported to be entered into after the date of this DPA, the provisions of this DPA shall prevail; (iii) the Parties to this DPA hereby agree to the governing law and the choice of jurisdiction stipulated in the Services Agreement with respect to any disputes or claims arising under this DPA; (iv) nothing in this DPA reduces either Party’s obligations under the Services Agreement in relation to the protection of Personal Data; and (v) should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (a) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, (b) construed in a manner as if the invalid or unenforceable part had never been contained therein.
EXHIBIT 1
DETAILS OF PROCESSING OF PERSONAL DATA
- Subject matter of the Processing: Providing customers with the Services set out in the Services Agreement.
- Duration: The period in which the Services Agreement is in effect.
- The purpose of the Processing: Providing customers with the Services, which include for example, syncing, normalizing, and matching customer data from the customers’ banks, payment providers, ERPs, and internal systems to perform reconciliation and reporting.
- Nature of the Processing: Collection of customer data from customers’ internal properties and/or from customers’ accounts in third parties’ properties, followed by organisation and structuring of such data as part of the Services.
- Type of Personal Data: Personal data may include names, email, and purchase information (e.g. details concerning amounts and times of products or services purchased, but excluding payment method details).
- Categories of data subjects: Customers’ end users who have purchased customers’ products and/or services.
- Existing Sub-processors: some text
- AWS
- Rutter
EXHIBIT 2
TECHNICAL AND ORGANIZATIONAL MEASURES
Description of the technical and organizational security measures implemented by Data Processor according to Section 5 of the DPA:
- Access Control of Processing Areas:
Data Processor implements suitable measures in order to prevent unauthorized persons from gaining access to the data processing equipment (namely telephones, database and application servers and related hardware) where the Personal Data are processed or used. This is accomplished by:
- establishing security areas;
- protection and restriction of access paths;
- securing ata processing equipment and personal computers;
- establishing access authorizations for employees and third parties, including the respective documentation;
- restrictions on physical keys for office access;
- all access to the data centre where Personal Data are hosted is logged, monitored, and tracked;
- the data centre where Personal Data are hosted is secured by a security alarm system, and other appropriate security measures.
- Access Control to Data Processing Systems:
Data Processor implements suitable measures in order to prevent its data processing systems from being used by unauthorized persons. This is accomplished by:
- identification of the terminal and/or the terminal user to the data importers systems;
- automatic time-out of user terminal if left idle, identification and password required to reopen;
- automatic turn-off of the user ID when several erroneous passwords are entered, log file of events, (monitoring of break-in-attempts);
- issuing and safeguarding of identification codes;
- dedication of individual terminals and/or terminal users, identification characteristics exclusive to specific functions; and
- all access to data content is logged, monitored, and tracked.
- Access Control to Use Specific Areas of Data Processing Systems:
Data Processor commits that the persons entitled to use its data processing systems are only able to access the data within the scope and to the extent covered by their respective access permission (authorization) and that Personal Data cannot be read, copied or modified or removed without authorization. This is accomplished by:
- employee policies and training in respect of each employee’s access rights to the Personal Data;
- allocation of individual terminals and /or terminal user, and identification characteristics exclusive to specific functions;
- monitoring capability in respect of individuals who delete, add or modify the Personal Data;
- effective and measured disciplinary action against individuals who access Personal Data without authorization;
- release of data to only authorized persons;
- control of files, controlled and documented destruction of data; and
- policies controlling the retention of back-up copies.
- Transmission Control:
Data Processor implements suitable measures in order to prevent the Personal Data from being read, copied, altered or deleted by unauthorized parties during the transmission thereof or during the transport of the data media. This is accomplished by:
- use of state-of-the-art firewall and encryption technologies to protect the gateways and pipelines through which the data travels;
- certain highly confidential employee data (e.g., personally identifiable information such as National ID numbers) is also encrypted within the system; and
- monitoring of the completeness and correctness of the transfer of data (end-to-end check).
- Input Control:
Data Processor implements suitable measures in order to ensure that it is possible to check and establish whether and by whom Personal Data have been input into data processing systems or removed. This is accomplished by:
- an authorization policy for the input of data into memory, as well as for the reading, alteration and deletion of stored data;
- authentication of the authorized personnel;
- protective measures for the data input into memory, as well as for the reading, alteration and deletion of stored data;
- utilization of user codes (passwords);
- automatic log-off of user ID's that have not been used for a substantial period of time; and
- proof established within data importers’ organization of the input authorization;
- electronic recording of entries.
- Job Control:
Data Processor implements suitable measures in order to ensure that the Personal Data are processed strictly in accordance with the Instructions of Data Controller. This is accomplished by:
- ensuring clear Instructions to Data Processor regarding the scope of any Processing of Personal Data. This is limited to specific system development and database management requirements of the data exporter (for example, the creation of new reporting templates, where Processing of data in necessary in order to test those reporting templates); and
- granting regular access and control rights to Data Controller, on appropriate notice and in accordance with Data Controller’s security polices and accompanied by Data Processor.
- Availability Control:
Data Processor implements suitable measures in order to ensure that Personal Data are protected from accidental destruction or loss and the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident. This is accomplished by:
- infrastructure redundancy: two clustered database servers are used for storing the data
- Data backup is stored in different regions and available for restore in case of failure.
- Separation of Processing for Different Purposes:
Data Processor implements suitable measures in order to ensure that data collected for different purposes can be processed separately. This is accomplished by:
- access to data is separated through application security for the appropriate users;
- modules within the Data Processor’s data base separate which data is used for which purpose, i.e. by functionality and function;
- at the database level, data is stored in different normalized tables, separated per module or function they support; and
- interfaces, batch processes and reports are designed for only specific purposes and functions, so data collected for specific purposes is processed separately.
- Data Security:
9.1 Data Processor implements suitable measures in order to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and the Services and the pseudonymisation and encryption of Personal Data. This is accomplished by:
- Database encryption with KMS
- E2E encryption
- Data Processor also implements a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing. This is accomplished by:
- Third party penetration tests
- Third party vulnerability tests
- Access controls
- Disaster recovery
- Risk assessments
- Malware detection
- Information security policy and steering committee
- SOC2 type 2 compliance and annual audit