Data Processing Agreement
DATA PROCESSING EXHIBIT
This Data Processing Exhibit (the “Exhibit” or “DPA”) is entered into by and between Anecdotes A.I Ltd., a company number 516160165, incorporated under the laws of the State of Israel, having its registered office at 146 Begin Road, Tel-Aviv, Israel (the “Company” or, for purposes of this engagement, the "Processor"), forms an integral part of the Terms of Use (the "Terms of Use") between the Company and the Customer, which shall be deemed for purposes of this engagement as the "Controller".
All capitalized terms shall have the meaning ascribed to them in the Terms of Use unless expressly provided otherwise in this Exhibit. In the event of a conflict between the Terms of Use and this Exhibit, the terms of this Exhibit shall prevail in connection with Personal Data matters.
The Customer and the Company hereby agree as follows:
1. DEFINITIONS
1
"Applicable Data Protection Laws"means applicable privacy and data protection laws in connection with the processing of personal data conducted pursuant to the Terms of Use, including without limitation (to the extent applicable), (a) GDPR, (b) Israel Privacy Protection Law, 5741-1981, and the regulations promulgated there under, and (c) guidance issued by any relevant supervisory authority or implementing, amending, or supplementing the above laws, rules and regulations, whether in effect now or in the future.
2
"Customer" as used in this Data Processing Exhibit shall mean collectively, the Customer receiving the services and its affiliates.
3
"Data Subject Requests" means any requests from a Data Subject related to access, rectification, suppression, limitation, objection, portability and erasure of Personal Data or other requests authorized under Applicable Data Protection Law.
4
"Designated Contact" for reporting Security Events, Data Subject Requests, and Personal Data Breach to the Processed Data. Means (i) info@anecdotes.ai and such additional contact as designated by the Company, and (ii) [Customer's valid email address] and such additional contact as designated by the Customer.
5
"GDPR" means EU General Data Protection Regulation 2016/679.
6
"Personnel" means Company or Customer's employees, contractors, subcontractors, agents and representatives.
7
"Processed Data" means any Personal Data Processed by the Company on behalf of the Customer pursuant to or in connection with the Terms of Use.
8
"Security Event" means any attempt or activity that (i) is made to gain unauthorized access to Processed Data; (ii) interferes with the operation of any Company Systems or Customer Systems containing the Company or the Company third-party data or information; or (iii) may otherwise compromise the security or privacy of the Processed Data or its disclosure.
9
The terms, “Controller” "Data Subject", "Personal Data", "Personal Data Breach", "Processing", “Processor” and "Supervisory Authority" shall have thesame meaning as in the Applicable Data Protection Laws.
2. DATA PROTECTION AND PRIVACY OF PERSONAL DATA
In addition to the other obligations set forth hereunder, each of Customer and Company shall:
1
comply with its respective obligations under Applicable Data Protection Laws in relation to all Customer Personal Data that may be processed in the performance and operation of this Exhibit;
2
the processing operations to be carried out in the performance of this Exhibit conform to the description set out under details of processing hereunder;
3
process the Customer Personal Data solely on the documented instructions of Customer, in order to supply the services and as otherwise necessary to perform its obligations under the Terms of Use including with regard to transfers ofCustomer Personal Data to a third country outside its current location;
4
not Process Customer Personal Data in any country outside the United States or Israel (support access) without the prior written consent of Customer; and
5
immediately inform the other party if, in its opinion, an instruction pursuant to the Terms of Use infringes Applicable Data Protection Laws.
3. DATA SUBJECT RIGHTS
1
The Company shall provide reasonable assistance to the Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Customer's obligation to respond to requests for exercising the Data Subject's Requests. As the company is not responsible for receiving Data Subject consents, the Company shall not be liable in respect of any claim regarding Data Subject rights.
2
The Company shall promptly notify the Customer's Designated Contact if it receives a request from a Data Subject under any Applicable Data Protection Law in respect of the Processed Data; and ensure it responds to that request as required by Applicable Data Protection Laws.
4. PERSONAL DATA BREACH AND SECURITY EVENTS
1
The Company shall notify the Customer without undue delay, and no later than 72 hours, upon becoming aware of a Personal Data Breach or a Security Event affecting the Processed Data.
2
The Company shall not be liable in respect of any claim of Personal Data Breach or a Security Event, and in no case will be liable for indirect damage caused to Customer and arising from the Data Breach.
3
4
5
6
4
5
6
Company’s aggregate liability arising out of or relating to this DPA will not exceed the amount of fees actually paid by Customer to the Company for the applicable services under the Terms of Use and this DPA in the twelve (12) months prior to the act that gave rise to the alleged liability.
Company’s cooperation or obligation to report or respond to Data Breaches under this DPA shall not, by itself, be deemed an acknowledgment by the Company of any fault or liability of the Company with respect to a Data Breach.
Unless otherwise mandated by Applicable Data Protection Laws or any other applicable regulation, the Customer shall instruct the Company if to report or inform Data Subjects of the Personal Data Breach, pursuant to the requirements under Applicable Data Protection Laws.
The Company shall take steps in the investigation, mitigation and remediation of each such Personal Data Breach or a Security Event.
Company’s cooperation or obligation to report or respond to Data Breaches under this DPA shall not, by itself, be deemed an acknowledgment by the Company of any fault or liability of the Company with respect to a Data Breach.
Unless otherwise mandated by Applicable Data Protection Laws or any other applicable regulation, the Customer shall instruct the Company if to report or inform Data Subjects of the Personal Data Breach, pursuant to the requirements under Applicable Data Protection Laws.
The Company shall take steps in the investigation, mitigation and remediation of each such Personal Data Breach or a Security Event.
5. SUBPROCESSORS AND PERSONNEL
1
Customers shall ensure Personnel authorized to Process the Customer Personal Data are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
2
Both parties will disclose the Processed Data only to those Personnel who have the need to know such Processed Data in connection with the performance of the Terms of Use.
3
Customer hereby grants to the Company a general written authorization to use sub-processors set out in this exhibit for the provision of the services, provided that:
3.1
the Company shall ensure that it engages such sub-processors by written Terms and Conditions containing data processing and security obligations no less favorable to Customer than those contained in the Terms of Use
3.2
the sub-processor complies with its obligations under the Applicable Data Protection Laws relating to any Customer Personal Data and has sufficient organizational and technical measures in place to guarantee the protection of Customer Personal Data against unauthorized or unlawful processing; and
3.3
3.4
3.5
3.4
3.5
the Company will notify the Customer of any intended changes concerning the addition or replacement of a sub-processor thereby giving the Customer the opportunity to object to the addition or replacement within fourteen (14) days of the notification.
In the event Customer objects to a new Sub-processor, Company will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer within thirty (30) days of Customer’s written notice of objection.
Company will be liable for the acts and omissions of its Sub-processors provided that the Sub-processors have not breached their contractual obligations to the Company.
In the event Customer objects to a new Sub-processor, Company will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer within thirty (30) days of Customer’s written notice of objection.
Company will be liable for the acts and omissions of its Sub-processors provided that the Sub-processors have not breached their contractual obligations to the Company.
6. SECURITY
1
Company shall ensure the security of the Customer Personal Data that it processes in accordance with the requirements of Applicable Data Protection Law.
2
Both parties shall implement appropriate technical and organizational measures to ensure the protection of the Personal Data.
3
Both parties shall use best efforts to ensure (i) that any Processed Data that is inaccurate or incomplete is erased or rectified; (ii) establish an audit trail to document whether and by whom Processed Data have been entered into, modified in, or removed; and (iii) retain the Processed Data only as long as is necessary.
7. RECORDS AND AUDITS
1
In connection with to its processing of Customer Personal Data, the Company shall, during the term of the Terms of Use, provide the Customer with information reasonably necessary to demonstrate compliance with the obligations laid down in the Applicable Data Protection Laws, and shall allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer, provided that:
1.1
The Customer gives at least thirty (30) days' prior written notice to conduct such audit or inspection;
1.2
The auditor is subject to binding obligations of confidentiality; and
1.3
The audit or inspection is undertaken so as to cause minimal disruption to the Company's business and other customers.
1.4
The provisions of this Data Processing Exhibit shall survive termination or expiration of the Terms of Use.
8. DETAILS OF THE PROCESSING
1
Details of the Processing of the Personal Data (as required by Article 28(3) GDPR):
1.1
Subject matter and duration of the processing of the Personal Data: shall be as set forth in the Proposal, according to the scope of Services and the Term, as both defined in the Terms of Use.
1.2
The nature and purpose of the processing of the Personal Data:
i
For delivery and provision of the Services to the Customer;
ii
For delivery and provision of the Services to the Customer;
iii
For customer support and technical trouble shooting;
iv
To comply with applicable law, including law enforcement requests.
2
The types of the Personal Data to be processed: name, phone number, email address, position, transactions, usage details, including URLs visited, events triggered on defined actions such as page loads, clicks, logins and purchases, IP addresses, cookies, analytics data.
3
The categories of Data Subject to whom the Personal Data relates: current, former and potential employees and subcontractors of the Customerand other authorized users of the Services.
4
SubProcessors: The current list of sub-processors can be found in the following link.
Last updated on June 12, 2023