DATA PROCESSING ADDENDUM
This Data Processing Addendum (the “DPA”) is entered into by and between Kendo Ltd., incorporated under the laws of the State of Israel (the “Company” or the “Processor”), and the Customer (or the “Controller”).
All capitalized terms shall have the meaning ascribed to them in the Terms, unless expressly provided otherwise in this DPA. In the event of a conflict between the Terms and this DPA, the terms of this DPA shall control over Processing of Personal Data.
The Customer and the Company hereby agree as follows:
DEFINITIONS
- “Affiliate” means an entity, whether now or in the future, that directly or indirectly through one or more intermediaries, controls, or is controlled by, or is under common control with the Company. For this purpose, “control” means ownership of at least fifty percent of the voting shares or the power to direct or cause the direction of, the management, governance or policies of an entity.
- “Applicable Data Protection Laws” means all applicable local, state, federal, and international privacy, including without limitation, GDPR, Israel Privacy Protection Law, 5741-1981 and the regulations promulgated thereunder, and applicable confidentiality, consumer protection, advertising, electronic mail, data security, data localization and other similar laws, rules, and regulations, whether in effect now or in the future.
- “Company System(s)” means any information technology systems, whether owned, contracted, rented or leased (including any third-party hosted solutions) by or on behalf of the Company.
- “Customer” as used in this DPA shall mean, collectively, the Customer party that enters into the Terms and its affiliates.
- “Data Subject Requests” means any requests from a Data Subject related to access, rectification, suppression, limitation, objection, portability and erasure of Personal Data or other requests authorized under Applicable Data Protection Law.
- “GDPR” means EU General Data Protection Regulation 2016/679.
- “Personnel” means a Party’s employees, contractors, subcontractors, agents, and representatives.
- “Processed Data” means any Personal Data Processed by the Company on behalf of the Customer pursuant to or in connection with the Terms.
- “Security Event” means any attempt or activity that (i) is made to gain unauthorized access to Customer’s Confidential Information or Processed Data; (ii) interferes with the operation of any Company Systems or Customer Systems containing the Company or the Company third-party data or information; or (iii) may otherwise compromise the security or privacy of Customer’s Confidential Information or Processed Data or disclosure of Customer’s Confidential Information or Processed Data.
- “Unauthorized Access” means any accidental, unauthorized or improper access to the Processed Data or to Customer’s Confidential Information.
- The terms “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing”, and “Supervisory Authority” shall have the same meaning as in the Applicable Data Protection Laws.
DATA PROTECTION AND PRIVACY OF PERSONAL DATA
- The Company shall comply with all Applicable Data Protection Laws as a Processor of the Processed Data.
- The processing operations to be carried out in the performance of this DPA conform to the description set out under “Schedule I – Details of Processing” hereunder.
- The Company shall process the Customer Personal Data solely pursuant to the Customer’s documented instructions, in order to supply the Services and as otherwise necessary to perform its obligations under the Terms, including with regard to transfers of Customer Personal Data to a third country outside its current location.
- The Customer will ensure that it has any and all authorizations, consents, and certifications which are necessary under Applicable Data Protection Laws in order to control the Processing of the Personal Data as a Controller, as evidenced by its written records.
- The Company shall not Process Customer Personal Data in any country outside Israel, the USA, the UK, or the EEA without the prior written consent of the Customer.
- The Parties shall take reasonable steps to ensure the reliability of any employee, agent or contractor who may have access to the Processed Data, ensuring in each case that access is strictly limited to those individuals who need to know or to access the relevant Processed Data, as strictly necessary for the purposes of the Terms, and to comply with Applicable Data Protection Laws, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
- The Company shall adhere to the obligations under Applicable Data Protection Laws including, without limitation, obligations regarding (i) data protection (including data protection impact assessments as defined in the GDPR); (ii) Data Subject Requests; (iii) Security Events; (iv) data transfers outside Israel or the EEA and other adequate countries; and (v) cooperation or consultancy with the relevant regulatory or supervisory authorities.
- Company will (i) use best efforts to ensure that any Processed Data that is inaccurate or incomplete is erased or rectified; (ii) ensure that all appropriate and legally required technical, physical and organizational security measures, are taken to protect the Processed Data against accidental or unlawful destruction, loss, damage, alteration or Unauthorized Access; (iii) establish an audit trail to document whether and by whom Processed Data has been entered into, modified in, or removed; and (iv) retain the Processed Data only as long as is necessary.
DATA SUBJECT RIGHTS
- The Company shall provide Data Subject rights to the Data Subject as required according to the Applicable Data Protection Laws. The Customer shall not be liable in respect of any claim regarding Data Subject rights with regards to the processing of the Processed Data.
- Taking into account the nature of the Processing, the Company shall apply appropriate technical and organizational measures to respond to requests to exercise Data Subject rights under the Applicable Data Protection Laws.
The Company shall:
- Promptly notify the Customer’s designated contact if it receives a request from a Data Subject under any Applicable Data Protection Law in respect of the Processed Data; and
- Ensure it responds to that request as required by Applicable Data Protection Laws.
PERSONAL DATA BREACH
- The Company shall notify the Customer without undue delay upon becoming aware of a Personal Data Breach affecting the Processed Data. The Customer shall not be liable in respect of any claim of Personal Data Breach.
- The Company shall take reasonable commercial steps in the investigation, mitigation, and remediation of each such Personal Data Breach.
DISCLOSURES AND SECURITY EVENTS
- Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Company shall in relation to the Processed Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
- In assessing the appropriate level of security, the Company shall take into account in particular the risks that are presented by Processing, in particular from a Personal Data Breach.
- Company shall report to the Customer’s designated contact:
  - Unauthorized access to the Processed Data within one (1) day of discovery of such access, or earlier if required by law or regulation.
  - Any successful Security Event affecting the Processed Data within 24 hours of discovery, or earlier if required by law or regulation.
  - The loss of any privacy or security certification of a Customer System, or a material finding of any internal or external security assessment of a Company System that poses a significant risk of a Security Event, within five (5) days, or earlier if required by law or regulation.
- Company shall use its best efforts to remedy any unauthorized access to the Processed Data or any Security Event in a timely manner.
- The Customer may terminate without penalty the Terms or any Services for breach if it determines that Company’s remediation action with regard to unauthorized access to Company Confidential Information or the Processed Data or a Security Event is insufficient.
THIRD-PARTY PERSONNEL
- The Company shall not appoint (or disclose any Processed Data to) any subprocessor unless required and authorized by the Customer.
- The Company shall not transfer the Processed Data to any third party.
- Company will disclose the Processed Data only to that Personnel who have the need to know such Processed Data in connection with the performance of the Terms and shall ensure that its Personnel who provide or access Company Systems or the Processed Data are obligated to comply with Applicable Data Protection Laws and the obligations set forth under this DPA prior to accessing Company Systems or the Processed Data.
- Company shall be solely responsible for its Personnel’s compliance with the Terms and this DPA and the acts and omissions of its Personnel to the same extent as if the acts were performed by Company.
RECORDS/AUDITS/ASSESSMENTS
During the term of this DPA and for a period of the later of seven (7) years or any regulatory requirements from the date of the termination or expiration of the Terms or this DPA, Company shall keep records, logs, reports, audit trails, and any other relevant documentation regarding the Services under the Terms, with the exception of Personal Data (if the Services permit Company to store any Personal Data), which will be deleted at the latest upon the termination of the Terms.
COMPLIANCE
- If the Company is not compliant, or reasonably believes that it is not or is unable to comply with its obligations under this DPA, the Company shall (i) promptly notify the Company of its non-compliance or inability to comply; (ii) conduct an assessment of the reasons for and circumstances surrounding such noncompliance; and (iii) use best efforts and take all necessary actions to achieve compliance and to mitigate the impact of its noncompliance on the Services and Processed Data. Notwithstanding the above, the Customer may terminate the Terms or any PO without penalty at any time during the period of Company’s noncompliance.
- A breach of this DPA shall be deemed a breach of the Terms. Company acknowledges that, notwithstanding any other provisions of the Terms, a material breach by Company or its Personnel of this DPA could cause irreparable harm and shall give the Customer the right to (i) terminate the Terms and all Services immediately without penalty in the event of a material breach, and (ii) pursue any remedies the Customer may have in law or in equity.
ADDITIONAL PROVISIONS
- At the expiration or termination of the Terms or when requested earlier by the Customer, Company shall (i) return to the Customer, or upon the Customer’s written request destroy, all Processed Data; and (ii) ensure that any device or system which stored or contained the Processed Data is wiped, overwritten, or removed, in accordance with all Applicable Data Protection Laws and in a manner which verifies the Processed Data is rendered completely unrecoverable.
- Duration. This DPA will remain in force as long as the Company processes data on behalf of the Customer under the Service Terms and all exhibits.
SCHEDULE I – DETAILS OF PROCESSING
Details of Processing of the Personal Data (as required by Article 28(3) GDPR):
Subject matter and duration of the processing of the Personal Data: shall be as set forth in the PO, according to the scope of Services and the Term, as both defined in the Terms.
The nature and purpose of the processing of the Personal Data:
- For the Company to perform its obligations pursuant to the terms and conditions.
- For delivery and provision of the Services to the Customer.
- For customer support and technical troubleshooting.
- To comply with applicable law, including law enforcement requests.
The types of Personal Data to be processed: name, phone number, postal address, email address, position, position details, social media URLs, employer name, employer URLs, transactions, usage details, including URLs visited, events triggered on defined actions such as page loads, clicks, logins and purchases, IP addresses, cookies, analytics data.
The categories of Data Subject to whom the Personal Data relates: current, former and potential employees and subcontractors of the Customer and other authorized users of the Services.
The controller has authorized the use of the following sub-processors:
- Hosting service provider DigitalOcean located in the United States
- Database service provider MongoDB located in the United States
- Payment service provider BlueSnap located in the United States
- Analytics service provider Google Analytics located in the United States