Data Protection Agreement

 

This Data Protection Agreement (the “DPA”) forms an integral part of the Terms of Service and Privacy Policy (the “Agreement”) and/or any other agreement, order, statement of work, and/or other legally binding instrument in connection with the provision of Services by and between Kndy’s Technologies Ltd., a company incorporated under the laws of the State of Israel, with main office at 30 Be Yehuda St., Tel Aviv, Israel (“Service Provider”), the provider of Services under the Agreement, and the recipient of the Services under the Agreement (“User”).

Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement. Except as modified below, the terms of the Agreement shall remain in full force and effect.

 

1.                    DEFINITIONS

1.1.            "Data Subject" means an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

1.2.            "the User Personal Data" means any Personal Data that Service Provider Processes on behalf of the User.

1.3.            "Personal Data" means data about an identified or identifiable Data Subject, also referred to as "Personal Data" pursuant to Privacy Laws and Regulations.

1.4.            The “Platform” as defined in the Agreement.

1.5.            "Privacy Laws and Regulations" means any applicable law or regulation pertaining to the protection of privacy and Personal Data in any relevant jurisdiction.

1.6.            "Process" or "Processing" means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.

2.                    PERSONAL DATA PROCESSING

2.1.            Scope and Roles. This DPA applies to all Personal Data Processed by Service Provider as part of Service Provider’s provision of services regarding the Platform. In this context, to the extent that Privacy Laws and Regulations apply to the Personal Data that Service Provider Processes on behalf of the User, or the User customers under the Agreement, the User and its Affiliates are the data controller or the data processor, and Service Provider is engaged by the User as a data processor, or as sub-data processor, as applicable.

2.2.            Instructions for Service Provider’s Processing of Personal Data. Service Provider will only Process the User Personal Data for the purpose of facilitating User’s use of the Platform and also in accordance with the provisions of the Agreement where applicable. The User instructs Service Provider to Process the User Personal Data for the following purposes: (i) Processing for the purpose of providing the services to the User under the Agreement; and (ii) Processing to comply with other reasonable and lawful instructions provided by the User where such instructions are consistent with the terms of the Agreement. Processing of the User Personal Data outside the scope of the Agreement will require prior written agreement from the Service Provider.

2.3.            Notwithstanding the above, User will be solely responsible for: (a) providing any required notices, obtaining and documenting any required consents and/or authorizations to/from Data Subjects and/or other third parties, and obtaining and documenting the explicit consent, or written release of the individuals who are the subject processing data Service Provider; (b) securing an appropriate legal basis under applicable law (including the Data Protection Laws), as necessary for Service Provider to Process User Personal Data as a Processor on User’s behalf; (c) ensuring that User Personal Data is accurate and up to date; and (d) User’s decisions and actions concerning the Processing of such User Personal Data. Service Provider will inform User if, in its opinion, any User’s instruction violates any provision under Data Protection Laws, and will be under no obligation to follow such instruction until the matter is resolved following a good-faith discussion between the Parties.

3.                    USE OF OTHER PROCESSORS.

Service Provider shall be entitled to employ any sub-processors with access to the User Personal Data, in order to carry out its obligations under this DPA, and such sub-processor will be bound by the Service Provider’s obligations under this Agreement.

4.                    SERVICE PROVIDER'S ASSISTANCE AND NOTICES

4.1.            Assistance in Compliance. Service Provider will reasonably cooperate with the User and provide necessary assistance to the User in connection with –

4.1.1.                  Any required notification to the User clients, supervising authorities or Data Subjects as applicable, taking into account the nature of Processing and the information available to Service Provider;

4.1.2.                  Impact assessments and prior consultation that the User conducts;

4.1.3.                  Requests to exercise data subjects' rights, complaints and inquiries pursuant to this Agreement.

4.2.            Service Provider Notices. Unless prohibited under applicable laws, Service Provider will notify the User of:

4.2.1.                  Any official competent supervisory proceedings regarding the Processing of the User Personal Data conducted by Service Provider;

5.                    RIGHTS OF DATA SUBJECTS

5.1.            Inquiries, requests and complaints. Service Provider will provide reasonable and timely assistance to the User, to enable the User to respond to any supervising authorities or Data Subjects requests in connection with the Processing of the User’s Personal Data under the Agreement.

5.2.            Information obligation. If any such communication related to the Processing of the User Personal Data is made directly to Service Provider, Service Provider will inform the User about such communication, provide the User all related details and will refer the communication for User’s handling.

6.                    SERVICE PROVIDER PERSONNEL

6.1.            Limitation of Access. Service Provider will ensure that Service Provider’s access to the User Personal Data is limited only to those personnel who require such access to perform the Agreement.

6.2.            Confidentiality. Service Provider will impose appropriate contractual obligations upon its personnel engaged in the Processing of the User Personal Data, including relevant obligations regarding confidentiality, data protection and data security.

7.                    TRANSFER OF PERSONAL DATA

7.1.            Adequacy obligation. At all times, Service Provider will provide an adequate level of protection for the Personal Data, wherever processed, in accordance with the requirements of applicable Privacy Laws and Regulations.

7.2.            Service Provider is allowed (and allowed to authorize its Subprocessors) to transfer User Personal Data outside of the EEA and UK in the following cases: (a) Customer Personal Data is transferred to the UK or a country within the European Union or to a country (such as Israel) which is approved by the European Commission or by a UK Secretary of State as ensuring an adequate level of protection (“Approved Jurisdictions”); (b) subject to the entry into the Standard Contractual Clauses or any other lawful mechanism by the transferor and the transferee with respect to the transfer of User Personal Data; or (c) if the transfer falls within a permitted derogation under the Data Protection Laws.

8.                    DELETION OF USER PERSONAL DATA

8.1.            Service Provider will delete all User Personal Data within reasonable time after the termination of the Agreement, including by de-identifying thereof. Customer shall have a right, throughout the term of the Agreement, to instruct Service Provider in writing to delete any part of the Customer Personal Data.

8.2.            Notwithstanding Section 8.1, Service Provider may retain User Personal Data as necessary in connection with its routine backup and archiving procedures, to ensure compliance with its legal obligations and its continuing obligations under applicable laws, to use such data to protect Service Provider, its affiliates or any person on their behalf in court and administrative proceedings and to the extent and for such period as required by a subpoena or other judicial or administrative order, or if otherwise required by law. Service Provider will ensure the confidentiality of all such User Personal Data and will ensure that such User Personal Data is only Processed as necessary for the purposes specified in the applicable laws requiring its storage and for no other purpose.

9.                    SECURITY

9.1.            Security Controls. Service Provider will establish, implement, and maintain an industry standard information security program that includes administrative, physical and technical safeguards for the protection of the security, confidentiality and integrity of the User Personal Data, pursuant to Service Provider’s information security policy and in accordance with applicable Privacy Laws and Regulations, including without limitation safeguards related to: physical and environmental security measures, information transmission, periodic risk assessments, passwords, access control and authorization, responsibilities and accountability, encryption algorithms, secured software, web security, development and maintenance, incident management, fault and intrusion detection, vendors' security audits, secured information destruction and disposal, mitigation of vulnerabilities, back-up and business continuity, host services monitoring, employees confidentiality and background checks.

10.              POLICIES AND AUDITS

Service Provider will contribute to any data audits reasonably required by any competent Authority. Any audits will be performed off-site and in the event that any such audit is required on site, User will coordinate with Service Provider 60 days in advance and arrive at Service Provider’s premises. Any access to Service Provider’s premises or systems will be limited solely to User Personal Data in accordance with Service Provider’s discretion.

11.              SECURITY BREACH MANAGEMENT AND NOTIFICATION

11.1.       Breach Prevention and Management. Service Provider will maintain industry standard security incident management policies and procedures and, to the extent permitted by law, will notify the User of any actual unauthorized access to, acquisition of, or disclosure of the User Personal Data (a “Security Incident”).

12.              TERM AND TERMINATION

12.1.       Term. This DPA is effective as of the same date that the Agreement is effective and will continue until the Agreement is expired or terminated, pursuant to the terms therein.

12.2.       .

13.              MISCELLANEOUS

13.1.       Entire Agreement; No Waiver or Assignment.  This Agreement sets forth the entire Agreement between the parties and shall supersede all previous communications and agreements between the parties, either oral or written, with respect to the subject matter hereof. This Agreement may be modified only by a written amendment executed by both parties. This Agreement may not be assigned, sold, delegated or transferred in any manner by Service Provider for any reason whatsoever.

    

13.2.       Governing Law and Jurisdiction.  This Agreement shall be governed by the laws of the State of Israel, without giving effect to the rules respecting conflicts of laws. The competent courts in Tel Aviv Jaffa shall have sole and exclusive jurisdiction over any dispute arising from or in connection with this Agreement.

    

13.3.       Severability. In case any provision of this Agreement shall be invalid, illegal or unenforceable, the validity, legality and enforceability of the remaining provisions shall not in any way be affected or impaired thereby.
    

13.4.       Notices. Any message to either party delivered to the addresses above shall be deemed to have been received by the other party within seventy-two (72) hours from the time it was sent in registered mail. If the message was sent by fax or electronic mail, it shall be deemed to have been received within one business day from the time it was sent, provided the other side has actually confirmed its reception.