PRIVACY RATING

- DATA PROCESSING ADDENDUM -

This Data Processing Addendum (“DPA”) forms an integral part of the commercial agreement or any other agreement (“Agreement”) between Privacy Rating Ltd. and its affiliated companies (“Vendor”) and the entity receiving the services (“Services”) under the Agreement and its affiliates (“Customer”), to reflect the parties’ agreement on the Processing of Customer Personal Data.

In the course of providing the Services to Customer, Vendor may Process Customer Personal Data on behalf of Customer. The parties agree to comply with the following provisions under this DPA with respect to the Processing of Customer Personal Data, as further described herein.

1. DEFINITIONS

Capitalized terms not defined herein will have the meaning set forth in the Agreement or under Privacy Laws and Regulations. Terms under the Agreement apply to this DPA, except that the terms of this DPA will supersede any conflicting terms under the Agreement.

  1. 1.1. “Affiliate” means a corporation which directly controls or is controlled by or is under common control with Customer. As used in this section, control means direct ownership of fifty percent (50%) or more of the shares of stock entitled to vote for the election of directors.
  2. 1.2. “Customer Personal Data” means Personal Data that Vendor Processes on behalf of Customer as part of the provision of Services.
  3. 1.3. “Data Controller” and “Data Processor” will have the same meaning as under the GDPR.
  4. 1.4. “Data Subject” means an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
  5. 1.5. “Personal Data” means any information relating to a Data Subject.
  6. 1.6. “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
  7. 1.7. “Personnel” means persons authorized by Vendor to Process Customer’s Personal Data.
  8. 1.8. “Privacy Laws and Regulations” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (“GDPR”), and the GDPR as saved into United Kingdom law by virtue of Section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (“UK GDPR”).
  9. 1.9. “Process” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, blocking, erasure or destruction.
  10. 1.10. “Processor” – as defined under Privacy Laws and Regulations.
  11. 1.11. “Product Data” means, to the extent that provisions under Privacy Laws and Regulations apply to it, data provided to Customer by Vendor as part of the provision of Services under the Agreement.
  12. 1.12. “Vendor Information Security Documentation” means the information security documentation applicable to the specific Service purchased by Customer, as updated from time to time, and made available by Vendor upon request and subject to adequate confidentiality arrangements.

2. DATA PROCESSING

  1. 2.1. Scope and Roles. This DPA applies when Customer Personal Data is Processed by Vendor as part of Vendor’s provision of the Services, as further specified in the Agreement and the applicable order form. In this context, to the extent that provisions under Privacy Laws and Regulations apply to Customer Personal Data, Customer is the Controller or Processor, and Vendor is the Processor or another Processor, as applicable.
  2. 2.2. Subject Matter, Duration, Nature, and Purpose of Processing. Vendor processes Customer Personal Data as part of providing Customer with the Service, pursuant to the specifications and for the duration under the terms of the Agreement and as detailed in EXHIBIT A.
  3. 2.3. Instructions for Vendor’s Processing of Personal Data. Vendor will Process Customer Personal Data on behalf of and in accordance with Customer’s instructions. Customer instructs Vendor to Process Customer Personal Data for the following purposes:
    1. 2.3.1. Processing in accordance with the Agreement and applicable order forms, including, without limitation, to provide, operate, control, supervise, and safeguard the Services – all integral parts of the provision of the Services to Customer; and,
    2. 2.3.2. Processing to comply with other reasonable instructions provided by Customer where such instructions are consistent with the terms of the Agreement and comply with applicable Privacy Laws and Regulations. Processing outside the scope of this DPA (if any) will require prior written agreement between Vendor and Customer on additional instructions for Processing, including agreement on any additional fees Customer will pay to Vendor for carrying out such instructions.
  4. 2.4. As required under applicable Privacy Laws and Regulations, Vendor will inform Customer immediately, if in Vendor’s opinion an instruction violates any provision under such applicable Privacy Laws and Regulations and will be under no obligation to follow such instruction, until the matter is resolved following a good-faith discussion between the parties.
  5. 2.5. Vendor will not retain, use, or disclose Customer Personal Data: (i) for any purpose other than for the specific purpose of performing the Service, or (ii) outside of the direct business relationship between Customer and Vendor, except as permitted under the applicable Privacy Laws and Regulations.
  6. 2.6. Customer undertakes to provide all necessary notices to Individuals and receive all necessary permissions and consents, or otherwise secure the required lawful ground of Processing, as necessary for Vendor to process Customer Personal Data on Customer’s behalf under the terms of the Agreement and this DPA, pursuant to the applicable Privacy Laws and Regulations, including with respect to the cross-border transfer of Personal Data.
  7. 2.7. To the extent required under applicable Privacy Laws and Regulations, Customer will appropriately document the Individuals’ notices and consents, or necessary assessment with other applicable lawful grounds of Processing.

3. ASSISTANCE

  1. 3.1. Taking into account the nature of the Processing, Vendor will assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to requests for exercising Data Subjects’ rights, as required under applicable Privacy Laws and Regulations.
  2. 3.2. Vendor will further assist Customer in ensuring compliance with Customer’s obligations in connection with the security of Processing, notification of a Personal Data Breach to supervisory authorities and affected Data Subjects, Customer’s data protection impact assessments and Customer’s prior consultation with supervisory authorities, in relation to Vendor’s Processing of Customer Personal Data under this DPA. Except for negligible costs, Customer will reimburse Vendor for costs and expenses incurred by Vendor in connection with the provision of assistance to Customer under this DPA.

4. VENDOR PERSONNEL

  1. 4.1. Limitation of Access. Vendor will ensure that Vendor’s access to Customer Personal Data is limited to those personnel who require such access to perform the Agreement.
  2. 4.2. Confidentiality. Vendor will impose appropriate contractual obligations upon its personnel engaged in the Processing of Customer Personal Data, including relevant obligations regarding confidentiality, data protection, and data security. Vendor will ensure that its personnel engaged in the Processing of Customer Personal Data are informed of the confidential nature of Customer Personal Data, have received appropriate training in their responsibilities, and have executed written confidentiality agreements. Vendor will ensure that such confidentiality agreements survive the termination of the employment or engagement of its personnel.

5. OTHER PROCESSORS

  1. 5.1. Vendor may engage third-party service providers to process Customer Personal Data on behalf of Customer (“Other Processors”). Customer hereby provides Vendor with a general authorization to engage Vendor’s authorized Other Processors listed in EXHIBIT C. All Other Processors have entered into written agreements with Vendor that bind them by substantially the same material obligations under this DPA.
  2. 5.2. Vendor may engage with a new Other Processor (“New Processor”) to Process Customer Personal Data on Customer’s behalf. Vendor will notify the Customer of the intended engagement with the New Processor ten (10) days prior to such engagement. Customer may object to the Processing of Customer Personal Data by the New Processor, for reasonable and explained grounds related to data protection, within five (5) business days following Vendor’s written notice to Customer of the intended engagement with the New Processor. If Customer timely sends Vendor a written objection notice, the parties will make a good-faith effort to resolve Customer’s objection. In the absence of a resolution, Vendor will make commercially reasonable efforts to provide Customer with the same level of Service, without using the New Processor to Process Customer’s Personal Data.
  3. 5.3. Vendor will be liable for the acts and omissions related to the Processing of Personal Data by its Other Processors to the same extent that Vendor would be liable if performing the Services of each Other Processor, under the terms of the Agreement.

6. ONWARD AND TRANS-BORDER TRANSFER

Transfers by Vendor, or by Vendor’s New Processors or Vendor’s Other Processors, of Customer Personal Data to a Third Country, as defined under EXHIBIT D (the “Transfer Exhibit”), are subject to the data transfer requirements under the Transfer Exhibit.

7. INFORMATION SECURITY

Vendor will maintain administrative, physical, and technical safeguards for the protection of the security, confidentiality, and integrity of Customer Personal Data. Vendor regularly monitors compliance with these safeguards. Vendor will not materially decrease the overall security of the Service during the term of the Agreement. Further information about Vendor’s technical and organizational measures is detailed in EXHIBIT B.

8. AUDIT AND DEMONSTRATION OF COMPLIANCE

Vendor will allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer, in relation to Vendor’s obligations under this DPA. Vendor may satisfy the audit obligation under this section by providing Customer with attestations, certifications and summaries of audit reports conducted by accredited third-party auditors. Other audits by Customer are subject to the following terms: (A) the audit will be pre-scheduled in writing with Vendor, at least forty-five (45) days in advance and will be performed not more than once a year (unless the audit is required by a Supervisory Authority); (B) a third-party auditor will execute a non-disclosure and non-competition undertaking toward Vendor; (C) the auditor will not have access to non-Customer data; (D) Customer will make sure that the audit will not interfere with or damage Vendor’s business activities and information and network systems; (E) Customer will bear all costs and expenses related to the audit; (F) the auditor will first deliver a draft report to Vendor and allow Vendor reasonable time and no less than ten (10) business days, to review and respond to the auditor’s findings, before submitting the report to the Customer; (G) Customer will receive only the auditor’s report, with Vendor’s comments, without any Vendor ‘raw data’ materials, will keep the audit results in strict confidentiality and will use it solely for the specific purposes of the audit under this DPA; and, (H) as soon as the purpose of the audit is completed, Customer will permanently and completely dispose of all copies of the audit report.

9. SECURITY BREACH MANAGEMENT AND NOTIFICATION

  1. 9.1. Vendor maintains security incident management and breach notification policies and procedures and will notify Customer without undue delay after becoming aware of a Personal Data Breach related to Customer Personal Data which Vendor, or any of Vendor’s Other Processors, Process.
  2. 9.2. Vendor’s notice will at least: (A) describe the nature of the Personal Data Breach including where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Customer Personal Data records concerned; (B) communicate the name and contact details of the Vendor’s data protection team, which will be available to provide any additional available information about the Personal Data Breach; (C) describe the likely consequences of the Personal Data Breach; (D) describe the measures taken or proposed to be taken by Vendor to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
  3. 9.3. Vendor will work diligently, pursuant to its incident management and breach notification policies and procedures to promptly identify and remediate the cause of the Personal Data Breach and will promptly inform Customer accordingly.

10. DELETION AND RETENTION OF PERSONAL DATA

  1. 10.1. Data Deletion. Within reasonable time after the end of the provision of the Service, Vendor will return Customer Personal Data to Customer or delete such data, including by de-identifying thereof.
  2. 10.2. Data Retention. Notwithstanding, Customer acknowledges and agrees that Vendor may retain copies of Customer Personal Data as necessary in connection with its routine backup and archiving procedures and to ensure compliance with its legal obligations and its continuing obligations under applicable law, including to retain data pursuant to legal requirements and to use such data to protect Vendor, its affiliates, agents, and any person on their behalf in court and administrative proceedings.

11. DISCLOSURE OF THE DPA

Vendor may disclose Customer Personal Data: (A) if required by a subpoena or other judicial or administrative order, or if otherwise required by law; or (B) if Vendor deems the disclosure necessary to protect the safety and rights of any person or the general public.

12. ANONYMIZED AND AGGREGATED DATA

Vendor may process data based on extracts of Customer Personal Data in an aggregated and non-identifiable form, for Vendor’s legitimate business purposes, including for testing, development, controls, and operations of the Services, and may share and retain such data at Vendor’s discretion, provided that such data cannot reasonably identify a Data Subject.

13. TERM

This DPA will commence on the same date that the Agreement is effective, or as otherwise provided explicitly under this DPA, and will continue until the Agreement expires or is terminated, pursuant to the terms therein.

14. DISPUTE RESOLUTION

Each Party will create an escalation process and provide a written copy to the other Party within five (5) business days of any dispute arising out of or relating to this DPA. The escalation process will be used to address disputed issues related to the performance of this DPA, including but not limited to technical problems. The Parties agree to communicate regularly about any open issues or process problems that require prompt and accurate resolution as set forth in their respective escalation process documentation. The Parties will attempt in good faith to resolve any dispute arising out of or relating to this DPA, before and as a prior condition for commencing legal proceedings of any kind, first as set forth above in the escalation process and next by negotiation between executives who have authority to settle the controversy and who are at a higher level of management than the persons with direct responsibility for administration of this DPA. Any Party may give the other Party written notice of any dispute not resolved in the normal course of business. Within two (2) business days after delivery of the notice, the receiving Party shall submit to the other a written response. The notice and the response will include (a) a statement of each Party’s position and a summary of arguments supporting that position and (b) the name and title of the executive who will represent that Party and of any other person who will accompany the executive. Within five (5) business days after delivery of the disputing Party’s notice, the executives of both Parties shall meet at a mutually acceptable time and place, including telephonically, and thereafter as often as they reasonably deem necessary, to attempt to resolve the dispute. All reasonable requests for information made by one Party to the other will be honored. All negotiations pursuant to this clause are confidential and will be treated as compromise and settlement negotiations for purposes of applicable rules of evidence.
The dispute resolution process under this section 14 must be exercised as a pre-condition for initiating legal or administrative proceedings by any of the parties.

15. MISCELLANEOUS

Any alteration or modification of this DPA is not valid unless made in writing and executed by duly authorized personnel of both parties. Invalidation of one or more of the provisions under this DPA will not affect the remaining provisions. Invalid provisions will be replaced to the extent possible by those valid provisions which achieve essentially the same objectives.

EXHIBIT A

- DETAILS OF THE PERSONAL DATA PROCESSING -

(Also Serves As Annex I To The EU SCCs)

A. LIST OF PARTIES

Data exporter(s): [Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]

[Customer, as the data exporter, to fill-in]

  1. Name: _________
    Address: __________
    Contact person’s name, position and contact details: _________
    Activities relevant to the data transferred under these Clauses: _________
    Signature and date: The data exporter’s signature on the DPA or agreement between the parties, applies herein.
    Role (controller/processor): __________

Data importer(s): [Identity and contact details of the data importer(s), including any contact person with responsibility for data protection]

  1. Name: Privacy Rating Ltd.
    Address: 91 HaGalil St., Ganey Tikwa, Israel
    Contact person’s name, position and contact details: Yossi Koren, CEO, yossi@privacy-rating.com
    Activities relevant to the data transferred under these Clauses: Privacy Rating’s software as a service (SaaS) solution for discovering, monitoring and controlling the behavior of the Customer’s client-facing web application’s communication traffic to external servers. The solution includes (i) Privacy Rating’s platform accessed online and hosted on third party servers (public cloud), and (ii) Privacy Rating’s [API and SDK] downloaded and/or installed as part of the Customer’s applications.
    Signature and date: The data importer’s signature on the DPA or agreement between the parties, applies herein.
    Role (controller/processor): Processor

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

Users of the data exporter’s digital assets.

Categories of personal data transferred

All personal data attributes that the data exporter shares with third parties through the data exporter’s digital assets and manages through the data importer’s services.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

No special categories of data.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

Continuous.

Nature of the processing

Provision of the services under the agreement between the parties.

Purpose(s) of the data transfer and further processing

Provision of the services under the agreement between the parties.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

Duration of the agreement.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

Hosting and ancillary services for the duration of the agreement.

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13:

Where the data exporter is established in an EU Member State – the supervisory authority of such EU Member State shall act as competent supervisory authority.

Where the data exporter is not established in an EU Member State but falls within the territorial scope of the GDPR in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) – the supervisory authority of the Member State in which the representative is established shall act as competent supervisory authority.

Where the data exporter is not established in an EU Member State but falls within the territorial scope of the GDPR in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) – the supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses, shall act as competent supervisory authority.

EXHIBIT B

- TECHNICAL AND ORGANIZATIONAL MEASURES -

(Also Serves as Annex II To The EU SCCs)

Description of the technical and organizational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

Measures of pseudonymization and encryption of Personal Information
  • Service Provider will implement a procedure for encrypting Company’s Data in accordance with industry standards and with the level of sensitivity of the processed Company’s Data (at least AES256). Service Provider will follow this procedure throughout the term of the agreement.
  • Service Provider will set adequate procedures for using cloud-based storage services in a Company’s specific environment which will include encryption and adequate access criteria.
  • An additional encryption layer is implemented by Service Provider on the client side and is configurable by the first party. Only metadata, such as the domain name, environment (OS name), and dates, are stored in plaintext.
  • Company’s Data is encrypted from the moment it is created in the user device and remains encrypted until the key holders decrypt it. It is the Company’s exclusive ability to decide and set the keys.
  • Service Provider will implement a procedure for Company’s Data backups which sets, inter alia, backup method and frequency, appropriate encryption measures according to the level of sensitivity of the Company’s Data and the location of the backup storage.
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
  • Service Provider will use measures to guarantee the integrity of Company’s Data in backups, and to maintain the possibility to restore Company’s Data in the event of data loss or destruction. Without limiting the above, to the extent that Service Provider uses backup media, Service Provider will store such media in certified public clouds such as AWS and Azure utilising their fireproof and waterproof safe environment which is located outside of the facility that contains Company’s Data.
Measures for ensuring the ability to restore the availability and access to Personal Information in a timely manner in the event of a physical or technical incident
  • Service Provider will securely backup Company’s Data that Service Provider possesses.
  • Service Provider will implement a procedure for Company’s Data backups which sets, inter alia, backup method and frequency, appropriate encryption measures according to the level of sensitivity of the Company’s Data and the location of the backup storage. Service Provider will follow this procedure throughout the term of the agreement. Service Provider will use measures to guarantee the integrity of Company’s Data in backups, and to maintain the possibility to restore Company’s Data in the event of data loss or destruction. Without limiting the above, to the extent that Service Provider uses backup media, Service Provider will store such media in public clouds such as AWS and Azure utilising the fireproof and waterproof safe environment which is located outside of the facility that contains Company’s Data.
  • Service Provider will conduct ongoing technical Disaster Recovery sessions to review its related technical operations and to conduct ‘fire drills’ to test it in real time.
  • Service Provider’s disaster recovery and business continuity processes will be approved by Service Provider’s management, disaster recovery and business continuity processes for Customer’s data is based on public clouds such as AWS and Azure utilising their audited by a non-dependent third party on an annual basis and will be practiced on an ongoing basis.
  • Service Provider’s information security officer will ensure the backup of the following data, on a weekly basis, in a manner which guarantees the possibility to perform data restoration at any given time:
  • Service Provider deploys all of its components automatically. Through the use of such procedures, we are able to respond to an incident in a reliable manner on an SLA basis.
  • Administration of access to the Company’s Data.
  • Identification and validation of access to the Company’s Data.
  • Control and documentation to Service Provider’s systems which store or process Company’s Data, including user’s identification, time & date of the attempt at access, system attempted to be accessed to and whether access was granted or denied.
  • Security breaches (any event which raises concerns to the integrity of data or use of data without or in excess of access permission).
  • Security of communications (implementing adequate means to protect from unauthorized access and from exploits and malware).
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing
  • Service Provider will monitor its systems and build artifacts for security related events and will conduct, at least once a year, penetration test by a credible external security adviser and a penetration test, in order to detect data security related risks.
  • Service Provider will discuss the results of the assessment and test and further review the need to update information security processes. Service Provider will remediate any detected vulnerabilities. Upon Company’s request, Service Provider will present to Company an action plan to remediate the detected vulnerabilities, for Company’s approval.
Measures for user identification and authorisation
  • Service Provider will provide Service Provider’s authorized employees with a unique personal means of identification, which at least will include a user-name and password, pursuant to the password requirements set forth in this document.
  • Service Provider undertakes that the access to Company’s Data will be made via a strong identification mechanism which includes at least two identification means (2FA), based on “something you know” and “something you have”.
  • Service Provider undertakes that an identification means provided to an employee or other authorized person will not be provided to any other employee or other authorized person, not even at a later stage. Service Provider will keep a record of all identifications allocated to authorized personnel and will operate identification verification measures prior to the grant of access to Company’s Data.
  • Service Provider will immediately block access to the Data Systems of any user that has not been active for six months, unless such user was created for support and maintenance purposes only.
  • Service Provider will immediately block access to the Data Systems of any of Service Provider’s authorized personnel that completed their involvement in performing the agreement between Company and Service Provider.
  • Service Provider will record data logged pursuant to the above, in a secured manner for two years and will submit user’s identification, time & date of the attempt at access, system’s attempted to be accessed to and whether access was granted or denied for External auditor review upon Company’s request.
  • Service Provider will enforce a policy which reduces the risk for passwords’ confidentiality breach. Passwords will be stored in an encrypted manner, in a manner that will keep them illegible. Service Provider will determine an internal procedure for allocating, distributing and storing passwords.
  • Service Provider will set periodic password resets. Passwords must include at least 8 characters and will not permit any string which can be easily related to a Service Provider’s employee (e.g. employee’s name, last name, family members’ name, birthdays etc.).
  • Service Provider will appropriately instruct its authorized personnel to protect their passwords’ confidentiality. Service Provider is using public clouds such as AWS and Azure best practices to block a user’s failed access attempts. Service Provider is using public clouds such as AWS and Azure best practices for password management processes.
Measures for the protection of data during transmission
  • Data transfer between Company and Service Provider, if required, will be made in accordance with the acceptable standards, including additional security using IP Whitelist, encryption, point-to-point communication or other secure and encrypted means such as TLS 1.2 or higher.
Measures for the protection of data during storage
  • Service Provider will encrypt Company Personal Information at rest according to NIST best practices. Encryption standards should be at minimum AES256.
  • Service Provider undertakes that Data Systems’ storage devices are kept encrypted at rest, by certified public cloud services such as AWS and Azure and accessible solely to Service Provider’s authorized personnel on a need-to-know basis.
  • Service Provider will set adequate procedures for using cloud based storage services in a Company’s specific environment which will include encryption and adequate access criteria. To the extent that Company’s Data will be stored abroad, Service Provider undertakes to make sure that its subcontractors, who provide Service Provider with storage services, are carefully vetted with regard to data security, comply with EU data protection regulations, are certified with known information security standards, such as ISO27001 or SOC2 Type II, and upon Company’s request, the subcontractors will submit to Company information security reports, such as: a SOC2 Report, SOA and PCI Compliance Report.
  • Company’s data is encrypted with symmetric keys managed by the cloud provider.
  • Company’s Data is kept in a way that separating storage from keys configuration will render it unrecoverable until replaced.
  • Service Provider will document and test any received media against anti-virus scans. Service Provider will enforce that any media destruction is made in a manner which will prevent recovery of Company’s Data from the media.
Measures for ensuring physical security of locations at which Personal Information is processed
  • Service Provider undertakes to document and store for two years, all computer and network equipment transfer into and out of Service Provider’s facility, or on any other entity’s facilities on the Service Provider’s behalf, which contains Company’s Data.
  • Service Provider is using the server farms of public clouds such as AWS and Azure to store and process customer’s data, such that all supplier and customer entry to the server farms’ facilities will be controlled, accompanied and logged.
  • Means to control physical entry: Service Provider undertakes that the servers and any equipment used for storage, processing and access to Service Provider’s services or applications, will be protected by adequate means for entry control in a manner that will ensure that only authorized employees will have access thereto.
  • To the extent that Service Provider stores Company’s Data in portable media, Service Provider undertakes to maintain the portable media in a secure and locked place. Service Provider will ensure that the portable media is not exposed to risks, including fire and water.
Measures for ensuring events logging
  • Service Provider will log and audit privileged operations (admin, operators) on a regular basis. Each cloud environment, Business Application per Company, collects and keeps track of users’ activities in a centralized hub. Logs including the user’s identification, time & date of the access attempt, the system to which access was attempted and whether access was granted or denied should be stored for at least 24 months.
  • Logs will include at least the following data:
    • Time Stamp
    • Username
    • Source IP
    • What – system was accessed
  • Service Provider will make sure that audit logs cannot be accessed or tampered with by unauthorized personnel.
  • Service Provider will have the ability to send/fetch logs to Company’s SIEM system on authentication and authorization.
  • Service Provider will have intrusion detection solutions and the ability to generate the relevant security alerts upon detection.
  • Service Provider will implement a procedure for responding, managing and reporting security incidents which are related or may be related to Company’s Data.
  • Service Provider will keep a record of any security incident that Service Provider becomes aware of, which will include the date of the event, the identity of the reporter, the identity of persons reported to and consequences of the event.
  • Service Provider will keep each security incident record for two years following the occurrence of the event.
  • Service Provider will report the security incident according to the agreed SLA, and will continue providing Company with any additional information in relation to the security incident that Service Provider becomes aware of, or upon Company’s request.
  • Service Provider will implement a procedure for the restoration of lost or corrupted Company’s Data due to security breach. The aforementioned procedures will require accurate records of all performed restoration processes and Company’s prior written approval for any restoration processes.
  • Service Provider will hold a discussion, on an annual basis, about security incidents and review the necessity to update relevant procedures.
Measures for ensuring system configuration, including default configuration
  • Company’s client-side SDK has a default configuration for back-end systems (public cloud) outage communication down-time.
  • Also, Company’s client-side SDK gets periodic checks for the latest configuration by the back-end systems (public cloud).
  • Service Provider’s backend systems use templates; after deployment, they employ built-in ways to preserve configuration states for restoration and distribution.
Measures for internal IT and IT security governance and management
  • Service Provider is using Azure Active Directory to manage system access.
  • Service Provider products and vendors, with the exception of Gitlab and Slack, employ SSO integrations to access pre-existing users from other providers during authentication. Thus the Service Provider’s user administration is centralized.
  • Service Provider’s login flows into the public cloud infrastructure it uses are monitored for unusual behaviours and protected by 2FA.
  • Corporate guidelines for appropriate usage of IT systems and general data security. All staff members must go through annual general security and privacy awareness training. In order to safeguard the confidentiality, integrity, availability, and authenticity of the data and information systems and to guarantee the efficacy of security controls over data and information systems that support operations, the company limits and protects the processing of personal data. For the preservation of evidence and in case of audits, the company will retain records of its technological and organizational measures.
Measures for certification/assurance of processes and products
  • Starting at hiring, every employee goes through checks of their certifications; their working environment is scrutinized for unauthorized, malicious and compromised components; and they commit to separating professional from personal usage and to continuously, at all times, maintaining recent updates for their OS, browsers and other web and non-web applications.
  • During development processes, Service Provider closely adheres to the methods mentioned by Microsoft SDL: https://www.microsoft.com/en-us/securityengineering/sdl/practices
  • Service Provider is always seeking to rely on software components from certified sources or open-source components that undergo security scans from certified sources.
  • Service Provider is using backend components such as storage, CDN, VMs, Functions and API Gateways, having public cloud certification.
  • AWS S3 and Azure Storage Blobs which are certified by AWS and Azure.
Measures for ensuring data minimization
  • Service Provider collects 3 types of data: Operational, Transactional and Personal.
  • Operational data contains Company’s End-User’s current environment, such as OS and browser version and masked IP address, to be used against abuse and to determine relevant country regulations (GDPR, CCPA etc.). This data does not get encrypted with the additional encryption layer, and may be minimised even further as may be requested by Company.
  • Transactional data contains the destinations, in terms of URL, of the data collected by an external/third-party tool from the Company’s End-User’s devices (like “googe.com”), for the purpose of generating discovery and alerts of violations for Company. This data does not get encrypted with the additional encryption layer.
  • Personal Data contains all the parameter values that were sent to any external/third-party tool. This data is encrypted with an additional layer of encryption and can only be read by authorized parties who create and hold the encryption keys. Some aggregations and checks might be saved in plain text, such as whether the value is a valid Credit Card structure (stored as true/false) or a rounded score of variances of the data (stored as a decimal number).
  • Service Provider takes special care to design the collection of clear data only from places with rigid structure into our Operational and Transactional data, while any Personal Data collected in free-form data will undergo the Personal Data treatment of 2-layer encryption.
Measures for ensuring data quality
N/A
Measures for ensuring limited data retention
  • Service Provider gives Company the ability to manually select the maximum retention period of the cloud backup for databases and data storage. After the specified duration elapses, the backup will be removed.
  • Service Provider is using the best practices of public clouds such as AWS and Azure for secured destruction processes and will delete Company’s Data utilizing those secure methods that render the data unreadable and unrecoverable. Upon Company’s request Service Provider will issue a certification of such data destruction.
Measures for allowing data portability and ensuring erasure
  • Service Provider is creating the storages as designated to be used by a single tenant.
  • An erasure request by Company, will result in erasure of any storage and backups and other auxiliary components of that single tenant.
  • Company’s data is encrypted at rest by the public cloud provider such as AWS and Azure, so that deleting the encryption key managed by the cloud will render all data unrecoverable before it is replaced by the cloud.

EXHIBIT C

- LIST OF APPROVED OTHER PROCESSORS -

(Also Serves as Annex III to the EU SCCs)

| Name of Sub-Processor | Address | Description of the Processing | DPO/Privacy Contact details |
|---|---|---|---|
| AWS | Ireland | Public Cloud Services | Via Global Customer Support |
| CommIT | Israel | Cloud Service Provider (AWS) | lior.bialik@comm-it.com, eladk@cloudvalley.io |
| Azure | Ireland | Public Cloud Services | Via Global Customer Support |
| Ness AT | Israel | Cloud Service Provider (Azure) | alon.hadad@ness-tech.co.il |
| SoftLink | Israel | Client-Side (SDK) SW Developer | natalie@qprivacy.com |
| Real Commerce | Israel | Front-End and UI SW Developer | hilak@realcommerce.co.il, nilid@realcommerce.co.il |
| Jacob Shaham | Israel | Sales and Marketing SME | jacob@privacy-rating.com |

The list of approved processors will be provided per request and after signing an MNDA between Privacy Rating and the requesting party.

EXHIBIT D

- CROSS-BORDER PERSONAL DATA TRANSFER -

1. DEFINITIONS

Capitalized terms not defined herein will have the meaning set forth in the DPA or under Privacy Laws and Regulations.

  1. 1.1.“EU SCCs” means the Standard Contractual Clauses pursuant to EU Commission Decision C(2021)3972 (“EU SCCs”).
  2. 1.2.“FADP” means the Swiss Federal Act on Data Protection of 19 June 1992 (Status as of 1 March 2019) as replaced by its amendment of September 25, 2020 (effective as of September 1, 2023).
  3. 1.3.“IDTA” means the International Data Transfer Agreement, issued by the ICO in accordance with section 119A of the Data Protection Act 2018, or any other applicable standard contractual clauses issued, approved, or otherwise recognized by the ICO.
  4. 1.4.“Swiss SCCs” means the applicable standard contractual clauses issued, approved, or otherwise recognized by the Swiss Federal Data Protection and Information Commissioner (“FDPIC”).
  5. 1.5.“Third Country” means a country outside the European Economic Area (“EEA”), the UK or Switzerland, which was not acknowledged by the EU Commission, a UK Secretary of State or the FDPIC (as applicable) as providing an adequate level of protection in accordance with Article 45(3) of the GDPR, Article 45 of the UK GDPR or the equivalent.
  6. 1.6.A “Transfer” means a transfer by Vendor, Vendor’s New Processors or Vendor’s Other Processors of: (1) GDPR-governed Customer Personal Data transferred outside the EEA (“EEA Transferred Data”); (2) UK-GDPR governed Customer Personal Data transferred outside the UK (“UK Transferred Data”); and, (3) FADP-governed Customer Personal Data transferred outside of Switzerland (“Swiss Transferred Data”, and with EEA and UK Transferred Data: “Transferred Data”).
  7. 1.7.“UK Addendum” means the UK addendum published by the Information Commissioner’s Office’s (“ICO”) in accordance with section 119A(1) of the Data Protection Act of 2018, incorporating the EU SCCs.

2. EEA Transfers

Transfers of EEA Transferred Data to a Third Country, will be made under the EU SCCs, giving effect to module 2 or 3, as applicable, which is incorporated by reference to this DPA, as follows:

  1. 2.1.In Clause 7, the optional docking clause will apply.
  2. 2.2.If applicable – in clause 9, Option 2 will apply, and the time period for prior notice of sub-processor changes will be as set out in Section 5 of this DPA.
  3. 2.3.In clause 11, the optional language will not apply.
  4. 2.4.In clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law.
  5. 2.5.In clause 18(b), disputes will be resolved before the courts of Ireland.
  6. 2.6.Annexes (I)-(III) to the EU SCCs will be completed with the relevant details in EXHIBITS A-C to this DPA.

3. UK Transfers

Transfers of UK Transferred Data to a Third Country, will be made –

  1. 3.1.In accordance with the EU SCCs as detailed in section 2 above, as amended by the UK Addendum, which is incorporated by reference to this DPA, with the necessary changes made as detailed in sections 12-15 to the UK Addendum; or,
  2. 3.2.if the EU SCCs as implemented above cannot be used to lawfully Transfer UK Transferred Data, the IDTA will instead be incorporated by reference, will form an integral part of this DPA, and will apply to Swiss Transferred Data. In such case, the relevant Annexes of the Swiss SCCs will be populated using the information contained in EXHIBITS A-B.

4. Swiss Transfers

Transfers of Swiss Transferred Data to a Third Country, will be made –

  1. 4.1.In accordance with the EU SCCs as detailed in section 2 above, as recognized by the FDPIC on August 27, 2021, with the following modifications: (A) references to ‘EU’, ‘Union’, ‘Member State’ and ‘Member State law’ will be interpreted as references to ‘Switzerland’, and ‘Swiss law’, as applicable; and, (B) references to ‘Competent supervisory authority’ and ‘Competent courts’ will be interpreted as references to the FDPIC and Competent courts in Switzerland; or,
  2. 4.2.if the EU SCCs as implemented above cannot be used to lawfully Transfer Swiss Transferred Data in compliance with the FADP, the Swiss SCCs will instead be incorporated by reference, will form an integral part of this DPA, and will apply to Swiss Transferred Data. In such case, the relevant Annexes of the Swiss SCCs will be populated using the information contained in EXHIBITS A-B.

5. Supplemental Measures

In accordance with Article 46 of the GDPR, the EU SCCs and guidelines published by the European Data Protection Board (EDPB), and without prejudice to any provisions of the DPA or this Annex, Vendor undertakes to implement the following organizational and technical safeguards, in addition to the safeguards mandated by the EU SCCs, to ensure the required adequate level of protection to Transferred Data:

  1. 5.1.Technical and Organizational Measures. Vendor will implement and maintain the technical and organizational measures, as specified in EXHIBIT B, which is attached and incorporated by reference to this DPA, with a purpose to protect Customer Personal Data against any processing for national security or other government purposes that go beyond what is necessary and proportionate in a democratic society, considering the type of processing activities under the Agreement and relevant circumstances.
  2. 5.2.Contractual Measures. For the purposes of safeguarding Transferred Data when any Third Country’s government or regulatory authority requests access to such data (“Request”), and unless required by a valid court order or if otherwise Vendor may face criminal charges for failing to comply with orders or demands to disclose or otherwise provide access to EEA Transferred Data, or where the access is requested in the event of imminent threat to lives, Vendor will:
    1. 5.2.1.not purposefully create back doors or similar programming that could be used to access EEA Transferred Data;
    2. 5.2.2.not provide the source code or encryption keys to any government agency for the purpose of accessing EEA Transferred Data; and,
    3. 5.2.3.upon Customer’s written request, provide reasonably available information about the requests of access to Personal Data by government agencies Vendor has received in the 6 months preceding Customer’s request.
    4. 5.2.4.notify Customer upon receiving a request by a government agency to access Customer Personal Data to enable Customer to take necessary actions, communicate directly with the relevant authority and to respond to the request. If Vendor is prohibited by law to notify the Customer of such request, Vendor will make reasonable efforts to challenge such prohibition through judicial action or other means at Customer’s expense and, to the extent possible, will provide only the minimum amount of information necessary.

6. Future Adequacy

As applicable, if: (A) the Adequacy Recognition is invalidated or otherwise terminated by the EU Commission or a UK Secretary of State; (B) the EU SCCs are invalidated or are no longer in effect; or (C) any other Transfer safeguard used for the Transfer of Transferred Data is no longer in effect for any reason, then Vendor will take such alternative lawful measures, as may be available and applicable, to continue facilitating the lawful Transfer of Transferred Data by Vendor, Vendor’s Other Processors, Vendor’s New Processors, or equivalents thereof.
