This Data Processing Addendum (“DPA”) forms an integral part of the commercial agreement or any other agreement (“Agreement”) between Privacy Rating Ltd. and its affiliated companies (“Vendor”) and the entity receiving the services (“Services”) under the Agreement and its affiliates (“Customer”), to reflect the parties’ agreement on the Processing of Customer Personal Data.
In the course of providing the Services to Customer, Vendor may Process Customer Personal Data on behalf of Customer. The parties agree to comply with the following provisions under this DPA with respect to the Processing of Customer Personal Data, as further described herein.
Capitalized terms not defined herein will have the meaning set forth in the Agreement or under Privacy Laws and Regulations. Terms under the Agreement apply to this DPA, except that the terms of this DPA will supersede any conflicting terms under the Agreement.
Transfers by Vendor, or by Vendor’s New Processors or Vendor’s Other processors of Customer Personal Data to a Third Country, as defined under EXHIBIT D (the “Transfer Exhibit”) is subject to the data transfer requirements under the Transfer Exhibit.
Vendor will maintain administrative, physical, and technical safeguards for the protection of the security, confidentiality, and integrity of Customer Personal Data. Vendor regularly monitors compliance with these safeguards. Vendor will not materially decrease the overall security of the Service during the term of the Agreement. Further information about Vendor’s technical and organizational measures is detailed in EXHIBIT B.
Vendor will allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer, in relation to Vendor’s obligations under this DPA. Vendor may satisfy the audit obligation under this section by providing Customer with attestations, certifications and summaries of audit reports conducted by accredited third party auditors. Other audits by Customer are subject to the following terms: (A) the audit will be pre-scheduled in writing with Vendor, at least forty-five (45) days in advance and will be performed not more than once a year (unless the audit is required by a Supervisory Authority); (B) a third-party auditor will execute a non-disclosure and non-competition undertaking toward Vendor; (C) the auditor will not have access to non-Customer data (D) Customer will make sure that the audit will not interfere with or damage Vendor’s business activities and information and network systems; (E) Customer will bear all costs and expenses related to the audit; (F) The auditor will first deliver a draft report to Vendor and allow Vendor reasonable time and no less than ten (10) business days, to review and respond to the auditor’s findings, before submitting the report to the Customer; (G) Customer will receive only the auditor’s report, with Vendor’s comments, without any Vendor ‘raw data’ materials, will keep the audit results in strict confidentiality and will use it solely for the specific purposes of the audit under this DPA; and, (H) as soon as the purpose of the audit is completed, Customer will permanently and completely dispose of all copies of the audit report.
Vendor may disclose Customer Personal Data: (A) if required by a subpoena or other judicial or administrative order, or if otherwise required by law; or (B) if Vendor deems the disclosure necessary to protect the safety and rights of any person or the general public.
Data exporter(s): [Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]
[Customer, as the data exporter, to fill-in]
Data importer(s): [Identity and contact details of the data importer(s), including any contact person with responsibility for data protection]
Categories of data subjects whose personal data is transferred
Users of the data exporter’s digital assets.
Categories of personal data transferred
All personal data attributes that the data exporter shares with third parties through the data exporter’s digital assets and manages through the data importer’s services.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
No special categories of data.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Nature of the processing
Provision of the services under the agreement between the parties.
Purpose(s) of the data transfer and further processing
Provision of the services under the agreement between the parties.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
Duration of the agreement.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
Hosting and ancillary services for the duration of the agreement.
Identify the competent supervisory authority/ies in accordance with Clause 13:
Where the data exporter is established in an EU Member State – the supervisory authority of such EU Member State shall act as competent supervisory authority
Where the data exporter is not established in an EU Member State but falls within the territorial scope of the GDPR in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) – the supervisory authority of the Member State in which the representative is established shall act as competent supervisory authority.
Where the data exporter is not established in an EU Member State but falls within the territorial scope of the GDPR in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) – the supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses, shall act as competent supervisory authority.
Description of the technical and organizational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
|Measures of pseudonymization and encryption of Personal Information||
|Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services||
|Measures for ensuring the ability to restore the availability and access to Personal Information in a timely manner in the event of a physical or technical incident||
|Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing||
|Measures for user identification and authorisation||
|Measures for the protection of data during transmission||Data transfer between Company and Service Provider, if required, will be made in accordance with the acceptable standards, including additional security using IP Whitelist , encryption, point-to-point communication or other secure and encrypted means such as TLS 1.2 or higher.|
|Measures for the protection of data during storage||
|Measures for ensuring physical security of locations at which Personal Information are processed||
|Measures for ensuring events logging||
|Measures for ensuring system configuration, including default configuration||
|Measures for internal IT and IT security governance and management||
|Measures for certification/assurance of processes and products||
|Measures for ensuring data minimization||
|Measures for ensuring data quality||N\A|
|Measures for ensuring limited data retention||
|Measures for allowing data portability and ensuring erasure||
|Name of Sub-Processor||Address||Description of the Processing||DPO/Privacy Contact details|
|AWS||Ireland||Public Cloud Services||Via Global Customer Support|
|CommIT||Israel||Cloud Service Provider (AWS)||firstname.lastname@example.org email@example.com|
|Azure||Ireland||Public Cloud Services||Via Global Customer Support|
|Ness AT||Israel||Cloud Service Provider (Azure)||firstname.lastname@example.org|
|SoftLink||Israel||Client-Side (SDK) SW Developeremail@example.com|
|Real Commerce||Israel||Front-End and UI SW Developerfirstname.lastname@example.org email@example.com|
|Jacob Shaham||Israel||Sales and Marketing SMEfirstname.lastname@example.org|
Capitalized terms not defined herein will have the meaning set forth in the DPA or under Privacy Laws and Regulations.
Transfers of EEA Transferred Data to a Third Country, will be made under the EU SCCs, giving effect to module 2 or 3, as applicable, which is incorporated by reference to this DPA, as follows:
Transfers of UK Transferred Data to a Third Country, will be made –
Transfers of Swiss Transferred Data to a Third Country, will be made –
In accordance with Article 46 of the GDPR, the EU SCCs and guidelines published by the European Data Protection Board (EDPB), and without prejudice to any provisions of the DPA or this Annex, Vendor undertakes to implement the following organizational and technical safeguards, in addition to the safeguards mandated by the EU SCCs, to ensure the required adequate level of protection to Transferred Data:
Why consumer trust and third-party tools do not need to be mutually exclusive.