This Data Processing Addendum (the “Addendum”) forms part of the underlying agreement, inclusive of any amendments to the underlying agreement, by which the company who provides the service to you or purchased the rights to use the service (the “Company”) provides the Service to you (“you”, the “Customer”) and reflects the parties’ agreement with regard to the Processing of Personal Data (as defined below) in accordance with the requirements of the applicable Privacy Laws and Cyfox Privacy Policy. All capitalized terms not defined herein shall have the meaning set forth in the Terms of Service (the “Terms”).
WHEREAS, Company is involved in incidentally processing certain personal data for Customer for the provision of the Service, pursuant to the Terms signed between the parties, and the parties wish to regulate Company’s processing of such personal data, through this Addendum.
THEREFORE, the Parties have agreed as follows:
| Part | Scope of applicability (as applies to Customer) |
|---|---|
| Part One – General provisions | Applies where Company is processing Customer Data (as defined in the Terms) in the course of the provision of the Service. |
| Part Two – EU General Data Protection Regulation (“GDPR”) and the United Kingdom's Data Protection Act 2018 and the GDPR as saved into United Kingdom law by virtue of Section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 (“UK GDPR”) | Applies where, in the course of the provision of the Service, Company is processing Customer Data (as defined in the Terms) that is subject to the GDPR and UK GDPR. |
| Part Three – California Privacy Rights Act (Cal. Civ. Code §1798.100 et seq., Cal. Civ. Code §1798.140 or the regulations at 11 C.C.R. §7000 et seq., collectively, the “CPRA”) | Applies where the CPRA applies to the Customer. |
| Part Four – Israeli Privacy Protection Regulations (Information Security) | Applies where, in the course of the provision of the Service, Company is processing Customer Data (as defined in the Terms) that is subject to the Israeli privacy laws. |
Part 1 (General Provisions)
1. Processing. Company is prohibited from using or disclosing the Customer Data for: (a) any purpose other than the purpose of properly performing the Service, or for any commercial purpose other than as reasonably necessary to perform Customer’s processing instructions; (b) selling the Customer Data; and (c) using or disclosing the Customer Data outside of the direct business relationship between the parties. Company certifies that it understands the restrictions specified in this subsection and will comply with them. For the avoidance of doubt, Company may process Service Data and create and use Metrics for any purpose it deems appropriate (as those terms are defined in the Terms), and may process Customer Data for machine learning and AI development purposes.
2. Data Subject Requests. Company will follow Customer’s instructions to accommodate data subjects’ requests to exercise their rights in relation to their information within the Customer Data, such as accessing their information or restricting its processing. Company will pass on to Customer requests that it receives (if any) from data subjects regarding their information processed by Company. Company shall notify Customer of the receipt of such request as soon as possible, and no later than five (5) business days from the receipt of such request, together with the relevant details.
3. Disclosure. Unless legally prohibited, Company will provide Customer, within a reasonable time, notice of any request it receives from an Authority (as defined below) to produce or disclose Customer Data it has Processed on Customer’s behalf, so that Customer (or its customer) may contest or attempt to limit the scope of the production or disclosure request.
4. Data security. Considering the state of the art, the costs of implementation and the nature, scope, context and purposes of Company’s processing of Customer Data, Company shall implement and maintain reasonable security procedures and practices appropriate to the nature of the Customer Data, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure (including data breaches).
5. Data Breaches. Company shall without undue delay, and in any event within 72 hours, notify Customer of any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data that it Processes, of which it becomes aware. Company shall investigate the breach and take all available measures to mitigate the breach and prevent its recurrence. Company will reasonably cooperate in good faith with Customer on issuing any statements or notices regarding such breaches to authorities and data subjects.
6. Subcontracting to suppliers. Customer authorizes Company to subcontract any of its Service-related activities which involve Processing the Customer Data. Company shall ensure that the third party is bound by substantially the same obligations as the Company under this Part and shall supervise compliance therewith, and Company shall remain fully liable vis-à-vis the Customer for the performance of any such third party that fails to fulfil its obligations.
7. Data Return and Deletion. Upon Customer’s request, Company will delete the Customer Data processed on Customer’s behalf under this Addendum from its own and its Processor’s systems, if applicable, or, at Customer’s choice, return such Customer Data or delete existing copies, within 30 business days of receiving a request to do so. Customer acknowledges and agrees that the Service shall automatically delete Customer Data within 60 days as of the termination of the Terms. Upon Customer’s request, Processor will furnish written confirmation that the Customer Data has been deleted or returned pursuant to this Section.
Part 2 (GDPR & UK GDPR)
1. DEFINITIONS
1.1. “Authority” means any supervisory authority with authority under Privacy Laws over all or any part of the provision or receipt of the Services or the Processing of Personal Data.
1.2. “Customer” means the relevant entity that has entered into an agreement with Company to receive the Service, and if applicable, any of its Authorized Affiliates that have signed the Terms or any Order Forms related thereto.
1.3. “Customer Data” has the same meaning as in the Terms.
1.4. “Data Controller” means the entity that determines the purposes and means of the Processing of Personal Data.
1.5. “Data Processor” means the entity that Processes Personal Data on behalf of the Data Controller.
1.6. “Data Subject” means the individual to whom Personal Data relates (including Customer’s employee).
1.7. “Data Subject Request” means a Data Subject’s request to access, correct, amend, transfer, block or delete that person’s Personal Data consistent with that person’s rights under Privacy Laws.
1.8. “Instructions” means all provisions of the Terms, any Order Form, and any written amendments to either, concerning the Processing of Customer Data.
1.9. “Personal Data” has the meaning set forth in Privacy Laws, namely (and without limitation) any information relating to an identified or identifiable person, including sensitive data, where such data is submitted to Company as part of the Service.
1.10. “Privacy Laws” means all applicable laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, applicable to the Processing of Personal Data under the Terms, and including the General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”) as of its effective date and the United Kingdom's Data Protection Act 2018 and the GDPR as saved into United Kingdom law by virtue of Section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 (“UK GDPR”).
1.11. “Process”, “Processes” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, including the collection, recording, organization, storage, updating, modification, retrieval, consultation, use, transfer, dissemination by means of transmission, distribution or otherwise making available, merging, linking as well as blocking, erasure or destruction.
1.12. “Service(s)” has the same meaning as in the Terms.
1.13. “Standard Contractual Clauses” means (i) where the GDPR applies, the Standard Contractual Clauses between controllers and processors under Article 28 (7) of Regulation (EU) 2016/679 of the European Parliament and of the Council and Article 29 (7) of Regulation (EU) 2018/1725 of the European Parliament and of the Council pursuant to Commission implementing decision (EU) 2021/914 of 4 June 2021 (the “EU SCCs”); and (ii) where the UK GDPR applies, the “International Data Transfer Addendum to the EU Commission Standard Contractual Clauses” issued by the Information Commissioner under s.119A(1) of the Data Protection Act 2018 (“UK Addendum”).
1.14. “Subprocessor” means any Data Processor engaged by Company for Processing or having authorized access to Personal Data as part of the subcontractor’s role in delivering the Service.
2. SUBJECT-MATTER, DURATION, NATURE AND PURPOSE OF THE PROCESSING, TYPE OF PERSONAL DATA AND CATEGORIES OF DATA SUBJECTS
2.1. Subject-matter of the Processing. The Processing is carried out as automated Processing using the Service provided by the Company. The Processing operations are further set out below (Details of Data Processing).
2.2. Duration of the Processing. The Processing begins and ends with performance of the Service for Customer, as specified in the Instructions.
2.3. Nature and Purpose of the Processing. The purpose and object of the Processing of Personal Data by Company is to perform and provide the Service pursuant to the Instructions, as specified in the Terms and this Addendum, on behalf of and for the benefit of Customer, and to process Service Data and Metrics, as further described in the Service Privacy Policy.
2.4. Type of Personal Data and Categories of Data Subjects. The type of personal data and categories of affected Data Subjects are set out below (Details of Data Processing).
3. INSTRUCTIONS, COMMITMENT TO CONFIDENTIALITY
3.1. Controller Processor Relationship. Other than the data Company processes as a Controller, such as Service Data and Metrics, as further described in the Service Privacy Policy, Company shall only Process Personal Data on behalf of the Customer while providing the Services. The parties acknowledge that with regard to the Processing of Personal Data as between the parties, Customer acts as the Data Controller and Company acts as the Data Processor (e.g., even where Customer is a data processor on behalf of another data controller, as between the parties to the Terms, Customer will act as the Data Controller).
3.2. Instructions. Company shall only Process Personal Data on behalf of and in accordance with the Instructions of Customer, as part of the Services, and shall protect Personal Data as Confidential Information. Customer shall ensure that its Instructions to Company comply with Privacy Laws. The Instructions are Customer’s complete and final instructions to Company for the Processing of Personal Data as part of the Service. Any additional or alternate instructions must be agreed upon separately by prior written agreement between Customer and Company. The foregoing applies unless Company is otherwise required by law to which it is subject (and in such a case, Company shall inform Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest) or where it processes data as Service Data and Metrics, as further described in the Service Privacy Policy.
3.3. Where Company believes that compliance with any Customer’s Instructions infringes Privacy Laws, Company shall immediately notify Customer thereof.
3.4. Commitment to Confidentiality. Company shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have committed themselves to confidentiality. Company shall ensure that access to Personal Data is limited to those personnel who require such access to perform the Terms.
3.5. Compliance with Laws. Each party will comply with all laws, regulations and rules applicable to it in the performance of this Addendum, including Privacy Laws. Without prejudice to the foregoing, Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data, and the means by which Customer acquired Personal Data and shall establish the legal basis for Processing under Privacy Laws, including by providing all notices and obtaining all consents as may be required under Privacy Laws, in order for Company to Process Personal Data on behalf of the Customer pursuant to the Instructions.
4. SECURITY
4.1. Security Controls. Company shall implement appropriate technical and organizational measures to protect and safeguard the Customer Data that is processed as part of the Services against Personal Data Breaches (as defined under the Privacy Laws). In addition, Customer shall have in place and shall comply with documented written policies and procedures, periodically reviewed, covering the administrative, physical and technical safeguards in place and relevant to the access, use, loss, alteration, disclosure, storage, destruction and control of information. Such policies and procedures will include encryption of data, virus detection and firewall utilization.
5. COMPLIANCE DEMONSTRATION BY COMPANY
Company will make available to Customer all information at its disposal necessary to demonstrate compliance with the obligations under Privacy Laws.
6. DATA SUBJECT OR AUTHORITY REQUESTS
6.1. Data Subject Requests. Company will follow Customer’s instructions to accommodate Data Subjects’ Requests to exercise their rights in relation to their Personal Data processed as part of the Service, to the extent Customer, in its use of the Service, does not have the ability to do so. To the extent legally permitted, Company will notify Customer of any Data Subject Request it receives (if any) from Data Subjects regarding their Personal Data Processed by Company as part of the Service. Company shall notify Customer of the receipt of such request as soon as possible, and no later than five (5) business days from the receipt of such request, together with the relevant details. Company shall not respond to any such Data Subject Request without Customer’s prior written approval. Company shall provide Customer with assistance in relation to handling of a Data Subject Request, to the extent legally permitted and to the extent Customer does not have access to such Personal Data through its use of the Service. If legally permitted, Customer shall be responsible for any actual, reasonable costs arising from Company’s provision of such assistance.
6.2. Authority Requests. Company shall promptly notify Customer of all enquiries from an Authority that Company receives which relate to the Processing of Customer’s Data as part of the Service or the provision to or receipt of the Service by Customer, unless prohibited from doing so by law or by the Authority.
7. SUBPROCESSORS
7.1. Appointment of Subprocessors. Customer acknowledges and specifically authorizes Company’s use of its Subprocessors existing as of the Effective Date, as detailed in the List of Sub-processors. Customer hereby gives a general authorization to further Subprocessors, provided Company follows the following procedure:
7.1.1. In any event where the Company engages another Processor, the Company will ensure that substantially equivalent data protection obligations as set out in this Addendum are imposed on that other Processor by way of a contract, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the Privacy Laws. Where the other Processor fails to fulfil its data protection obligations, the Company shall remain fully liable to Customer for the performance of that other Processor’s obligations.
7.1.2. Company and its other Processors will only Process the Personal Data in member states of the European Economic Area, in territories or territorial sectors recognized by an adequacy decision of the European Commission, as providing an adequate level of protection for Personal Data pursuant to Article 45 of the GDPR or using adequate safeguards as required under Data Protection Law governing cross-border data transfers (e.g., EU SCC or UK Addendum, as applicable).
8. PERSONAL DATA BREACH
Upon becoming aware of a Personal Data Breach (as defined by Privacy Laws) related to Customer Data that materially infringes Privacy Laws, Company shall without undue delay, and in any event within seventy-two (72) hours, notify Customer of such Personal Data Breach. Company shall investigate the breach and take all available measures to mitigate the breach and prevent its recurrence. Company will reasonably cooperate in good faith with Customer on issuing any statements or notices regarding such breaches to Authorities and Data Subjects. Notification of or response to a Personal Data Breach under this Section will not be construed as an acknowledgement by Company of any fault or liability with respect to the Personal Data Breach.
9. DATA PROTECTION IMPACT ASSESSMENT.
Company will reasonably assist Customer with the eventual preparation of data privacy impact assessments and prior consultation as appropriate (and if needed). Customer shall be responsible for the actual, reasonable costs of Company’s provision of such assistance.
10. DELETION OR RETURN OF PERSONAL DATA.
Upon Customer’s request, Company will delete the Customer Data, including Personal Data, Processed on Customer’s behalf for the provision of the Service under this Addendum and the Terms, if stored, from its own and its Processor’s systems, or, at Customer’s choice, return such Personal Data and delete existing copies if they exist in its own systems, within 30 business days of receiving a request to do so. Customer acknowledges and agrees that the Service shall automatically delete Customer Data sixty (60) days as of the termination of the Terms.
Part 3 (CPRA)
1. This Part 3 applies if the CPRA (as defined below) applies to the Customer.
2. Capitalized terms used in this Part 3 but not defined in this Addendum have the meaning ascribed to them in the California Privacy Rights Act (Cal. Civ. Code §1798.100 et seq., Cal. Civ. Code §1798.140 or the regulations at 11 C.C.R. §7000 et seq., collectively, the “CPRA”).
3. The parties acknowledge and agree that Company is a Service Provider. To that end, and unless otherwise required by law:
1.1. Company will process, retain, use, and disclose Personal Information on behalf of the Customer only as necessary to provide the Service as specified in the Terms. The parties agree that Customer is disclosing the Customer’s Data to Company only for the purpose of properly performing the Service, Support Services, or for any commercial purpose other than as reasonably necessary to provide the Service, to comply with other reasonable and lawful instructions provided by Customer, for processing of Service Data and Metrics, as further described in the Service Privacy Policy, or as otherwise permitted under 11 CCR §7051I (the “Business Purpose”).
1.2. Company shall not sell or share Customer’s Personal Information, or retain, use or disclose Customer’s Data for any commercial purpose outside of the direct business relationship between the parties, or for any purpose other than the Business Purposes, unless expressly permitted by the CPRA. Company certifies that it understands its obligations under the applicable Data Protection Law and will comply with them.
1.3. Company is prohibited from combining the Customer’s Data with other Personal Information about the Customer, or on behalf of another person, or that it Collects from its own interaction with a Consumer, unless expressly permitted by the CPRA.
1.4. If Company receives a request from a California Consumer of the Customer, about his or her Personal Information, Company shall not comply with the request itself, but shall inform the Consumer that Company’s basis for denying the request is that Company is merely a Service Provider that follows Customer’s instruction, and inform the Consumer that they should submit the request directly to the Customer and provide the Consumer with the Customer’s contact information.
1.5. Commensurate with the nature of Company’s services to Customer and in accordance with Customer’s specified instructions to Company, Company shall help Customer to comply with California Consumers’ requests made pursuant to the CPRA of which Company is informed by Customer.
2. At Customer’s direction, Company shall delete or return to Customer the Personal Information it has Processed on Customer’s behalf from its own and its service provider’s systems, shortly after it completes the requested Service, and upon Customer’s request, will furnish written confirmation that the Personal Information has been deleted pursuant to this Section, unless retention of the Personal Information is required by law.
3. Company shall comply with all applicable sections of the CPRA and shall provide, with respect to the Personal Information it Collects pursuant to the Terms, the same level of privacy protection as required of Businesses by the CPRA, and as follows:
3.1. Company shall cooperate with Customer in responding to and complying with Consumers’ requests made pursuant to the CPRA, such as assisting Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to requests for exercising Consumer rights under the CPRA.
3.2. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Company’s processing of Personal Information of the Customer, as well as the nature of personal information processed for Customer, Company shall implement and maintain reasonable security procedures and practices appropriate to the nature of the Personal Information, to protect the Personal Information from unauthorized access, destruction, use, modification, or disclosure (including data breaches), in accordance with Cal. Civ. Code §1798.81.5, and commensurate with the 18 Critical Security Controls published by the Center for Internet Security (CIS).
4. Company grants Customer the right to take reasonable and appropriate steps to ensure that Company uses the Customer’s Data in a manner consistent with Customer’s obligations under the CPRA. Customer may, in coordination with Company, monitor Company’s compliance with the Terms through measures, including, but not limited to ongoing manual reviews and automated scans of Company’s system, at least once every 12 months. Company shall perform regular internal or third-party assessments, audits, or other technical and operational testing of its security procedures and practices at least once every 12 months. Upon the reasonable request of Customer, Company shall make available to Customer all information in its possession necessary to demonstrate Company’s compliance with the obligations in this clause.
5. Company shall promptly notify Customer once it makes a determination that it can no longer meet its obligations under the CPRA.
6. Company grants Customer the right, upon notice, including under Section 7, to take reasonable and appropriate steps to stop and remediate Company’s unauthorized use of Customer’s Data.
7. Company shall ensure that each person involved in Processing the Customer’s Data it collects pursuant to the Terms is subject to a contractual or statutory duty of confidentiality with respect to that Customer’s Data.
Part 4 (Israeli law)
1. Definitions. In this Part, the following terms shall be interpreted as follows:
1.1. The “Applicable Law” – shall mean the Israeli Protection of Privacy Law, 5741-1981 (hereinafter – the “Privacy Law”) and the regulations promulgated thereunder (and in particular the Protection of Privacy Regulations (Information Security), 5777 - 2017), the guidelines of the Registrar of Databases, and in particular Guidelines No. 2/2011 regarding the use of outsourcing for processing of personal data, as well as any legislative or administrative provision or directive that will apply to the Company in connection with Processing Personal Data.
1.2. “Database” means a collection of Personal Data held by physical, magnetic or optical means.
1.3. “Personal Data” means Customer Data that relates to an individual, and which is Processed by Company in the course of the Service.
1.4. “Processing” (and its derivatives, including, but not limited to, “Processor”) means the collection, access, retention, modification, use, disclosure and transfer of Personal Data.
2. General Provisions
2.1. Customer is the sole owner of the Databases containing the Personal Data, and nothing contained in this Part shall be deemed to constitute the grant of proprietary rights to the Company in the Personal Data.
3. Company’s obligations regarding the processing of Personal Data
3.1. Company shall process the Personal Data for Customer solely in accordance with Customer’s instructions, and only in the manner determined in this Part 4, for processing Service Data and Metrics, as further described in the Service Privacy Policy and for no other purpose, unless expressly instructed by Customer to do so.
3.2. Company undertakes to manage access rights to Personal Data, including granting its users ‘Least Privileges’ based on their ‘Need to Know’ for the purpose of carrying out their tasks, and shall take measures in order to prevent access by unauthorized individuals to Personal Data. In addition, Company must maintain an up-to-date listing of all individuals authorized to access the Database and prevent access by any individual who does not have the need to be exposed to the Personal Data.
3.3. Company shall not grant access to the Personal Data to its employees, consultants or anyone acting on its behalf, before: (a) reviewing and confirming that their background and personal integrity and reliability are suitable for a position granting them access to Personal Data; and (b) binding them to a letter of undertaking in order to maintain the confidentiality, security of information and privacy of the data subjects whose details are included in the Database.
4. Disclosure and transfer of Personal Data
4.1. Company shall not disclose any Personal Data that the Company processed for Customer to any person or entity without Customer’s prior written consent, except to the extent required for the performance of Customer’s instructions in accordance with this Part 4.
4.2. If Company desires to disclose Personal Data to a subcontractor of the Company or use a subcontractor to Process Personal Data (each, a “Sub-contractor”), then prior to such disclosure, the Company shall enter into a written, valid and enforceable agreement with the Sub-contractor containing substantially adequate protective terms on data security.
4.3. Company shall use accepted encryption mechanisms for each transfer of Personal Data to a third party and for any remote access to the Database Systems.
5. Retention and return of Personal Data
5.1. Each Party declares and undertakes that it shall take appropriate information security measures, when applicable, in order to ensure the integrity, availability, confidentiality and reliability of the Personal Data.
6. Transfer of Personal Data to foreign jurisdiction
6.1. Company shall comply with the law applicable to the transfer of Personal Data to foreign jurisdictions, including but not limited to the Protection of Privacy Regulations (Transfer of Information to Databases Outside of Israel), 5761-2001.
7. General cooperation
Company shall cooperate with Customer and Customer’s client in providing information and assistance reasonably requested by Customer in connection with data security issues and practices and supplementary documents, so as to allow Customer to properly address information security, privacy and regulatory matters relating to the Database.
Details of Data Processing
| Item | Details |
|---|---|
| Categories of data subjects whose personal data may be processed | (a) The Customer and its users, such as employees, agents and anyone on Customer’s behalf who is authorized to use the Service; (b) data subjects who may be included in the data Customer provides to the Service. |
| Categories of personal data Processed | (a) Full name, email address, phone number, company position, company name and usernames of Customer and Customer’s users, employees, agents and anyone on Customer’s behalf who is authorized to use the Service; (b) content uploaded, provided or imported by Customer and its users to the Service and that is being processed through the Service, including suspicious files and data subjects’ Personal Data in files; (c) analytics information, such as the IP address from which Customer Users access the Service, time and date of access, type of device and browser used, language used, links clicked via a mouse or a touch screen, and actions taken while using the Service, in accordance with the users’ preferences. |
| The frequency of the Processing | While providing the Service to the Customer. |
| Nature of the processing | Company processes personal data to provide the Service as specified under the Terms. The nature of the processing is mainly to provide the Service, technical support for technical questions, problems and inquiries regarding the Service as agreed under the Order Form, uploading data to the Service, storage on the Service (where applicable), analytics reporting, and processing of Service Data and Metrics, as further described in the Service Privacy Policy. |
| Purpose(s) of the data Processing and further processing | Personal Data is contained in the data which Customer and its Users share through the Service under the Terms. Company has access to such data solely for purposes pursuant to the Terms and relevant Order Forms, and for processing of Service Data and Metrics, as further described in the Service Privacy Policy. |
| The period for which the personal data will be retained | During the provision of the Services requested by Customer, within the Term. |
| Transfers location, subject matter, nature and duration of the processing | As detailed in the List of Sub-processors for the Service. |