SaaS Enterprise Terms

These SaaS Enterprise Terms, together with its Schedules, and the Order executed by the parties (together, the “Agreement”) governs the use by the entity set forth in the Order (“Customer”) of Swish’s proprietary ITSM hyper automation intelligence platform accessible on a Software as a Software basis (the “Platform”) and Swish’s standard end-user documentation for the Platform which is made available to customers (the “Documentation”). Your use of the Platform is expressly conditioned on your compliance and consent with this Agreement. By accessing or using the Platform, you are indicating that you agree to be bound by this Agreement. Swish reserves the right to modify or discontinue the Platform or any feature or functionality thereof at any time without notice.

WHEREAS Customer desires to receive a right to access and use the Platform; and WHEREAS Swish agrees to provide to Customer access to use the Platform in consideration for the Fees and in accordance with the terms and conditions set forth in this Agreement. NOW, THEREFORE, the parties hereby agree as follows:

 

1.      Platform

1.1.    License.

Subject to the terms of this Agreement, Swish shall provide Customer a limited, non-exclusive, revocable, non-sublicensable, non-transferable right to access and use the Platform. The Platform is intended for business use. Customer’s license to use the Platform is limited to such number of tickets as stated in the Order and any additional capacity purchased by the Customer. All rights and licenses not expressly granted by this Agreement are reserved by Swish. Customer is responsible for the activities of all users who access or use the Platform through its account and Customer shall ensure that any such user will comply with the terms of this Agreement and any Swish policies. In providing the access to the Platform Swish shall comply with the Service Level Agreement (SLA) attached as Schedule A.

1.2.    Third Party Features.

The Platform may contain services, features and functionalities linking Customer to, or providing Customer with, certain functionality and access to third party services and content, including using service providers for cloud infrastructure and hosting services. Customer acknowledges that Swish is not responsible for such third party services. If Customer shall have any problems resulting from use of any third party services, or should customer suffer data loss or other losses as a result of problems with any other service providers or any third-party services, Swish will not be responsible unless the problem was the direct result of its actions.

2.      Intellectual Property Rights; Privacy

2.1.    Swish Technology. All intellectual property rights in the Platform and any part thereof and any and all derivatives, modifications, enhancements, changes and improvements thereof (the “Swish Technology”) lie exclusively with Swish. No title to or ownership of any proprietary rights related to the Swish Technology is transferred to Customer. All rights not explicitly granted to Customer are reserved by Swish.

2.2.    Swish Trademarks. All trademarks and all other marks, trade names, service marks, illustrations, images, or logos appearing in connection with the Platform are and shall remain, the exclusive property of Swish and are subject to the protection granted by applicable laws.

2.3.    Restrictions. Customer shall not (i) attempt to infiltrate, hack, reverse engineer, decompile, or disassemble the Swish Technology, or derive or attempt to create or derive, by reverse engineering or otherwise, the source code from any object code supplied hereunder, nor shall it permit any third party to do so; (ii) resell, lease, sublicense or distribute the Swish Technology to any person; (iii) represent that it possess any proprietary interest in the Swish Technology; (iv) use the name, trademarks, trade-names, and logos of Swish; (v) sub-license its right to access and use the Platform or otherwise provide remote access to the Platform to any third party; and (vi) use the Platform to provide third parties with managed services or provide remote access to the Platform to any person. Furthermore, Customer shall not use any robot, spider, scraper, deep link or other similar automated data gathering or extraction tools, program, algorithm or methodology to access, acquire, copy or monitor the Platform or any portion thereof.

2.4.    Privacy. If Swish receives and processes Personal Data (as defined in the DPA) from Customer or anyone on its behalf, Swish shall comply with the Data Processing Addendum (the “DPA”) attached to this Agreement as Schedule B and incorporated into and made a part of this Agreement.

 

3.      Content

3.1.    License to Swish. Customer hereby grants Swish a limited, non-exclusive license to use, copy and reproduce any materials and data used or uploaded by Customer when using the Platform (the “Content”) solely to the extent required to perform the Platform. Customer acknowledges and agrees that Swish will not be liable for any Content and any use thereof, including, without limitation, for any errors or omissions, or for any infringement of third party’s rights, loss or damage of any kind incurred as a result of the use or display of any Content. The Content is and shall remain Customer’s property and shall be used at Customer’s sole and absolute responsibility. The Platform is not intended to be used as storage, backup or archiving services. It is the Customer’s responsibility to back up the Content and the Customer is responsible for any lost or unrecoverable Content. Swish does not screen Content and is not responsible for any use of the Content.

3.2.    Warranties and Covenants. Customer hereby warrants, represents and covenants that: (i) the copying, uploading and use of the Content does not infringe upon any third party’s rights, including intellectual property rights and privacy rights; (ii) it has fully complied with any third-party licenses, permits and authorizations required in connection with the Content; (iii) the Content does not contain any viruses, worms, Trojan horses or other harmful or destructive code or content; (iv) the Content is not obscene, libelous, offensive, vulgar, pornographic, profane, or otherwise inappropriate as determined by Swish at its sole discretion; and (v) the Content is not illegal or encourage illegal activity.

 

4.      Fees

4.1.    Fees. In consideration for the access and use of the Platform, Customer shall pay Swish a subscription fee as set forth in the Order (the “Fees”). All payments shall be due and payable in advance, in U.S. dollars within 30 days of the invoice receipt issued by Swish. Unless otherwise set forth in the Order, billing for the Fees will be on an annual recurring basis in advance, during the subscription period, as further detailed in the Order. Additionally, if Customer’s use of the Platform exceeds the capacity or usage metrics set forth in the applicable Order or otherwise requires the payment of additional fees (per the terms of the Order), Customer will be billed for such excess capacity or usage and will pay the additional fees in accordance with the price and the payments terms set forth in the Order for the remainder of the entire subscription period in advance. Amounts that are not paid in accordance with the terms stated in this Agreement and in the Order will be subject to a late charge of 1.5% per month. Swish may suspend or discontinue Customer’s access to the Platform in case of Customer’s failure to pay the Fees on the date due. All payments under this Agreement are non-refundable.

4.2.    Tax. All amounts payable to Swish are exclusive of all taxes, levies or similar governmental charges (including value added tax, sales tax), however designated, and any such taxes will be paid by Customer, except for taxes based on the net income of Swish. Any taxes to be charged to Customer by Swish and remitted to tax authorities by Swish shall be separately stated on any invoices or statement of fees submitted to Customer. If under applicable law taxes are required to be withheld, Customer shall pay Swish an amount such that the net amount after withholding of taxes shall equal the amount that would have been otherwise payable under this Agreement.

 

5.      Mutual Warranties.

Each party represents and warrants that (i) this Agreement constitutes a legal, valid and binding obligation of it, enforceable against it in accordance with the terms of this Agreement, and (ii) its execution and delivery of this Agreement and its performance hereunder will not violate any applicable law, rule or regulation.

 

6.      Swish Warranties.

Swish warrants that the Platform shall materially conform to the functional specifications in the Documentation. Swish’s sole liability and Customer’s exclusive remedy for any breach of this warranty shall be to use reasonable commercial efforts to remedy any such non-conformance in accordance with the SLA, provided that (i) Customer is not otherwise in breach of this Agreement, and (ii) Customer has reported to Swish the claimed failure promptly upon discovery. The express warranty and obligations specified in this Section shall not apply if the Platform or any part thereof (a) were altered, modified, or adjusted in any manner by Customer or a third party not under Swish’s control, without Swish’s prior written consent, or (b) were not used, operated or maintained in accordance with this Agreement or the Documentation, or (c) fail to function due to a malfunction of Swish’s hardware, software or connectivity

 

7.      Confidentiality.

During the Term each party may have access to certain non-public proprietary, confidential or trade secret information or data of the other party, whether furnished before or after the Effective Date, and regardless of the manner in which it is furnished, which given the totality of the circumstances, a reasonable person or entity should have reason to believe is proprietary, confidential, or competitively sensitive (together, the “Confidential Information”). Confidential Information shall exclude any information that (i) is now or subsequently becomes generally available in the public domain through no fault or breach on the part of receiving party; (ii) the receiving party can demonstrate in its records to have had rightfully in its possession prior to disclosure of the Confidential Information by the disclosing party; (iii) receiving party rightfully obtains from a third party who has the right to transfer or disclose it, without default or breach of this Agreement; or (iv) the receiving party can demonstrate in its records to have independently developed, without breach of this Agreement or any use of or reference to the Confidential Information. The receiving party agrees: (a) not to disclose the disclosing party’s Confidential Information to any third parties other than to its, directors, officers, employees, advisors or consultants (collectively, the “Representatives”) on a strict “need to know” basis only and provided that such Representatives are bound by written agreements to comply with the confidentiality obligations as protective as those contained herein; (b) not to use or reproduce any of the disclosing party’s Confidential Information for any purposes except to carry out its rights and responsibilities and exercise its rights under this Agreement; (c) to keep the disclosing party’s Confidential Information confidential using at least the same degree of care it uses to protect its own confidential information, which shall in any event not be less than a reasonable degree of care. Notwithstanding the foregoing, if receiving party is required by legal process or any applicable law, rule or regulation, to disclose any of disclosing party’s Confidential Information, then prior to such disclosure, receiving party will give prompt written notice to disclosing party so that it may seek a protective order or other appropriate relief.  

 

8.      Disclaimer of Warranties.

EXCEPT AS EXPLICITLY SET FORTH IN THIS AGREEMENT, SWISH PROVIDES THE USAGE OF THE PLATFORM TO CUSTOMER ON AN “AS IS” BASIS, WITHOUT WARRANTIES OF ANY KIND, WHETHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTY OF MERCHANTABILITY, NON-INFRINGEMENT, AND FITNESS FOR PARTICULAR PURPOSE OR ACCURACY. SWISH DOES NOT WARRANT THAT THE PLATFORM OR ANY SERVICES RELATED THERETO WILL BE DELIVERED OR PERFORMED ERROR-FREE OR WITHOUT INTERRUPTION.

 

9.      Indemnification

9.1.    Indemnification by Customer. Customer shall defend, indemnify and hold harmless Swish and its officers, directors, employees, consultants, affiliates, subsidiaries and agents from and against any and all claims, liabilities, damages, losses and expenses, including reasonable attorneys’ fees, arising out of or in any way connected with (i) Customer’s violation of any third party right, including without limitation any intellectual property right, confidentiality, or privacy rights; or (ii) any claim asserted against Swish in connection with the Content used or uploaded by Customer through the Platform.

9.2.    Indemnification by Swish. Swish shall defend, indemnify and hold harmless Customer and its officers, directors, employees, consultants, affiliates, subsidiaries and agents from and against any claims, losses, costs, damages, fees or expenses (including reasonable legal fees and expenses) to the extent resulting from any claims, actions, suits or proceedings brought by a third party alleging that the Platform infringes intellectual property rights of such third party (an “IP Claim”). If the Platform becomes, or in Swish’s opinion is likely to become, the subject of an IP Claim, then Swish may, at its sole option and expense (a) procure for the Customer the right to continue using the Platform; (b) replace or modify the Platform to avoid the IP Claim; or (c) if options (a) and (b) cannot accomplished despite Swish’s reasonable efforts, then the Company may discontinue providing the Platform and refund the fees for the unused portion of the subscription term.  Notwithstanding the foregoing, the Company shall have no responsibility for an IP Claim resulting from or based on: (i) modifications to the Platform made by a party other than Swish or its designee; (ii) combination or use of the Platform with equipment, devices or software not supplied or authorized by Swish or not in accordance with the Swish’s instructions. THE FOREGOING TERMS STATE SWISH’S SOLE AND EXCLUSIVE LIABILITY AND THE CUSTOMER’S SOLE AND EXCLUSIVE REMEDY FOR ANY CLAIMS OF INTELLECTUAL PROPERTY INFRINGEMENT.

9.3.    Indemnification Procedure. As a condition to the defense set forth above, the indemnified party shall (i) give the indemnifying party prompt notice of any such claim made against it, (ii) grant the indemnifying party sole control of the defense and settlement of any such claim; and (iii) provide the indemnifying party with all reasonable information and assistance, at the indemnifying party’s expense.

 

10.   Limitation of Liability.

TO THE EXTENT PERMITTED BY LAW, IN NO EVENT WILL NEITHER PARTY BE LIABLE FOR LOST PROFITS, LOSS OF USE, LOSS OF CONTENT, COST OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, OR FOR SPECIAL, INCIDENTAL, INDIRECT, OR CONSEQUENTIAL DAMAGES, HOWEVER CAUSED, AND ON ANY THEORY OF LIABILITY, WHETHER FOR BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE AND STRICT LIABILITY), OR OTHERWISE, WHETHER OR NOT SWISH HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SWISH’S MAXIMUM TOTAL AGGREGATE LIABILITY UNDER, ARISING OUT OF OR RELATING TO THIS AGREEMENT OR THE PLATFORM SHALL NOT EXCEED THE FEES PAID BY CUSTOMER DURING THE 12 MONTHS PRECEDING THE EVENT GIVING RISE TO THE CLAIM. THESE EXCLUSIONS WILL NOT APPLY IN THE CASE OF INDEMNITY OBLIGATIONS FOR INTELLECTUAL PROPERTY INFRINGEMENT, BREACH OF CONFIDENTIALITY OR WILLFUL MISCONDUCT.

 

11.   Term; Termination.

This Agreement commences on the date of the Order and will continue in effect for the subscription period set forth in the Order, following which the Agreement will automatically renew for successive subscription periods, provided however that the Customer may terminate this Agreement at any time during an evaluation period which commences on the effective date of the Order and continues for a period of three months thereafter.  Each party may terminate the Agreement by giving no less than 30 days written notice prior to the expiry of the applicable subscription period (the “Term”). Either party may terminate this Agreement by giving written notice to the other party if: (i) the other party breaches a material provision of this Agreement and fails to cure the breach within 30 days after being given written notice thereof; (ii) the other party is judged bankrupt or insolvent, makes a general assignment for the benefit of its creditors, a trustee or receiver is appointed for such party; or any petition by or on behalf of such party is filed under any bankruptcy or similar laws. Upon termination or expiration of this Agreement for any reason whatsoever, Customer will immediately cease use of the Platform and both parties shall promptly return any and all of the other party’s Confidential Information that it may then have in its possession. Sections ‎2, ‎7, ‎8, ‎9, ‎10, and ‎12 shall survive any expiration or termination of this Agreement.

 

12.   Miscellaneous.

This Agreement, sets forth the entire understanding between the parties with respect to the subject matter herein, and supersedes all prior and contemporaneous written agreements and discussions concerning the subject matter of this Agreement. In the case of conflict between the Agreement and Order, the Order shall prevail. Customer agrees that Swish may disclose the fact that Customer is a client of Swish. While this Agreement is in effect, the Customer grants Swish the right to reference Customer’s company name and logo in marketing materials and on Swish’s website until Customer’s use of the Platform is discontinued. The failure of either party to enforce at any time the provisions of this Agreement shall not be interpreted to be a waiver of such provisions or of the right of such party to enforce each and every such provision. No waiver or modification of this Agreement shall be valid unless in writing signed by each party.  This Agreement is governed by and construed in accordance with the laws of the State of Israel, without regard to the principles of conflict of laws. Any and all disputes and controversies arising out of or in connection with the Agreement shall be brought exclusively before the competent courts of the Tel Aviv, Israel. If any provision of this Agreement is determined to be void or unenforceable by a court of competent jurisdiction, such clause shall be interpreted as necessary to give maximum force to the provisions thereof, and the validity and enforceability of the remainder of this Agreement shall not be affected. All notices given under this Agreement shall be in writing and shall be deemed to have been duly given: when delivered, if delivered by messenger during normal business hours of the recipient; when sent, if sent by email during normal business hours of the recipient; or on the third business day following posting, if posted by international air mail. Customer may not assign its rights under this Agreement to any third party. Any purported assignment contrary to this section shall be void.

Schedule A

Service Level Agreement

This Service Level Agreement (“SLA”) sets forth Swish’s undertakings towards Customer with respect to the availability of the Platform, and is incorporated into and made a part of the Agreement entered by and between Swish and Customer.

Except as otherwise defined herein, all capitalized terms in this SLA shall have the definitions set forth in the Agreement.

1.   Help Desk Support
1.1                Swish shall provide help desk support to assist Customer in Platform’s normal usage operation and incident response, via the following means of communication: support@swish.ai

“Business Hours” are Sunday to Thursday, from 9 a.m. to 6 p.m. Israel time.  

 

2.   Incidents
2.1                Incident Reporting. When reporting an incident of a suspected error, Customer shall provide Swish with sufficient details to enable Swish to accurately diagnose and reproduce such an incident.

2.2                Reporting Mechanism. Customer shall report all Platform’s incidents using Swish’s Support Email set forth herein or enter the incident on the Swish Service Platform.

2.3                Incident Classification; Initial Response. The following incident Classification Table definitions are used for classifying incidents encountered by Customer when using the Platform. Response times are measured by Swish from the time the incident is received by Swish with sufficient details about the incident.

Incident ClassificationCriteriaResponse
Severity 1 (Critical)The problem is affecting time-critical applications using real-time bidirectional orchestration with “live” production work at a standstill. The Platform is completely unusable and no workaround is currently known. Swish will acknowledge receiving the incident report with a return email within 4 hours during Business Hours and non-Business Hours. Swish will use its best efforts to resolve the incident, and will continuously work on a solution to the incident upon Swish’s acknowledgement of receiving the reported incident.
Severity 2 (High)The Platform is functional but with some errors.wish will acknowledge receiving the reported Incident with a return email within 8 hours during Business Hours. Swish will use its best efforts to resolve the incident, and will begin working on a solution to the incident during Business Hours.
Severity 3 (Medium)The Platform does not function as designed, but all key technical functionalities are available. Swish will provide a workaround to the incident as soon as practicable and a full solution to the incident will be provided based upon a mutually agreed-upon timetable. The parties agree that the solution can be provided as part of a change in working procedure, periodic bug fix, patch or revision.
Severity 4 (Low)The Platform is functioning but has problems of little or no consequence to the Customer’s daily business process.Swish will keep a record of such incidents and upon Swish discretion may provide solutions from time-to-time with no commitments.

3.   Availability Level
Swish will provide 99% availability (“Uptime”) over monthly periods. Uptime will be calculated on a monthly basis using the following formula: [(Total Minutes – Downtime) / Total Minutes] * 100 > 99%.

Swish shall not be liable for “Excluded Downtime” in the above calculation which is defined as:

Scheduled and emergency downtime for maintenance for which Swish provides Customer, to the extent reasonably possible, with at least 5 days’ prior notice for any maintenance impacting usability of the Platform and as soon as practicable for non-impacting maintenance or where Customer Service Request is agreed with the Customer to be implemented by Swish with less than 5 days’ notice; and

Any downtime caused by: (i) Customer’s failure to use the Platform in accordance with instructions included in the Documentation; (ii) negligence, misuse, abuse or mishandling of the Platform by Customer or any third party on its behalf; (iii) inappropriate environmental conditions or failure of Customer to maintain the configuration environment set out in the Documentation or any technical issue unrelated to the Platform; (iv) denial of service (DoS) attacks and other attempts to hack or any interruption which is caused by a third party cloud hosting facility which hosts the Platform.

If the Platform fails to meet the Uptime availability in a particular calendar month, other than due to Excluded Downtime,  Customer will be entitled to a credit as set forth below (each an “Uptime Credit”).  Any Uptime Credit issued for a particular month will be calculated as a percentage of the actual subscription fees for such month and will be determined as follows:

Monthly Uptime PercentageCalendar Days of subscription added to the end of the subscription term, at no charge to the Customer
< 99.% - ≥ 95.0%1
< 95.0% - ≥ 90.0%7
< 90.0%30

In order to receive any of the Uptime Credit Customer will notify Swish within 30 days from the time Customer becomes eligible to receive an Uptime Credit.

Exhibit B

Data Processing Addendum

This Data Processing Addendum (“DPA”) forms an integral part of the Agreement (“Main Agreement”) between Swish.ai Ltd. (“Company”) and between the counterparty agreeing to these terms (“Customer”; each “Party” and together “Parties”) and applies to the extent that Company processes Personal Data on behalf of the Customer, in the course of its performance of its obligations under the Main Agreement.

If you are accepting this DPA on behalf of Customer, you warrant that: (a) you have full legal authority to bind Customer to this DPA; (b) you have read and understand this DPA; and (c) you agree, on behalf of Customer, to this DPA. If you do not have the legal authority to bind Customer, please do not accept this DPA.

 

All capitalized terms not defined herein shall have the meaning set forth in the Main Agreement.

1.     Definitions

1.1   “Approved Jurisdiction” means a member state of the European Economic Area, or other jurisdiction as may be approved as having adequate legal protections for data by the European Commission currently found here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en.

1.2   “Data Protection Laws” means, any and all applicable domestic and foreign laws, rules, directives and regulations, on any local, provincial, state, federal or national level, pertaining to data privacy, data security or the protection of Personal Data, including the Privacy and Electronic Communications Directive 2002/58/EC (and respective local implementing laws) concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”), Data Protection Act 2018 and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”), the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. (“CCPA”), and any amendments or replacements to the foregoing.

1.3   “Data Subject” means an individual to whom Personal Data relates. Where applicable, a Data Subject shall be deemed a “Consumer” as this term is defined under the CCPA.

1.4   “EEA” means those countries that are member of the European Economic Area.

1.5   “Permitted Purposes” mean any purposes in connection with Company performing its obligations under the Main Agreement.

1.6   “Security Incident” shall mean any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed. For the avoidance of doubt, any Personal Data Breach (as defined under the GDPR) will comprise a Security Incident.

1.7   “Security Measures” mean commercially reasonable security-related policies, standards, and practices commensurate with the size and complexity of Company’s business, the level of sensitivity of the data collected, handled and stored, and the nature of Company’s business activities.

1.8   “Standard Contractual Clauses” mean Module 2 or 3, as applicable, of the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council from June 4th 2021.

1.9   “Sub-Processor(s)” mean any Affiliate, agent or assignee of Company that may process Personal Data pursuant to the terms of the Main Agreement, and any unaffiliated processor, vendors or service provider engaged by Company.

1.10   The terms “Business”, “Controller”, “Personal Data”, “Processor”, “Process”, “Processing” and “Service Provider” shall have the meanings ascribed to them in the Data Protection Law, as applicable.

 

2.     Application of this DPA

2.1   This DPA will only apply to the extent all of the following conditions are met:

(A)   Company processes Personal Data that is made available by the Customer in connection with the Main Agreement (whether directly by the Customer or indirectly by a third party retained by and operating for the benefit of the Customer);

(B)   Data Protection Laws apply to the processing of Personal Data.

2.2   This DPA will only apply to the services for which the Parties agreed to in the Main Agreement (“Services”), which incorporates the DPA by reference.

 

3.     Parties’ Roles

3.1   In respect of the Parties’ rights and obligations under this DPA regarding the Personal Data, the Parties hereby acknowledge and agree that the Customer is the Controller or Processor (as well as, as applicable, the Business or Service Provider, as these terms are defined under the CCPA) and Company is a Processor or Sub-Processor (as well as, as applicable, the Service Provider, as this term is defined under the CCPA), and accordingly:

(A)   Company agrees that it shall process all Personal Data in accordance with its obligations pursuant to this DPA;

(B)   The Parties acknowledge that the Customer discloses Personal Data to Company only for the performance of the Services and that this constitutes a valid business purpose for the processing of such data.

3.2   If Customer is a Processor, Customer warrants to Company that Customer’s instructions and actions with respect to the Personal Data, including its appointment of Company as another Processor and concluding the Standard Contractual Clauses, have been authorized by the relevant Controller.

3.3   Notwithstanding anything to the contrary in the DPA, Customer acknowledges that Company shall have the right to collect, use and disclose data:

(A)   collected in the context of providing the Services to Customer including but not limited to for the purposes of billing, record-keeping and other legitimate business purposes, such as account management, customer support, protection against fraudulent or illegal activity and the prevention of misuse of the Services, and for the purpose of establishment, exercise and defense of legal claims.

(B)   collected in the context of using the Services, for the purpose of analytics, market research, product improvement and development, provided however that the foregoing shall be based solely on the processing of aggregated or anonymized information.

3.4   To the extent that any data referred under section 3.3 is considered Personal Data, then Company shall be regarded as an independent Controller of such data under applicable Data Protection Laws and its processing by Company shall be outside the scope of this DPA.

 

4.     Compliance with Laws

4.1   Each Party shall comply with its respective obligations under the Data Protection Law.

4.2   Company shall provide reasonable cooperation and assistance to Customer in relation to Company’s processing of Personal Data in order to allow Customer to comply with its obligations as a Data Controller under the Data Protection Law.

4.3   Company agrees to notify Customer promptly if it becomes unable to comply with the terms of this DPA and take reasonable and appropriate measures to remedy such non-compliance.

4.4   Throughout the duration of the DPA, Customer agrees and warrants that:

(A)   Personal Data has been and will continue to be collected, processed and transferred by Customer in accordance with the relevant provisions of the Data Protection Law;

(B)   Customer is solely responsible for determining the lawfulness of the data processing instructions it provides to Company and shall provide Company only instructions that are lawful under Data Protection Law;

(C)    the processing of Personal Data by Company for the Permitted Purposes, as well as any instructions to Company in connection with the processing of the Personal Data (“Processing Instructions”), has been and will continue to be carried out in accordance with the relevant provisions of the Data Protection Law; and that

(D)   The Customer has informed Data Subjects of the processing and transfer of Personal Data pursuant to the DPA and obtained the relevant consents or lawful grounds thereto (including without limitation any consent required in order to comply with the Processing Instructions and the Permitted Purposes).

 

5.     Processing Purpose and Instructions

5.1   The subject matter of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, shall be as set out in the Agreement, or in the attached Annex 1, which is incorporated herein by reference.

5.2   Company shall process Personal Data only for the Permitted Purposes and in accordance with Customer’s written Processing Instructions (unless waived in a written requirement), the Agreement and the Data Protection Law, unless Company is otherwise required to do so by law to which it is subject (and in such a case, Company shall inform Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest).

5.3   To the extent that any Processing Instructions may result in the Processing of any Personal Data outside the scope of the Agreement or the Permitted Purposes, then such Processing will require prior written agreement between Company and Customer, which may include any additional fees that may be payable by Customer to Company for carrying out such Processing Instructions. Company shall immediately inform Customer if, in Company’s opinion, an instruction is in violation of Data Protection Law.

5.4   Additional instructions of the Customer outside the scope of the Agreement require prior and separate agreement between Customer and Company, including agreement on additional fees (if any) payable to Company for executing such instructions.

5.5   Company shall not sell, retain, use or disclose the Personal Data for any purpose other than for the specific purpose of performing the Services or outside of the direct business relationship between the Parties, including for a commercial purpose other than providing the Services, except as required under applicable laws, or as otherwise permitted under the CCPA (if applicable) or as may otherwise be permitted for service providers or under a comparable exemption from “sale” in the CCPA (as applicable), as reasonably determined by Company. Company’s performance of the Services may include disclosing Personal Data to Sub-Processors where this is relevant in accordance with this DPA. The Company certifies that it, and any person receiving access to Personal Data on its behalf, understand the restrictions contained herein

 

6.     Reasonable Security and Safeguards

6.1   Company represents, warrants, and agrees to use Security Measures (i) to protect the availability, confidentiality, and integrity of any Personal Data collected, accessed or processed by Company in connection with this Agreement, and (ii) to protect such data from Security Incidents. Such Security Measures include, without limitation, the security measures set out in Annex 2.

6.2   The Security Measures are subject to technical progress and development and Company may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the services procured by Customer.

6.3   Company shall take reasonable steps to ensure the reliability of its staff and any other person acting under its supervision who has access to and processes Personal Data. Company shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

6.4   Company is responsible for performing its obligations under the Agreement in a manner which enables Company to comply with Data Protection Law, including implementing appropriate technical and organizational measures to ensure a level of security appropriate to the risks that are presented by the processing of Personal Data, in particular protection against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

 

7.     Security Incidents

7.1   Upon becoming aware of a Security Incident, Company will notify Customer without undue delay and will provide information relating to the Security Incident as reasonably requested by Customer. Company will use reasonable endeavors to assist Customer in mitigating, where possible, the adverse effects of any Security Incident.

 

8.     Security Assessments and Audits

8.1   Company audits its compliance with data protection and information security standards on a regular basis. Such audits are conducted by Company’s internal audit team or by third party auditors engaged by Company, and will result in the generation of an audit report (“Report”), which will be Company’s confidential information.

8.2   Company shall, upon reasonable and written notice and subject to obligations of confidentiality, no more than once a year and in normal business hours, allow its data processing procedures and documentation to be inspected by Customer (or its designee), at Customer’s expense, in order to ascertain compliance with this DPA; Company shall cooperate in good faith with such audit requests by providing access to relevant knowledgeable personnel and documentation.

8.3   At Customer’s written request, and subject to obligations of confidentiality, Company may satisfy the requirements set out in this section by providing Customer with a copy of the Report so that Customer can reasonably verify Company’s compliance with its obligations under this DPA.

 

9.     Cooperation and Assistance

9.1   If Company receives any requests from individuals or applicable data protection authorities relating to the processing of Personal Data under the Agreement, including requests from individuals seeking to exercise their rights under applicable Data Protection Law, Company will promptly redirect the request to Customer. Company will not respond to such communication directly without Customer’s prior authorization, unless legally compelled to do so. If Company is required to respond to such a request, Company will promptly notify Customer and provide Customer with a copy of the request, unless legally prohibited from doing so. The Customer is responsible for verifying that the requestor is the data subject whose information is being sought. Company bears no responsibility for information provided in good faith to Customer in reliance on this subsection.

9.2   If Company receives a legally binding request for the disclosure of Personal Data which is subject to this DPA, Company shall (to the extent legally permitted) notify Customer upon receipt of such order, demand, or request. It is hereby clarified however that if no such response is received from Customer within three (3) business days (or otherwise any shorter period as dictated by the relevant law or authority), Company shall be entitled to provide such information.

9.3   Notwithstanding the foregoing, Company will cooperate with Customer with respect to any action taken by it pursuant to such order, demand or request, including ensuring that confidential treatment will be accorded to such disclosed Personal Data. Customer shall cover all costs incurred by Company in connection with its provision of such assistance.

9.4   Upon reasonable notice, Company shall:

(A)   taking into account the nature of the processing, provide reasonable assistance to the Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Customer’s obligation to respond to requests for exercising Data Subject’s rights, at Customer’s expense;

(B)   provide reasonable assistance to the Customer in ensuring Customer’s compliance with its obligation to carry out data protection impact assessments or prior consultations with data protection authorities with respect to the processing of Personal Data, provided, however, that if such assistance entails material costs or expenses to Company, the Parties shall first come to agreement on Customer reimbursing Company for such costs and expenses.

 

10.   Use of Sub-Processors

10.1  Customer provides a general authorization to Company to appoint (and permit each Sub-Processor appointed in accordance with this Clause to appoint) Processors and/or Sub Processors in accordance with this Clause.

10.2  Company may continue to use those Sub-Processors already engaged by Company as at the date of this Agreement, subject to Company, in each case as soon as practicable, meeting the obligations set out in this Clause.

10.3  Company can at any time appoint a new Sub-Processor provided that Customer is given ten (10) days’ prior notice (such notice may be given through Company’s Services) and the Customer does not legitimately object to such changes within that timeframe. Legitimate objections must contain reasonable and documented grounds relating to a Sub-Processor’s non-compliance with Data Protection Laws. If, in Company’s reasonable opinion, such objections are legitimate, Company shall either refrain from using such Sub-Processor in the context of the processing of Personal Data or shall notify Customer of its intention to continue to use the Sub-Processor. Where Company notifies Customer of its intention to continue to use the Sub-Processor in these circumstances, Customer may, by providing written notice to Company, terminate the affected portion of the Main Agreement.

10.4  With respect to each Sub-Processor, Company shall ensure that the arrangement between Company and the Sub-Processor is governed by a written contract including terms which offer at least the same level of protection as those set out in this DPA and meets the requirements of article 28(3) of the GDPR and/or of the CCPA (as applicable);

10.5  Company will be responsible for any acts, errors or omissions by its Sub-Processors, which may cause Company to breach any of its obligations under this DPA.

10.6  Company will only disclose Personal Data to Sub-Processors for the specific purposes of carrying out the Services on Company’s behalf. Company does not sell or disclose Personal Data to third parties for commercial purposes, except as required under applicable laws.

 

11.   Transfer of EEA resident Personal Data outside the EEA

11.1  To the extent that Company processes Personal Data outside the EEA, then the Parties shall be deemed to enter into the Standard Contractual Clauses, subject to any amendments contained in Exhibit A, in which event the Customer shall be deemed as the Data Exporter and the Company shall be deemed as the Data Importer (as these terms are defined therein).

11.2  Company may transfer Personal Data of residents of the EEA outside the EEA (“Transfer”), only subject to the following:

(A)   the Transfer is necessary for the purpose of Company carrying out its obligations under the Agreement, or is required under applicable laws; and

(B)   the Transfer is done: (i) to an Approved Jurisdiction, or (ii) subject to appropriate safeguards (for example, through the use of the Standard Contractual Clauses, or other applicable frameworks), or (iii) in accordance with any of the exceptions listed in the Data Protection Law (in which event Customer will inform Company which exception applies to each Transfer and will assume complete and sole liability to ensure that the exception applies).

 

12.   Data Retention and Destruction

12.1  Company will only retain Personal Data for the duration of the Agreement or as required to perform its obligations under the Agreement, or has otherwise required to do so under applicable laws or regulations. Following expiration or termination of the Agreement, Company will delete or return to Customer all Personal Data in its possession as provided in the Agreement, except to the extent Company is required under applicable laws to retain the Personal Data. The terms of this DPA will continue to apply to such Personal Data. This section shall not apply to the activities that are the subject matter of section 3.1 herein.

12.2  Notwithstanding the foregoing, Company shall be entitled to maintain Personal Data following the termination of this Agreement for statistical and/or financial purposes provided always that Company maintains such Personal Data on an aggregated basis or otherwise after having removed all personally identifiable attributes from such Personal data.

12.3  Notwithstanding the foregoing, Company shall be entitled to retain Personal Data solely for the establishment or exercise of legal claims, and/or in aggregated and anonymized form, for whatever purpose.

 

13.   General

13.1  Any claims brought under this DPA will be subject to the terms and conditions of the Main Agreement, including any exclusions and limitations set forth therein.

13.2  In the event of a conflict between the Main Agreement (or any document referred to therein) and this DPA, the provisions of this DPA shall prevail.

13.3  Company may change this DPA if the change is required to comply with Data Protection Laws, a court order or guidance issued by a governmental regulator or agency, provided that such change does not: (i) seek to alter the categorization of the Parties; (ii) expand the scope of, or remove any restrictions on, either Party’s rights to use or otherwise process Personal Data; or (iii) have a material adverse impact on Customer, as reasonably determined by Company. Company will use commercially reasonable efforts to inform Customer at least 30 days (or such shorter period as may be required to comply with applicable law, applicable regulation, a court order or guidance issued by a governmental regulator or agency) before the change will take effect.

Exhibit A - SCC

1.     If Customer is a Controller – the Parties shall be deemed to enter into the Controller to Processor Standard Contractual Clauses (Module Two); if Customer is a Processor – the Parties shall be deemed to enter into the Processor to Processor Standard Contractual Clauses (Module Three).

 

2.     This Exhibit A sets out the Parties’ agreed interpretation of their respective obligations under Module Two or Module Three of the Standard Contractual Clauses (as applicable).

 

3.     The Parties further agree that for the purpose of transfer of Personal Data between the Customer (Data Exporter) and the Company (Data Importer), the following shall apply:

 

3.1.   Clause 7 of the Standard Contractual Clauses shall not be applicable.

 

3.2.   In Clause 9, option 2 shall apply.

 

3.3.   In Clause 11, data subjects shall not be able to lodge a complaint with an independent dispute resolution body.

 

3.4.   In Clause 17, option 1 shall apply. The Parties agree that the clauses shall be governed by the law of the state of Israel.  

 

3.5.   In Clause 18(b) the Parties choose the courts of the state mentioned in section 3.4 above as their choice of forum.

 

4.     The Parties shall complete Annexes I–II below, which are incorporated in the Standard Contractual Clauses by reference.

ANNEX 1 TO DPA

A.     Identification of Parties

 

“Data Exporter”: the Customer;

“Data Importer”: the Company.

 

B.     Description of Transfer

 

Data Subjects

The Personal Data transferred concern the following categories of Data Subjects (please specify):

X Customer’s end-users

☐ Customer’s employees

☐ Customer’s customers

☐ Other: ________

 

Categories of Personal Data

The Personal Data transferred concern the following categories of data (please specify):

X Contact information (name, age, gender, address, telephone number, email address etc.)

☐ Financial and payment data (e.g. credit card number, bank account, transactions)

☐ Governmental IDs (passport, driver’s license)

X Device identifiers and internet or electronic network activity (IP addresses, GAID/IDFA, browsing history, timestamps)

☐ Geo-location information

☐ Other: ________

 

Special Categories of Data (if appropriate)

The Personal Data transferred concern the following special categories of data (please specify):

X None

☐ Genetic or biometric data

☐ Health data

☐ Racial or ethnic origin

☐ Political opinions, religious or philosophical beliefs

☐ Other: ________

 

The frequency of the transfer

The frequency of the transfer:

☐ One-off

X Continuous

 

Nature of the processing

☐ Collection

☐ Recording

X Organization or structuring

X Storage

☐ Adaptation or alteration

X Retrieval

X Consultation

☐ Disclosure, dissemination or otherwise making available

X Analysis

☐ Erasure or destruction

☐ Other: ________

 

Purpose of the transfer and further processing

As defined in the Agreement.

 

Retention period

Personal Data will be retained for the term of the Agreement.

ANNEX 2 TO DPA

Description of the technical and organizational measures implemented by the data importer (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

 

Security Management

Recipient maintains a written information security management system (ISMS), in accordance with this Annex, that includes policies, processes, enforcement and controls governing all storage/processing/transmitting of Personal Data, designed to (a) secure Personal Data against accidental or unlawful loss, access or disclosure; (b) identify reasonable foreseeable and internal risks to security and authorized access to Recipient Network, and (c) minimize security risks, including through risk assessment and regular testing. The information security program will include the following measures:

●      Recipient actively follows information security trends and developments as well as legal developments with regards to the services provided and especially with regards to Personal Data and uses such insights to maintain its ISMS, as appropriate.

●      To the extent Recipient process cardholder or payment data (such as payment or credit cards), Recipient will maintain its ISMS in accordance with the PCI DSS standard, augmented to cover Personal Data, or such other alternative standards that are substantially equivalent to PCI DSS for the establishment, implementation, and control of its ISMS. Additionally, Recipient will be assessed against PCI DSS annually by an on-site assessment carried out by an independent QSA (Qualified Security Assessor) and upon Company’s request, not to exceed once annually, Recipient will provide Company with PCI DSS attestation of compliance. 

 

Maintain an Information Security Policy

Recipient’s ISMS is based on its security policies that are regularly reviewed (at least yearly) and maintained and disseminated to all relevant Parties, including all personnel. Security policies and derived procedures clearly define information security responsibilities including responsibilities for:

●      Maintaining security policies and procedures;

●      Secure development, operation and maintenance of software and systems;

●      Security alert handling;

●      Security incident response and escalation procedures;

●      User account administration;

●      Monitoring and control of all systems as well as access to Personal Data.

 

Personnel is screened prior to hire and trained (and tested) through a formal security awareness program upon hire and annually. For service providers with whom Personal Data is shared or that could affect the security of Personal Data a process has been set up that includes initial due diligence prior to engagement and regular (typically yearly) monitoring.

Personal Data has implemented a risk-assessment process that is based on ISO 27005.

 

Secure Networks and Systems

Recipient has installed and maintains a firewall configurations to protect Personal Data that controls all traffic allowed between Recipient’s (internal) network and untrusted (external) networks, as well as traffic into and out of more sensitive areas within its internal network. This includes current documentation, change control and regular reviews.

Recipient does not use vendor-supplied defaults for system passwords and other security parameters on any systems and has developed configuration standards for all system components consistent with industry-accepted system hardening standards.

 

Protection of Personal Data

Recipient keeps Personal Data storage to a minimum and implements data retention and disposal policies to limit data storage to that which is necessary, in accordance with the needs of its customers.

Recipient uses strong encryption and hashing for Personal Data anywhere it is stored. Recipient has documented and implemented all necessary procedures to protect (cryptographic) keys used to secure stored Personal Data against disclosure and misuse. All transmission of Personal Data across open, public networks is encrypted using strong cryptography and security protocols. 

 

Vulnerability Management Program

Recipient protects all systems against malware and regularly updates anti-virus software or programs to protect against malware – including viruses, worms, and Trojans. Anti-virus software is used on all systems commonly affected by malware to protect such systems from current and evolving malicious software threats.

Recipient develops and maintains secure systems and applications by:

●      Having established and evolving a process to identify and fix (e.g. through patching) security vulnerabilities, that ensures that all systems components and software are protected from known vulnerabilities,

●      Developing internal and external software applications, including web-applications, securely using a secure software development process based on best practices, e.g. such as code reviews and OWASP secure coding practices, that incorporates information security throughout the software-development lifecycle,

●      Implementing a stringent change management process and procedures for all changes to system components that include strict separation of development and test environments from production environments and prevents the use of production data for testing or development.

 

Implementation of Strong Access Control Measures

 

“Recipient Network” means the Recipient’s data center facilities, servers, networking equipment, and host software systems (e.g. virtual firewalls) as employed by the Recipient to process or store Personal Data.

The Recipient Network will be accessible to employees, contractors and any other person as necessary to provide the services to the Company. Recipient will maintain access controls and policies to manage what access is allowed to the Recipient Network from each network connection and user, including the use of firewalls or functionally equivalent technology and authentication controls. Recipient will maintain corrective action and incident response plans to respond to potential security threats.

Recipient strictly restricts access to Personal Data on a need to know basis to ensure that critical data can only be accessed by authorized personnel. This is achieved by:

●      Limiting access to system components and Personal Data to only those individuals whose job requires such access; and

●      Establishing and maintaining an access control system for system components that restricts access based on a user’s need to know, with a default “deny-all” setting.

 

Recipient identifies and authenticates access to all systems components by assigning a unique identification to each person with access. This ensures that each individual is uniquely accountable for its actions and any actions taken on critical data and systems can be traced to known and authorized users and processes. Necessary processes to ensure proper user identification management, including control of addition/deletion/modification/revocation/disabling of IDs and/or credentials as well as lock out of users after repeated failed access attempts and timely termination of idling session, have been implemented.

 

User authentication utilizes at least passwords that have to meet complexity rules, which need to be changed on a regular basis and which are cryptographically secured during transmission and storage on all system components. All individual non-console and administrative access and all remote access use multi-factor authentication.

Authentication policies and procedures are communicated to all users and group, shared or generic IDs/passwords are strictly prohibited.

 

Restriction of Physical Access to Personal Data

Any physical access to data or systems that house Personal Data are appropriately restricted using appropriate entry controls and procedures to distinguish between onsite personnel and visitors. Access to sensitive areas is controlled and includes processes for authorization based on job function and access revocation for personnel and visitors.

Media and backups are secured and (internal and external) distribution is strictly controlled. Media containing Personal Data no longer needed for business or legal reasons is rendered unrecoverable or physically destroyed.

 

Regular Monitoring and Testing of Networks

All access to network resources and Personal Data is tracked and monitored using centralized logging mechanisms that allow thorough tracking, alerting, and analysis on a regular basis (at least daily) as well as when something does go wrong. All systems are provided with correct and consistent time and audit trails are secured and protected, including file-integrity monitoring to prevent change of existing log data and/or generate alerts in cases of unauthorized access or anomalies of access. Audit trails for critical systems are kept for a year.

 

Security of systems and processes is regularly tested, at least yearly. This is to ensure that security controls for system components, processes and custom software continue to reflect a changing environment. Security testing includes:

●      Processes to test rogue wireless access points;

●      Internal and external network vulnerability tests that are carried out at least quarterly. An external, qualified party carries out the external network vulnerability tests;

●      External and internal penetration tests using Recipient’s penetration test methodology that is based on industry-accepted penetration testing approaches that cover all the relevant systems and include application-layer as well as network-layer tests

 

All test results are kept on record and any findings are remediated in a timely manner.

Recipient does not allow penetration tests carried out by or on behalf of its customers.

In daily operations IDS (intrusion detection system) is used to detect and alert on intrusions into the network and file-integrity monitoring has been deployed to alert personnel to unauthorized modification of critical systems.

 

Incident Management

Recipient has implemented and maintains an incident response plan and is prepared to respond immediately to a system breach. Incident management includes:

●      Definition of roles, responsibilities, and communication and contact strategies in the event of a compromise, including notification of customers,

●      Specific incident response procedures,

●      Analysis of legal requirements for reporting compromises,

●      Coverage of all critical system components,

●      Regular review and testing of the plan,

●      Incident management personnel that is available 24/7,

●      Training of staff,

●      Inclusion of alerts from all security monitoring systems,

●      Modification and evolution of the plan according to lessons learned and to incorporate industry developments.

Recipient has also implemented a business continuity process (BCP) and a disaster recovery process (DRP) that are maintained and regularly tested. Data backup processes have been implemented and are tested regularly.

 

Physical Security

Physical Access Controls

Physical components of the Recipient Network are housed in nondescript facilities (“Facilities”). Physical barrier controls are used to prevent unauthorized entrance to Facilities both at the perimeter and at building access points. Passage through the physical barriers at the Facilities requires either electronic access control validation (e.g., card access systems, etc.) or validation by human security personnel (e.g., contract or in-house security guard service, receptionist, etc.). Employees and contractors are assigned photo-ID badges that must be worn while the employees and contractors are at any of the Facilities. Visitors are required to sign-in with designated personnel, must show appropriate identification, are assigned a visitor ID badge that must be worn while the visitor is at any of the Facilities, and are continually escorted by authorized employees or contractors while visiting the Facilities.

 

Limited Employee and Contractor Access

Recipient provides access to the Facilities to those employees and contractors who have a legitimate business need for such access privileges. When an employee or contractor no longer has a business need for the access privileges assigned to him/her, the access privileges are promptly revoked, even if the employee or contractor continues to be an employee of Recipient or its affiliates.

 

Physical Security Protections

All access points (other than main entry doors) are maintained in a secured (locked) state. Access points to the Facilities are monitored by video surveillance cameras designed to record all individuals accessing the Facilities. Recipient also maintains electronic intrusion detection systems designed to detect unauthorized access to the Facilities, including monitoring points of vulnerability (e.g., primary entry doors, emergency egress doors, etc.) with door contacts, or other devices designed to detect individuals attempting to gain access to the Facilities. All physical access to the Facilities by employees and contractors is logged and routinely audited.

 

Continued Evaluation

Recipient will conduct periodic reviews of the Security of its Recipient Network and adequacy of its information security program as measured against industry security standards and its policies and procedures. Recipient will continually evaluate the security of its Recipient Network to determine whether additional or different security measures are required to respond to new security risks or findings generated by the periodic reviews.