Data Processing Agreement

Annex A

  • Definitions

The following terms shall have the meanings set out below:

“Agreement” shall mean the commercial written agreement signed between Company and Zoom Analytics, to which this DPA is annexed.

“Company” shall mean the party engaging with Zoom Analytics hereunder.

“Controller” and “Processor” shall refer to the parties identified in Annex A1 to this DPA as serving in roles of Data Controller and a Data Processor accordingly.

“Controller Supplied Personal Data” shall mean Personal Data provided by or otherwise collected or attained on behalf of Controller for the purpose of providing the Processor’s Services.

“Data Protection Laws” shall mean all of the following: (a) Regulation EU 2016/679 (General Data Protection Regulation) of the European Union (“GDPR”) and any data protection laws substantially amending, replacing or superseding the GDPR and to the extent applicable, the data protection or privacy laws of any other country, if applicable; (b) Israeli Protection of Privacy Law 5741-1981 and all regulations promulgated thereunder, including, without limitation, Israeli Privacy Protection Regulations (Data Security), 5777-2017; (c) any laws pertaining to data protection and privacy otherwise applicable to either of the Parties or any of the actions contemplated hereunder.

“Personal Data Breach” shall mean a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, use, or access to, Controller Supplied Personal Data transmitted, stored or otherwise Processed by Processor.

 

“Process/Processing”, “Data Controller”, “Data Processor”, “Data Subject”, “Personal Data” and “Special Categories of Personal Data” shall have the same meaning as in the Data Protection Laws.

“Services” shall mean the services provided by Processor to Controller under the commercial agreement to which this DPA is annexed.

“Supervisory Authority” shall mean a national supervising authority established pursuant to the Data Protection Laws.

“Zoom Analytics” shall mean Zoom Analytics, Ltd, Israeli Private Company No. 515078814.

  • Processing of Personal Data
  1. In the course of providing the Services to Controller pursuant to the Agreement Processor may Process Personal Data on behalf of Controller only in strict compliance with the provisions set out in this DPA and the Data Protection Laws.
  2. Processor shall only Process Controller Supplied Personal Data for the purpose of providing the Services pursuant to the Agreement, and shall not Process, transfer, modify, amend, alter, disclose or permit the disclosure of Controller Supplied Personal Data to any third party other than in accordance with Controller’s written instructions (whether provided in the Agreement, in the Exhibits to this DPA or otherwise). 
  3. Processor shall immediately inform Controller if, in its opinion, an instruction pursuant to this DPA infringes the GDPR or other provision of the Data Protection Laws.
  4. If Processor cannot comply with Controller’s instructions pertaining to the Processing or otherwise to the Controller Provided Personal Data, for whatever reasons, or is required under applicable law to Process the Controller Supplied Personal Data other than on instructions of the Controller, Processor agrees to inform the Controller promptly, and Controller shall be entitled to suspend the Processing or terminate the Agreement.
  5. Notwithstanding the aforesaid, Controller acknowledges and agrees that: (1) Processor is required under Article 31 of the GDPR to cooperate, on request, with the Supervisory Authority in the performance of its tasks; and (2) Processor is required under Article 30 of the GDPR to keep certain records pertaining to its processing activities and make them available to the Supervisory Authority on request. 
  6. Without derogating from the generality of the aforesaid, it is hereby acknowledged and agreed that Controller alone shall determine at all times the scope of the Controller Supplied Personal Data provided to or otherwise collected or attained by Processor hereunder. 
  7. Processor shall not change or amend any Controller Supplied Personal Data other than pursuant to Controller’s instructions and in compliance therewith.
  8. Controller undertakes not to provide Processor with, and to implement such technical and organizational measures to prevent dissemination of any Personal Data in excess of the Controller Supplied Personal Data specified in writing by Controller hereunder. In particular, and without derogating from the generality of the aforesaid, Processor shall not be provided by or through Controller hereunder with any Personal Data referred to in paragraph 1 of Article 9 GDPR (“Special Categories of Data”).
  9. It is hereby acknowledged and agreed, and Company specifically consents that due to Zoom Analytics being an Israeli company subject to the Israeli law (1) Zoom Analytics is required under the Israeli Protection of Privacy Law 5741-1981 (“Israeli Privacy Law”) to provide to an inspector nominated by the Registrar appointed pursuant to that law (the “Israeli Registrar”), information and documents pertaining to databases handled by Zoom Analytics; (2) Zoom Analytics is required to report severe data breaches as such term is defined under the Israeli Privacy Protection Regulations (Data Security), 5777-2017, to the Israeli Registrar, and, upon instruction thereof also to the Data Subjects; (3) Data Subjects are entitled under Israeli Privacy Law to inspect any information about them kept in a database, and, if they find that the information is not correct, not complete, not clear or not up to date, request Zoom Analytics to amend or delete the information. Zoom Analytics shall notify Company in writing immediately upon receiving any request provided for in the above sub-sections (2) and (3) of this paragraph.
  • Personnel

Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor of Processor who may have access to the Controller Supplied Personal Data, ensuring in each case that access is strictly limited to those individuals who need to access it, as strictly necessary for the purpose of providing the Services. Processor shall ensure that each individual is informed of the confidential nature of the Controller Supplied Personal Data and is aware of Processor's obligations with respect thereto, that each individual is subject to confidentiality undertakings or professional or statutory obligations of confidentiality and is subject to user authentication and log-on processes when accessing the Controller Supplied Personal Data.

  • Security

Each Party shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the circumstances and risks involved in transmitting, storing or otherwise Processing Personal Data and shall take all measures required under Data Protection Laws (including pursuant to Article 32 GDPR). 

  • Sub-processing

Processor shall not engage any Data Processors to Process Controller Provided Personal Data other than with the prior written consent of Controller, and pursuant to the requirements of the Data Protection Laws including, without limitation the fulfillment of the requirements set out in Article 28 (2) and (4) of the GDPR.

As of the date of the Agreement, Controller hereby authorizes Processor to engage those Sub-processors set out in Exhibit 1 hereto (if any).

  • Data Subject Requests 
  1. Processor shall assist Controller by implementing appropriate technical and organizational measures to facilitate the fulfillment of Controller’s obligation (as a Data Controller) under Data Protection Laws, including the GDPR. 
  2. Processor shall promptly notify Controller if it receives a request from a Data Subject or any Supervisory Authority or any other competent court or authority under the applicable law in respect of Controller Provided Personal Data. 
  3. Processor shall cooperate as requested by Controller to enable Controller to comply with any exercise of rights by a Data Subject under any Data Protection Laws in respect of Controller Provided Personal Data and comply with any assessment, enquiry, notice or investigation under any Data Protection Laws in respect of Controller Provided Personal Data.
  • Personal Data Breach
  1. Processor shall notify Controller promptly and without undue delay upon becoming aware of or reasonably suspecting a Personal Data Breach, and shall provide Controller with sufficient information which allows Controller to meet any obligations to report a Personal Data Breach under the Data Protection Laws. Such notification shall: 
    1. describe the nature of the Personal Data Breach, the Data Subjects concerned, and the Personal Data records concerned; 
    2. communicate the name and contact details of Processor’s officer from whom more information may be obtained; and
    3. describe the measures taken or proposed to be taken to address the Personal Data Breach. 
  2. Processor shall cooperate with Controller and take such reasonable commercial steps as are directed by Controller to assist in the investigation, mitigation and remediation of each Personal Data Breach. 
  • Deletion or return of Controller Provided Personal Data 
  1. Keeping with the GDPR principles of data minimization, Processor shall only retain such Controller Provided Personal Data which is adequate, relevant and limited to what is necessary for the provision of the Services. Without derogating from the generality of the aforesaid, Processor shall re-assess the scope and type of data thus retained upon any change to the Services or the Controller’s instructions pertaining thereto.
  2. Keeping with the GDPR principle of accuracy and with the GDPR principle of data minimization, Controller hereby instructs Processor to, and Processor undertakes and warrants that it shall, upon any update by Controller of the Controller Provided Personal Data, verify and re-assess any Controller Provided Personal Data previously received or otherwise collected or attained by Processor hereunder, and, accordingly, amend or delete any inaccurate or excessive Controller Provided Personal Data.
  3. Processor shall cease Processing, as soon as reasonably practicable upon the termination or expiry of the Agreement or the applicable Service.
  4. Processor shall promptly, upon Controller’s request, and in any event within 90 (ninety) calendar days of the termination of this Agreement: delete all copies thereof which are in Processor’s possession or control. 
  5. Notwithstanding the aforesaid, Processor may retain Controller Provided Personal Data to the extent and for such periods as required by applicable law and always provided that: (i) Processor shall ensure the safeguarding thereof; and (ii) Processor shall ensure that such Controller Provided Personal Data is only Processed as necessary for the purposes specified in the law or regulation requiring its storage and for no other purpose. 
  • Audit 

Without prejudice to any other general rights to audit under the Agreement and in addition to those rights, Processor: 

  1. will allow its data processing facilities, procedures and documentation to be submitted for scrutiny by the Controller’s auditor, subject to complying with Processor’s reasonable security limitations regarding way of access to sensitive data, and will render reasonable assistance to the auditor in the performance of such audits, in order to ascertain compliance with the Data Protection Laws;
  2. will provide Controller with all information necessary to demonstrate compliance with the Data Protection Laws.
  • Data Impact Assessment

Processor shall provide reasonable assistance to Controller with any data protection impact assessment which is required to be performed thereby under the Data Protection Laws (including pursuant to Article 35 GDPR) and with any prior consultations with the Supervisory Authority under Article 36 GDPR or pursuant to any other provision of the Data Protection Laws.

  • Restricted Transfer

Processor shall not (and shall procure that its sub-processors shall not) under any circumstances transfer Controller Provided Personal Data outside the European Union unless authorized in writing by the Controller to do so, and provided further that such transfer shall be made either: (i) pursuant to the provisions of Article 45 GDPR, to a country (such as the State of Israel) or territory recognized by the EU Commission as ensuring an adequate level of protection (“Transfer on the Basis of Adequacy Decision”); or (ii) pursuant to the provisions of Article 46 GDPR, to a third party contractually bound by the EU model contract clauses adopted by the EU Commission in decision 2010/87/EU (“Transfers Subject to Appropriate Safeguards”). 

  • Indemnity

Each Party (the “Indemnifying Party”) agrees to defend, indemnify and hold the other Party and its officers, directors, employees and agents (jointly, the “Indemnified Party”) harmless against any loss, damage, expense, or cost, including reasonable attorneys’ fees (including allocated costs for in-house legal services) to the extent such are directly arising out of any: (i) claim, demand, proceeding, or lawsuit by a third party; or (ii) any corrective or punitive action taken by a Supervisory Authority; based on any act or omission of the Indemnifying Party (including, without limitation, its subsidiaries, affiliates, successors and assigns) in breach of the Data Protection Laws. The aforesaid undertaking shall be subject to the Indemnified Party: (i) providing the Indemnifying Party with prompt and detailed notice of any claim or cause of action upon which it intends to base a claim of indemnification hereunder; (ii) providing reasonable assistance and cooperation to enable the Indemnifying Party to defend the action or claim hereunder; and (iii) allowing the Indemnifying Party to control the defense and all related settlement negotiations, although the Indemnifying Party will consult with the Indemnified Party on any such matter and require its approval, not to be unreasonably withheld or delayed, prior to, and as a condition for agreeing to any settlement or compromise of the claim.

  • General
  1. The scope, subject matter and duration of the Processing and Controller’s instructions are set out in this DPA and in Exhibits 1 and 2 thereto.
  2. Without derogating from any other undertaking pursuant to this DPA pertaining to such matters, each of the Parties shall cooperate and render reasonable assistance to the other in meeting any requirement under the Data Protection Laws, and any requirement of a Supervisory Authority, including, without limitation: (i) submitting itself to audits and risk assessments (including data protection impact assessment), as might be required or advisable under the Data Protection Laws; (ii) cooperating in any review and investigation carried out by a Supervisory Authority; (iii) providing access to any information, system, premises or personnel reasonably required to demonstrate or confirm its compliance with the Data Protection Laws; (iv) complying with any requirement made by a Supervisory Authority;  and (v) promptly informing the other Party of any actual or suspected Personal Data Breach, and cooperating with the other party in the investigation and mitigation thereof and in complying with any applicable reporting duties stemming therefrom (including, without limitation, to Supervisory Authorities, stakeholders and insurers).

 

Signed

Company
Signed by:
Title:
Date:

Zoom Analytics
Signed by:
Title:
Date:

Exhibit 1: Personal Data Processing - Controller’s instructions 

Controller

 

Processor

Zoom Analytics Ltd.

Subject matter and purpose of Processing

Real-time engagement of website visitors to the Controller’s website(s). 


Storage of collected information for a limited time for archival purposes.

Type of Personal Data to be Processed

Contact details (full name, email, company’s name, phone)

Transmission data (IP address, device identification information (e.g. MAC), login time)

Behavioral data (Data Subject’s web page views, actions and interaction with web-site objects including links and forms).  

Are Special Categories (Art. 9 GDPR) included? (if so – specify) 

No. 

Categories of Data Subjects

Visitors to Controller’s website(s) 

Details of Processing to be done

See Subject Matter & Purpose above

Details of cross border transfer(s) allowed, if any

Israel (Zoom Analytics) and countries of the authorized sub-processors as specified in Exhibit 2 

Is Processor authorized to use another processor (either general or specific)?

Only as specified in Exhibit 2

Legal provisions applicable to Processor pursuant to which it might be required to process the Personal Data other than on documented instructions from the Controller? (if so – specify) 

As specified in Exhibit 2 of the DPA

Duration of the Processing

As specified in the Agreement

 

Signed

Controller
Signed by:
Title:
Date:

Processor
Signed by:
Title:
Date:

 

Exhibit 2: Authorized Sub-processor

 

Annex B: Roles

  • Data Protection Officer (“DPO”) in accordance with Art. 37 of the Regulation (EU) 2016/679 ("GDPR”):

Zoom Analytics

Company



 

 

  • EU representative in accordance with Art. 27 GDPR (if applicable):

 

Zoom Analytics

Company