DATA PROCESSING ADDENDUM

This Data Protection Addendum (“DPA”) is an agreement between Aspecto Ltd., a company incorporated in Israel, under company number 516098894 and having its registered office at 23 Shoken St., Tel Aviv, Israel ("Aspecto" or "Data Processor") and you or the entity you represent (“Customer”, “Data Controller”). 

This DPA supplements Aspecto’s Software-as-a-Service Terms of Use available at https://resources.aspecto.io/legal/terms-of-use.html, as updated from time to time, between Customer and Aspecto (the “Agreement”) as Aspecto is required to Process Personal Data (as defined below) on behalf of Customer in connection with the Agreement. Aspecto and Customer shall each be referred to as a “party” and collectively, as the “parties”. The parties agree, stipulate and declare as follows:        

The terms used in this DPA shall have the meanings set forth in this DPA. Capitalised terms not otherwise defined herein shall have the meaning given to them in the Agreement. Except as modified below, the terms of the Agreement shall remain in full force and effect.  

In consideration of the mutual obligations set out herein, the Parties agree that the terms and conditions set out below shall be added as a DPA to the Agreement. Except where the context requires otherwise, references in this DPA to the Agreement are to the Agreement as amended, and including, this DPA.

  1. Definitions

  1. In this DPA, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:

  1. "Applicable Laws" means (a) European Union law or any laws of a member state of the European Union in respect of which Aspecto or Customer is subject to; and (b) any Israeli and other applicable law in respect of which Aspecto or Customer is subject to;

  2. "Customer Personal Data" means any Personal Data which may be processed by Aspecto on behalf of Customer, pursuant to or in connection with the Agreement;

  3. "Data Protection Legislation"

GDPR Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) as amended from time to time or any regulation replacing the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, and the relevant Israeli applicable law.

  1. "EU" means the European Union;

  2. "EEA" means the European Economic Area. The GDPR applies to the European Economic Area (EEA), which includes all EU countries as well as Iceland, Liechtenstein and Norway;

  3. "GDPR" means EU General Data Protection Regulation 2016/679;

  4. "Services" means the services as defined in the Agreement;

  5. "Sub-processor" means any person (excluding an employee of Aspecto or any of its sub-contractors) appointed by or on behalf of Aspecto to Process Personal Data on behalf of Customer in connection with the Agreement;

  6. "Supervisory Authority" means (a) an independent public authority which is established by a member state of the European Union pursuant to Article 51 GDPR; and (b) any similar regulatory authority responsible for the enforcement of Data Protection Legislation; and

  7. "Term" means the term of the Agreement, as defined therein.

  1. The terms "Controller", "Processor", "Data Subject", "Member State", "Personal Data", "Personal Data Breach", and "Processing" shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.

  1. Processing of Customer Personal Data

  1. The parties acknowledge that Customer is the Controller and shall comply with the obligations of a Controller under the GDPR and that Aspecto is acting in the capacity of a Processor. In some circumstances, Customer may additionally or alternatively be a Processor, in which case Customer appoints Aspecto as an authorised sub-processor, which shall not change the obligations of the parties under this DPA as Aspecto will remain a Processor in any such event. Customer will comply with all obligations applicable to a Controller pursuant to the Data Protection Legislation.

  2. Aspecto shall process Customer's Personal Data on the documented instructions of Customer, unless otherwise required by an Applicable Law to which Aspecto is subject. In which case, Aspecto shall notify Customer if, in its opinion, any instruction infringes any Data Protection Legislation, unless such legislation prohibits such notification. Such notification will not constitute a general obligation on the part of Aspecto to monitor or interpret the laws applicable to Customer, and such notification will not constitute legal advice to Customer.

  3. Customer warrants and represents that it is and will, at all relevant times, remain duly and effectively authorised to give the instruction set out in Section 2.2, including on behalf of each relevant Customer Affiliate.

  4. Customer warrants that it has all the necessary rights to provide the Personal Data to Aspecto for the Processing to be performed in relation to the Services, and that one or more lawful bases set forth in the Data Protection Law support the lawfulness of the Processing. To the extent required by the Data Protection Legislation, Customer is responsible for ensuring that all necessary privacy notices are provided to Data Subjects, and unless another legal bases set forth in the Data Protection Legislation supports the lawfulness of the processing, that any necessary Data subject consents to the Processing are obtained, and for ensuring that a record of such consent is maintained. Should such consent be revoked by a Data Subject, Customer is responsible for communicating the fact of such revocation to Aspecto, and Aspecto will act pursuant to Customer's instructions as seems appropriate.

  5. Annex 1 to this DPA sets out certain information as required by Article 28(3) of the GDPR according to, Personal Data may be processed by Aspecto. Customer warrants it is an accurate reflection of the Processing activities pursuant to this DPA and the Agreement. The nature of the Processing operations will depend on the scope of the Services and the nature of the Personal Data that Customer provides in its sole discretion, in a manner by which Aspecto finds appropriate to provide the required Services.

  1. Confidentiality

Without prejudice to any existing contractual arrangements between the parties, Aspecto shall ensure that any person that it authorises to Process the Personal Data on its behalf, shall be subject to a duty of confidentiality that shall survive the termination of their employment and/or contractual relationship.

  1. Security

  1. Taken into account the measures required by Article 32 of the GDPR, and the state of the art, the costs of implementation and nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural person, Aspecto shall implement appropriate technical and organizational measures to ensure a level of security of the Processing of Personal Data appropriate to the risk. Such measures may be updated by Aspecto from time to time, provided that such updates shall not materially decrease the protection of Personal Data for Data Subjects.

  2. Customer acknowledges that the security requirements are constantly changing and that effective security requires frequent evaluation and regular improvements of outdated security measures. Customer will therefore evaluate the measures as implemented in accordance with section 4 on an on-going basis in order to maintain compliance with the requirements set forth in this section. The parties will negotiate in good faith, the cost, if any, to implement changes required by specific updated security requirements set forth in Data Protection Legislation or by data protection authorities of competent jurisdiction.

  1. Sub-processing

  1. Customer authorises Aspecto to appoint (and permit each Sub-processor to appoint) Sub-processors who are deployed by Aspecto and all in accordance with this DPA and any restrictions in the Agreement.

  2. Aspecto shall inform Customer as soon as reasonably practicable of any intended changes concerning the addition or replacement of any of Sub-processors that will Process any Customer Personal Data ("New Sub-Processor"). If, within 14 calendar days of receipt of that notice, Customer notifies Aspecto in writing of any objections made on reasonable grounds, to the proposed appointment of a New Sub-Processor, the parties will endeavour to agree (acting reasonably), without undue delay, the commercially reasonable steps to be taken to ensure that the new Sub-processor is compliant with Article 28(4) of the GDPR.

  3. In the absence of a resolution, Aspecto will make commercially reasonable efforts to provide Customer with the same level of Service described in the Agreement, without using the objected Sub-Processor to process Customer’s Personal Data.

  4. Where the Customer reasonably argues, that the risks involved with the sub-processing activities are still unacceptable, in the context of Article 28(4) and in relation to the appropriate steps, within the requisite time frame, the parties shall promptly seek to resolve the issues. Where the parties are unable to resolve the issues within such time frame, Customer's sole remedy will be to terminate the Agreement.

  5. With respect to each Sub-processors, Aspecto shall ensure that the sub-processor is bound by data protection obligations compatible with those of the Data Processor under this DPA.

  1. Data Subject Rights

  1. Customer shall comply with requests received from Data Subjects to exercise their rights pursuant to Chapter III of the GDPR, with regard to accessing Customer's Personal Data held by Customer.

  2. When Customer is unable to perform according to section 6.1, and therefore requires Aspecto's assistance, while taking into account the nature of the Processing, Aspecto shall assist Customer, upon Customer's request and at the Customer's cost, by using appropriate technical and organisational measures, insofar as this is possible to comply with requests to exercise Data Subject rights, under the Data Protection Legislation.

  1. Personal Data Breach

  1. When Aspecto becomes aware of an incident that has a material impact on the Processing of Personal Data that is the subject to the Agreement, it shall notify Customer about the incident. Aspecto shall cooperate with Customer and follow Customer's instructions with regard to such incidents, to enable Customer to perform an investigation into the incident, formulate a correct response and take suitable further steps in respect to the incident.

  2. Where the incident is reasonably likely to require a data breach notification by Customer under the Data Protection Legislation, Aspecto will assist Customer with the notification process.

  3. Aspecto shall, at Customer's cost, cooperate with Customer and take the reasonable commercial steps which shall reasonably be instructed by Customer, to assist in the investigation and mitigation of every occurring Personal Data Breach.

  1. Deletion or Return of Customer Personal Data

  1. Subject to section 8.3, Customer may in its discretion by written notice to Aspecto within 30  calendar days of the cessation date, require Aspecto to (a) return a complete copy of all Customer's Personal Data to the Customer; and (b) delete all other copies of Customer's Personal Data Processed by Aspecto. Aspecto shall comply with any such written request within 60 calendar days of the cessation date.

  2. Aspecto shall notify the relevant Sub-processors, processing Personal Data on its behalf, of the termination of the Data Processing DPA.

  3. Aspecto and each Sup-processor may retain Customer's Personal Data to the extent and for such period as required by Applicable Laws. 

  1. Audit Rights

  1. Subject to section 9.2 and 9.3, Aspecto shall make available to Customer upon a reasonable request, information which is reasonably necessary to demonstrate compliance with Article 28(3) of the GDPR.

  2. Where applicable, if Customer is not otherwise satisfied by its audit rights pursuant to the Agreement, Aspecto shall, at the Customer's costs, allow for audits, including inspections, by an auditor mandated by Customer (subject to section 9.3 where auditor shall be subject to written confidentiality obligations in relation to such information) in relation to the Processing of the Customer's Personal Data, provided that:

  1. Customer shall give Aspecto a reasonable notice of any audit or inspection to be conducted; and

  2. Customer shall take reasonable steps to ensure (and shall procure that each of its mandated auditors) to minimize disruption to Aspecto’s business, in the course of such audit or inspection, while such audits or inspections shall be conducted during normal working hours.

  1. Aspecto may object to an auditor mandated by Customer if the auditor is, in Aspecto’s opinion, not suitably qualified or independent, a competitor of Aspecto, or otherwise manifestly unsuitable. In the event of such an objection, Customer shall appoint another auditor or conduct the audit itself.

  1. General Terms

Transfers

  1. Information may be transferred to third-party companies and individuals to facilitate Aspecto's services, who are located in a country outside of the EEA. Aspecto shall implement appropriate technical and organizational measures to ensure a level of security, appropriate to the risk, while taking into account the state of the art, costs of implementation and the nature, scope, context and purposes of processing as well as the likelihood of a risk to the rights and freedoms of natural persons. Furthermore, Aspecto shall maintain as appropriate, the specific controls described in Article 32(1), (a) to (d) of the GDPR and including any other controls mandated by applicable Data Protection Legislation or set out in the Agreement. 

  2. To the extent that Aspecto or Customer are relying on a specific statutory mechanism to normalize international data transfers and that mechanism is subsequently modified, revoked, or held in a court of a competent jurisdiction to be invalid, Aspecto and Customer agree to cooperate in good faith to promptly suspend the transfer or to pursue a suitable alternate mechanism that can lawfully support the transfer.

Liability and Indemnity

  1. Customer shall indemnify Aspecto and will hold Aspecto harmless against all claims, losses, damages and expenses incurred by Aspecto arising out of a breach of this DPA and/or the Applicable Laws by Customer.

Order of Precedence

  1. With regard to the subject matter of this DPA, in the event of inconsistencies between the provisions of this DPA and any other agreements between the parties, including the Agreement, the provisions of this DPA shall prevail.

Changes in Data Protection Legislation

  1. If any variation is required to this DPA as a result of a change in Data Protection Legislation, then either party may provide written notice to the other party of that change of law. The parties shall discuss the change in Data Protection Legislation and negotiate in good faith with a view to agreeing on any necessary variations to this DPA to address such changes, including any resulting charges.

Governing Law and Jurisdiction

  1. This DPA is governed by the laws of the State of Israel. Any disputes arising from or in connection with this DPA, shall be brought exclusively before the competent court of Tel Aviv, Israel, to the exclusion of any other jurisdiction.

Severance

  1. Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

ANNEX 1: DETAILS OF PROCESSING OF CUSTOMER PERSONAL DATA

This Annex 1 includes certain details of the Processing of Customer Personal Data as required by Article 28(3) GDPR.

Subject Matter and Duration of the Processing of Customer's Personal Data

The subject matter and duration of the Processing of the Customer Personal Data are set out in the Agreement and this DPA.

The nature and purpose of the Processing of Customer's Personal Data

Aspecto provides a Software as a Service Platform, which enables its customers to improve usage and behavior of micro-services in the environments their operations are executed in (the “Platform”). The provision of the Platform requires a log-in process and thus includes the Processing of Personal Data of individuals who are authorized by Aspecto’s customers to use the Platform as well as may include Personal Data of Aspecto’s customers’ clients.

Special Categories of Personal Data to be Processed [i.e. g racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation]

No Special Category Personal Data is processed by Aspecto.

The Categories of Data Subject to whom the Customer's Personal Data Relates

The categories of Data Subjects are generally Customer’s employees and shall be determined by Customer. Data subjects may also include Customer’s clients and all in accordance with the Services provided by Aspecto.

The Obligations and Rights of Customer and Customer Affiliates

The obligations and rights of Customer are set out in the Agreement and this DPA.