This Data Processing Agreement (“DPA”) forms an integral part of, and is subject to, the Keypup Services Terms of Service (the “Services Agreement”) entered into by and between you, the customer (the “Controller”) and Keypup SAS (the “Processor”). Capitalized terms not otherwise defined herein shall have the meaning given to them in the Services Agreement.
1. Definitions
In addition to capitalized terms defined elsewhere in this DPA, the following terms shall have the meanings set forth below:
- 1.1. Affiliate: Means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control” for purposes of this definition means direct or indirect ownership or control of more than 50% of the voting interest in the subject entity.
- 1.2. Applicable Law: Means whichever legal regime is applicable to the Processing of Personal Data under this DPA, including, but not limited to:
  - 1.2.1. Regulation 2016/679 of the European Parliament and of the Council (GDPR) and laws implementing or supplementing the GDPR;
  - 1.2.2. The UK GDPR (Data Protection Act 2018); and/or
  - 1.2.3. The Israel Protection of Privacy Law, 1981 (collectively, “Israeli Privacy Law”).
- 1.3. Controller Personal Data: Means any Personal Data Processed by Processor on behalf of Controller pursuant to or in connection with the Services Agreement.
- 1.4. Data Subject: Shall mean the person whose Personal Data is Processed.
- 1.5. Personal Data: Shall mean Personal Data as defined under the GDPR and ‘Information’ (‘media’) as defined under Israeli Privacy Law, in each case as applicable.
- 1.6. Processing: Shall be as defined in the GDPR and Israeli Privacy Law, in each case as applicable.
- 1.7. Standard Contractual Clauses: Means the standard contractual clauses for the transfer of Personal Data to data importers established in third countries pursuant to Regulation (EU) 2016/679.
- 1.8. Sub Processor: Means any person (excluding an employee of Processor or any Processor Affiliate) appointed by or on behalf of Processor to Process Controller Personal Data.
- 1.9. The terms “Controller”, “Data Subject”, “Member State”, “Personal Data Breach”, “Processor”, and “Supervisory Authority” shall have the meanings ascribed to them in the GDPR.
2. Applicability and Roles of the Parties
2.1. For Processing subject to the GDPR or the UK GDPR: When Controller Personal Data is subject to the GDPR and/or UK GDPR, Controller serves as a Controller of such Personal Data and Processor serves as a Processor on its behalf.
2.2. For Processing subject to Israeli Privacy Law: When Controller Personal Data is subject to Israeli Privacy Law, Controller shall be considered the party controlling the database of Controller Personal Data and Processor serves as an outsourced service provider on its behalf.
3. Processing of Controller Personal Data
3.1. For the avoidance of doubt “Processor” in this DPA shall be deemed to designate Keypup SAS. Processor shall Process Controller Personal Data on Controller’s behalf and at Controller’s instructions as specified in the Services Agreement and in this DPA. Processor may use aggregated and/or anonymized data (“Aggregate Data”) for benchmarks and improving the Services.
3.1.1. Controller instructs Processor to (i) Process Controller Personal Data for the provision of the Services; and (ii) transfer Controller Personal Data to any country or territory as reasonably necessary for the provision of the Services and in accordance with Applicable Law.
3.2. Controller sets forth the details of the Processing of Controller Personal Data in Schedule 1.
3.2.1. Processor will not solicit Personal Data from Controller's Data Subjects except as expressly directed. Processor is prohibited from using Personal Data from illegal sources.
3.2.2. Processor shall document its activities and decision-making processes regarding the implementation of this DPA.
3.3. To the extent that the Processor Processes Controller Personal Data subject to the GDPR in countries outside the EEA that do not provide an adequate level of data protection, the Standard Contractual Clauses shall apply.
3.4. To the extent that the Processor Processes Controller Personal Data subject to the UK GDPR in a country other than the UK, the UK Addendum shall apply.
4. Controller
Controller represents and warrants that it has all necessary rights to provide the Controller Personal Data to Processor. Controller is responsible for obtaining any necessary Data Subject consents to the Processing.
5. Processor Employees
Processor shall take reasonable steps to ensure that access to the Controller Personal Data is limited on a need-to-know basis and that all Processor employees receiving such access are subject to confidentiality undertakings.
6. Security
Processor shall implement appropriate technical and organizational measures to ensure an appropriate level of security of the Controller Personal Data as set forth in Schedule 2.
7. Personal Data Breach
7.1. Processor shall notify Controller without undue delay and, where feasible, not later than 48 hours after Processor becomes aware of a Personal Data Breach affecting Controller Personal Data.
7.2. At the written request of the Controller, Processor shall reasonably cooperate with Controller to assist in the investigation, mitigation and remediation of any Personal Data Breach.
8. Sub Processing
8.1. Controller authorizes Processor to appoint Sub Processors in accordance with this Section.
8.2. Processor may continue to use those Sub Processors already engaged by Processor as identified to Controller as of the date of this DPA.
8.3. Processor may appoint new Sub Processors and shall give Controller notice of each such appointment. Controller may object within seven (7) days. If objections are not resolved, either party may terminate the Services Agreement.
8.4. With respect to each new Sub Processor, Processor shall ensure they are committed to the same level of protection required by this DPA.
8.5. Processor shall remain fully liable to the Controller for the performance of any Sub Processor’s obligations.
9. Data Subject Rights
9.1. Controller shall be solely responsible for compliance with any statutory obligations concerning requests to exercise Data Subject rights. Processor shall assist Controller at Controller’s expense.
9.2. Upon receipt of a request from a Data Subject, Processor shall promptly notify Controller and shall not respond except on the documented instructions of Controller.
10. Data Protection Impact Assessment
At Controller’s written request and expense, the Processor shall provide reasonable assistance with data protection impact assessments or prior consultations with Supervisory Authorities.
11. Deletion or Return
Processor shall promptly (within 60 days of cessation of Services) delete, return, or anonymize all copies of Controller Personal Data, unless required by law to retain it.
12. Audit Rights
12.1. Processor shall make available information necessary to demonstrate compliance and allow for audits by a reputable auditor mandated by the Controller.
12.2. Any audit shall be at Controller’s sole expense and subject to confidentiality.
12.3. Controller and Processor shall mutually agree upon the scope, timing, and duration of the audit. Processor is not required to provide access where prior written notice has not been given, outside normal business hours, or for more than one audit per year (unless there is a genuine compliance concern).
13. Indemnity and Limitation of Liability
Controller shall indemnify Processor against claims arising from a breach of this DPA by Controller. Each party's liability shall be subject to the limitations in the Services Agreement.
14. General Terms
14.1. Governing Law and Jurisdiction: The competent courts of France shall have exclusive jurisdiction. This DPA is governed by the laws of France.
14.2. Order of Precedence: Nothing in this DPA reduces Processor’s obligations under the Services Agreement. In the event of inconsistencies, this DPA prevails over the Services Agreement regarding data protection subject matter.
14.3. Changes in Applicable Law: Controller may request variations to this DPA if required by changes in Applicable Law. Processor shall make reasonable efforts to accommodate such variations.
Schedule 1: Details of Processing
Subject matter and duration
Set out in the Services Agreement and this DPA.
Nature and purpose
Rendering Services in the nature of the Keypup solution that provides software development productivity analytics.
Types of Controller Personal Data
Data regarding how the Controller’s systems and code are used, planned, accessed and developed. Additionally, names, emails and git profiles may be processed.
Categories of Data Subject
Controller’s employees or service providers who access the Controller’s systems and code.
Schedule 2: Binding Security Document
- Firewalls: Processor uses firewalls (IDS/IPS, WAF) to protect internet connections. Access is monitored regularly.
- Vulnerability Management: Patch management, threat notification, vulnerability scanning, and periodic penetration testing.
- Secure Settings: OWASP top 10 framework, encryption procedures, and multiple monitoring systems.
- Access Control: Role-based access, least privilege principle, and audit logs.
- Malware Protection: Antivirus on all workstations.
- Updates: Systems fully managed and updated automatically every month.
- Backups: Full backup availability procedures with redundancy to different zone locations.
- Incident Response: Documented incident response policies including data breach notification.
- Privacy by Design: Principles incorporated at the earliest stage of development.
Annex 1: Authorized Sub-processors
In accordance with clause 8, the Controller has authorized the use of the following sub-processors:
Platform Operations
- Google Cloud Platform (GCP): Infrastructure (Cloud Run, SQL, Memorystore, Logging, Alerting, IAM)
- Cloudflare: External-level security (Firewall & Web routing)
- OAuth0: User authentication management
Customer Management & Operations
- Intercom: User support (chat, emails, surveys)
- HubSpot: CRM (emails, information, news)
Invoicing & Payments
- Stripe: Billing system and payment processor