Data Processing Agreement (DPA)

This Data Processing Agreement is made between "Merav" Financial Systems Development Ltd., Jerusalem, Givat Shaul, 12 Beit HaDfus Street ("the Processor") and its clients (the client is the "Controller") for whom it processes personal data as the Processor.

Each of them shall be referred to as a "Party" and together as the "Parties";

Whereas:

1. This Data Processing Agreement (DPA) forms part of any other agreement between the Parties for the provision of certain services by "Merav" to the client, including, but not limited to, software systems for payroll management, attendance, human resources, employee records, mobile applications, and related support and maintenance services (the "Services" or "System").
2. In order for the Controller and its participants to make use of the Services, the Processor must process the personal data ("Personal Data") of the Controller's employees and/or other participants (together: "Data Subjects") using the content created by the Controller in the Services;
3. The General Data Protection Regulation (EU) 2016/679 of the European Parliament and the Council, dated April 27, 2016, concerning the protection of natural persons with regard to the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC (hereinafter "GDPR"), applies to the processing of personal data;
4. Based on the GDPR, the Parties are required to sign this Data Processing Agreement.

1. Definitions

1.1. In addition to the terms defined above, the following terms shall have the meanings set forth below:

1.2. "DPA": An authorized data protection authority.

1.3. "EEA": The European Economic Area.

1.4. "Personal Data Breach": A security breach leading to the destruction, loss, alteration, unauthorized disclosure, or accidental or unlawful access to personal data.

1.5. "Processing": Actions performed on personal data as defined by the GDPR, including, but not limited to, their storage, display, transfer, deletion, alteration, and transmission.

1.6. "Annex": An annex to this Data Processing Agreement.

1.7. "Services Agreement": The agreement under which the Services are provided, which may include terms of use and/or another type of agreement.

1.8. "Subprocessor": A third party to whom the Processor transfers the processing of personal data, either fully or partially, as subcontracted processing.

2. General Obligations

2.1. Regarding the personal data, the Processor will take appropriate technical and organizational measures to ensure compliance with the GDPR and protect the rights of the Data Subjects.

2.2. The Controller declares that it complies with the GDPR with respect to the personal data processed by the Processor. It is the responsibility of the Controller to comply with the relevant personal data laws regarding the personal data created in or uploaded to the service. This includes, but is not limited to, ensuring there is a legal basis for the processing (e.g., valid consent if required) of the personal data, informing the Data Subjects about the processing of their personal data, and verifying that the Data Subjects are of the legal age to submit their personal data, if applicable.

3. Processing Only According to the Controller’s Instructions

3.1. The purpose of the processing by the Processor is to enable the Processor to provide the services.

3.2. The Processor will process the personal data only according to the written instructions of the Controller, which are the processing activities detailed in Annex 1, or any other reasonable instructions provided by the Controller in writing (which can be included in an email). The Processor will process the personal data beyond the Controller's instructions only if required to do so to comply with a relevant legal obligation. In such case, Section 3.3 below will apply.

3.3. In the event the Processor is required under European law to disclose any personal data, the Processor will immediately notify the Controller and inform the Controller of the relevant legal requirement, unless the legal requirement prohibits the Processor from disclosing such a notification for important public interest reasons. If the Processor is not prohibited from notifying the Controller, the Processor will refrain from disclosing any personal data until the Controller takes steps to obtain a protective order or other appropriate remedy. If such a protective order is not obtained, the Processor will only provide personal data in accordance with a written notice from the Controller, or, in the absence of such notice in a timely manner, the Processor will provide only the personal data it deems necessary to comply with the legal requirement.

3.4. The Processor will notify the Controller if, in the Processor's opinion, any instruction given by the Controller infringes the GDPR, and in such a case, the Processor will not be required to comply with the instruction.

4. Assistance to the Controller

4.1. The Processor shall provide the requested assistance in a reasonable manner by the Controller:

(i) Taking into account the nature of the processing, the Processor shall assist the Controller with appropriate technical and organizational measures, as far as possible, to fulfill the Controller's obligations to respond to Data Subjects' requests to exercise their rights, to the extent that the Processor can do so factually in light of the services. In the event that the Processor receives a request from a Data Subject, it shall forward such a request to the Controller, and the Controller will continue to handle the request;

(ii) Taking into account the nature of the processing and the information available to the Processor, the Processor shall assist the Controller in fulfilling the Controller’s obligations related to security, notifying of personal data breaches (see Section 5.4), investigations by the DPA, data protection impact assessments, and prior consultation if required.

Here’s the translation of Section 5 with no parts missing:

5. Security Measures and Personal Data Breaches

5.1. Considering the state of the art, the cost of implementation, and the nature, scope, context, and purposes of the processing, as well as the risk of varying likelihood and severity to the rights and freedoms of natural persons, the Processor implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk involved in the processing.

5.2. The Data Controller undertakes and guarantees that it will not request Data Subjects to submit special category data or sensitive personal data as defined under applicable laws. This includes, for example: data relating to health, religious beliefs, political opinions, race, ethnic background, sexual preferences or behavior, membership in trade unions, criminal records, biometric data for identification purposes, genetic data. The security measures of the services are not suitable for these types of personal data.

5.3. The Processor shall implement appropriate technical and organizational measures to ensure that personal data can only be accessed by those individuals within its organization who are required to have access for the purpose of providing the services, for example by limiting the number of individuals with access rights.

5.4. On its website, the Processor provides information about its security measures. In addition, at the Controller’s request, the Processor will provide an overview of the existing security measures at the time of the request. The Controller may submit such a request once per calendar year, unless there is a well-founded reason to submit the request more frequently, for example, in the event of a personal data breach.

5.5. The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach. Such notification shall: (i) Include the available information regarding the personal data breach, including, among other things, a description of the breach, its cause; the categories, nature, and estimated quantity of the personal data, and the affected Data Subjects, as well as the extent of the personal data breach; (ii) Explain the impact of the personal data breach on the Controller and the relevant Data Subjects; (iii) Explain the corrective action taken or to be taken by the Processor, the Controller, and/or the Data Subjects, as well as the time frame for completing such action.

5.6. The Processor shall provide the requested cooperation in a reasonable manner by the Controller, and provide the information within its control regarding the notification of the personal data breach to the DPA, and where relevant, to the Data Subjects.

5.7. The Processor is not required to notify any DPA or Data Subjects about a personal data breach, nor to do so unless the Processor explicitly agrees in writing in the case of a specific personal data breach.

5.8. In order to use the services, the Controller must use login credentials to access their account. The Controller must keep these login credentials secure and confidential, as they grant access to personal data. Furthermore, it is the responsibility of the Controller to ensure that the Data Subjects using the services keep their login credentials secure and confidential, as they grant access to their personal data.

6. Confidentiality

6.1. The Processor shall take into account confidentiality with regard to the personal data.

6.2. In this regard, the Processor: (i) Shall not disclose the personal data to any third party unless expressly permitted in this Data Processing Agreement; (ii) Shall implement appropriate technical and organizational measures to ensure that any person who has access to the personal data is informed about confidentiality and is committed to it.

7. Subprocessors

7.1. The Processor may use Subprocessors to process the Personal Data.

7.2. The Processor ensures that Subprocessors: (i) declare that they have implemented appropriate technical and organizational measures to ensure compliance with the GDPR and the protection of Data Subjects' rights; (ii) are contractually obligated to comply with the same obligations set forth in this Data Processing Agreement, as relevant to the Subprocessor’s data processing activities.

7.3. For the avoidance of doubt: if the Controller uses functionality through the Services where a connection is established to services offered to the Controller by third parties, such third parties are not the Processor’s Subprocessors; the Controller has a direct legal relationship with such third parties. For example, such third parties may include social media platforms, email providers, and the Controller's service providers where the Controller has its own account that receives data through platform integrations.

8. Data Export (Transfers Outside the EEA)

8.1. In cases where the processing of personal data by the processor or by any sub-processor on its behalf takes place in any third country, the customer agrees, and the processor undertakes, that such processing shall be subject to a written agreement that includes the Standard Contractual Clauses.

8.2. At all times, the processor will provide an adequate level of protection for personal data, wherever processed, in accordance with the requirements of applicable privacy laws and regulations.

8.3. The processor shall not process or transfer personal data outside the EEA, unless the transfer of personal data is made: (i) to a territory that has been officially recognized by the European Commission as providing adequate protection to personal data ("Adequacy Recognition"); or (ii) in accordance with the relevant terms of the Standard Contractual Clauses.

9. Reporting, Audit Rights

9.1. The Processor shall allow the Controller, subject to the terms of this section, access to its records so that the Controller may audit the Processor’s compliance with the terms of this Data Processing Agreement. The Processor does not allow the Controller to access personal data of Data Subjects who are not the Controller's data subjects.

9.2. The Controller may appoint a third party to conduct the audit. In this case, the Controller shall ensure that the third party is committed to maintaining the confidentiality of the Processor's information to which the third party has access in relation to the audit and shall not disclose it to any third party.

9.3. The Controller may exercise its audit rights under this section no more than once per calendar year. The Controller shall notify the Processor of the audit at least two weeks in advance to allow the Processor to prepare.

9.4. If the audit reveals that the Processor is not meeting its obligations under this Data Processing Agreement, the Processor shall take the measures reasonably requested by the Controller to comply with those obligations.

10. Term and Termination

10.1. The term of this Data Processing Agreement shall be identical to the term of the Service Agreement. Therefore, this Data Processing Agreement shall terminate upon the termination of the Service Agreement.

10.2. If the Service Agreement does not specify its termination date – and thus there is no termination date for this Data Processing Agreement – the following termination grounds apply: Either party may terminate this Data Processing Agreement in the future, without obligation to pay damages, in the event that: (i) The other party files for bankruptcy protection, or such a request is made by a third party; (ii) The other party files for or is granted a payment suspension; (iii) The other party files for insolvency or similar proceedings under applicable law or a receiver is appointed; (iv) The other party ceases to continue its business.

10.3. The parties may at any time jointly decide to terminate this Data Processing Agreement by mutual written agreement.

11. Assistance Upon Termination of Agreement

11.1. The Processor shall process the personal data during the Controller’s use of the services.

11.2. The Controller must ensure that they have extracted and deleted the personal data from their account before the termination of the Service Agreement. After the agreement period ends, the account will be blocked from future use and processing. The termination conditions are the same as the relevant section in the personal contract with the client.

12. Governing Law and Jurisdiction

12.1 This Agreement is governed by the laws of israel.

12.2 Any dispute arising in connection with this Agreement, which the Parties will not be able to resolve amicably, will be submitted to the exclusive jurisdiction of the courts of Israel.

13. Miscellaneous

13.1. The provisions in the Service Agreement apply to the processing of personal data and shall prevail with respect to sections not related to data protection, such as liability. If the Service Agreement includes provisions on data protection, this Data Processing Agreement shall supersede those provisions.

13.2. If the Processor’s activities under this Data Processing Agreement go beyond the normal activities of the Processor for the services, the Processor is entitled to reasonable compensation based on the Processor's standard payment at the time. The Processor shall provide a breakdown of the compensation calculation.

13.3. The Processor may amend or modify this Data Processing Agreement in accordance with the terms of the Service Agreement.

13.4. If any provision of this Data Processing Agreement is determined by a court of competent jurisdiction to be unlawful or unenforceable, that decision shall not affect the validity or enforceability of any other provision of this agreement, and this Data Processing Agreement shall be interpreted as if such provision or provisions had not been included.