1.1. This Data Processing Addendum (“Addendum”)forms an integral part of the Terms of Service (“Agreement”) between the party to such Agreement (the “Company”)and Copilot CX Ltd. (“Licensor”) and applies to the extent that Licensor processes Personal Data, or has access to Personal Data, in the course of its performance under the Agreement.
1.2. Licensor shall qualify as the Data Processor and Company shall qualify as the Data Controller.
All capitalized terms not defined in this Data Protection Addendum have the meanings set forth in the Agreement.
2.1. “Approved Jurisdiction” means a member state of the European Economic Area, or other jurisdiction as may be approved as having adequate legal protections for data by the European Commission.
2.2. “Breach Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
2.3. “Data Controller”, “Data Processor”, “data subject”, “process” and “processing” shall have the meanings ascribed to them in the Data Protection Laws.
2.4. “Data Protection Laws” means any and/or all applicable domestic and foreign laws, rules, directives and regulations, on any local, provincial, state or deferral or national level, pertaining to data privacy, data security and/or the protection of Personal Data, including the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”)and the Israeli Protection of Privacy Law, 5741-1981(and any regulation thereof),to the extent applicable.
2.5. “Personal Data” means any information that is about, or can be related to, an identifiable individual. Personal Data includes any information that can be linked to an individual or used to directly or indirectly identify an individual. Personal Data shall be considered Confidential Information
2.6. “Security Measures” means commercially reasonable security-related policies, standards, and practices commensurate with the size and complexity licensor's business, the level of sensitivity of the data collected, handled and stored, and the nature of Licensor’s business activities.
2.7. “Standard Contractual Clauses” means the standard contractual clauses for the transfer of Personal Data to data processors established in third countries adopted by the European Commission Decision C (2010)593.
2.8. “Sub-Processors” means any affiliate, agent or assign of Licensor that may process Personal Data pursuant to the terms of the Agreement, and any unaffiliated processor engaged by Licensor.
3.1. Each Party shall comply with its respective obligations under the Data Protection Laws.
3.2. Licensor shall process Personal Data in accordance with the Agreement and provide reasonable cooperation and assistance to Company in order to allow Company to comply with its obligations as a Data Controller under Data Protection Laws.
3.3. Licensor agrees to notify Company promptly if it becomes unable to comply with the terms of this Addendum and take reasonable and appropriate measures to remedy such non-compliance.
3.4. Throughout the duration of the Agreement, Company agrees and warrants that:
3.4.1 Personal Data has been and will continue to be collected, processed and transferred by Company in accordance with the relevant provisions of the Data Protection Laws;
3.4.2 the processing of Personal Data by Company, as well as any instruction to Licensor in connection with the processing of the Personal Data (“Processing Instructions”), has been and will continue to be carried out in accordance with the relevant provisions of the Data Protection Laws;
3.4.3 it has collected Personal Data and transferred such Personal Data to Licensor for processing hereunder fairly and lawfully, pursuant to any applicable Data Protection Laws;
3.4.4 it has informed data subjects of the processing and transfer of Personal Data pursuant to this Addendum and obtained the consent thereto (including without limitation any consent required in order to comply with the Processing Instructions and those purposes detailed herein or in the Agreement) in advance. Company shall promptly inform the Licensor in connection with any change, amendment or request concerning
4.1. Licensor shall process Personal Data only based on Company’s documented Processing Instructions. The Processing Instructions may be received through API or any automatic means incorporated into the Application. Company shall remain liable with respect to any Processing Instruction, provided that Licensor acted in accordance with the Processing Instructions.
4.2. Licensor shall process Personal Data only for the purpose of providing the Services in accordance with the Agreement and the Data Protection Laws. Unless permitted under the Agreement, this Addendum, or applicable law, Licensor shall not otherwise modify, amend, disclose or permit the disclosure of any Personal Data to any third party unless instructed to do so by Company.
4.3. Licensor will not use Personal Data for any use other than as provided in the Agreement or this Addendum. Processing any Personal Data outside the scope of the Agreement or the Processing Instructions will require a written agreement between Licensor and Company, and may include additional fees.
4.4 If Licensor believes any Processing Instructions are not in compliance with applicable law, it will promptly inform the Company.
4.5 Notwithstanding the foregoing, Licensor shall been titled to use the Personal Data for internal, statistical and financial purposes provided however that any personal attributes shall be removed from such Personal Data or on an aggregated basis.
4.6 The Personal Data processed will include: [To be updated as needed]
Personal information of registered users of the Company, use information of the registered users of the Company, purchase information, inquiry information, subscription information, metadata and analytics information, and any other Personal Data collected by the Company.
4.7 The data subjects about whom Personal Data is processed are all Company users and leads
5.1. Licensor represents, warrants, and agrees to use appropriate Security Measures to (i) protect the availability, confidentiality ,and integrity of any Personal Data processed by Licensor in connection with the Agreement; and (ii) protect such data from Breach Incidents.
5.2 Licensor may update or modify the Security Measures from time to time provided that such updates and modifications shall not result in the degradation of the overall Security Measures.
5.3 Licensor shall take reasonable steps to implement appropriate technical and organizational measures and to ensure the reliability of its staff who have access to and process Personal Data. Licensor shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
Upon becoming aware of a Breach Incident, Licensor will notify Company as soon as reasonably possible and without undue delay, and in any event no later than within 72 hours, and will provide information relating to the Breach Incident as reasonably requested by Company. Licensor will use reasonable endeavors to assist Company in mitigating, where possible, the adverse effects of any Breach Incident
7.1 Licensor audits its compliance against data protection and information security standards on a regular basis, as required by applicable law. Such audits reconducted by Licensor’s internal audit team or by third party auditors engaged by Licensor.
7.2 Licensor shall, upon reasonable and written notice and subject to obligations of confidentiality, allow its data processing procedures and documentation to be inspected annually by Company in order to ascertain compliance with this Addendum. Licensor shall cooperate in good faith with such audit requests by providing access to relevant knowledgeable personnel and documentation.
8.1 If Licensor receives any request from individuals relating to the processing of Personal Data under the Agreement, including requests from individuals seeking to exercise their rights under Data Protection Law, (each a “Request”).Licensor shall (unless legally compelled) promptly redirect the Request to Company and follow Company’s reasonable instructions and in the absence of such instructions respond directly to such Request. The Request may be received and communicated to the Company through API or any automatic means incorporated into the Software.
8.2 A response by Licensor to any request from applicable data protection authority, supervisory authority, other government or regulatory entity or is required by law, relating to the processing of Personal Data under the Agreement and the disclosure of Personal Data, shall not be considered to be a breach of this Agreement, provided, however, that Licensor shall (to the extent legally permitted) notify Company upon receipt of such request there of to enable Company to seek a protective order or otherwise prevent or contest such request.
8.3 Notwithstanding the foregoing, Licensor will cooperate with Company with respect to any action taken by it pursuant to such order, demand or request.
8.4 Upon reasonable notice, Licensor shall provide reasonable assistance to Company in:
8.4.1 allowing data subjects to exercise their rights under the Data Protection Law ,including (without limitation) the right of access, right to rectification, restriction of processing, erasure (“right to be forgotten”),data portability, object to the processing, or the right not to be subject to an automated individual decision-making;
8.4.2 ensuring compliance with any notification obligations of Brach Incidents to the supervisory authority and communication obligations to data subjects, as required under Data Protection Laws;
8.4.3 Ensuring Company’s compliance with its obligation to carry out Data Protection Impact Assessments (“DPIA”) or prior consultations with data protection authorities with respect to the processing of Personal Data.
8.4.4 Any such assistance to Company will be solely at Company’s expense and may include additional fees.
9.1. Company acknowledges and agrees that Licensor use the services of Sub-processors listed in Annex A, attached hereto [Licensor will add a list of sub processors] or otherwise specified in the list of Sub-processors on Licensor’s website. The list shall be updated in accordance with this provision.
9.2. Company authorizes Licensor to engage Sub-processors for carrying out specific processing activities of the Services listed in Annex A or on Licensor’s website. To the extent that Licensor wishes to update such list and engage other Sub-processor, it shall provide Company with prior notice through an automatic means (including through Licensor’s website).
9.3. Licensor will enter into an agreement with the Sub-processor containing data protection obligations that are as restrictive as the obligations under this Addendum (to the extent applicable to the services provided by the applicable Sub-processor) or as customary with such Sub-processor.
10.1. Licensor may transfer and process Personal Data to and in other locations around the world where Licensor or its Sub-processors maintain data processing operations as necessary to provide the Services as set forth in the Agreement which transfer shall be deemed approved by the Company hereunder.
10.2. If Licensor or its sub-processor processes Personal Data in a jurisdiction that is not an Approved Jurisdiction, Licensor shall ensure that it has a legally approved mechanism, such as the Standard Contractual Clauses in place to allow forthe international data transfer.
Licensor will only retain Personal Data for as long as Services are provided to Company in accordance with the Agreement. Notwithstanding the foregoing, Licensor shall be entitled to maintain Personal Data following the termination of the Agreement for any purpose as and if required by law provided that Licensor shall be further entitled to further maintain and use such Personal Data on an aggregate basis for internal research and development, statistical and financial purposes after having removed all personally identifiable attributes from such Personal data, so that the Data is completely anonymized and no longer Personal Data.
12.1. Each Party will indemnify and save the other Party and each of its officers, employees and agents or Sub-Processors (subject to Section 9 above) (each a “Indemnified Party”) harmless from and against any losses, claims, actions, suits, proceedings, damages, liabilities or expenses including the aggregate amount paid in reasonable settlement of any actions, suits, proceedings, investigations or claims and the reasonable fees, disbursements and taxes of their counsel in connection with any action, suit, proceeding, investigation or claim that may be made or threatened against any Indemnified Party or in enforcing this indemnity (each a “Claim”) to which an Indemnified Party may become subject insofar as the Claim relate to, is caused by, result from, arise out of or is based upon, directly or indirectly, any failure by the Indemnifying Party to comply with the terms of this Addendum or any Data Protection Law and to reimburse each Indemnified Party forthwith, upon demand, for any cost, fine, damage, reasonable attorneys’ fee or other liability of any nature (whether direct, indirect or consequential) incurred by such IndemnifiedParty in connection with any Claim.
12.2. The rights accorded to the Indemnified Party hereunder shall be in addition to any rights an Indemnified Party mayhave at common law, Data Protection Law or otherwise.
12.3. Section 8.4 of the Agreement shall be incorporated herein by reference and shall be deemed Licensor’s limitation of liability in connection with any Claim indemnified hereunder.
13.1. In the event of a conflict between the Agreement (or any document referred to therein) and this Addendum, theprovisions of this Addendum shall prevail.
13.2. Licensor may modify the terms of this Addendum in circumstances such as (i) if required to do so by a supervisory authority or other government or regulatory entity, or (ii) if necessary to comply with Data Protection Laws, or (iii) to implement or adhere to standard contractual clauses, approved codes of conduct or certifications, binding corporate rules, or other compliance mechanisms, which may be permitted under Data Protection Laws and are customary for the industry. Licensor will provide notice of such changes to Company in advance, and the modified Addendum will become effective, upon Company’s approval. If Company’s approval is not provided within 14 days, Licensor shall be entitled to terminate the Agreement with Company for convenience, without liability to either party for such premature termination.
13.3. If any of the Data Protection Laws are superseded by new or modified Data Protection Laws (including any decisions or interpretations by a relevant court or governmental authority relating thereto), the new or modified Data Protection Laws shall be deemed to be incorporated into this Data Protection Addendum, and parties will promptly begin complying with such Data Protection Laws.