This Data Processing Addendum (“Addendum”) supplements and is incorporated by reference into the Master Services Agreement (the “Agreement”). This Addendum is entered into by and between the entity identified in the Order Form as the customer (“Customer”) and ClearMash Solutions Ltd. (“Processor”) and sets forth the parties’ respective obligations regarding the processing of personal data in connection with the Customer’s use of the ClearMash Platforms. In the event of any conflict between the Agreement and this Addendum, the provisions of this Addendum shall prevail with respect to the processing of personal data.
Capitalized terms used but not defined in this Addendum shall have the meaning ascribed to them in the Agreement.
This Addendum applies as follows:
| Part | Is applicable and in force? | Determination of applicability |
| --- | --- | --- |
| Part One – General provisions | Always applies and in force | |
| Part Two – EU and UK GDPR DPA | Only if the response to the question on the right is YES, then Part Two applies and is in force. | Is the Customer Data processed by Processor subject to the EU or UK GDPR? Yes/No |
| Part Three – US State Laws | Only if the response to the question on the right is YES, then Part Three applies and is in force. | Is the Customer Data processed by Processor subject to a State privacy law in the United States, such as the CPRA? Yes/No |
| Part Four – HIPAA BAA | Only if the response to the question on the right is YES, then Part Four applies and is in force. | Is the Customer Data processed by Processor subject to HIPAA? Yes/No |
| Part Five – Israeli Privacy Protection Regulations (Information Security) | Only if the response to the question on the right is YES, then Part Five applies and is in force. | Is the Customer Data processed by Processor subject to Israeli law? Yes/No |
Part 1 (General Provisions)
1. Scope. This Addendum applies only where Processor is processing personal data included in the Customer Data (as defined in the Agreement) on behalf of the Customer and under the Customer’s instructions. It does not apply to Processor’s processing of personal data to operate the Services, to market or promote its products, or to administer the business or contractual relationship between Processor and the Customer.
2. Processing. Processor shall not: (a) retain, use or disclose the Customer Data for any purpose other than properly performing the Services, or for any commercial purpose other than as reasonably necessary to perform Customer’s processing instructions; (b) sell the Customer Data; or (c) use or disclose the Customer Data outside of the direct business relationship between the parties. Processor undertakes to process the Customer Data in accordance with all limitations and obligations applicable to it herein. For the avoidance of doubt, Customer authorizes Processor to process Customer Data in order to anonymize or aggregate such data into Anonymized Data, and to use such Anonymized Data for product improvement and development, benchmarking, analytics and insights related to the Services, as set out in the Agreement.
3. Data Subject Requests. Processor will follow Customer’s instructions to accommodate data subjects’ requests to exercise their rights in relation to their information within the Customer Data, including accessing their data, correcting it, restricting its processing or deleting it. Processor will pass on to Customer requests that it receives (if any) from data subjects regarding their information processed by Processor. Processor shall notify Customer of the receipt of any such request as soon as possible, and no later than three (3) business days from the receipt of such request, together with the relevant details. In addition to the above.
4. Disclosure. Unless legally prohibited, Processor will provide Customer prompt notice of any request it receives from authorities to produce or disclose Customer Data it has Processed on Customer’s behalf, so that Customer (or its customer) may contest or attempt to limit the scope of production or disclosure request.
5. Data security. Considering the state of the art, the costs of implementation and the nature, scope, context and purposes of Processor’s processing of Customer Data, Processor shall implement and maintain reasonable security procedures and practices appropriate to the nature of the Customer Data, to protect the Customer Data from unauthorized access, destruction, use, modification, or disclosure (including data breaches).
6. Data Breaches. Processor shall without undue delay, and in any event within 48 hours, notify Customer of any actual or reasonably suspected accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data that Processor processes, of which Processor becomes aware. Processor will thoroughly investigate the breach, and take all available measures to mitigate the breach and prevent its recurrence. Processor will cooperate in good faith with Customer on issuing any statements or notices regarding such breaches to authorities and data subjects.
7. Subcontracting to suppliers. Customer authorizes Processor to subcontract any of its Services-related activities which involve processing the Customer Data. An updated list of Processor's suppliers may be found here, and Processor reserves the right to change it from time to time. Processor shall ensure that any supplier is bound by the same obligations as the Processor under this Part and shall supervise the supplier's compliance therewith, and Processor shall remain fully liable for the performance of any supplier that fails to fulfil its obligations.
8. Data Deletion. Following termination or upon Customer’s written request, Processor will delete the Customer Data it has processed on Customer’s behalf under this Addendum from its own and its suppliers’ systems, or, at Customer’s choice, return such Customer Data and delete existing copies, within 10 business days of receiving a request to do so. Where Customer has been provided functionality or self-service tools that enable Customer to delete Customer Data, Customer is responsible for deleting such Customer Data using those tools. In that case, Customer may request that Processor delete only the Customer Data that Customer cannot delete using such functionality or tools. Upon Customer’s request, Processor will furnish written confirmation that the Customer Data has been deleted or returned pursuant to this section.
9. Customer obligations
9.2. Customer acknowledges and agrees that Processor performs the Services, and its duties under applicable law (such as HIPAA, the GDPR and the Israeli Privacy Protection Regulations (Information Security)) and under this Addendum, in reliance on the Customer’s and Authorized Users’ compliance with the obligations herein. Processor is not liable for any violation or breach of its contractual or legal obligations if the violation or breach resulted from Customer’s or its Authorized Users’ failure to comply with the obligations herein. Customer shall indemnify the Processor and its directors, officers, service providers, and contractors for all liabilities, losses, costs, damages and expenses (including reasonable legal fees) in any claim alleging breach of Processor’s contractual or legal obligations which arises in connection with the Customer’s or its Authorized Users’ failure to comply with the obligations herein. The indemnity procedure specified in the Agreement shall apply to the indemnity under this Section 9.2.
10. Data Protection Officer. The Processor's DPO shall serve as Processor's point of contact for the purpose of this Addendum. The DPO's contact details are as follows:
Name: Gal Srour
Email address: [email protected]
Part 2 (EU and UK GDPR DPA)
1. Customer commissions, authorizes and requests that Processor Process Personal Data under the instructions of Customer (as these capitalized terms are defined and used in the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) applicable as of 25 May 2018 and any national law supplementing the GDPR, as well as the UK Data Protection Act 2018, and the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419); these shall collectively be referred to in this Part 2 as “Data Protection Law”). Capitalized terms used but not defined in this Part 2 shall have the meaning ascribed to them under Data Protection Law.
2. This Part 2 applies only where Processor is Processing Personal Data as a Data Processor on behalf of the Customer and under the Customer’s instructions. It does not apply to Processor’s Processing of Personal Data to operate the Services, to market or promote its products, to administer the business or contractual relationship between Processor and the Customer, or in other instances where Processor operates as a Data Controller.
3. Processor will Process the Personal Data only on Customer’s behalf (it being understood that Customer acts as the Data Controller), and for as long as Customer instructs Processor to do so.
4. The nature and purposes of the Processing activities are the provision of the Services to the Customer. The Personal Data Processed and the legal basis for processing are determined by the Customer.
5. The Data Subjects, as defined in the Data Protection Law, about whom Personal Data is Processed are determined by the Customer and include the Authorized Users of the Customer.
6. As a Data Processor, Processor will Process the Personal Data only as set forth in this Addendum. Processor and Customer are each responsible for complying with the Data Protection Law as applicable to their roles.
7. Processor will Process the Personal Data only on instructions from Customer documented in this Addendum or otherwise provided in writing, which instructions must be consistent with the nature and characteristics of the Services. The foregoing applies unless Processor is otherwise required by law to which it is subject (and in such a case, Processor shall inform Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest). Processor shall immediately inform Customer if, in Processor's opinion, an instruction is in violation of Data Protection Law.
8. Processor will make available to Customer, upon request all information at its disposal necessary to demonstrate compliance with the obligations under Data Protection Law.
9. Processor will follow Customer’s instructions to accommodate Data Subjects’ requests to exercise their rights in relation to their Personal Data, including accessing their data, correcting it, restricting its processing or deleting it. Processor will pass on to Customer requests that it receives (if any) from Data Subjects regarding their Personal Data Processed by Processor. Processor shall notify Customer of the receipt of such request as soon as possible, and no later than three (3) business days from the receipt of such request, together with the relevant details.
10. Customer authorizes the Processor to engage sub-processors to carry out specific processing activities, provided that the Processor informs Customer at least 10 business days in advance of any new or substitute sub-processor, in which case Customer shall have the right to object, on reasoned grounds, to that new or replaced sub-processor. If Customer so objects, the Processor may not engage that new or substitute sub-processor for the purpose of Processing Personal Data. At the outset, Customer authorizes Processor to engage with Processor's current sub-processors, detailed in the list found here.
13. Processor will ensure that its staff authorized to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
14. Within 21 days of Customer’s written request, Processor shall allow for and contribute to audits, including inspections conducted by Customer or another auditor mandated by Customer, in order to establish the Processor's compliance with this Addendum and the provisions of the applicable Data Protection Law as regards the Personal Data that Processor Processes on behalf of Customer. Such audits or inspections shall be carried out during Processor’s ordinary business hours, not more than one business day per year (unless Data Protection Law or a supervisory authority mandates more frequent audits or inspections), shall be conducted with minimal disruption to Processor’s business activities, and shall be subject to confidentiality undertakings satisfactory to the Processor.
15. Processor shall without undue delay, and in any event within 48 hours, notify Customer of any Personal Data Breach (as this term is defined and used in Data Protection Law and applicable regulatory guidelines) that it becomes aware of regarding Personal Data of Data Subjects that Processor Processes. Processor will thoroughly investigate the breach, and take all available measures to mitigate the breach and prevent its recurrence. Processor will cooperate in good faith with Customer on issuing any statements or notices regarding such breaches to authorities and Data Subjects.
16. Processor will assist Customer, as appropriate and if needed, with the preparation of any data protection impact assessments and with any prior consultation with supervisory authorities.
17. Unless legally prohibited, Processor will provide Customer prompt notice of any request it receives from authorities to produce or disclose Personal Data it has Processed on Customer’s behalf, so that Customer may contest or attempt to limit the scope of the production or disclosure request.
18. Upon Customer’s request, Processor will delete the Personal Data it has Processed on Customer’s behalf under this Addendum from its own and its sub-processors’ systems, or, at Customer’s choice, return such Personal Data and delete existing copies, within 10 business days of receiving a request to do so. Upon Customer’s request, Processor will furnish written confirmation that the Personal Data has been deleted or returned pursuant to this section.
Part 3 (US State Laws)
1. Definitions
In this Part Three:
a. “Applicable State Privacy Laws” means the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), and other applicable state privacy laws in the United States, such as (but not limited to): Virginia Consumer Data Protection Act, Connecticut Act Concerning Personal Data Privacy and Online Monitoring, Utah Consumer Privacy Act, and the Colorado Privacy Act, as relevant.
b. “Consumer” means a natural person, including a natural person in their professional or work capacity.
c. “Personal Information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
d. “Collect” (and its cognate terms) means buying, renting, gathering, obtaining, receiving, or accessing any Personal Information pertaining to a Consumer by any means. This includes obtaining information from the Consumer, either actively or passively, or by observing the Consumer’s behavior or interaction.
e. “Process” (and its cognate terms) means any operation or set of operations that are performed on Personal Information or on sets of Personal Information, whether or not by automated means.
f. “Sell” (and its cognate terms) means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a Consumer's Personal Information for monetary or other valuable consideration.
g. "Share” (and its cognate terms) means sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a Consumer's Personal Information for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions for cross-context behavioral advertising in which no money is exchanged.
2. Processor’s Obligations. The Parties acknowledge and agree that Processor is a ‘service provider’ and ‘processor’ within the meaning of the terms in Applicable State Privacy Laws. To that end, and unless otherwise required by law:
a. Processor must not Sell Customer Personal Information. Furthermore, Processor must not Share any Customer Personal Information other than with its sub-processors who assist Processor in the provision of its Services.
b. The parties agree that Customer is disclosing the Personal Information to Processor only for the following limited and specified business purposes: to provide and support the operation of its Services.
c. Processor is prohibited from retaining, using, or disclosing the Personal Information that it Collects for any commercial purpose other than the foregoing business purposes, unless expressly permitted by Applicable State Privacy Laws and this Part Three. Additionally, Processor is prohibited from retaining, using, or disclosing the Personal Information that it Collects pursuant to this Agreement outside the direct business relationship between Processor and Customer, unless expressly permitted by Applicable State Privacy Laws and this Part Three.
d. Processor shall comply with all relevant sections of Applicable State Privacy Laws and shall provide, with respect to Personal Information it Collects, the same level of privacy protection as required by Applicable State Privacy Laws.
e. Processor grants Customer the right to take reasonable and appropriate steps to ensure that Processor uses the Personal Information it Collects in a manner consistent with the obligations under this Part Three and Applicable State Privacy Laws.
f. Processor must promptly notify Customer when it determines that it can no longer meet its obligations under this Part Three or Applicable State Privacy Laws.
g. Processor grants Customer the right, upon notice, to take reasonable and appropriate steps to stop and remediate Processor’s unauthorized use of Personal Information.
h. If Processor receives a request from a Consumer about his or her Personal Information, Processor shall not itself comply with the request, and shall inform the Consumer that Processor’s basis for denying the request is that Processor is merely a service provider that follows Customer’s instructions. Processor shall provide the Consumer with the Customer’s contact information and instruct the Consumer to submit the request directly to the Customer.
i. If Customer so requests, Processor shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to requests for exercising the Consumer rights under Applicable State Privacy Laws.
Part 4 (HIPAA BAA)
1. Introduction. This Part Four is a business associate agreement entered into by and between the Customer and Processor pursuant to the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act, Pub. L. No. 111-5 (“HITECH Act”), and its implementing regulations, including 45 C.F.R. Parts 160 and 164, Subparts A and E (the “Privacy Rule”), Subparts A and C (the “Security Rule”), and Subpart D (the “Breach Notification Rule”) (collectively, and as may be amended from time to time, “HIPAA”). All terms used in this Part Four and not defined herein shall have the meaning set forth in the applicable definition under HIPAA.
2. Scope. This Part 4 applies whenever Processor receives and processes protected health information on behalf of Customer, where Customer is a "Covered Entity" under HIPAA (and Processor is, accordingly, a "Business Associate" for the purpose of this Part 4).
3. Use and Disclosure of Protected Health Information. Processor may not use or disclose “Protected Health Information” (as defined in the Privacy Rule), received from, or received or created on behalf of, Customer, except as follows:
3.1. Processor is permitted to use or disclose Protected Health Information as permitted or required by this Part Four or as required by law.
3.2. Processor is permitted to use or disclose Protected Health Information to provide its Services to Customer, pursuant to the Agreement.
3.3. Processor is permitted to use Protected Health Information for the proper management and administration of the Processor or to carry out the legal responsibilities of the Processor.
3.4. Processor agrees to document such disclosures of Protected Health Information and information related to such disclosures as would be required for Customer to respond to a request by an individual for an accounting of disclosures of Protected Health Information in accordance with 45 C.F.R. § 164.528.
3.5. Processor may use Protected Health Information to report violations of law to appropriate Federal and state authorities, consistent with § 164.502(j)(1).
4. Safeguards. Processor agrees to use appropriate safeguards to prevent the use or disclosure of Protected Health Information other than as permitted or required by this Part Four.
5. Reporting of Disclosures of Protected Health Information. Processor shall, within five (5) calendar days from the date of discovery, report to Customer any use or disclosure of Protected Health Information of which it becomes aware that is other than as provided for in the Agreement or this Part Four, subject to the requirements of the Breach Notification Rule.
6. Agreement by Third Parties. Processor shall ensure, to the extent required by law, that any of its agents, including, but not limited to, subcontractors, to whom it provides Protected Health Information received from, or created or received by Processor on behalf of Customer, agree to substantially the same restrictions and conditions that apply to Processor under this Part Four with respect to such Protected Health Information.
7. Access to Protected Health Information. Processor shall provide access, at the request of Customer, to Protected Health Information in a designated record set (as defined in the Privacy Rule), to Customer, or as directed by Customer, to an individual in order to meet the requirements of 45 C.F.R. § 164.524.
8. Accounting of Disclosures. At the request of Customer, Processor shall make available the information required to provide an accounting to an individual of disclosures of Protected Health Information about that individual, in accordance with 45 C.F.R. § 164.528.
9. Availability of Books and Records. Processor shall make its internal practices, books and records relating to the use and disclosure of Protected Health Information received from Customer, available to the Secretary of the Department of Health and Human Services (“HHS”) or any other officer or employee of HHS to whom the applicable authority has been delegated, as designated by HHS, for purposes of determining Customer’s compliance with the Privacy Rule.
10. Customer's Obligations. Customer shall promptly notify Processor in writing of (a) any limitation(s) in Customer’s notice of privacy practices in accordance with 45 C.F.R. § 164.520, to the extent that such limitation may affect Processor’s use or disclosure of Protected Health Information; (b) any changes in, or revocation of, permission by an individual to use or disclose Protected Health Information, to the extent that such changes may affect Processor’s use or disclosure of Protected Health Information; (c) any amendments to Protected Health Information in a designated record set in accordance with 45 C.F.R. § 164.526; and (d) any restriction to the use or disclosure of Protected Health Information that Customer has agreed to in accordance with 45 C.F.R. § 164.522, to the extent that such restriction may affect Processor’s use or disclosure of Protected Health Information. Customer shall not request Processor to use or disclose Protected Health Information in any manner that would not be permissible under the Privacy Rule if done by Customer except that Processor may use or disclose Protected Health Information for administrative activities of Processor.
11. Termination. In the event that Processor breaches any material provision contained in this Part Four, Customer shall give Processor at least thirty (30) days’ written notice to cure the breach. In the event that Processor fails to cure the breach within the specified period, Customer may terminate this Addendum and/or the Agreement.
12. Return or Destruction of Protected Health Information upon Termination. Upon termination of this Part Four for any reason, Processor, with respect to Protected Health Information received from Customer, shall:
12.1. Retain only that Protected Health Information which is necessary for Processor to continue its proper management and administration or to carry out its legal responsibilities;
12.2. Return to Customer or destroy all other remaining Protected Health Information that the Processor still maintains in any form;
12.3. Continue to use appropriate safeguards and comply with the Security Rule with respect to electronic Protected Health Information to prevent use or disclosure of the Protected Health Information, other than as provided for in this Section, for as long as Processor retains the Protected Health Information;
12.4. Not use or disclose the Protected Health Information retained by Processor other than for the purposes for which such Protected Health Information was retained and subject to the same conditions set out at Section 3 above which applied prior to termination; and
12.5. Return to Customer or destroy the Protected Health Information retained by Processor when it is no longer needed by Processor for its proper management and administration or to carry out its legal responsibilities.
13. Effect. The terms of this Part Four shall supersede any other conflicting or inconsistent terms in the Addendum, including all exhibits or other attachments thereto and all documents incorporated therein by reference.
14. Amendment. If any of the regulations promulgated under HIPAA are amended or interpreted in a manner that renders this Part Four inconsistent therewith, the parties may amend this Part Four to the extent necessary to comply with such amendments or interpretations.
15. No Third-Party Beneficiaries. Nothing expressed or implied in this Part Four is intended to confer, nor shall anything confer, upon any persons other than Customer and Processor, and their respective successors and assigns, any rights, remedies, obligations or liabilities whatsoever.
Part 5 (Israeli law)
1. Definitions. In this Part Five, the following terms shall be interpreted as follows:
1.1 “Applicable Law” means the Israeli Protection of Privacy Law, 5741-1981 (hereinafter – the “Privacy Law”) and the regulations promulgated thereunder (and in particular the Protection of Privacy Regulations (Information Security), 5777 - 2017), the guidelines of the Registrar of Databases, and in particular Guidelines No. 2/2011 regarding the use of outsourcing for processing of personal data, as well as any legislative or administrative provision or directive that will apply to the Processor in connection with Processing Personal Data.
1.2 "Database" means a collection of Personal Data Processed by digital means.
1.3 “Personal Data” means data relating to an identified or identifiable person; for the purpose herein, an "identifiable person" means someone who can be identified with reasonable effort, directly or indirectly, including by means of an identifier, such as a name, ID number, biometrics, location data, online identifiers, or information pertaining to that person's physical, health, economic, social or cultural situation.
1.4 "Processing" (and its derivatives) means any action performed in relation to Personal Data, including receiving, collecting, storing, copying, consulting, disclosing, transferring, delivering or providing access to Personal Data.
2. General Provisions
2.1 Customer is the sole owner of the Databases containing the Personal Data, and nothing contained in this Part Five shall be deemed to constitute the grant of proprietary rights to the Processor in the Personal Data.
2.2 Customer may instruct the Processor regarding the manner in which the Personal Data should be Processed, and the Processor undertakes to comply with all of Customer's instructions, as shall be determined from time to time, provided that if the instructions entail material new costs to the Processor, their performance is subject to additional payment as shall be agreed upon by the parties.
2.3 The Processor shall fully cooperate with Customer and provide information and assistance reasonably requested by Customer in connection with data security issues and practices and supplementary documents, so as to allow Customer to properly address information security, privacy and regulatory matters relating to the Database.
3. Processor’s obligations regarding the processing of Personal Data
3.1 The Processor shall process the Personal Data for Customer solely in accordance with Customer’s instructions, and only in the manner determined in this Part Five, and for no other purpose, unless expressly instructed by Customer to do so.
3.2 The Processor undertakes to manage access rights to Personal Data, including providing its users with ‘Least Privileges’ based on their ‘Need to Know’, for the purpose of carrying out their tasks, and shall take measures to prevent access by unauthorized individuals to Personal Data. In addition, the Processor must maintain an up-to-date listing of all authorized individuals of the Database and prevent access to any individual who does not have the need to be exposed to the Personal Data.
3.3 The Processor shall not grant access to the Personal Data to its employees, consultants or anyone acting on its behalf, before: (a) reviewing and confirming that their background and personal integrity and reliability are suitable for a position granting them access to Personal Data; and (b) binding them to a letter of undertaking in order to maintain the confidentiality, security of information and privacy of the data subjects whose details are included in the Database. The Processor shall be liable to Customer for any act and/or omission of itself or any of its employees, advisors, Sub-contractors (as defined below) and anyone else acting on its behalf in connection with the breach of the provisions of this Part Five.
3.4 The Processor shall grant its employees access to the Database only subject to their having completed training regarding the privacy protection and information security obligations applicable to the Processor by virtue of the Applicable Law and/or this Part Five. Such training shall take place at least once every two years and as soon as possible after recruitment.
3.5 The Processor shall implement security and monitoring measures through which the Processor shall record each access made to the Database Systems (as defined below).
3.6 The Processor shall develop, implement and enforce an information security policy that shall include at least the following issues ("Information Security Policy"):
3.6.1 Mapping of all of the security measures taken by the Processor regarding the Database Systems;
3.6.2 Instructions regarding the manner in which access to the Database is managed and the means of controlling access to Personal Data and the actions taken in it.
3.6.3 Guidelines for individuals authorized to access Personal Data and Database Systems;
3.6.4 A review of the risks to which the Personal Data is exposed as part of the Processor's ongoing activities;
3.6.5 Instructions regarding the means of recording, monitoring and identifying threats to which the Database systems are exposed, and events in which there is a risk of Breach of Information Security;
3.6.6 Instructions regarding periodic audit reports as stated in section 7 below;
3.6.7 Instructions and procedures regarding periodic backup and restore of the audit data as stated;
3.6.8 Instructions regarding the manner in which development activities in the Database are performed and documented.
3.7 The Processor shall map the operational environment of the Database. In this regard, the Processor shall prepare an inventory list that includes all the data systems, software, interfaces, and infrastructures of hardware components and communications components that the Processor operates in the Database environment for the ongoing operation of the Database (the “Database Systems”). The Processor shall update the inventory list specified in this Section from time to time and shall only disclose the document to those individuals who require access to it for the performance of their job functions. The Processor shall update the aforesaid list in any case in which substantial changes to the operating environment are made on the Database Systems or in the manner in which data is being Processed.
4. Disclosure and transfer of Personal Data
4.1 The Processor shall not disclose any Personal Data that the Processor processes for Customer to any person or entity without Customer’s prior written consent, except to the extent required for the performance of Customer’s instructions in accordance with this Part Five.
4.2 If Processor desires to disclose Personal Data to a subcontractor of the Processor, or use a subcontractor to Process Personal Data (each, a "Sub-contractor"), then prior to such disclosure, the Processor shall enter into a written, valid and enforceable agreement with the Sub-contractor containing adequately protective terms on data security. Processor shall provide Customer any information reasonably requested by Customer about Processor’s use of Sub-contractors, about Sub-contractors’ Processing activities for Processor and their data security practices.
4.3 The Processor shall use accepted encryption mechanisms for each transfer of Personal Data to a third party and for any remote access to the Database Systems.
5. Retention and return of Personal Data
5.1 The Processor declares and undertakes that it shall take appropriate information security measures in order to ensure the integrity, availability, confidentiality and reliability of the Personal Data.
5.2 The Processor shall maintain logical separation between the Database Systems and the computer systems used by the Processor which are not directly related to the Processing of Personal Data for Customer. In the event of connection of the Database Systems to the Internet or to another public network, the Processor shall implement appropriate safeguards against information security issues.
5.3 The Processor shall regularly update the Database Systems, including the software, which is installed in the Database Systems, with information security updates. In operating the Database Systems, the Processor shall not use any software or hardware components whose manufacturer does not support their security aspects.
6. Transfer of Personal Data to foreign jurisdiction
6.1 The Processor shall comply with the law applicable to the transfer of Personal Data to foreign jurisdictions, including but not limited to the Protection of Privacy Regulations (Transfer of Information to Databases Outside of Israel), 5761-2001.
3.4 The Processor shall grant its employees access to the Database only subject to conducting training activities regarding the privacy protection and information security obligations applicable to the Processor by virtue of the Applicable Law and/or this Part Five. Such training shall take place at least once every two years and as soon as possible after recruiting.
3.5 The Processor shall implement security and monitoring measures through which the Processor shall record each access made to the Database Systems (as defined below).
3.6 The Processor shall develop, implement and enforce an information security policy that shall include at least the following issues ("Information Security Policy"):
3.6.1 Mapping of all of the security measures taken by the Processor regarding the Database Systems;
3.6.2 Instructions regarding the manner in which access to the Database is managed and the means of controlling access to Personal Data and the actions taken in it;
3.6.3 Guidelines for individuals authorized to access Personal Data and Database Systems;
3.6.4 A review of the risks to which the Personal Data is exposed as part of the Processor's ongoing activities;
3.6.5 Instructions regarding the means of recording, monitoring and identifying threats to which the Database Systems are exposed, and events in which there is a risk of Breach of Information Security;
3.6.6 Instructions regarding periodic audit reports as stated in section 7 below;
3.6.7 Instructions and procedures regarding periodic backup and restore of the audit data as stated;
3.6.8 Instructions regarding the manner in which development activities in the Database are performed and documented.
3.7 The Processor shall map the operational environment of the Database. In this regard, the Processor shall prepare an inventory list that includes all the data systems, software, interfaces, and infrastructures of hardware components and communications components that the Processor operates in the Database environment for the ongoing operation of the Database (the “Database Systems”). The Processor shall update the inventory list specified in this Section from time to time and shall only disclose the document to those individuals who require access to it for the performance of their job functions. The Processor shall update the aforesaid list in any case in which substantial changes to the operating environment are made on the Database Systems or in the manner in which data is being Processed.
4. Disclosure and transfer of Personal Data
4.1 The Processor shall not disclose any Personal Data that the Processor processes for Customer to any person or entity without Customer’s prior written consent, except to the extent required for the performance of Customer’s instructions in accordance with this Part Five.
4.2 If Processor desires to disclose Personal Data to a subcontractor of the Processor, or use a subcontractor to Process Personal Data (each, a "Sub-contractor"), then prior to such disclosure, the Processor shall enter into a written, valid and enforceable agreement with the Sub-contractor containing adequately protective terms on data security. Processor shall provide Customer any information reasonably requested by Customer about Processor’s use of Sub-contractors, about Sub-contractors’ Processing activities for Processor and about their data security practices.
4.3 The Processor shall use accepted encryption mechanisms for each transfer of Personal Data to a third party and for any remote access to the Database Systems.
5. Retention and return of Personal Data
5.1 The Processor declares and undertakes that it shall take appropriate information security measures in order to ensure the integrity, availability, confidentiality and reliability of the Personal Data.
5.2 The Processor shall maintain logical separation between the Database Systems and the computer systems used by the Processor which are not directly related to the Processing of Personal Data for Customer. In the event of connection of the Database Systems to the Internet or to another public network, the Processor shall implement appropriate safeguards against information security issues.
5.3 The Processor shall regularly update the Database Systems, including the software, which is installed in the Database Systems, with information security updates. In operating the Database Systems, the Processor shall not use any software or hardware components whose manufacturer does not support their security aspects.
6. Transfer of Personal Data to foreign jurisdiction
6.1 The Processor shall comply with the law applicable to the transfer of Personal Data to foreign jurisdictions, including but not limited to the Protection of Privacy Regulations (Transfer of Information to Databases Outside of Israel), 5761-2001.