Data processing agreement (‘DPA’)

Last Updated: July 1st, 2021

General, subject matter and term of the DPA

  1. This DPA forms part of the Terms and Conditions of your Principal Agreement (as defined below), Privacy Policy and any other applicable terms governing the use of the services provided to you according to the Principal Agreement (collectively the “Topicx Policies”). The terms of the Topicx Policies shall apply to this DPA as applicable. In the event of contradiction between this DPA and any of the Topicx Policies, the provisions of this DPA shall govern. Any capitalized term not defined herein shall have the meaning ascribed to it in the Topicx Policies.
  2. The subject matter of this DPA is the performance of the services by the Processor according to the Principal Agreement (as defined below).
  3. The term of this DPA shall commence and terminate along with the term of the principal agreement executed by and between you (the “Processor”) and Topicx Customer Experience Systems Ltd., registration no. 516223344, of 2, Hamanit St. (the “Controller”), according to which the Processor provides certain services to the Controller (the “Principal Agreement”).
  4. Notwithstanding the above, this DPA may be terminated for important cause by either party with immediate effect. Such important cause may include but is not limited to: if there is a material breach of the provisions of this agreement by the Processor, for example because the Processor is unable or unwilling to comply with data protection instructions issued by the Controller, or the Processor refuses an inspection by the Controller in violation of this contract.

The nature and purpose of the data processing

Controller’s Rights and Obligations

  1. The Controller remains responsible vis-à-vis the data subjects and ensures that the data processing will be carried out in accordance with the relevant provisions of applicable data protection law, including the GDPR as applicable, and therefore shall be the responsible data Controller in terms of applicable data protection laws.
  2. Subject to section X in this agreement, the Controller is solely responsible for obtaining from the data subjects which are its customers all the required consents with respect to the processing of their personal data according to this agreement, including their explicit consent for the processing of special categories of data as defined in the GDPR and for profiling, all as applicable according to the applicable law. ANY BREACH OF THIS SECTION BY THE CONTROLLER SHALL BE CONSIDERED AS A MATERIAL BREACH OF THIS AGREEMENT.
  3. The Controller has the right to give further instructions to the Processor concerning the data processing.
  4. For this purpose, the persons authorized on the part of the Controller to issue instructions shall be those persons the Controller notifies to the Processor during their engagement.
  5. The recipients of the instructions on the part of the Processor are: Lyron Wahrmann.
  6. Changes of the persons entitled to receive or to issue instructions are to be communicated to the respective contractual partner immediately in writing, including in electronic form (e.g. e-mail).
  7. The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes applicable data protection law. The Processor shall then be entitled to suspend the execution of the relevant instruction until the Controller confirms or changes it. The Controller shall inform the Processor without undue delay if errors or irregularities are detected in the examination of the contract results.

Processing, rectification, restriction and erasure of data by the Processor

  1. The Processor may solely process personal data on behalf of the Controller pursuant to this DPA and, as the case may be, according to the instructions of the Controller and exclusively for the purposes stated in this DPA. The Processor may not process personal data for any other purposes unless required under applicable law; in the latter case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
  2. Copies or duplicates of the data shall never be created without the knowledge of the Controller, with the exception of copies as far as they are necessary to ensure orderly data processing or orderly performance of (remote) maintenance as well as data required to meet regulatory requirements to retain data.
  3. The Processor ensures that the data provided by the Controller or collected on its behalf will be processed and stored strictly separated from the data stocks of other commissioned processing/orders, for which a logical separation is sufficient.
  4. The Processor shall not rectify, delete or restrict the processing of the data processed within the scope of the commission on an unauthorized basis, but only according to the documented instructions of the Controller. Where a data subject contacts the Processor directly in this respect, the Processor shall immediately forward this request to the Controller.
  5. Information to third parties or the data subject may only be provided by the Processor with prior written authorization of the Controller.
  6. Insofar as the scope of services comprises them, the deletion concept, right to be forgotten, rectification, data portability and access by the data subject are to be ensured directly by the Processor in accordance with the documented instructions of the Controller.

Quality assurance and other obligations of the Processor

In addition to complying with the provisions of this contract, the Processor has legal obligations under Articles 28 to 33 GDPR; in this respect, the parties agree on the following:

Audit rights and assistance obligations

Deletion and return of personal data

Subcontracting

Technical and Organizational Measures

Liability

Miscellaneous

Annex 1: TOMs – Technical and organizational measures

Minimum requirements for the technical and organizational measures (TOM)

Annex 2: Description of the technical-organizational measures (TOM) of the Processor

(If necessary to be replaced by already existing TOM of the Processor.)

1. Confidentiality (Article 32 paragraph 1 lit. b GDPR)
Physical Access Control, e.g.: magnetic or chip cards, keys, electronic door openers, facility security services and/or entrance security staff, alarm systems, video/CCTV systems

Topicx services are deployed on the Azure cloud and in Azure data centers (https://azure.microsoft.com).

Topicx services are also deployed on the Amazon Web Services cloud and in AWS data centers (https://aws.amazon.com).

Access to Topicx offices is controlled with a key card to enter the building and a code to enter specific offices.

Electronic Access Control, e.g.: (secure) passwords, automatic blocking/locking mechanisms, two-factor authentication, encryption of data carriers/storage media

The Topicx office environment is hosted on Microsoft Office 365 and protected via multi-factor authentication provided by Microsoft.

All production system access is limited to the production team.

Internal access control (permissions for user rights of access to and amendment of data), e.g.: rights authorization concept, need-based rights of access, logging of system access events

Access to data is limited to authorized personnel:

1. Inside Topicx portal
2. Access to Azure
3. Access to infrastructure services: 360Dialogue
4. Roles and permissions inside Topicx services

Isolation Control, e.g.: multiple client support, sandboxing

Topicx systems are separated into different areas, each with its own access control:
1. Development environment
2. Production environment
3. Within the production environment, separate logical instances

Pseudonymization - if possible taking into account the purpose of processing (article 32 paragraph 1 lit. a GDPR; article 25 paragraph 1 GDPR):

Replacement of the name and other identifiers by a pseudonym (usually a multi-digit letter or number combination, e.g. numeric personnel or customer numbers or user IDs) to impede the attribution of data and persons. Personal data will then only be processed on the basis of the pseudonym, and additional information that allows a connection to the person will be kept separately and will be subject to appropriate technical and organizational measures.

Personal data is stored separately in two databases: one that includes only a pseudo ID and the other that contains the personal identification details. Data is merged only when required during the interaction with the customer.
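The two-database split described above, as an added illustration that is not Topicx's code and does not reflect its actual schema: the identity store maps a random pseudonym to name and e-mail, the interaction store holds operational records keyed only by that pseudonym, and the two are joined only at the moment an agent needs the full picture. The table layouts, the choice of a random token (rather than a hash of the e-mail address) as the pseudonym, and the use of two in-memory SQLite connections to stand in for two separate database instances are all assumptions made for the example. The erasure function shows the practical consequence of the separation: dropping the linking record leaves the interaction history in place but unattributable.

```python
import secrets
import sqlite3
from typing import Dict, List, Optional, Tuple

# Assumption: two independent SQLite connections stand in for two separately
# hosted databases with separate credentials. Nothing below is Topicx's schema.


def open_identity_db() -> sqlite3.Connection:
    """Store holding the additional information that links a pseudonym to a person."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE identity ("
        "pseudonym TEXT PRIMARY KEY, name TEXT NOT NULL, email TEXT NOT NULL)"
    )
    return db


def open_interaction_db() -> sqlite3.Connection:
    """Store holding operational records; it never contains names or e-mail addresses."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE interaction ("
        "id INTEGER PRIMARY KEY AUTOINCREMENT, pseudonym TEXT NOT NULL, "
        "channel TEXT NOT NULL, message TEXT NOT NULL)"
    )
    return db


def new_pseudonym() -> str:
    # A random 128-bit token. A hash of the e-mail address would look similar but
    # could be reversed by hashing guessed addresses, which would defeat the separation.
    return secrets.token_hex(16)


def register_customer(identity_db: sqlite3.Connection, name: str, email: str) -> str:
    """Create the linking record in the identity store and hand back only the pseudonym."""
    pseudonym = new_pseudonym()
    with identity_db:
        identity_db.execute(
            "INSERT INTO identity (pseudonym, name, email) VALUES (?, ?, ?)",
            (pseudonym, name, email),
        )
    return pseudonym


def record_interaction(
    interaction_db: sqlite3.Connection, pseudonym: str, channel: str, message: str
) -> None:
    """Write an operational record keyed by pseudonym only."""
    with interaction_db:
        interaction_db.execute(
            "INSERT INTO interaction (pseudonym, channel, message) VALUES (?, ?, ?)",
            (pseudonym, channel, message),
        )


def interactions_for(interaction_db: sqlite3.Connection, pseudonym: str) -> List[Tuple[str, str]]:
    """Everything the interaction store knows about a pseudonym: no identity needed."""
    return interaction_db.execute(
        "SELECT channel, message FROM interaction WHERE pseudonym = ? ORDER BY id",
        (pseudonym,),
    ).fetchall()


def merged_view(
    identity_db: sqlite3.Connection, interaction_db: sqlite3.Connection, pseudonym: str
) -> Optional[Dict[str, object]]:
    """Join the two stores only when an agent actually needs the customer's identity."""
    who = identity_db.execute(
        "SELECT name, email FROM identity WHERE pseudonym = ?", (pseudonym,)
    ).fetchone()
    if who is None:
        return None  # no linking record: the history cannot be attributed to a person
    return {
        "name": who[0],
        "email": who[1],
        "interactions": interactions_for(interaction_db, pseudonym),
    }


def erase_identity(identity_db: sqlite3.Connection, pseudonym: str) -> int:
    """Handle an erasure request by deleting the linking record; returns rows removed."""
    with identity_db:
        cur = identity_db.execute("DELETE FROM identity WHERE pseudonym = ?", (pseudonym,))
    return cur.rowcount


if __name__ == "__main__":
    ident, inter = open_identity_db(), open_interaction_db()
    # Constructed sample customer and message, not real data.
    p = register_customer(ident, "Alice Example", "alice@example.test")
    record_interaction(inter, p, "whatsapp", "Hello, I need help with my order")
    print(merged_view(ident, inter, p))
    erase_identity(ident, p)
    print(merged_view(ident, inter, p), interactions_for(inter, p))
```

The interaction store is the one most application code touches; because it carries only the pseudonym, a compromise or an over-broad query against it yields records that cannot be attributed without separate access to the identity store.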

2. Integrity (Article 32 Paragraph 1 lit. b GDPR)
Data Transfer Control, e.g.: encryption, virtual private networks (VPN), electronic signature

All data transfer between servers is performed using encryption or within a secured network.

Data entry control, e.g.: logging, document management

Topicx services have extensive logs of all operations performed, and new logs are added when a new requirement is defined.

3. Availability and Resilience (Article 32 Paragraph 1 lit. b GDPR)
Availability control (article 32 paragraph 1 lit. c GDPR) e.g.: backup strategy (online/offline; on-site/off-site), uninterruptible power supply (UPS), virus protection, firewall, reporting procedures and contingency planning

Topicx services have been built on top of the Microsoft Azure cloud with the necessary measures to enable security, integrity and resilience of all systems.

Rapid recovery (article 32 paragraph 1 lit. c GDPR)

Processes are defined in order to be able to recover entire services in case of need.

4. Procedures for regular testing, assessment and evaluation (Article 32 Paragraph 1 lit. d GDPR; article 25 paragraph 1 GDPR)
Data Protection Management, e.g.: availability of a data protection management system (data protection guidelines), documentation of the data protection measures taken.

N/A

Incident-Response-Management

N/A

Data protection by design and default (Article 25 paragraph 2 GDPR), e.g.: minimization of the processing of personal data, early pseudonymization, transparency with regard to the functions and processing of personal data

The Topicx platform takes data protection requirements into account in its design.

Contract control, e.g.: clear and unambiguous contractual arrangements, formalized order management, strict controls on the selection of the service providers, duty of pre-evaluation, supervisory follow-up checks

All required measures are being taken for contract control.

Annex 3: List of approved subcontractors

The Controller authorizes the engagement of the following subcontractors:

Name of the subcontractor
Type of subcontracting
Address (location) of the company and if not corresponding: the location of data processing

Amazon - AWS

Server
Storage
Cloud services

Amazon Web Services EMEA SARL, 38 avenue John F. Kennedy, L-1855 Luxembourg, R.C.S. Luxembourg B186284

Amazon Web Services EMEA SARL [Israel Branch], Azrieli Sharona tower, 121st Menachem Begin Road, 28 Floor, Tel-Aviv, 6701203, Israel, number of corporation 560034407

Microsoft - Azure

Server
Storage
Cloud services

Microsoft Ireland Operations Limited
One Microsoft Place
South County Business Park
Leopardstown
Dublin 18, D18 P521
Ireland
VAT Reg. No. IE 8256796 U

360Dialogue

360dialog GmbH
Torstraße 61
10119 Berlin
Germany
https://www.360dialog.com/en/

The Processor shall inform the Controller of any intended changes concerning the replacement of the subcontractors listed above. The Processor shall not replace a subcontractor without the prior specific written authorization of the Controller.