This Data Processing Addendum ("Addendum") forms an integral part of the agreement (the “Agreement”) entered into between the customer ("Customer") and Glassix Solutions Ltd. ("Company," and together with the Customer, the “Parties”), or, if applicable, through the Company's authorized reseller (the “Reseller”). This Addendum governs the processing of Personal Data by the Company in connection with the provision of services to the Customer as set forth in the Agreement (the "Services").
To the extent the Services are sold through a Reseller, Company’s notification obligations under this Addendum may be provided directly to the Reseller. This Addendum is effective from the Service commencement date ("Effective Date").
Non-material amendments to this Addendum are effective upon publication on Company's website. Material changes shall be sent to the Customer or Reseller, as applicable.
1. Definitions and Schedules
1.1. Unless otherwise defined herein, capitalized terms and expressions used in this Addendum shall have the following meaning:
1.1.1. “Customer Data” means any Personal Data processed by Company in provision of the Services, however, specifically excluding Usage Data.
1.1.2. “Database”, “Processing”, “Sensitive Data”, “Security Breach”, “Controller” and “Processor” shall have the meanings ascribed to them in the Data Protection Laws.
1.1.3. “Data Subjects” means the Customer's end-users and/or individual clients whose Personal Data is processed as part of the Customer Data.
1.1.4. “Data Protection Laws” means the Israeli Privacy Protection Law (“PPL”), the regulations promulgated pursuant thereto, and the applicable guidelines issued by the Privacy Protection Authority (“Israeli Data Protection Legislation”), and the Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and applicable EU Member State laws implementing or supplementing the GDPR (“GDPR”), where applicable, all as amended, replaced or superseded from time to time.
1.1.5. “EEA” means the European Economic Area;
1.1.6. “Personal Data” means any information relating to an identified or identifiable natural person, including "Data" and "Sensitive Data" (as these terms are defined in the PPL).
1.2. The Schedules to this Addendum are as follows: Schedule A - Details of Processing; Schedule B - Security Measures; Schedule C - List of Subprocessors.
1.3. The Schedules to this Addendum form an integral part of this Addendum and are to be read concomitantly.
2. Authorizations and Compliance
2.1. The Parties acknowledge and agree that with regard to the Processing of Customer Data, under the Data Protection Laws, the Customer is the Controller or the Owner of the Database and the Company is the Processor or the Holder of Database, as such terms are defined under applicable laws.
2.2. Notwithstanding the above, regarding the Usage Data, Company is the Controller or the Owner of the Database.
2.3. If the Agreement between the Parties is entered into through the Company's authorized reseller, both the Company and the Reseller shall be individually, and not jointly, responsible for complying with the Data Protection Laws applicable to each of them.
2.4. Customer Data, which the Company is entitled to process solely for the Purpose (as defined below), may include any and all information, text, graphics, videos, or other material that the Customer posts, links, stores, shares, or otherwise makes available through the use of the Services.
2.5. Company is aware that the Customer retains any and all rights, title and interest in the Database and the Customer Data (including, without limitations, to the Personal Data incorporated therein).
2.6. The Customer is solely responsible for providing any required notices to its end-users (Data Subjects) regarding the processing of their Personal Data and for obtaining any necessary consent for such processing. To the extent such notification or consent is required to be provided using the Services, such notification or consent shall be made at the Customer's request and according to the Customer's instructions. The Company has no responsibility or obligation to notify the Data Subjects directly or to obtain their consent.
3. Company's Undertakings
3.1. The Purpose. The Company shall only process the Customer Data on behalf of Customer for the purpose of providing the Services for the Customer, according to the terms set forth in the Agreement and the Services Terms of Service, and not for any other purpose (above and herein: the "Purpose").
3.2. Instructions. Company will not process Customer Data other than on documented instructions from Customer, the Services’ Terms of Service and this Addendum and solely for the Purpose. Any other Processing shall only be permitted in the event that such processing is required by law or binding order of a governmental body to which Company is subject, in which case Company shall inform Customer of that requirement before engaging in such processing, unless applicable law prohibits such information on important grounds of public interest. Company shall immediately inform Customer in writing, if in Company’s opinion an instruction could violate Data Protection Laws and if Company determines that it can no longer meet its obligation under this Addendum or Data Protection Law.
3.3. Security Measures. Company warrants that it complies with the security obligations under the Data Protection Laws for the required security level of the Database, and maintains appropriate technical and organizational measures to protect the security, confidentiality and integrity of Customer Data, including (without limitation) against unauthorized or unlawful processing, accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure, use, or access to Customer Data. Such measures may be updated at the Company’s discretion as long as they will not materially decrease the overall security of the Services (as detailed in Schedule A) during the term of the Agreement.
3.4. Data subject rights. Company shall promptly notify Customer in writing if it receives a request from a Data Subject to exercise its rights under Data Protection Laws ("Data Subject Request"). Company shall assist Customer, at the Customer’s cost (if any such costs are incurred), by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer's obligation to respond to a Data Subject Request under Data Protection Laws, and comply with Customer's instruction in this regard. Company shall not respond directly to Data Subject Request, and any such response shall be executed by the Customer.
4. Reports
4.1. Upon Customer’s written request, once a year (except in the event of Security Breach), Company shall provide Customer with reasonable cooperation, assistance and information needed to fulfil their obligation under Data Protection Laws.
4.2. Company shall notify Customer immediately, and no later than 24 hours after becoming aware of a Security Breach. Company shall make reasonable efforts to identify the cause of such Security Breach, provide Customer with the information as may be requested by it (including, without limitations, a description of the measures taken or proposed to be taken to address the Security Breach, including measures to mitigate its possible adverse effects) and take the steps necessary and reasonable in order to remediate the cause of such a Security Breach. To the extent required, Company shall provide reasonable cooperation to Customer in its notification of the supervisory authority and, if applicable, Data Subjects.
5. Company's Personnel
5.1. Company shall ensure that any personnel engaged on its behalf in the provision of the Services for the Purpose (a) are informed of the confidential nature of such Customer Data, (b) have executed written confidentiality agreements or appropriate statutory obligation of confidentiality materially similar to the confidentiality obligations under the Agreement (c) shall implement appropriate security measures and use or access to Customer Data only for the Purpose and (d) undergo data protection and security training as required by Data Protection Laws.
6. Audit Rights
6.1. Company acknowledges that: (a) Customer, upon a reasonable request and reasonable prior written notice, has the right to monitor and supervise Company's compliance with the terms herein and Data Protection Laws by making available information which is reasonably necessary to demonstrate compliance; (b) in the event of Security Breach or as required by any applicable supervisory authority, and subject to providing prior written notice, Customer or the applicable supervisory authority (as the case may be) shall be entitled to audit Company's compliance with this Addendum and Data Protection Laws, and Company undertakes to reasonably cooperate with such audit, and provide relevant information in its possession, as reasonably required. Any information obtained through such audit shall be deemed Company's Confidential Information and shall be subject to compliance with confidentiality obligations.
7. Subcontractors
7.1. Company transfers Customer Data to a third party acting on the Customer’s behalf to provide services to the Customer ("Subcontractor"). The Company publishes the list of Subcontractors to its website available at: https://www.glassix.com/glassix-sub-processors, making it publicly accessible, and will update the list with any addition or replacement of the Subcontractors ("New Subcontractor"). Company may engage with the New Subcontractor by providing thirty (30) days prior notice (“Notice Period”) of its intention to do so to Customers (such notice can be provided through the website or by a notice in the product or via email, as applicable). If the Customer does not object to the addition or replacement of a Subcontractor within the Notice Period, such Subcontractor shall be deemed approved. In the event the Customer objects to the addition or replacement of a Subcontractor within such Notice Period, the Company may suggest the engagement of a different Subcontractor for the same course of services or otherwise the Customer may terminate the Agreement where the Services cannot be reasonably provided under such circumstances.
7.2. Company shall enter into written agreements with each Subcontractor and New Subcontractor, binding them by at least the same terms and obligations that apply to the Company under this Addendum, mutatis mutandis. As of the date hereof, Company represents that with respect to each existing Subcontractor as published in the link mentioned above Company has concluded an agreement no less onerous than this Addendum.
8. Location of Customer Data
8.1. The parties agree that the Company processes Customer Data within the EEA or transfers Customer Data based on an adequacy decision under Data Protection Laws. For Customers whose data is not subject to Data Protection Laws, the Company shall maintain Customer Data in locations consistent with generally accepted industry standards for data security and privacy, which may include locations outside the EEA or Israel.
8.2. With respect to Customers subject to Data Protection Laws, the Company shall (and shall ensure that each Subcontractor shall), process Customer Data only in Israel, the EEA, a Member State of the European Union, the United Kingdom, or in other territories outside such jurisdictions, provided that (i) appropriate contractual agreements and transfer mechanisms as required by applicable Data Protection Laws have been executed, and (ii) such agreements and mechanisms ensure a level of protection for Personal Data equivalent to that required under applicable Data Protection Laws.
9. Return and deletion of Customer Data
9.1. At the earlier of: (a) a written request of the Customer or (b) termination or expiration of the Agreement for any reason, the Company undertakes to delete or return all Customer Data to the Customer within 30 days of such request or termination, and to delete any copies, extracts and other objects or items in which it can be contained or embodied, in any environment. The deletion must be documented, and after deletion is completed, Company shall provide the Customer with written confirmation of the deletion of the Customer Data.
9.2. The Company shall not be required to delete electronic files created during the routine course of automated backup procedures, provided that such electronic backup files are stored in a manner that prevents unauthorized access to or use of the Customer Data. Any Customer Data stored or retained electronically by the Company shall remain subject to the obligations set forth in this Addendum for as long as such Customer Data is retained or stored. This provision shall remain in effect even after the expiration or termination of the Agreement.
9.3. The Company may retain Customer Data to the extent and for such period as required by applicable laws or for the purpose of defending against legal proceedings.
10. Government Authority Requests
10.1. Where Company receives any subpoena, warrant or other judicial, regulatory, governmental or administrative order by a government or quasi-governmental or other regulatory authority (including law enforcement or intelligence agencies) seeking or requiring access to or disclosure of Personal Data ("Government Authority Request"), to the fullest extent permitted by applicable law, Company shall without undue delay notify the Customer in writing of such Government Authority Request so that Customer may contest or seek to narrow such disclosure or seek a protective order or other appropriate remedy. Company shall have no obligation to notify Customer if such notification is prohibited by applicable law.
10.2. Company shall cooperate with and take reasonable steps to assist Customer to contest or seek to narrow such Government Authority Request, obtain a protective order or seek another remedy.
10.3. Where any attempt to contest, or to seek to narrow such Government Authority Request, or obtain a protective order or seek another remedy is not successful so that some or all of the Customer Data is required to be disclosed, Company shall take steps to furnish only the minimum amount of Customer Data legally required to be disclosed.
10.4. Company maintains a written record of all Government Authority Requests and provides a copy to Customer, upon request.
11. Governing law and Jurisdiction
11.1. This Agreement is governed by the laws of Israel.
11.2. Any dispute arising in connection with this Agreement, which the Parties will not be able to resolve amicably, will be submitted to the exclusive jurisdiction of the Tel Aviv competent courts.
12. Miscellaneous
12.1. The terms and conditions set out herein shall be added as an Addendum to the Agreement.
12.2. Except to the extent modified below, the terms of the Agreement shall remain in full force and effect.
12.3. In the event of inconsistencies between the provisions of this Addendum and the Agreement, the provisions of this Addendum shall prevail with respect to the subject matter herein.
12.4. Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (a) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (b) construed in a manner as if the invalid or unenforceable part had never been contained therein.
Schedule A - Details of Processing
Categories of data subjects whose personal data is transferred:
Any category of individuals to which belong the personal data submitted by the Customer into the Services.
Categories of personal data transferred:
As detailed above, including any personal data uploaded by the Customer’s end user. It is hereby clarified that both the End User and the Customer independently determine which data to upload and which Customer databases to connect to the Services. The Company does not participate in or influence these decisions.
Categories of Sensitive data:
Depending on the end-user or Customer’s use case of the Services.
The frequency of the transfer:
Continuous basis, as uploaded by the Customer and provided by the end user.
Nature of the processing:
Collect, store, transfer, host, use, modify, perform, display, reproduce, and distribute data, generate outputs, troubleshoot technical issues, respond to suspected information security and cybersecurity incidents, and pseudonymize or anonymize data to minimize privacy and information security risks.
Purpose(s) of the data transfer and further processing:
The provision, maintenance and support of the Services to the Customers.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:
Personal Data will be retained during the term of the Services and will be deleted in accordance with Section 9 of the DPA.
Schedule B - Security Measures
1. General Commitment:
The Company shall implement and maintain appropriate technical and organizational measures to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access, and against all other unlawful forms of processing, following The Data Protection.
2. Access Control
Access to Customer Data is limited to authorized personnel on a need-to-know basis. Access rights are reviewed regularly and revoked immediately upon role change or termination. Multi-factor authentication (MFA) is enforced for all privileged and standard accounts accessing Customer Data.
Each employee is assigned a unique, high-security password for computer access; all systems are configured to automatically lock after a period of inactivity and require password re-entry; employee passwords are changed automatically at regular intervals; access to production environments and actual Customer Data is strictly limited based on job function and the "need-to-know" principle.
3. Encryption
Customer Data is encrypted in transit and at rest. Personal Data is pseudonymized where appropriate.
4. Vulnerability Management & Penetration Testing
Regular vulnerability assessments and penetration tests are conducted as required in the Data Protection Laws. High-risk vulnerabilities are remediated before production deployment; medium and low risks are addressed per documented remediation plans. The Company operates bug bounty programs on a periodic basis to enhance its security posture and engage with the security research community.
5. Logging and Monitoring
Access to systems processing Customer Data is logged, including user identity, timestamp, access type, and outcome. Logs are retained for at least 24 months and protected against tampering or unauthorized deletion. Intrusion detection and prevention systems are implemented where appropriate.
6. Backup and Restore
Company maintains backup and restore procedures to ensure the availability and integrity of Customer Data. Company performs regular backups of systems and databases and stores backup copies securely in accordance with industry standards. Company tests its backup and restore procedures and means on a regular basis to verify that data can be restored effectively when needed. Such tests are conducted at least annually and following significant system changes. Company will address any issues identified in its backup and restore processes to maintain effective data protection and recovery capability.
7. Disaster Recovery
Company maintains a Disaster Recovery Plan to ensure continuity of services and protection of Customer Data in the event of significant disruptions, including system outages, cyberattacks, or other incidents. Company's disaster recovery procedures include defined recovery objectives and are tested periodically to ensure effectiveness. Company reviews and updates its disaster recovery plan on a regular basis. Such reviews and updates are conducted at least annually.
8. Physical Security
Physical access to offices and data centers is restricted to authorized personnel and monitored by security controls (e.g., key cards, CCTV, guards). No Customer Data is stored at the Company’s offices; all Customer Data is stored at certified providers that operate data centres and comply with relevant standards.
Company office entrances remain locked and are accessible only through designated entry systems (e.g., intercom, access codes). Office premises are secured 24/7 through locks, surveillance cameras, and automated monitoring systems that provide alerts in case of unauthorized access. Restricted areas containing sensitive information or equipment are subject to additional access controls.
9. Personnel Security
Background checks are conducted on employees and contractors before granting access to Customer Data, subject to applicable law. Personnel are required to sign confidentiality and data protection agreements.
10. Change Management
All changes to production systems are subject to documented change management procedures, including peer review, approval, and testing.
11. Incident Response & Breach Notification
The Company maintains an Incident Response Plan (IRP) covering preparation, detection, containment, investigation, remediation, and recovery. In the event of a confirmed security breach affecting Customer Data, the Company will without further delay and no later than 24 hours notify the Customer, providing relevant details and updates as information becomes available. In case of a reasonable suspicion of a security breach affecting Customer Data, the Company will notify the Customer no later than 24 hours, providing all relevant details and updates as information becomes available.
12. Vendor Management
The Company conducts due diligence on all subcontractors and service providers accessing Customer Data, ensuring they meet equivalent security standards. Subcontractors are required to sign data processing and confidentiality agreements.
13. Secure Development
Company follows secure development practices in the design, development, and deployment of systems and applications used in connection with the Services, ensuring that security considerations are integrated throughout the development process. Company implements secure coding practices and conducts regular security assessments to identify and address potential vulnerabilities in its systems and applications. Company's secure development practices are aligned with recognized industry standards.
14. Cloud Security and Access Management
The Company implements and maintains access controls and security measures for cloud-based systems and data repositories:
a. Access to cloud systems for maintenance and administration purposes is restricted to authorized personnel only, based on role and responsibility;
b. All cloud access requires multi-factor authentication, including complex passwords and additional verification methods;
c. Automatic session timeout is configured for all cloud accounts;
d. All credentials for cloud systems are stored in a secure password management solution with appropriate access controls;
e. Access to cloud-based data repositories is restricted by IP address filtering and/or through secure VPN connections;
f. Access to customer environments is permitted only with the customer’s explicit approval, with access granted for a pre-defined, limited time window and subject to monitoring.
15. Artificial Intelligence (AI) Security
The Company implements and maintains appropriate technical and organizational measures to ensure the secure development, deployment, and use of Artificial Intelligence (AI) systems that process Customer Data. Such measures include, at a minimum:
a. Ensuring that AI systems are designed and operated following Data Protection Laws, industry standards, and ethical guidelines;
b. Implementing safeguards to prevent unauthorized access, misuse, or unintended disclosure of Customer Data by or through AI systems;
c. Maintaining transparency regarding the use of AI systems in processing Customer Data, including providing information to the Customer upon request regarding the nature and purpose of such processing;
d. Regularly reviewing and updating AI-related security measures to address emerging risks and technological developments.
Schedule C - List of Subprocessors
Subprocessors list available at https://www.glassix.com/glassix-sub-processors