This Data Processing Addendum ("Addendum") forms an integral part of the agreement (the "Agreement") entered into between the customer ("Customer") and Glassix Solutions Ltd. ("Company," and together with the Customer, the "Parties"), or, if applicable, through the Company's authorized reseller (the "Reseller"). This Addendum governs the processing of Personal Data by the Company in connection with the provision of services to the Customer as set forth in the Agreement (the "Services").
To the extent the Services are sold through a Reseller, Company's notification obligations under this Addendum may be provided directly to the Reseller. This Addendum is effective from the Service commencement date ("Effective Date").
Non-material amendments to this Addendum are effective upon publication on Company's website. Material changes shall be sent to the Customer or Reseller, as applicable.
1. Definitions and Schedules
1.1. Unless otherwise defined herein, capitalized terms and expressions used in this Addendum shall have the following meaning:
1.1.1. "Customer Data" means any Personal Data processed by Company in provision of the Services, however, specifically excluding Usage Data.
1.1.2. "Database", "Processing", "Sensitive Data", "Security Breach", "Controller" and "Processor" shall have the meanings ascribed to them in the Data Protection Laws.
1.1.3. "Data Subjects" means the Customer's end-users and/or individual clients whose Personal Data is processed as part of the Customer Data.
1.1.4. "Data Protection Laws" means the Israeli Privacy Protection Law ("PPL"), the regulations promulgated pursuant thereto, and the applicable guidelines issued by the Privacy Protection Authority ("Israeli Data Protection Legislation"), and the Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and applicable EU Member State laws implementing or supplementing the GDPR ("GDPR"), where applicable, all as amended, replaced or superseded from time to time.
1.1.5. "EEA" means the European Economic Area.
1.1.6. "Personal Data" means any information relating to an identified or identifiable natural person, including "Data" and "Sensitive Data" (as these terms are defined in the PPL).
1.1.7. "Usage Data" means data and information generated by or derived from the access to, use of, or operation of the Services, including technical, diagnostic, analytics, and performance data, but excluding any data that identifies Customer, its users, or any individual, or that constitutes Customer Data.
1.2. The Schedules to this Addendum are as follows: Schedule A - Details of Processing; Schedule B - Security Measures; Schedule C - List of Subprocessors.
1.3. The Schedules to this Addendum form an integral part of this Addendum and are to be read concomitantly.
1.1. The Parties acknowledge and agree that with regard to the Processing of Customer Data, under the Data Protection Laws, the Customer is the Controller or the Owner of the Database and the Company is the Processor or the Holder of the Database, as such terms are defined under applicable laws.
1.2. Notwithstanding the above, regarding the Usage Data, Company is the Controller or the Owner of the Database.
1.3. If the Agreement between the Parties is entered into through the Company's authorized reseller, both the Company and the Reseller shall be individually, and not jointly, responsible for complying with the Data Protection Laws applicable to each of them.
1.4. Customer Data, which the Company is entitled to process solely for the Purpose (as defined below), may include any and all information, text, graphics, videos, or other material that the Customer posts, links, stores, shares, or otherwise makes available through the use of the Services.
1.5. Company is aware that the Customer retains any and all rights, title and interest in the Database and the Customer Data (including, without limitation, the Personal Data incorporated therein).
1.6. The Customer is solely responsible for providing any required notices to its end-users (Data Subjects) regarding the processing of their Personal Data and for obtaining any necessary consent for such processing. To the extent such notification or consent is required to be provided using the Services, such notification or consent shall be made at the Customer's request and according to the Customer's instructions. The Company has no responsibility or obligation to notify the Data Subjects directly or to obtain their consent.
2. Company's Undertakings
2.1. The Purpose. The Company shall only process the Customer Data on behalf of Customer for the purpose of providing the Services for the Customer, according to the terms set forth in the Agreement and the EULA, and not for any other purpose (above and herein: the "Purpose").
2.2. Instructions. Company will not process Customer Data other than on documented instructions from Customer, the EULA and this Addendum, and solely for the Purpose. Any other Processing shall only be permitted in the event that such processing is required by law or a binding order of a governmental body to which Company is subject, in which case Company shall inform Customer of that requirement before engaging in such processing, unless applicable law prohibits such information on important grounds of public interest. Company shall immediately inform Customer in writing if, in Company's opinion, an instruction could violate Data Protection Laws, and if Company determines that it can no longer meet its obligations under this Addendum or Data Protection Laws.
2.3. Security Measures. Company warrants that it complies with the security obligations under the Data Protection Laws for the required security level of the Database, and maintains appropriate technical and organizational measures to protect the security, confidentiality and integrity of Customer Data, including (without limitation) against unauthorized or unlawful processing, accidental or unlawful destruction, loss, alteration or damage, and unauthorized disclosure, use of, or access to Customer Data. Such measures may be updated at the Company's discretion as long as they do not materially decrease the overall security of the Services (as detailed in Schedule A) during the term of the Agreement.
2.4. Data Subject Rights. Company shall promptly notify Customer in writing if it receives a request from a Data Subject to exercise its rights under Data Protection Laws ("Data Subject Request"). Company shall assist Customer, at the Customer's cost (if any such costs are incurred), by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer's obligation to respond to a Data Subject Request under Data Protection Laws, and shall comply with Customer's instructions in this regard. Company shall not respond directly to a Data Subject Request; any such response shall be executed by the Customer.
3. Reports
3.1. Upon Customer's written request, once a year (except in the event of a Security Breach), Company shall provide Customer with reasonable cooperation, assistance and information needed to fulfil its obligations under Data Protection Laws.
3.2. Company shall notify Customer immediately, and no later than 24 hours after becoming aware of a Security Breach. Company shall make reasonable efforts to identify the cause of such Security Breach, provide Customer with the information as may be requested by it (including, without limitation, a description of the measures taken or proposed to be taken to address the Security Breach, including measures to mitigate its possible adverse effects) and take the steps necessary and reasonable in order to remediate the cause of such Security Breach. To the extent required, Company shall provide reasonable cooperation to Customer in its notification of the supervisory authority and, if applicable, the Data Subjects.
4. Company's Personnel
4.1. Company shall ensure that any personnel engaged on its behalf in the provision of the Services for the Purpose (a) are informed of the confidential nature of such Customer Data, (b) have executed written confidentiality agreements or are under an appropriate statutory obligation of confidentiality materially similar to the confidentiality obligations under the Agreement, (c) shall implement appropriate security measures and use or access Customer Data only for the Purpose, and (d) undergo data protection and security training as required by Data Protection Laws.
5. Audit Rights
5.1. Company acknowledges that: (a) Customer, upon a reasonable request and reasonable prior written notice, has the right to monitor and supervise Company's compliance with the terms herein and Data Protection Laws by making available information which is reasonably necessary to demonstrate compliance; (b) in the event of a Security Breach or as required by any applicable supervisory authority, and subject to providing prior written notice, Customer or the applicable supervisory authority (as the case may be) shall be entitled to audit Company's compliance with this Addendum and Data Protection Laws, and Company undertakes to reasonably cooperate with such audit and provide relevant information in its possession, as reasonably required. Any information obtained through such audit shall be deemed Company's Confidential Information and shall be subject to compliance with confidentiality obligations.
6. Subcontractors
6.1. Company transfers Customer Data to a third party acting on the Customer's behalf to provide services to the Customer ("Subcontractor"). The Company publishes the list of Subcontractors to its website available at: https://www.glassix.com/glassix-sub-processors making it publicly accessible, and will update the list with any addition or replacement of the Subcontractors ("New Subcontractor"). Company may engage with the New Subcontractor by providing thirty (30) days prior notice ("Notice Period") of its intention to do so to Customers (such notice can be provided through the website or by a notice in the product or via email, as applicable). If the Customer does not object to the addition or replacement of a Subcontractor within the Notice Period, such Subcontractor shall be deemed approved. In the event the Customer objects to the addition or replacement of a Subcontractor within such Notice Period, the Company may suggest the engagement of a different Subcontractor for the same course of services, or otherwise the Customer may terminate the Agreement where the Services cannot be reasonably provided under such circumstances.
6.2. Company shall enter into written agreements with each Subcontractor and New Subcontractor, binding them by at least the same terms and obligations that apply to the Company under this Addendum, mutatis mutandis. As of the date hereof, Company represents that with respect to each existing Subcontractor as published in the link mentioned above, Company has concluded an agreement no less onerous than this Addendum.
7. Location of Customer Data
7.1. The Parties agree that the Company processes Customer Data within the EEA or transfers Customer Data based on an adequacy decision under Data Protection Laws. For Customers whose data is not subject to Data Protection Laws, the Company shall maintain Customer Data in locations consistent with generally accepted industry standards for data security and privacy, which may include locations outside the EEA or Israel.
7.2. With respect to Customers subject to Data Protection Laws, the Company shall (and shall ensure that each Subcontractor shall) process Customer Data only in Israel, the EEA, a Member State of the European Union, the United Kingdom, or in other territories outside such jurisdictions, provided that (i) appropriate contractual agreements and transfer mechanisms as required by applicable Data Protection Laws have been executed, and (ii) such agreements and mechanisms ensure a level of protection for Personal Data equivalent to that required under applicable Data Protection Laws.
8. Return and deletion of Customer Data
8.1. At the earlier of: (a) a written request of the Customer or (b) termination or expiration of the Agreement for any reason, the Company undertakes to delete or return all Customer Data to the Customer within 30 days of such request or termination, and to delete any copies, extracts and other objects or items in which it can be contained or embodied, in any environment. The deletion must be documented, and after deletion is completed, Company shall provide the Customer with written confirmation of the deletion of the Customer Data.
8.2. The Company shall not be required to delete electronic files created during the routine course of automated backup procedures, provided that such electronic backup files are stored in a manner that prevents unauthorized access to or use of the Customer Data. In any event, backup copies containing Customer Data shall not be retained for longer than two (2) years. Any Customer Data stored or retained electronically by the Company shall remain subject to the obligations set forth in this Addendum for as long as such Customer Data is retained or stored. This provision shall remain in effect even after the expiration or termination of the Agreement.
8.3. The Company may retain Customer Data to the extent and for such period as required by applicable laws or for the purpose of defending against legal proceedings.
9. Government Authority Requests
9.1. Where Company receives any subpoena, warrant or other judicial, regulatory, governmental or administrative order by a government or quasi-governmental or other regulatory authority (including law enforcement or intelligence agencies) seeking or requiring access to or disclosure of Personal Data ("Government Authority Request"), to the fullest extent permitted by applicable law, Company shall without undue delay notify the Customer in writing of such Government Authority Request so that Customer may contest or seek to narrow such disclosure or seek a protective order or other appropriate remedy. Company shall have no obligation to notify Customer if such notification is prohibited by applicable law.
9.2. Company shall cooperate with and take reasonable steps to assist Customer to contest or seek to narrow such Government Authority Request, obtain a protective order or seek another remedy.
9.3. Where any attempt to contest or to seek to narrow such Government Authority Request, or to obtain a protective order or seek another remedy, is not successful so that some or all of the Customer Data is required to be disclosed, Company shall take steps to furnish only the minimum amount of Customer Data legally required to be disclosed.
9.4. Company maintains a written record of all Government Authority Requests and will provide a copy to Customer upon request.
10. Governing Law and Jurisdiction
10.1. This Agreement is governed by the laws of Israel.
10.2. Any dispute arising in connection with this Agreement which the Parties are not able to resolve amicably will be submitted to the exclusive jurisdiction of the competent courts of Tel Aviv.
11. Miscellaneous
11.1. The terms and conditions set out herein shall be added as an Addendum to the Agreement.
11.2. Except to the extent modified herein, the terms of the Agreement shall remain in full force and effect.
11.3. In the event of inconsistencies between the provisions of this Addendum and the Agreement, the provisions of this Addendum shall prevail with respect to the subject matter herein.
11.4. Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (a) amended as necessary to ensure its validity and enforceability, while preserving the Parties' intentions as closely as possible or, if this is not possible, (b) construed in a manner as if the invalid or unenforceable part had never been contained therein.
Schedule A - Details of Processing
Categories of data subjects whose personal data is transferred:
Any category of individuals to which belong the personal data submitted by the Customer into the Services.
Categories of personal data transferred:
As detailed above, including any personal data uploaded by the Customer's end user. It is hereby clarified that both the End User and the Customer independently determine which data to upload and which Customer databases to connect to the Services. The Company does not participate in or influence these decisions.
Categories of Sensitive data:
Depending on the end-user's or Customer's use case of the Services.
The frequency of the transfer:
Continuous basis, as uploaded by the Customer and provided by the end user.
Nature of the processing:
Collect, store, transfer, host, use, modify, perform, display, reproduce, and distribute data, generate outputs, troubleshoot technical issues, respond to suspected information security and cybersecurity incidents, and pseudonymize or anonymize data to minimize privacy and information security risks.
Purpose(s) of the data transfer and further processing:
The provision, maintenance and support of the Services to the Customers.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:
Personal Data will be retained during the term of the Services and will be deleted in accordance with Section 9 of the DPA.
Schedule B - Security Measures
1. General Commitment:
The Company shall implement and maintain appropriate technical and organizational measures to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access, and against all other unlawful forms of processing, in accordance with the Data Protection Laws.
2. Access Control
Access to Customer Data is limited to authorized personnel on a need-to-know basis. Access rights are reviewed regularly and revoked immediately upon role change or termination. Multi-factor authentication (MFA) is enforced for all privileged and standard accounts accessing Customer Data.
Each employee is assigned a unique, high-security password for computer access; all systems are configured to automatically lock after a period of inactivity and require password re-entry; employee passwords are changed automatically at regular intervals; access to production environments and actual Customer Data is strictly limited based on job function and the "need-to-know" principle.
3. Encryption
Customer Data is encrypted in transit and at rest. Personal Data is pseudonymized where appropriate.
4. Vulnerability Management & Penetration Testing
Regular vulnerability assessments and penetration tests are conducted as required in the Data Protection Laws. High-risk vulnerabilities are remediated before production deployment; medium and low risks are addressed per documented remediation plans. The Company operates bug bounty programs on a periodic basis to enhance its security posture and engage with the security research community.
5. Logging and Monitoring
Access to systems processing Customer Data is logged, including user identity, timestamp, access type, and outcome. Logs are retained for at least 24 months and protected against tampering or unauthorized deletion. Intrusion detection and prevention systems are implemented where appropriate.
6. Backup and Restore
Company maintains backup and restore procedures to ensure the availability and integrity of Customer Data. Company performs regular backups of systems and databases and stores backup copies securely in accordance with industry standards. Company tests its backup and restore procedures and means on a regular basis to verify that data can be restored effectively when needed. Such tests are conducted at least annually and following significant system changes. Company will address any issues identified in its backup and restore processes to maintain effective data protection and recovery capability.
7. Disaster Recovery
Company maintains a Disaster Recovery Plan to ensure continuity of services and protection of Customer Data in the event of significant disruptions, including system outages, cyberattacks, or other incidents. Company's disaster recovery procedures include defined recovery objectives and are tested periodically to ensure effectiveness. Company reviews and updates its disaster recovery plan on a regular basis. Such reviews and updates are conducted at least annually.
8. Physical Security
Physical access to offices and data centers is restricted to authorized personnel and monitored by security controls (e.g., key cards, CCTV, guards). No Customer Data is stored at the Company's offices; all Customer Data is stored at certified providers that operate data centers and comply with relevant standards. Company office entrances remain locked and are accessible only through designated entry systems (e.g., intercom, access codes). Office premises are secured 24/7 through locks, surveillance cameras, and automated monitoring systems that provide alerts in case of unauthorized access. Restricted areas containing sensitive information or equipment are subject to additional access controls.
9. Personnel Security
Background checks are conducted on employees and contractors before granting access to Customer Data, subject to applicable law. Personnel are required to sign confidentiality and data protection agreements.
10. Change Management
All changes to production systems are subject to documented change management procedures, including peer review, approval, and testing.
11. Incident Response & Breach Notification
The Company maintains an Incident Response Plan (IRP) covering preparation, detection, containment, investigation, remediation, and recovery. In the event of a confirmed security breach affecting Customer Data, the Company will without further delay and no later than 24 hours notify the Customer, providing relevant details and updates as information becomes available. In case of a reasonable suspicion of a security breach affecting Customer Data, the Company will notify the Customer no later than 24 hours, providing all relevant details and updates as information becomes available.
12. Vendor Management
The Company conducts due diligence on all subcontractors and service providers accessing Customer Data, ensuring they meet equivalent security standards. Subcontractors are required to sign data processing and confidentiality agreements.
13. Secure Development
Company follows secure development practices in the design, development, and deployment of systems and applications used in connection with the Services, ensuring that security considerations are integrated throughout the development process. Company implements secure coding practices and conducts regular security assessments to identify and address potential vulnerabilities in its systems and applications. Company's secure development practices are aligned with recognized industry standards.
14. Cloud Security and Access Management
The Company implements and maintains access controls and security measures for cloud-based systems and data repositories:
a. Access to cloud systems for maintenance and administration purposes is restricted to authorized personnel only, based on role and responsibility;
b. All cloud access requires multi-factor authentication, including complex passwords and additional verification methods;
c. Automatic session timeout is configured for all cloud accounts;
d. All credentials for cloud systems are stored in a secure password management solution with appropriate access controls;
e. Access to cloud-based data repositories is restricted by IP address filtering and/or through secure VPN connections;
f. Access to customer environments is permitted only with the customer's explicit approval, with access granted for a pre-defined, limited time window and subject to monitoring.
15. Artificial Intelligence (AI) Security
The Company implements and maintains appropriate technical and organizational measures to ensure the secure development, deployment, and use of Artificial Intelligence (AI) systems that process Customer Data. Such measures include, at a minimum:
a. Ensuring that AI systems are designed and operated following Data Protection Laws, industry standards, and ethical guidelines;
b. Implementing safeguards to prevent unauthorized access, misuse, or unintended disclosure of Customer Data by or through AI systems;
c. Not using Customer Data, or permitting Customer Data to be used, to train, retrain, fine-tune, or otherwise improve any artificial intelligence or machine learning models, except for the purpose of providing the specific service to the Customer or where expressly authorized in writing by the Customer;
d. Maintaining transparency regarding the use of AI systems in processing Customer Data, including providing information to the Customer upon request regarding the nature and purpose of such processing;
e. Regularly reviewing and updating AI-related security measures to address emerging risks and technological developments.
Schedule C - List of Subprocessors
Subprocessors list available at: https://www.glassix.com/glassix-sub-processors