This Data Processing Addendum (“Addendum”) forms part of the Terms of Use Agreement (“Agreement”) entered into between:
(i) Complyt Technologies Ltd., with principal place of business at 7 Menachem Begin road, Ramat Gan, 5268102, Israel (“Complyt” or the “Data Processor”); and
(ii) [Customer / Data Controller], with principal place of business at [Customer’s Address].
The terms used in this Addendum shall have the meanings set forth in this Addendum. Capitalised terms not otherwise defined herein shall have the meaning given to them in the Agreement. Except as modified below, the terms of the Agreement shall remain in full force and effect.
In consideration of the mutual obligations set out herein, the parties agree that the terms and conditions set out below shall be added as an Addendum to the Agreement. Except where the context requires otherwise, references in this Addendum to the Agreement are to the Agreement as amended, and including, this Addendum.
- Definitions
In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
- “Applicable Laws” means (a) European Union law or any laws of a member state of the European Union to which Complyt or Customer is subject; and (b) any other applicable law to which Complyt or Customer is subject;
- “SCC” means the applicable module of the standard contractual clauses for the transfer of Personal Data pursuant to the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN;
- “Customer Personal Data” means any Personal Data which may be Processed by Complyt on behalf of Customer, pursuant to or in connection with the Agreement;
- “Data Protection Legislation” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), as amended from time to time, or any regulation replacing Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, and the relevant applicable Israeli data protection and privacy law;
- “EU” means the European Union;
- “EEA” means the European Economic Area. The GDPR applies to the European Economic Area (EEA), which includes all EU countries as well as Iceland, Liechtenstein and Norway;
- “GDPR” means EU General Data Protection Regulation 2016/679;
- “Services” means the provision of a cloud-based SaaS platform which provides an all-in-one solution for effortless, accurate, and efficient sales tax compliance across the US, as defined in the Agreement;
- “Sub-processor” means any person (excluding an employee of Complyt or any of its sub-contractors) appointed by or on behalf of Complyt to Process Personal Data on behalf of Customer in connection with the Agreement;
- “Supervisory Authority” means (a) an independent public authority which is established by a member state of the European Union pursuant to Article 51 GDPR; and (b) any similar regulatory authority responsible for the enforcement of Data Protection Legislation; and
- “Term” means the term of the Agreement, as defined therein.
- The terms “Controller”, “Processor”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, and “Processing” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
- Processing of Customer Personal Data
- The parties acknowledge that Customer is the Controller and shall comply with the obligations of a Controller under the GDPR and that Complyt is acting in the capacity of a Processor. Customer will comply with all obligations applicable to a Controller pursuant to the Data Protection Legislation.
- Complyt shall Process Customer’s Personal Data on the documented instructions of Customer, unless otherwise required by an Applicable Law to which Complyt is subject, in which case Complyt shall notify Customer if, in its opinion, any instruction infringes the Data Protection Legislation or other Union or Member State data protection provisions, unless that law prohibits such notification. Such notification will not constitute a general obligation on the part of Complyt to monitor or interpret the laws applicable to Customer, and such notification will not constitute legal advice to Customer.
- Customer warrants that it has all the necessary rights to give access to and to provide the Personal Data to Complyt for the Processing to be performed in relation to the Services, and that one or more lawful bases set forth in Data Protection Legislation support the lawfulness of the Processing.
- Annex 1 to this Addendum sets out certain information required by Article 28(3) of the GDPR according to which Personal Data may be Processed by Complyt. Customer warrants that it is an accurate reflection of the Processing activities pursuant to this Addendum and the Agreement.
- Confidentiality
Without prejudice to any existing contractual arrangements between the parties, Complyt shall ensure that any person who it authorizes to Process the Personal Data on its behalf, shall be subject to a duty of confidentiality.
- Security
Taking into account the measures required by Article 32 of the GDPR, the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Complyt shall implement appropriate technical and organizational measures to ensure a level of security of the Processing of Personal Data appropriate to the risk. Such measures are detailed under Annex 2 and may be updated by Complyt from time to time, provided that such updates shall not materially decrease the protection of Personal Data for Data Subjects.
- Sub-processing
- Customer authorizes Complyt to appoint (and permit each Sub-processor to appoint) Sub-processors listed under Annex 3 attached hereto, and in accordance with this Addendum and any restrictions in the Agreement.
- Complyt shall inform Customer as soon as reasonably practicable of any intended changes concerning the addition or replacement of any of the Authorized Sub-Processors that will Process any Customer Personal Data (“New Sub-Processor”). If, within 14 calendar days of receipt of that notice, Customer notifies Complyt in writing of any objections, made on reasonable grounds, to the proposed appointment of a New Sub-Processor, the parties will endeavor to agree (acting reasonably), without undue delay, the commercially reasonable steps to be taken to ensure that the New Sub-Processor is compliant with Article 28(4) of the GDPR. In the absence of a resolution, Complyt will make commercially reasonable efforts to provide Customer with the same level of service described in the Agreement without using the objected-to Sub-Processor to Process Customer’s Personal Data.
- Where the Customer reasonably argues that the risks involved with the Sub-processing activities are still unacceptable in the context of Article 28(4) and in relation to the appropriate steps within the requisite time frame, and the parties are unable to resolve the issues within such time frame, Customer’s sole remedy will be to terminate the Agreement.
- With respect to each Sub-processor, Complyt shall ensure that the Sub-processor is bound by data protection obligations compatible with those of the Data Processor under this Addendum.
- Data Subject Rights
- Complyt shall assist Customer, according to Customer’s reasonable instructions, to comply with requests received from Data Subjects to exercise their rights pursuant to Chapter III of the GDPR and the Data Protection Legislation, with regard to accessing Customer’s Personal Data held by Complyt.
- Personal Data Breach
- When Complyt becomes aware of a data breach that has a material impact on the Processing of Personal Data that is the subject of the Agreement, it shall notify Customer about the data breach. Complyt shall cooperate with Customer and follow Customer’s reasonable instructions with regard to such data breach, to enable Customer to perform an investigation into the data breach, formulate a correct response and take suitable further steps in respect of the data breach.
- Complyt shall, at Customer’s cost, cooperate with Customer and take the reasonable commercial steps which shall reasonably be instructed by Customer, to assist in the investigation and mitigation of every occurring Personal Data Breach.
- Deletion or Return of Customer Personal Data
- Subject to section 8.3, Customer may in its discretion, by written notice to Complyt within 30 calendar days of the termination of the Agreement, require Complyt to (a) return a complete copy of all Customer’s Personal Data to the Customer; and (b) delete all other copies of Customer’s Personal Data Processed by any Sub-processor. Complyt shall comply with any such written request within 60 calendar days of the termination of the Agreement.
- When relevant, Complyt shall notify the relevant Sub-processors, who are Processing Personal Data on its behalf, of the termination of the Addendum.
- Each Sub-processor may retain Customer’s Personal Data to the extent and for such period as required by Applicable Laws.
- Audit Rights
- Subject to sections 9.2 and 9.3, Complyt shall make available to Customer, upon a reasonable request, information which is reasonably necessary to demonstrate compliance with Article 28(3) of the GDPR.
- Where applicable, if Customer is not otherwise satisfied by its audit rights pursuant to the Agreement, Complyt shall, at the Customer’s cost, allow for audits in relation to the Processing of the Customer’s Personal Data by Complyt, provided that:
- Customer shall give Complyt a reasonable notice of any audit to be conducted; and
- Customer shall take reasonable steps (and shall procure that each of its mandated auditors takes reasonable steps) to minimize disruption to Complyt’s business in the course of such audit, and such audits shall be conducted during normal working hours.
- Complyt may object to an auditor mandated by Customer if the auditor is, in Complyt’s opinion, not suitably qualified or independent, a competitor of Complyt, or otherwise manifestly unsuitable. In the event of such an objection, Customer shall appoint another auditor or conduct the audit itself.
- Transfers
- Information may be transferred to third party companies and individuals located in a country outside of the EEA in order to facilitate Complyt’s Services. To the extent that Complyt or its Sub-processors Process Customer Personal Data in countries outside of the EEA that do not provide an adequate level of data protection, as determined by the European Commission or other competent authority, the applicable module of the SCC shall apply and shall be incorporated herein upon execution of this Addendum by the parties, or Complyt shall otherwise ensure that the continuity of protection of Personal Data is maintained for any respective onward transfers. With respect to each such data transfer, Complyt shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, and when required shall implement supplemental security measures, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the likelihood of a risk to the rights and freedoms of natural persons. Annex II of the SCC shall be deemed completed with the information set out in Annex 2 to this Addendum.
- To the extent that Complyt or Customer is relying on a specific statutory mechanism to legitimize international data transfers and that mechanism is subsequently modified, revoked, or held by a court of competent jurisdiction to be invalid, Complyt and Customer agree to cooperate in good faith to promptly suspend the transfer or to pursue a suitable alternate mechanism that can lawfully support the transfer.
- General Terms
- Order of Precedence. With regard to the subject matter of this Addendum, in the event of inconsistencies between the provisions of this Addendum and any other agreements between the parties, including the Agreement, the provisions of this Addendum shall prevail.
- Changes in Data Protection Legislation. If any variation is required to this Addendum as a result of a change in Data Protection Legislation, then either party may provide written notice to the other party of that change of law. The parties shall discuss the change in Data Protection Legislation and negotiate in good faith with a view to agreeing on any necessary variations to this Addendum to address such changes, including any resulting charges.
- Severance. Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
ANNEX 1 – DETAILS OF PROCESSING OF CUSTOMER PERSONAL DATA
This Annex 1 includes certain details of the Processing of Customer’s Personal Data.
Subject Matter and Duration of the Processing of Customer’s Personal Data
The subject matter and duration of the Processing of Customer’s Personal Data are set out in the Agreement and this Addendum.
The Nature and Purpose of the Processing of Customer’s Personal Data
Complyt provides a cloud-based SaaS solution to Customer to achieve a high level of sales tax compliance across the US. In the course of the provision of Complyt’s Services, Complyt may Process the Personal Data received from Customer.
Special Categories of Personal Data to be Processed
N/A.
The Categories of Data Subject to whom the Personal Data Relates
Names, email addresses, country and state of employment of certain employees as shall be determined by Customer.
The Obligations and Rights of Complyt
The obligations and rights of Complyt are set out in the Agreement and this Addendum.
ANNEX 2 – SECURITY MEASURES
- Complyt shall establish a procedure for allowing access to Personal Data and restriction of such access. Complyt shall ensure that access to Personal Data is strictly limited to those individuals who “need to know” or need to access the Personal Data and as strictly necessary for the purpose of providing the Service and shall keep record of the persons authorized to access the Personal Data subject of the Agreement.
- Complyt shall take all steps reasonably necessary to ensure the reliability of the individuals who may have access to Personal Data and shall ensure that each such individual (i) is informed of the confidential nature of the Personal Data; (ii) has received appropriate training on his/her responsibilities; and (iii) is subject to written confidentiality undertakings and written security protocols.
- Complyt shall implement physical measures to ensure that access to the Personal Data is granted only to authorized users.
- Complyt shall maintain and implement sufficient and appropriate (based on the type of Personal Data and its sensitivity) environmental, physical and logical security measures with respect to the Personal Data and to Complyt’s system infrastructure, data processing system, communication means, terminals, system architecture, hardware and software, in order to prevent penetration of and unauthorized access to Customer’s Personal Data, Customer’s systems, or the communication lines between Complyt and Customer.
- Complyt shall list all components (infrastructure and software) used to Process the Personal Data subject to the Agreement, including computer systems, communication equipment, and software. Complyt shall use such list to continuously monitor such components and to identify weaknesses and risks, for the purpose of implementing appropriate security measures to mitigate them.
- Complyt shall act in accordance with an appropriate information security policy and working procedures that comply with the security requirements under this Annex and Data Protection Legislation, including with respect to backup and recovery procedures. Complyt shall review its security policies and operating procedures periodically.
- Complyt shall take measures to record the access to the Personal Data, including monitoring the entry into the facilities where the Personal Data is Processed, as well as any equipment brought in or taken out of such facilities.
- Complyt shall implement an automatic control mechanism for verifying access to systems containing Personal Data, which shall record, inter alia, the user identity, the date and time of the access attempt, the system component that was the subject of the access attempt, the type and scope of access, and whether access was granted or denied. Complyt shall periodically review the information from the control mechanism, and shall list issues and irregularities found and the measures taken to handle them.
- Complyt will perform security risk surveys of systems containing Personal Data at least once every 12 months.
- Complyt will not transmit Personal Data over a public communications network or via the internet without using industry-standard encryption methods.
ANNEX 3 – LIST OF SUB-PROCESSORS
| Name of Sub-processor | Description of the Services Provided |
|---|---|
| AWS – ECS | Complyt uses ECS Fargate as its production infrastructure to host and monitor containers. As these containers process our customers’ data, this is a core production component that handles data. |
| MongoDB Atlas – Hosted on AWS | Complyt utilizes MongoDB as its main DB. Complyt uses Atlas to manage the DB cluster. The cluster is hosted on AWS as well. |
| Auth0 | Complyt utilizes Auth0 for user management, authentication, and authorization purposes. |