Arbox Data Protection Addendum

Last Updated: November 2025


General

This Data Protection Addendum (“Agreement” or “DPA”) is made in connection with the provision of Services by Arbox Ltd. (“Arbox”), acting as the data processor, to the customer of the Services (“Customer”), acting as the data controller, in accordance with the License Agreement signed between the parties. The terms used in this Agreement shall have the meanings set forth in this Agreement. In consideration of the mutual obligations set out herein, the parties hereby agree that the terms and conditions set out below shall be added as an addendum to any previous transaction between the parties, whether oral or written.


Definitions:

  1. In this Agreement, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
    1. “Applicable Laws” means (a) European Union or Member State laws with respect to any Customer Personal Data in respect of which Customer is subject to EU Data Protection Laws; and (b) the laws of the State of Israel, including the Israeli Protection of Privacy Law, 1981, and any regulations promulgated thereunder; and (c) any other applicable law with respect to any Customer Personal Data in respect of which Customer is subject to any other Data Protection Laws;
    2. “Customer Personal Data” means any Personal Data Processed by a Contracted Processor on behalf of Customer pursuant to or in connection with the Agreement.
    3. “Contracted Processor” means Arbox or a Subprocessor.
    4. “Data Protection Laws” means any laws applicable to the processing of Customer Personal Data, including EU Data Protection Laws and the Israeli Protection of Privacy Law.
    5. “EEA” means the European Economic Area.
    6. “EU Data Protection Laws” means the GDPR and the laws implementing or supplementing the GDPR in each Member State, together with any legislation that amends, replaces or supersedes them from time to time (including, for Processing that took place before 25 May 2018, EU Directive 95/46/EC as transposed into the domestic legislation of each Member State).
    7. “GDPR” means EU General Data Protection Regulation 2016/679.
    8. “License Agreement” means the agreement signed between the parties with regard to the terms of conditions of license of the System to the Customer.
    9. “Restricted Transfer” means: (a) a transfer of Customer Personal Data from Customer to a Contracted Processor; or (b) an onward transfer of Customer Personal Data from a Contracted Processor to another Contracted Processor, or between two establishments of a Contracted Processor, in each case where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws) in the absence of the Standard Contractual Clauses to be established under the Subprocessing section below. For the avoidance of doubt: where a transfer of Personal Data is of a type authorized by Data Protection Laws in the exporting country, for example a transfer from within the European Union to a country (such as Israel) or scheme (such as the EU-U.S. Data Privacy Framework; the earlier Privacy Shield was invalidated by the Court of Justice of the European Union in 2020 and no longer qualifies) which the Commission has recognised as ensuring an adequate level of protection, or any transfer which falls within a permitted derogation, such transfer shall not be a Restricted Transfer.
    10. “Services” means the license to use the System and other services and activities to be supplied to or carried out by or on behalf of Arbox for Customer pursuant to the License Agreement.
    11. “Standard Contractual Clauses” means the standard contractual clauses for the transfer of personal data to processors in third countries adopted by the European Commission (at the date of this Agreement, those annexed to Commission Implementing Decision (EU) 2021/914), or any subsequent version thereof released by the European Commission. The current Standard Contractual Clauses are located on the European Commission’s website at: https://ec.europa.eu/info/law/law-topic/data-protection_en.
    12. “Subprocessor” means any person (including any third party, but excluding an employee of Arbox or any of its sub-contractors) appointed by or on behalf of Arbox to Process Personal Data on behalf of the Customer in connection with the Services.
  2. The terms, “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
  3. Capitalized terms which are not defined herein shall have the same meaning ascribed to them in the License Agreement.
  4. The word “include” shall be construed to mean include without limitation, and cognate terms shall be construed accordingly.

Processing of Customer Personal Data

  1. Arbox will Process Customer Personal Data in accordance with Customer’s documented instructions, unless Processing is required by Applicable Laws to which the relevant Contracted Processor is subject, in which case Arbox will, to the extent permitted by Applicable Laws, inform the Customer of that legal requirement before the relevant Processing of that Personal Data. In addition, Arbox shall immediately inform the Customer if, in its opinion, an instruction pursuant to the License Agreement infringes Data Protection Laws.
  2. The Customer:
    • instructs Arbox (and authorises Arbox to instruct each Subprocessor) to: (a) Process Customer Personal Data; and (b) in particular, transfer Customer Personal Data to any country or territory, as reasonably necessary for the provision of the Services and consistent with the terms agreed upon between the parties, whether orally or in writing.
    • warrants and represents that it is and will at all relevant times remain duly and effectively authorised to give the instruction set out in section 2.
  3. Customer is and will at all times remain the Controller of the Customer Personal Data Processed by Arbox. Customer is responsible for compliance with its obligations as a Controller under Applicable Law, in particular for justification of any transmission of Customer Personal Data to Arbox and/or any other Contracted Processor (including providing any required notices and obtaining any required consents and/or authorizations, or otherwise securing an appropriate legal basis under Applicable Law), and for Customer’s decisions and actions concerning the Processing of such Customer Personal Data.
  4. Arbox is prohibited from using or disclosing Customer Personal Data for any purpose other than (a) the specific purpose of performing the Services specified in the License Agreement; (b) maintaining, supporting, improving and developing Arbox’s products and services; and (c) complying with legal obligations and other requirements under Applicable Law and Applicable Data Protection Laws.
  5. Annex 1 to this Agreement sets out certain information regarding the Contracted Processors’ Processing of the Customer Personal Data as required by Article 28(3) of the GDPR (and, possibly, equivalent requirements of other Data Protection Laws). Nothing in Annex 1 confers any right or imposes any obligation on any party to this Agreement.

Arbox Personnel

Arbox will take reasonable steps to ensure that persons authorized to process Personal Data are subject to confidentiality undertakings or professional or statutory obligations of confidentiality, and that such persons use Personal Data only in accordance with this DPA and the License Agreement.


Personal Data Breach

  1. Arbox shall notify the Customer without undue delay after becoming aware of any Personal Data Breach that affects Customer Personal Data.
  2. Arbox shall have no liability for any claim, damage, loss, cost or expense arising out of or in connection with a Personal Data Breach to the extent such incident is caused by, results from or is contributed to by:
    • Any act or omission of the Customer or its personnel.
    • The Customer’s failure to comply with this DPA or with Applicable Data Protection Laws.
    • Any use of the Services that is not permitted under the License Agreement.
    • Any third-party products, services or systems not supplied by Arbox.
    • Any act or omission of a Subprocessor that causes or contributes to the breach.
  3. To the extent that Arbox is finally determined to be liable for a Personal Data Breach that is caused solely by Arbox’s negligence, Arbox’s aggregate liability for such incident shall be limited to an amount equal to twelve (12) months of fees actually paid by the Customer for the Services, together with the return of any prepaid fees in respect of the period following the incident. The Customer shall take all reasonable steps to mitigate any damages arising from a Personal Data Breach. Arbox shall not be liable for any damages that could have been avoided through the Customer’s reasonable mitigation efforts.

Security

  1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Arbox will, in relation to the Customer Personal Data, implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk. Such measures shall be in line with generally accepted industry standards and shall, where applicable, include the measures referred to in Article 32(1) of the GDPR and in the Privacy Protection Regulations (Information Security), 2017. Arbox shall also implement the additional security controls described in Annex 2.
  2. The Customer understands and agrees that, despite Arbox’s implementation of such safeguards, no information security program can completely eliminate risk, and Arbox therefore cannot promise that Customer Personal Data will never be subject to unauthorised access or disclosure.

Subprocessing

  1. Customer authorises Arbox to appoint (and to permit each Subprocessor appointed in accordance with this section to appoint) Subprocessors in accordance with this section.
  2. Arbox may continue to use those Subprocessors already engaged by Arbox at the date of this Agreement.
  3. Arbox will keep a list of Subprocessors and make it available for Customer’s review upon request on an annual basis or in the event that a new Subprocessor is added. Customer consents to Arbox’s use of Subprocessors in the performance of the Services.
  4. With respect to each Subprocessor, Arbox will ensure that such Subprocessor is required by written contract to abide by the same level of data protection and security as Arbox under this Agreement, as applicable to such Subprocessor’s Processing of Personal Data.
  5. If that arrangement involves a Restricted Transfer, Arbox will: (a) ensure that the Standard Contractual Clauses are at all relevant times incorporated into the agreement between Arbox on the one hand and the Subprocessor on the other; or (b) before the Subprocessor first Processes Customer Personal Data, procure that it enters into an agreement incorporating the Standard Contractual Clauses with the Customer.

Audit rights

  1. Arbox will make reasonable efforts to make available to Customer on request information necessary to demonstrate compliance with this Agreement (to the extent required by Applicable Law), and, at Customer’s expense, will make reasonable efforts to allow for and contribute to audits by Customer or an auditor mandated by Customer in relation to the Processing of the Customer Personal Data by Arbox.
  2. Customer may only mandate an auditor for the purposes of section 1 if the auditor is agreed to by Customer and Arbox and the auditor must execute a written confidentiality agreement acceptable to Arbox before conducting the audit.
  3. Customer shall give Arbox reasonable notice of any audit or inspection to be conducted under section 1 and shall (and shall ensure that each of its mandated auditors shall) avoid causing any damage, injury or disruption to Arbox’s premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit or inspection. Arbox need not give access to its premises for the purposes of such an audit or inspection:
    • to any individual unless he or she produces reasonable evidence of identity and authority.
    • outside normal business hours at those premises; and no trade secrets will be disclosed to auditors during such audit.
    • for the purposes of more than one audit or inspection in any calendar year.

Data Subject Rights

  1. Arbox will provide reasonable assistance to the Customer to handle Data Subject requests to exercise rights of access, rectification, erasure, restriction, data portability, objection and opt-out.
  2. The Customer acknowledges that it is solely responsible for receiving, assessing and responding to all Data Subject requests and for complying with all Data Protection Laws regarding Data Subject rights. Arbox’s role is purely assistive, and Arbox shall not be liable for any claims, damages, losses, costs or expenses arising out of or in connection with (i) any Data Subject rights or requests, (ii) the Customer’s compliance or non-compliance with such requests, or (iii) any delay or failure by the Customer to respond to such requests. The Customer shall not assert any claims against Arbox in this regard.
  3. If Arbox receives a Data Subject request relating to the Customer Personal Data, it will notify the Customer’s designated contact without undue delay and in any event within seven (7) days of receipt, forward the request to the Customer, and provide reasonable cooperation and assistance as needed for the Customer to meet its obligations under Data Protection Laws. If Arbox receives a query or other communication from a data protection authority relating to the Customer Personal Data, Arbox will, to the extent it is permitted to share such information under Applicable Law or any binding court order, inform the Customer and provide reasonable cooperation and assistance in connection with such query.

General Terms


Order of precedence

  1. In the event of any conflict or inconsistency between this Agreement and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
  2. With regard to the subject matter of this Agreement, in the event of inconsistencies between the provisions of this Agreement and the License Agreement and/or any other agreements between the parties, whether written or oral, including (except where explicitly agreed otherwise in writing, signed on behalf of the parties) agreements entered into or purported to be entered into after the date of this Agreement, the provisions of this Agreement shall prevail.

Severability and survival

  1. Should any provision of this Agreement be invalid or unenforceable, then the remainder of this Agreement shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
  2. This DPA shall survive termination or expiry of the License Agreement for as long as Arbox Processes Customer Personal Data. Upon such termination or expiry, Arbox shall delete all Customer Personal Data, except where retention is required by Applicable Law or necessary for the establishment, exercise or defence of legal claims. For the avoidance of doubt, fully anonymised information that no longer relates to an identified or identifiable natural person shall not be treated as Personal Data and need not be deleted. Confidentiality obligations applicable to Arbox personnel, as well as any provisions regarding remuneration, shall also survive termination or expiry of this DPA.

ANNEX 1: DETAILS OF PROCESSING OF CUSTOMER PERSONAL DATA

This Annex 1 includes certain details of the Processing of Customer Personal Data as required by Article 28(3) GDPR.


Subject matter and duration of the Processing of Customer Personal Data

The subject matter and duration of the Processing of the Customer Personal Data are set out in this Agreement.


The nature and purpose of the Processing of Customer Personal Data

Arbox and any Contracted Processor may Process Customer Personal Data for the purpose of (i) providing the Services to the Customer; (ii) complying with Customer’s documented written instructions; or (iii) complying with Applicable Law.


The types of Customer Personal Data to be Processed

Customer Personal Data typically relates to some or all of the following categories of Personal Data: personal contact information such as name, home address, home telephone or mobile number, email address, information concerning family, lifestyle and social circumstances including age, date of birth, marital status, number of children etc., identification numbers, goods and services provided, unique IDs collected from mobile devices, network carriers or data providers and IP addresses. Nevertheless, Customer has control over and determines the categories of Customer Personal Data and can configure and/or customize data fields. Customer may also include in the Customer Personal Data free text data, as well as attachments.


Special categories of Personal Data

Customer Personal Data might include, at the sole discretion of the Customer, health data.

Notwithstanding the above, Customer shall ensure that Customer Personal Data does not include any sensitive or special personal data that imposes specific data security or data protection obligations on Arbox (except as those specified in the Agreement).


The categories of Data Subject to whom the Customer Personal Data relates

Data Subjects typically include, among others, Customer’s representatives and end users, such as Customer employees, job applicants, contractors, collaborators, partners, customers and clients. Nevertheless, Customer has control over and determines the categories of Data Subjects.


Duration of Processing

Subject to any Section of this Agreement dealing with the duration of the Processing and the consequences of the expiration or termination thereof, Arbox will Process Customer Personal Data on a continuous basis for the duration of the Agreement, and as further described in the Agreement, unless otherwise agreed upon in writing.

Annex 2

Technical and Organizational Measures according to the Privacy Protection Regulations (Information Security), 2017 (“Israeli Security Regulation”)

Each measure below is listed with its description and the article of the Israeli Security Regulation to which it corresponds.

  1. Security Governance & Responsibility
     Arbox has appointed an Information Security Officer (CISO) who reports directly to senior management. The CISO is responsible for implementing, monitoring, and maintaining compliance with all information security controls and is provided with sufficient resources and independence.
     Reference: Art. 3 (Appointment and responsibilities of the Information Security Officer)

  2. Security Policies & Procedures
     Arbox maintains a documented Information Security Procedure defining administrative, physical, and technical measures. The procedure is binding for all personnel, reviewed annually, and updated following material system or process changes.
     Reference: Art. 4 (Information Security Procedure and periodic review)

  3. System Mapping & Asset Inventory
     A maintained and regularly updated inventory documents the database structure, hardware, software, network connections, and update history to ensure full visibility and control over all assets handling personal data.
     Reference: Art. 5(a)-(b) (Mapping and updated inventory of systems)

  4. Risk Assessment & Penetration Testing
     For high-security databases, regular information-security risk assessments are performed, including penetration testing (at least every 18 months), with corrective actions tracked and documented.
     Reference: Art. 5(c)-(d) (Risk survey and penetration testing)

  5. Physical & Environmental Security
     All critical systems are hosted in secure facilities with access controls (badge systems, access logs) and environmental safeguards (temperature, power, fire protection) suitable to the data’s sensitivity.
     Reference: Art. 6 (Physical and environmental protection of sites)

  6. Personnel Security & Training
     Prior to system access, personnel undergo screening, sign confidentiality undertakings, and receive mandatory security and privacy training. For medium and high security databases, refresher training occurs at least every two years and upon role change.
     Reference: Art. 7 (Employee vetting and training requirements)

  7. Access Control (Least Privilege)
     Role-based access control (RBAC) ensures permissions are limited to job requirements. Access rights and role assignments are reviewed regularly and documented in an authorization register.
     Reference: Art. 8 (Role-based access management)

  8. Identification & Authentication
     Arbox implements reasonable and appropriate measures to ensure that only authorized individuals, as defined in the current access authorization list, can access the database and its systems. For medium and high security databases, strong authentication (MFA and password policies) ensures access only by authorized users: passwords must meet complexity standards and expire within six months, sessions time out after a period of inactivity, and credentials are revoked upon termination of an individual’s engagement.
     Reference: Art. 9 (Authentication, password rotation, deprovisioning)

  9. Network & Communications Security
     Firewalls, VPNs, intrusion detection/prevention systems, and segmented networks protect the environment. Data in transit over public networks is encrypted using industry-standard protocols (TLS).
     Reference: Art. 14 (Network protection and encryption requirements)

  10. System Hardening & Patch Management
     Arbox maintains secure system configurations and separates production systems from test/development environments. Software and hardware are regularly updated; unsupported systems are prohibited unless compensating controls are in place.
     Reference: Art. 13 (System maintenance and updates)

  11. Portable Media & Endpoints
     Use of portable devices is restricted. When permitted, data is encrypted at rest and in transit using industry-standard encryption methods (for example AES-256).
     Reference: Art. 12 (Portable device restrictions and encryption)

  12. Monitoring, Logging & Audit Trails
     For medium and high security databases, automated logging records access attempts, the system components accessed, and the actions performed. Logs are reviewed regularly and retained securely for at least 24 months.
     Reference: Art. 10; Art. 17(a) (Logging and retention)

  13. Incident Response & Reporting
     Documented procedures define detection, containment, and escalation processes. Serious incidents are reported to the regulator and to data subjects where required. Lessons learned are incorporated into the procedures.
     Reference: Art. 11 (Incident management and reporting)

  14. Backup, Restoration & Disaster Recovery
     For medium and high security databases, scheduled backups are performed with verification, secure storage, and managerial approval for restoration. Restore actions and the personnel responsible for them are documented, and restoration is periodically tested.
     Reference: Art. 17(b); Art. 18(a)-(b) (Backup and restore procedures)

  15. Business Continuity
     Business continuity and disaster-recovery plans ensure availability and integrity of personal data and critical systems in case of failure or disruption.
     Reference: Art. 13 and Art. 18 (System management and recovery readiness)

  16. Third-Party Risk & Outsourcing Controls
     Before engaging third-party processors, Arbox assesses security risks and includes mandatory contractual clauses covering permitted data, purpose, access, confidentiality, sub-processing, and breach notification. Arbox exercises ongoing oversight of such processors and requires annual reporting from them.
     Reference: Art. 15 (Outsourcing agreements and risk management)

  17. Periodic Audits
     For medium and high security databases, independent or internal audits are conducted at least every 24 months to verify compliance with the Israeli Security Regulation and internal policies, with remediation actions tracked and approved.
     Reference: Art. 16 (Periodic audits)

  18. Data & Log Retention
     Security-related logs and records are retained for at least 24 months in a secure manner, with backup copies ensuring restorability.
     Reference: Art. 17 (Secure retention of logs and backups)

Contact Us

If you have any questions regarding this Data Protection Addendum you can contact us via email at: info@arboxapp.com, or via postal mail at: Kineret 5, Bnei Barak, Israel.
