DATA PROCESSING AGREEMENT

[Recently updated: January 1, 2022]

This Data Processing Agreement (“DPA”) is an integral part of the Service Agreement executed between Namogoo and the Client (as defined in the applicable master services agreement “MSA” or “Agreement” signed between the parties). Capitalized terms not defined herein shall have the respective meanings given to them in the Agreement. This DPA sets forth the Parties’ responsibilities and obligations regarding the Processing of Personal Data or Personal Information during the course of the engagement between the Parties.

1. DEFINITIONS

1.1 “Adequate Country” is a country that has an adequacy decision from the European Commission. 

1.2 “CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et seq.

1.3 “Controller”, “Processor”, “Personal Data”, “Data Subject”, “Processing” (and “Process”), “Personal Data Breach” and “Special Categories of Personal Data” shall all have the meanings given to them in EU Data Protection Law. The terms “Personal Information”, “Business”, “Business Purpose”, “Consumer”, “California Consumer”, “Service Provider” and “Sell” shall have the meanings ascribed to them in the CCPA. “Data Subject” shall also mean and refer to “Consumer” as such term is defined in the CCPA. “Personal Data” shall also mean “Personal Information” for the purpose of this DPA. 

1.4 “Client Data” means Personal Information or Personal Data which is processed by Namogoo solely on behalf of Client, as detailed in ANNEX I.

1.5 “Data Protection Law” means any and all applicable privacy and data protection laws and regulations, including, where applicable, EU Data Protection Law and the CCPA, and including, where applicable, the Israeli Privacy Protection Law, 5741-1981, the regulations promulgated pursuant thereto, including the Israeli Privacy Protection Regulations (Data Security), 5777-2017, and other related privacy regulations (“Israeli Law”), all as may be amended or superseded from time to time. 

1.6 “EU Data Protection Law” means (i) the EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”); (ii) Regulation 2018/1725; (iii) the EU e-Privacy Directive (Directive 2002/58/EC), as amended (“e-Privacy Law”); (iv) any national data protection laws made under, pursuant to, replacing or succeeding (i) and (ii); and (v) any legislation replacing or updating any of the foregoing. 

1.7 “Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data of the other party. For the avoidance of doubt, any Personal Data Breach will comprise a Security Incident. 

1.8 “Standard Contractual Clauses” means the standard contractual clauses for the transfer of Personal Data to third countries pursuant to the GDPR, adopted by European Commission Decision 2021/914 of 4 June 2021, which are attached herein by linked reference: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN.  

1.9 “UK GDPR” means the Data Protection Act 2018 and the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419).

1.10 “UK SCC” means where the UK GDPR applies, the standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR for transferring Personal Data outside of the EEA or UK.

2. RELATIONSHIP OF THE PARTIES 

2.1 The parties acknowledge that the Client is the Controller of the Client Data and Namogoo, in providing the Service is acting as a Processor on behalf of Client. For the purpose of the CCPA (and to the extent applicable), the Client is the Business, and Namogoo is the Service Provider. 

2.2 The subject matter and duration of the Processing carried out by the Processor on behalf of the Controller, the nature and purpose of the Processing, the type of Personal Data, and the categories of Data Subjects are described in ANNEX I attached hereto.

3. REPRESENTATIONS 

3.1 The Client represents and warrants that the Processing of Client Data is in compliance with Data Protection Law, including by establishing a lawful basis if and as required, and that the instructions provided to Namogoo shall comply with applicable Data Protection Law. In the event EU Data Protection Law or the CCPA does not apply to the Client, the Client must abide by whatever other Data Protection Laws and data security laws and regulations are applicable to it, and at a minimum: (i) obtain and maintain any and all authorizations, permissions and informed consents, as may be necessary under applicable laws and regulations, in order to allow Namogoo to lawfully process and use the Client Data within the scope of the Services; and (ii) have, properly publish and abide by an appropriate privacy policy that complies with all applicable Data Protection Laws.

3.2 Namogoo represents and warrants that (i) it shall process the Personal Data on behalf of Client solely for the purpose of providing the Services and for the pursuit of a Business Purpose as set forth under the CCPA, all in accordance with Client’s written instructions, including as set forth in the Agreement and this DPA; and (ii) in the event Namogoo is required under applicable laws to Process Client Data other than as instructed by Client, Namogoo shall use its best efforts to inform Client of such requirement prior to Processing such Client Data, unless prohibited under applicable law.

3.3 Namogoo shall take reasonable steps to ensure (i) the reliability of its staff and any other person acting under its supervision who may come into contact with or otherwise have access to and Process the Client Data; (ii) that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; and (iii) that such personnel are aware of their responsibilities under this DPA and any Data Protection Laws.

4. DATA SUBJECT RIGHTS

4.1 When Namogoo receives a request from a Data Subject (“DSR”) or a request from an authority, with respect to Client Data, Namogoo will, unless otherwise required under applicable laws, direct the Data Subject or the authority to the Client in order to enable the Client to respond directly. Both parties shall provide each other with commercially reasonable cooperation and assistance in relation to the handling of a DSR. 

4.2 Where applicable, Namogoo shall assist the Client to ensure that Client Data Processed is accurate and up to date by informing the Client without delay if Namogoo becomes aware that the Client Data it is processing is inaccurate or has become outdated.

5. DO NOT SELL PERSONAL INFORMATION 

5.1 It is hereby agreed that any Processing and sharing of Personal Data between the parties is done solely in order to fulfill a Business Purpose and shall not be considered a “sale” under the CCPA. 

6. SUB-PROCESSOR

6.1 Client acknowledges that Namogoo may transfer Personal Data to and otherwise interact with third-party data Processors (“Sub-Processors”). The Client hereby authorizes Namogoo to engage and appoint such Sub-Processors to Process Personal Data, and permits each Sub-Processor to appoint a further Sub-Processor on its behalf. Namogoo may continue to use those Sub-Processors already engaged by Namogoo, as listed in ANNEX III, and Namogoo may engage an additional or replace an existing Sub-Processor to process Personal Data subject to providing 30 days’ prior notice to the Client. In case the Client has not objected to the addition or replacement of a Sub-Processor within that period, such Sub-Processor shall be considered approved by the Client. In the event the Client objects, in good faith, its sole remedy is to terminate the Agreement.

6.2 Namogoo shall, where it engages any Sub-Processor, impose, through a legally binding contract between Namogoo and the Sub-Processor, data protection obligations no less onerous than those set out in this DPA on the Sub-Processor. Namogoo shall ensure that such contract will require the Sub-Processor to provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the Data Protection Law.

6.3 Namogoo shall remain fully responsible for the performance of each Sub-Processor’s obligations, and shall notify the Client of any failure by a Sub-Processor to fulfill its contractual obligations.

7. TECHNICAL AND ORGANIZATIONAL MEASURES

7.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, and without prejudice to any other security standards agreed upon by the parties, Namogoo shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk and in accordance with best industry practices to protect data from a Security Incident. The parties acknowledge that security requirements are constantly changing and that effective security requires frequent evaluation and regular improvement of outdated security measures.

7.2 The technical and organizational measures implemented by Namogoo to ensure an appropriate level of security are further detailed in ANNEX II.

8. SECURITY INCIDENT

8.1 Namogoo will notify Client upon becoming aware of any confirmed Security Incident involving Client Data, as determined by Namogoo in its sole discretion. Namogoo will, in connection with any Security Incident affecting Client Data: (i) take the steps needed to contain, remediate, minimize any effects of and investigate the Security Incident and to identify its cause; (ii) cooperate with the Client and provide the Client with such assistance and information as it may reasonably require in connection with the Security Incident; (iii) notify Client in writing of any request, inspection, audit or investigation by a supervisory authority or other authority; (iv) keep the Client informed of all material developments in connection with the Security Incident and execute a response plan to address the Security Incident; and (v) cooperate with and assist the Client, at the Client’s expense, with the Client’s obligation to notify affected individuals, if required.

8.2 Namogoo’s notification regarding or response to a Security Incident under this Section 8 shall not be construed as an acknowledgment by Namogoo of any fault or liability with respect to the Security Incident.

9. AUDIT RIGHTS

9.1 Namogoo shall respond to inquiries from the Client regarding the Processing of Personal Data in accordance with this DPA and shall further make available to the Client all information necessary to demonstrate compliance with the obligations under EU Data Protection Law.

9.2 Namogoo shall make available, solely upon prior written notice and no more than once per year (except in the event of a Security Incident), to a reputable auditor nominated by Client, information necessary to reasonably demonstrate compliance with this DPA, and shall allow for audits, including inspections, by such reputable auditor solely in relation to the Processing of the Client Data (“Audit”) in accordance with the terms and conditions hereunder. The Audit shall be subject to the terms of this DPA and standard confidentiality obligations (including towards third parties). Namogoo may object to an auditor appointed by Client in the event Namogoo reasonably believes the auditor is not suitably qualified or independent, is a competitor of Namogoo, or is otherwise unsuitable (“Objection Notice”). The Client will appoint a different auditor or conduct the Audit itself upon its receipt of an Objection Notice from Namogoo. The Client shall bear all expenses related to the Audit and shall (and shall ensure that each of its auditors shall), over the course of such Audit, avoid causing any damage, injury or disruption to Namogoo’s premises, equipment, personnel and business. Any and all conclusions of such an Audit shall be confidential and reported back to Namogoo immediately. 

9.3 Any information obtained under this Section 9 shall be deemed Confidential Information and is subject to the confidentiality obligations set forth in the Agreement.

10. DATA TRANSFER

10.1 The Client acknowledges and agrees that in order to provide the Services Namogoo might transfer Client Data to, or access Client Data from, countries outside the EU Member States, the three EEA member countries (Norway, Liechtenstein and Iceland) (collectively, the “EEA”), Switzerland and the United Kingdom (“UK”), as detailed herein. 

10.2 The parties acknowledge that EU Data Protection Law does not require Standard Contractual Clauses or an alternative transfer solution in order for Client Data to be processed in or transferred to an Adequate Country (“Permitted Transfers”).

10.3 In the event the Processing includes transferring Personal Data from the EEA, Switzerland or the UK to other countries, and such transfers are not performed through an alternative recognized compliance mechanism as may be adopted by Namogoo for the lawful transfer or processing of Personal Data outside the EEA, Switzerland or the UK, as applicable, and are not exempt under Article 49 of the GDPR (collectively, “Restricted Transfers”), the following shall apply:

  • 10.3.1 In order to maintain the integrity, security and confidentiality of the Personal Data, a Restricted Transfer shall be subject, in addition to the terms of this DPA, to the terms and obligations of the Module II of the Standard Contractual Clauses in which Namogoo shall be deemed as the Data Importer and the Client shall be deemed as the Data Exporter.
  • 10.3.2 The purpose and description of the transfer shall be detailed in ANNEX I.
  • 10.3.3 The UK SCC shall incorporate ANNEXES I, II and III herein.

10.4 The Client further agrees that where Namogoo engages a Sub-Processor, and those processing activities include a Restricted Transfer, Namogoo and the Sub-Processor shall be bound by the Standard Contractual Clauses, in which Namogoo shall be deemed the Data Exporter and the Sub-Processor shall be deemed the Data Importer. For the purposes of such engagement, Namogoo and the Sub-Processor will enter into Module III of the Standard Contractual Clauses.

10.5 Subject to Clause 13 of the Standard Contractual Clauses, Namogoo agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with the Standard Contractual Clauses. Notwithstanding the above, the UK SCC shall be governed by the laws of England and Wales.

10.6 Measures and assurances regarding U.S. government surveillance (“Additional Safeguards”) are further detailed in ANNEX II.

11. CONFLICT 

11.1 In the event of a conflict between the terms and conditions of this DPA and the Agreement, this DPA shall prevail. Except as set forth herein, all of the terms and conditions of the Agreement shall remain in full force and effect.

12. TERM & TERMINATION

12.1 This DPA shall be effective as of the Effective Date and shall remain in force until the Agreement terminates. The Client shall be entitled to suspend the Processing of Client Data in the event Namogoo is in breach of Data Protection Laws, this DPA or a binding decision of a competent court or the competent supervisory authority.

12.2 Namogoo shall be entitled to terminate this DPA or terminate the Processing of Client Data in the event the Processing of Personal Data under the Client’s instructions or this DPA infringes applicable legal requirements. Such termination shall be subject to Namogoo having informed the Client of the infringement and the Client nevertheless insisting on compliance with the instructions.

12.3 Following termination of this DPA, Namogoo shall, at the choice of the Client, delete the Client Data processed on behalf of the Client and certify to the Client that it has done so, or return all the Client Data to the Client and delete existing copies, unless applicable law or regulation requires the storage of the Client Data. Until the data is deleted or returned, Namogoo shall continue to ensure compliance with this DPA.

ANNEX I 

DETAILS OF PROCESSING AND TRANSFERRING OF CLIENT PERSONAL DATA 

This ANNEX I includes certain details of the Processing of Client Data as required by Article 28(3) GDPR and details of transferring Personal Data subject to the Standard Contractual Clauses and the UK SCC. 

Categories of data subjects whose personal data is processed or transferred:

Client employees, and the Client’s end users who interact with the Client’s website 

Categories of personal data processed and transferred:

Depending on the Services obtained by the Client (e.g., IBP, CHP, SEM), the following categories may be applicable: 

  • UserID
  • IP Address
  • Website interaction data (e.g. browsing behavior, click-events, page-calls)
  • Contact Information

Sensitive data processed or transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:

NA

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

Continuous


Nature of Purpose(s) for the processing and transferring:

Depending on the Services obtained by the Client: CHP – security and fraud detection; IBP – optimization; SEM – analytics and optimization


Purpose(s) for which the Personal Data is processed or transferred on behalf of the controller:

Providing the Services


Duration of the processing:

For the duration of the Services according to the Agreement and the period from the end of the Term until deletion of all Client Data


For transfers to (sub-) Processors, also specify subject matter, nature and duration of the processing.

The Sub-Processors are hosting and storage providers; all of the above applies equally to the Sub-Processors.

ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES

(I)  GENERAL BACKGROUND: 

This Technical and Organizational Measures Annex sets out the measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services, the measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident, the measures taken for user identification and authorization as well as the measures taken for the protection of data during storage and during transmission. 

The Company maintains the following policies in order to ensure the measures set forth above; the policies are updated on an ongoing basis and reviewed annually for gaps:

  • Information Security
  • Security Incident Response
  • Vulnerability Management
  • Policy Management and Maintenance
  • Data Request
  • System Access
  • Business continuity and disaster recovery 

(II) SPECIFICATION

SYSTEM ACCESS CONTROL

Company’s database is accessible only by a minimal number of Company employees and personnel, and only from within the Company office. The personal data processed and stored by Company is held on cloud services, and access is granted through personal user authentication. Access to systems is restricted and is based on procedures ensuring that approvals are granted solely to the extent required. In addition, remote access and wireless computing capabilities are restricted and require both user and system safeguards. Only authorized employees may access the systems, using a designated password. In addition to password login, two-factor authentication (“2FA”) provides an added layer of security for the Namogoo database. 

PHYSICAL ACCESS CONTROL

The measures for ensuring physical security of locations at which Personal Data are processed include the security measures implemented in Company’s office (alarm system, security cards, CCTV, etc.) and the physical security measures taken by Company’s hosting providers. The Company secures access to its offices and ensures that only authorized persons, such as employees, have access. All visitors to the Company facilities are accompanied by Namogoo employees at all times. Company works with Amazon Web Services data centers and Snowflake as its main storage and hosting processors; Amazon’s security policy and Snowflake’s security policy are published on their respective websites. When Personal Data is transferred to the applicable servers it is always done in a secure and encrypted manner, with encryption by default, at rest and in transit. AWS undergoes various third-party independent audits regularly and can provide verification of compliance controls for its data centers, infrastructure and operations. This includes, but is not limited to, SSAE 16 SOC 2 attestation reports and ISO 27001 certification. 

DATA ACCESS CONTROL

All access to a database, system or storage is subject to an authorization hierarchy, password protection and two-factor authentication. Further, access to the Personal Data is restricted solely to employees with a “need to know” and is protected by user names and passwords. Access to the Personal Data is secured and is tightly managed by access control policies. The Company uses high-level security measures to ensure that the Personal Data will not be accessed, modified, copied, used, transferred or deleted without specific authorization. The Company audits any and all access to the database; each access is logged and monitored, and any unauthorized access is automatically reported and handled immediately. Each employee is able to perform actions solely according to the permissions determined by the Company. Further, Company reviews on an ongoing basis which employees hold authorizations, to assess whether access is still required. Company revokes access immediately upon termination of employment. Authorized individuals can access only the Personal Data established in their individual profiles.

ORGANIZATIONAL AND OPERATIONAL SECURITY

The Company educates its employees, service providers, consultants and contractors and raises their awareness of the risks involved in any processing of Personal Data. Internal security testing is done on a regular basis. Further measures for internal IT and IT security governance and management have been taken: the Company’s IT team ensures the security of all hardware and software by installing all needed updates; installing anti-malware software on computers to protect against malicious use and malicious software; virus detection on endpoints; email attachment scanning; system compliance scans; information handling options for the data exporter based on data type; network security; system and application vulnerability scanning; use of secured email transfer; etc. It is the responsibility of the individuals across the Company to comply with these practices and standards.

TRANSFER CONTROL

Namogoo conducted a transfer impact assessment (“TIA”) identifying all transfers of Personal Data and is able to share the TIA upon Client’s request. The purpose of transfer control is to ensure that Personal Data cannot be read, copied, modified or removed by unauthorized parties during electronic transmission of the data or during its transport or storage in the applicable data center. Further, any and all transfers of the data (whether between servers, from client side to server side, or between Company’s designated partners) are secured (HTTPS) and encrypted. Default encryption is implemented in transit and at rest. 

AVAILABILITY CONTROL

Measures for ensuring the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident have been implemented by the Company and include an automated backup procedure. The Company has a backup concept which includes automated daily backups. Periodic checks are performed to confirm that the backups have completed. The Company has also implemented Business Continuity plans and Disaster Recovery policies so that in the event of a disaster Namogoo will be able to continue to provide the services.

DATA RETENTION

Personal Data and raw data are all deleted as soon as possible, or as soon as legally permissible. Usually, the data is provided by the Client for the purpose of Namogoo providing the services and is deleted upon termination of the contractual obligations. However, certain data, such as financial data, is required to be retained for a longer period of time. 

JOB CONTROL

Employees, Clients, vendors and applicable processors have all signed binding agreements, all of which include applicable data provisions and data security obligations. As part of the employment process, employees undergo screening and are provided with access to the database only after training, to ensure they are well educated and able to handle Personal Data responsibly. Employees are bound to comply with this Security Policy in addition to internal security policies and procedures, and breaking or failing to comply with them shall result in disciplinary action. To ensure that employees stay educated and up to date with applicable policies and legislation, the Company holds annual compliance training which includes data security education.

DATA SUBJECT REQUEST 

The Company has an online mechanism enabling individuals to submit a data subject request (“DSR”), and has implemented internal policies to handle DSRs subject to applicable data protection laws and contractual obligations. 

CONTRACTUAL OBLIGATIONS 

Company has ensured that all documents, including without limitation agreements, privacy policies, online terms, etc., are compliant with the Data Protection Regulations, including by implementing a Data Processing Agreement and, where needed, Standard Contractual Clauses (either the clauses adopted pursuant to the GDPR by European Commission Decision 2021/914 of 4 June 2021, attached herein by linked reference: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN, or the standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR for transferring Personal Data outside of the EEA or UK).  

ADDITIONAL SAFEGUARD

Measures and assurances regarding U.S. government surveillance (“Additional Safeguards”) have been implemented in light of the EU Court of Justice decision in Case C-311/18, Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (“Schrems II”); these measures include the following: 

  • Encryption both in transit and at rest; 
  • As of the date of this DPA, Namogoo has not received any national security orders of the type described in Paragraphs 150-202 of the Schrems II decision. 
  • No court has found Namogoo to be the type of entity eligible to receive process issued under FISA Section 702: (i) an “electronic communication service provider” within the meaning of 50 U.S.C § 1881(b)(4) or (ii) a member of any of the categories of entities described within that definition. 
  • Namogoo shall not comply with any request under FISA for bulk surveillance, i.e., a surveillance demand whereby a targeted account identifier is not identified via a specific “targeted selector” (an identifier that is unique to the targeted endpoint of communications subject to the surveillance). 
  • Namogoo shall use all available legal mechanisms to challenge any demands for data access through national security process that Namogoo receives, as well as any non-disclosure provisions attached thereto. 
  • Namogoo will notify Client if Namogoo can no longer comply with the Standard Contractual Clauses or these Additional Safeguards, without being required to identify the specific provision with which it can no longer comply.

ANNEX III

SUB-PROCESSORS LIST

Processor / Address and Country / Service:

  • Fastly Inc. / 475 Brannan St. #300, San Francisco, CA 94107, USA / CDN
  • Microsoft Corporation (Microsoft Azure) / One Microsoft Way, Redmond, WA 98052, USA / Storage
  • Amazon Web Services, Inc. / 410 Terry Avenue North, Seattle, WA 98109, USA / Storage
  • Snowflake, Inc. / Snowflake Computing Netherlands B.V., Netherlands / Storage