Data Processing Agreement

1.    Applicability.

This KAMATERA Data Processing Agreement (“DPA”) shall apply to all of your ("User's") agreements (“Agreements”) with KAMATERA. and its affiliates and/or subsidiaries (“KAMATERA”) and you and/or the entity you represent (“Customer”) supplements the KAMATERA terms of use available at: https://www.kamatera.com/tos/ , as updated from time to time (“TOU”), or any agreement between Customer and KAMATERA, governing Customer’s use of the Services (“Agreements”) to the extent that KAMATERA processes data.

2.    Definitions.

2.1. Terms used in this DPA but not defined herein (whether or not capitalized) shall have the meanings assigned to such terms in the Agreements, or in the Applicable Data Protection Laws, as applicable.
2.2. ”Applicable Data Protection Laws“ shall mean, to the extent applicable to KAMATERA’s processing of Personal Data hereunder (with respect to each data subject): (i) General Data Protection Regulations (European Parliament and Council of European Union (2016) Regulation (EU) 2016/679) (EU GDPR); (ii) EU GDPR as it forms part of the law of England and Wales by virtue of section 3 of the European Union (Withdrawal) Act 2018 and UK Data Protection Act 2018 (UK GDPR) ; (iii) California Consumer Privacy Act of 2018 (CCPA) and the California Privacy Rights Act of 2020 (CPRA); (iv) Protection of Privacy Law (Israel); and (v) any rules or regulations that amend and/or replace any of the aforementioned Data Protection Laws. In the event of any conflict between the Applicable Data Protection Laws, the most restrictive law applicable to the Customer shall govern.
2.3 “Customer Data” shall mean the Personal Data (as defined below) that is uploaded to the KAMATERA Services which may include software, data, text, audio, video, or images that Customer or any of its end customers transfers to KAMATERA for processing, storage, or hosting by the Services. Customer Data does not include account information about Customer relating to and/or in connection with Customer account (e.g., Customer name and surname, phone numbers, email addresses, payment information or other information related to the management of KAMATERA resources such as access permissions, service usage, etc.) which is governed by the Privacy Notice (“PN”).
2.4 Personal Data“ refers to the definition of that term or any other similar term defined under the Applicable Data Protection Laws.
2.5 “Standard Contractual Clauses or SCCs” shall mean: where the EU GDPR applies, the standard contractual clauses pursuant to the EU Commission's Implementing Decision 2021/914 of 4 June 2021 currently set out at: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj (“EU SCCs”); (ii) where the UK GDPR applies, the EU SCCs together with the UK Information Commissioner’s Office addendum, under S119A(1) of the Data Protection Act 2018 (“UK Addendum”); or any other Standard Contractual Clauses which amended and/or replace such Standard Contractual Clauses in accordance with Applicable Data Protection Law.
2.6. “Services” means the services and products provided to Customer by KAMATERA in accordance with the Agreements

3.    Processing of Personal Data on behalf of Controller/Business.

The Parties acknowledge and agree that with regard to the Processing of Personal Data performed solely on behalf of Customer: (i) Customer is the Controller or Business (to the extent the CCPA is applicable) of Personal Data; (ii) KAMATERA acts as a Processor or Service Provider (to the extent the CCPA is applicable) for Customer, and upon the instructions of Customer, as set forth herein, and in the Agreements, as may be amended from time to time by KAMATERA (collectively, the "Terms"), pursuant to which personal data may be disclosed to KAMATERA and KAMATERA may process such personal data (the “Contracted Business Purpose”).

4.    Customer Representations

Customer sets forth the details, including the purpose, the means and the ways in which KAMATERA shall process the Customer Data, as required by Applicable Data Protection Laws in Appendix A (Details of Processing of Processed Personal Data), attached hereto, and Customer represents and warrants that:
4.1. It complies with personal data security and other obligations prescribed by Applicable Data Protection Laws for controller/businesses, and that the provision of Customer Data to KAMATERA complies with Applicable Data Protection Laws;
4.2. It only processes personal data/personal information that has been collected in accordance with the Applicable Data Protection Laws;
4.3. It has in place procedures in case individuals/consumers whose personal data is collected, wish to exercise their rights in accordance with the Applicable Data Protection Laws;
4.4. It provides Customer Data to KAMATERA for a business purpose in accordance with the representations Customer makes to consumers in Customer's privacy policy, and Customer does not sell Customer Data to KAMATERA;
4.5. It shall provide to KAMATERA as a processor/service provider, or otherwise have KAMATERA (or anyone on its behalf) process such Customer Data which is explicitly permitted under KAMATERA's PN ("Permitted Personal Data"). Solely Customer shall be liable for any data which is made available to KAMATERA in excess of the Permitted Personal Data (“Non-Permitted Data”). KAMATERA's obligations under the Terms shall not apply to any such Non-Permitted Data;
4.6. It is and will remain duly and effectively authorized to give the instruction set out herein and any additional instructions as provided pursuant to the Terms, at all relevant times and at least for as long as the Terms are in effect and for any additional period during which KAMATERA is lawfully processing personal data/personal information;
4.7. Notwithstanding anything to the contrary herein, Customer acknowledges that KAMATERA is able to access Customer Data, and might do so when required for operational and maintenance purposes and if required to provide the Services.

5.    KAMATERA Obligations.

5.1. KAMATERA carries out the processing of Customer Data on Customer’s behalf;
5.2. Pursuant to the provisions of Article 28 of the GDPR, KAMATERA represents and warrants that it will:
5.2.1.     Process Customer Data solely on Customer's behalf and in compliance with User's instructions (including relating to international data transfers ), including instructions in this DPA and all Terms, unless required to do so by EU or applicable Member State law;
5.2.2.     Implement appropriate technical and organizational measures to provide an appropriate level of security, including, as appropriate and applicable, the measures referred to in Article 32(1) of the GDPR;
5.2.3.     Take reasonable steps to ensure that access to the processed Customer Data is limited on a need to know/access basis, and that all KAMATERA personnel receiving such access are subject to confidentiality undertakings or professional or statutory obligations of confidentiality in connection with their access/use of Customer Data.
5.2.4.    It shall provide reasonable assistance to Customer with any data protection impact assessments or prior consultations with supervising authorities in relation to processing of Customer Data by the processor/service provider, as required under any Applicable Data Protection Laws, at the written request of the Customer, and at Customer’s sole expense.
5.3. Pursuant to the CCPA, to the extent applicable with respect to each data subject, KAMATERA agrees that:
5.3.1.     KAMATERA is acting solely as a service provider with respect to Customer Data for the purposes of the Contracted Business Purpose;
5.3.2.     KAMATERA shall not retain, use or disclose Customer Data for any purpose other than for the Contracted Business Purpose
5.3.3.    KAMATERA may de-identify or aggregate Customer Data as part of performing the services specified in the Terms.
5.3.4.     KAMATERA will limit personal information collection, use, retention, and disclosure to activities reasonably necessary and proportionate to achieve the Contracted Business Purposes or another compatible operational purpose.

6.    Sub-Processing.

6.1. Customer authorizes KAMATERA to appoint sub-processors in accordance with the provision of the Terms. Any subcontractor used must qualify as a service provider under the Applicable Data Protection Laws.KAMATERA cannot make any disclosures to the subcontractor that the CCPA would treat as a sale.
6.2. KAMATERA may continue to use those sub-processors already engaged by KAMATERA as of the date of this DPA. Customer acknowledges and agrees that as of the date of this DPA KAMATERA uses certain subprocessors; a list of such subprocessors will be provided upon request.
6.3. KAMATERA may appoint new sub-processors and shall give reasonable notice of the appointment of any new sub-processor. Customer’s continued use of the applicable services after such notification constitutes Customer’s acceptance of the new sub-processor

7.    Data Subjects' Rights.

7.1. Customer shall be solely responsible for compliance with any statutory obligations concerning requests to exercise data subject rights under Applicable Data Protection Laws (e.g., for access, rectification, deletion of processed Customer Data, etc.). KAMATERA shall reasonably endeavor to assist Customer insofar as feasible, to fulfil Customer’s said obligations with respect to such data subject requests, as applicable, at Cutseomr’s sole reasonable expense.
7.2. KAMATERA shall (i) without undue delay notify customer if it receives a request from a data subject under any Applicable Data Protection Laws in respect of Processed Personal Data; and (ii) not respond to that request, except on the written instructions of Customer or as required by Applicable Data Protection Laws, in which case KAMATERA shall, to the extent permitted by Applicable Data Protection Laws, inform controller/business of that legal requirement before it responds to the request

8.    Personal Data Breach.

8.1. KAMATERA shall notify Customer without undue delay upon KAMATERA becoming aware of any personal data breach within the meaning of Applicable Data Protection Laws relating to Customer Data which may require a notification to be made to a supervisory authority or data subject under Applicable Data Protection Laws "Personal Data Breach").
8.2. At the written request of the Customer and at Customer’s sole expense, KAMATERA shall provide reasonable co-operation and assistance to Customer in respect of Customer's obligations regarding the investigation of any Personal Data Breach and the notification to the supervisory authority and data subjects in respect of such a Personal Data Breach; provided, however, that KAMATERA shall, at its own expense, use reasonable efforts to contain and remedy any Personal Data Breach caused by KAMATERA (or its agents, representatives, or subcontractors) without undue delay and prevent any further Personal Data Breach, including, but not limited to taking any and all reasonable action necessary to comply with Applicable Data Protection Laws.

9.    Deletion or Return of Processed Personal Data.

9.1. Subject to the terms hereof, KAMATERA shall within up to sixty (60) days, unless a sooner time period is required by Applicable Data Protection Laws, return and then destroy the Customer Data, except such copies as authorized including under this DPA or required to be retained in accordance with Applicable Data Protection Laws.
9.2. KAMATERA may retain Customer Data only to the extent authorized or required by Applicable Data Protection Laws, provided that KAMATERA shall ensure the confidentiality of such Customer Data and shall ensure that it is only processed for such legal purpose(s). The provisions of this DPA shall govern any such retained Customer Data.
9.3. Upon Customer’s prior written request, KAMATERA shall provide written certification to Customer that it has complied with this Section 9.

10.    Audit Rights

10.1. Subject to the terms hereof, and not more than once in each calendar year, KAMATERA shall make available to a reputable auditor mandated by Customer in coordination with KAMATERA, at the reasonable cost of the Customer upon prior written request, within normal business hours at KAMATERA premises, such information necessary and relevant to reasonably demonstrate compliance with this DPA, and shall allow for audits by such reputable auditor mandated by the Customer in relation to the processing of the Customer Data by KAMATERA, provided that such third-party auditor shall be subject to confidentiality obligations.
10.2. Customer shall use (and ensure that each of its mandated auditors use) its best efforts to avoid causing (or, if it cannot avoid, to minimize) any damage, injury or disruption to KAMATERA's premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit or inspection.

11. International Data Transfers

11.1. Customer may select the datacenters locations as offered by KAMATERA where Customer Data will be processed. Once Customer has made its choice, KAMATERA will not transfer Customer Data from Customer’s selected locations, except as necessary to provide the Services initiated by Customer, or as specifically required by the Customer, or as necessary to comply with applicable law. 11.2. Subject to Section 11.1, Personal Data may be transferred from the European Economic Area and the United Kingdom (“UK”) to countries that offer an adequate level of data protection under or pursuant to the adequacy decisions, as determined by the European Commission pursuant to Article 45 of GDPR, and by the Secretary of State, pursuant to Section 17A of the United Kingdom Data Protection Act 2018, respectively, or other adequate authority, as determined by the EU and the UK (“Adequacy Decisions”), as applicable, without any further safeguard being necessary. 11.3. To the extent that KAMATERA transfers (either directly or via onward transfer) Personal Data to countries outside of the European Economic Area and/or outside of the UK, which have not been subject to a relevant Adequacy Decision, or such transfers are not performed through an alternative recognized compliance mechanism as may be adopted by KAMATERA for the lawful transfer of Personal Data (as set out under the GDPR), and to the extent applicable with respect to each data subject, such transfer of Customer’s Personal Data to other countries, shall be subject, where the application of such SCCs, as between the parties, is required under Applicable Data Protection Laws, to the Standard Contractual Clauses, as such are incorporated into this DPA by reference, and shall be implemented as follows: 11.3.1.In the case of transfer of Personal Data between Customer to KAMATERA, the parties shall implement Module II - “Controller to Processor”, of the Standard Contractual Clauses, with modifications detailed under this Section 11.3.2. However, when Customer is acting as a processor Module III (“Processor-toProcessor”) shall apply, provided that, taking into account the nature of the processing, Customer agrees that it is unlikely that KAMATERA will know the identity of Customer’s controllers, as KAMATERA has no direct relationship with Customer’s controllers and therefore, Customer will fulfil KAMATERA’s obligations to Customer’s controllers under the Processor-to-Processor SCCs. 11.3.2.The parties are deemed to have accepted and executed the SCCs, including the associated annexes. The contents of Annex I of the SCCs are included within Appendix A to this DPA. The contents of Annex II of the SCCs are included within Appendix B to this DPA. The parties further agree to the following implementation choices under the SCCs: 11.3.2.1. Clause 7: shall not be applicable. 11.3.2.2. Clause 9(a): The parties choose Option 2, “General Written Authorization” and specify a time period of thirty (30) days. 11.3.2.3. Clause 11: The parties choose not to include the optional language relating to the use of an independent dispute resolution body. 11.3.2.4. Clause 17: The parties select Option 1 and specify the law of Ireland. 11.3.2.5. Clause 18(b): The parties specify the courts of Ireland. 11.3.3.In the case of transfer of Personal Data between KAMATERA and its SubProcessors for the purposes of carrying out specific Processing activities (on behalf of Customer) the Partis will enter into Module III (“Processor-toProcessor”) of the Standard Contractual Clauses. 11.3.4.If applicable, when transferring Personal Data governed by the UK GDPR, the parties agree to implement the applicable SCCs, as modified by the UK Addendum. The information required by Table 1 of the UK Transfer Addendum appears within Appendix A to this DPA. In addition, the parties adopt the SCCs, as modified by the UK Transfer Addendum, as to applicable international transfers of UK Personal Data in exactly the same manner set forth in Section 11.1 above, subject to the following: 11.3.4.1. Clause 13: The UK Information Commissioner’s Office (“ICO") shall be the competent supervisory authority. 11.3.4.2. Clause 17: The SCCs, as modified by the UK Transfer Addendum, shall be governed by the laws of England and Wales. 11.3.4.3. Clause 18: The parties agree that any dispute arising from the SCCs, as modified by the UK Transfer Addendum, shall be resolved by the courts of England and Wales. A UK Data Subject may also bring legal proceedings against the Data Exporter and/or Data Importer before the courts of any country in the UK. The parties agree to submit themselves to the jurisdiction of such courts. 11.4. Appendixes A and B, attached to this DPA shall also apply in connection with the processing of Personal Data, subject to Applicable Data Protection Law. 11.5. KAMATERA reserves the right to adopt an alternative compliance standard to the SCCs for the lawful transfer of Personal Data, provided it is recognized under Data Protection Law. KAMATERA will provide 30 days’ advance notice of its adoption of an alternative compliance standard.

12.    General Terms.

12.1. Governing Law and Jurisdiction. All disputes with respect to this DPA shall be determined in accordance with the laws of the State of Israel and shall be handled at a competent court in Tel Aviv-Yafo.
12.2. Conflict. In the event of any conflict or inconsistency between this DPA and any other agreements between the parties, including agreements entered into after the date of this DPA, the provisions of this DPA shall prevail.
12.3. Changes in Applicable Data Protection Laws. KAMATERA may by at least fortyfive (45) calendar days' prior written notice to Customer, request in writing any changes to this DPA, if they are required, as a result of any change in any Applicable Data Protection Law, regarding the lawfulness of the processing of Customer Data. If Customer provides its modification request, KAMATERA shall make commercially reasonable efforts to accommodate such modification request, and Customer shall not unreasonably withhold or delay agreement to any consequential changes to this DPA to protect KAMATERA against any additional risks, and/or to indemnify and compensate KAMATERA for any further costs associated with the changes made hereunder.
12.4. Severance. Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall either be (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

 

Appendix A

Details of Processing of Processed Personal Data

(As required by Article 28(3) of the GDPR)

1.    The subject matter and duration of the processing of processed personal data are set forth in the Terms.

2.    The nature and purpose of the processing of processed personal data is rendering services, as detailed and defined in the Kamatera terms of use and the Kamatera PN.

3.    The types of processed personal data to be processed are as detailed in the PN.

4.    The categories of data subjects to whom the processed personal data relates to are as follows: natural persons who are end users of the Controller's or any other third parties' services.

5.    The obligations and rights of Controller are as set forth herein and in the GDPR.