GDPR & Data Processing

1.	Applicability.

This Kamatera Data Processing Agreement (“DPA”) shall apply to all of your ("User's") agreements (“Agreements”) with Kamatera and its affiliates and/or subsidiaries (“Kamatera”) to the extent that Kamatera processes (i) as User's processor any personal data from the European Economic Area, the United Kingdom and Switzerland; or (ii) as User's service provider any personal information of California consumers (collectively, “User Data”).

2.	Definitions.

2.1.	Terms used in this DPA but not defined herein shall have the meanings assigned to such terms in (i) the General Data Protection Regulation (2016/679) (“GDPR”), including any subordinate or implementing legislation, (ii) the EU-US Privacy Shield (“Privacy Shield”), and (iii) the California Consumer Privacy Act of 2018, Cal. Civ. Code 1798.100 et seq. (“CCPA”), as applicable (collectively, “Applicable Data Protection Laws”).
2.2.	"User" or "You" means the controller or business that entered into this DPA with Kamatera.

3.	Processing of Personal Data on behalf of Controller/Business.

Kamatera acts as a processor/service provider for User, and performs any processing operations on behalf of User and upon the instructions of User, as set forth herein, in the Kamatera terms of use ("TOU") and the KAMATERA privacy notice ("PN"), as may be amended from time to time by Kamatera, and any additional agreement entered into between User and Kamatera (collectively, the "Terms").

4.	Controller/Business Obligations and Representations.

User sets forth the details, including the purpose, the means and the ways in which Kamatera shall process User Data, as required by Applicable Data Protection Laws in Appendix A (Details of Processing of Processed Personal Data), attached hereto, and User represents and warrants that:
4.1.	It complies with personal data security and other obligations prescribed by Applicable Data Protection Laws for controller/businesses, and that the provision of User Data to Kamatera complies with Applicable Data Protection Laws;
4.2.	It only processes personal data/personal information that has been collected in accordance with the Applicable Data Protection Laws; 
4.3.	It has in place procedures in case individuals/consumers whose personal data/personal information is collected, wish to exercise their rights in accordance with the Applicable Data Protection Laws; 
4.4.	It provides User Data to Kamatera for a business purpose in accordance with the provisions User makes to consumers in User's privacy policy, and User does not sell User Data to Kamatera;
4.5.	It shall provide to processor/service provider, or otherwise have processor/service provider (or anyone on its behalf) process such User Data which is explicitly permitted under Kamatera's PN ("Permitted User Data"). Solely controller/business shall be liable for any data which is made available to processor/service provider in excess of the Permitted User Data (“Non-Permitted Data”). processor/service provider obligations under the Terms shall not apply to any such Non-Permitted Data;
4.6.	It is and will remain duly and effectively authorized to give the instruction set out herein and any additional instructions as provided pursuant to the Terms, at all relevant times and at least for as long as the Terms are in effect and for any additional period during which Kamatera is lawfully processing personal data/personal information.

5.	Processor/Service Provider Obligations.

5.1.	Kamatera carries out the processing of User Data on User's behalf;
5.2.	Pursuant to the provisions of Article 28 of the GDPR, Kamatera agrees that it will:
5.2.1.	process User Data solely on User's behalf and in compliance with User's instructions (including relating to international data transfers ), including instructions in this DPA and all Terms, unless required to do so by EU or applicable Member State law;
5.2.2.	implement appropriate technical and organizational measures to provide an appropriate level of security, including, as appropriate and applicable, the measures referred to in Article 32(1) of the GDPR;
5.2.3.	take reasonable steps to ensure that access to the processed User Data is limited on a need to know/access basis, and that all Kamatera personnel receiving such access are subject to confidentiality undertakings or professional or statutory obligations of confidentiality in connection with their access/use of User Data.
5.2.4.	it shall provide reasonable assistance to controller/business with any data protection impact assessments or prior consultations with supervising authorities in relation to processing of User Data by the processor/service provider, as required under any Applicable Data Protection Laws, at the written request of the controller/business, and at controller's/business' sole expense. 
5.3.	Pursuant to the CCPA, Kamatera agrees that:
5.3.1.	Kamatera is acting solely as a service provider with respect to User Data;
5.3.2.	Kamatera shall not  retain, use or disclose User Data  for any purpose other than for the specific purpose of performing the services specified in the Terms;
5.3.3.	Kamatera may de-identify or aggregate User Data as part of performing the services specified in the Terms; and
5.3.4.	Further to the provisions of Privacy Shield, Kamatera agrees that it will provide any EU Personal Data with at least the same level of protection as required under the Privacy Shield Principles, as described here: www.privacyshield.gov/EU-US-Framework.

6.	Sub-Processing.

6.1.	Controller/business authorizes processor/service provider to appoint sub-processors in accordance with the provision of the Terms.
6.2.	Processor/service provider may continue to use those sub-processors already engaged by processor/service provider as of the date of this DPA. Controller/business acknowledges and agrees that as of the date of this DPA processor/service provider uses certain sub-processors; a list of such sub-processors will be provided upon request.
6.3.	Processor/service provider may appoint new sub-processors and shall give reasonable notice of the appointment of any new sub-processor. Controller's/business’ continued use of the applicable services after such notification constitutes controller's/business’ acceptance of the new sub-processor. 

7.	Data Subjects' Rights.

7.1.	Controller/business shall be solely responsible for compliance with any statutory obligations concerning requests to exercise data subject rights under Applicable Data Protection Laws (e.g., for access, rectification, deletion of processed User Data, etc.). Processor/service provider shall reasonably endeavor to assist controller/business insofar as feasible, to fulfil controller's/business' said obligations with respect to such data subject requests, as applicable, at controller's/business' sole expense.
7.2.	Processor/service provider shall (i) without undue delay notify controller/business if it receives a request from a data subject under any Applicable Data Protection Laws in respect of Processed Personal Data; and (ii) not respond to that request, except on the written instructions of controller/business or as required by Applicable Data Protection Laws, in which case processor/service provider shall, to the extent permitted by Applicable Data Protection Laws, inform controller/business of that legal requirement before it responds to the request.

8.	Personal Data Breach.

8.1.	Processor/service provider shall notify controller/business without undue delay upon processor/service provider becoming aware of any personal data breach within the meaning of Applicable Data Protection Laws relating to User Data which may require a notification to be made to a supervisory authority or data subject under Applicable Data Protection Laws "Personal Data Breach"). 
8.2.	At the written request of the controller/business and at controller's/business’ sole expense, processor/service provider shall provide reasonable co-operation and assistance to User in respect of User's obligations regarding the investigation of any Personal Data Breach and the notification to the supervisory authority and data subjects in respect of such a Personal Data Breach.

9.	Deletion or Return of Processed Personal Data.

9.1.	Subject to the terms hereof, processor/service provider shall promptly and in any event within up to sixty (60) days User Data, except such copies as authorized including under this DPA or required to be retained in accordance with Applicable Data Protection Laws.
9.2.	Processor/service provider may retain User Data to the extent authorized or required by Applicable Data Protection Laws, provided that processor/service provider shall ensure the confidentiality of such User Data and shall ensure that it is only processed for such legal purpose(s).
9.3.	Upon controller's/business’ prior written request, processor/service provider shall provide written certification to controller/business that it has complied with this Section 9.

10.	Audit Rights

10.1.	Subject to the terms hereof, and not more than once in each calendar year, processor/service provider shall make available to a reputable auditor mandated by controller/business in coordination with processor/service provider, at the cost of the controller/business, upon prior written request, within normal business hours at processor/service provider premises, such information necessary and relevant to reasonably demonstrate compliance with this DPA, and shall allow for audits by such reputable auditor mandated by the controller/business in relation to the processing of the User Data by the processor/service provider, provided that such third-party auditor shall be subject to confidentiality obligations.
10.2.	Controller/business shall use (and ensure that each of its mandated auditors use) its best efforts to avoid causing (or, if it cannot avoid, to minimize) any damage, injury or disruption to the processor's/service provider's premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit or inspection. 

11.	General Terms.

11.1.	Governing Law and Jurisdiction. All disputes with respect to this DPA shall be determined in accordance with the laws of the State of Israel and shall be handled at a competent court in Tel Aviv-Yafo.
11.2.	Conflict. In the event of any conflict or inconsistency between this DPA and any other agreements between the parties, including agreements entered into after the date of this DPA, the provisions of this DPA shall prevail.
11.3.	Changes in Applicable Data Protection Laws. Controller/business may by at least forty-five (45) calendar days' prior written notice to processor/service provider, request in writing any changes to this DPA, if they are required, as a result of any change in any Applicable Data Protection Law, regarding the lawfulness of the  processing of User Data. If controller/business provides its modification request, processor/service provider shall make commercially reasonable efforts to accommodate such modification request, and controller/business shall not unreasonably withhold or delay agreement to any consequential changes to this DPA to protect the processor/service provider against any additional risks, and/or to indemnify and compensate processor/service provider for any further costs associated with the changes made hereunder.
11.4.	Severance. Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall either be (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
 
 
 
Appendix A
Details of Processing of Processed Personal Data
(As required by Article 28(3) of the GDPR)
 
1. The subject matter and duration of the processing of processed personal data are set forth in the Terms.

2. The nature and purpose of the processing of processed personal data is rendering services, as detailed and defined in the Kamatera terms of use and the Kamatera PN.

3. The types of processed personal data to be processed are as detailed in the PN.

4. The categories of data subjects to whom the processed personal data relates to are as follows: natural persons who are end users of the Controller's or any other third parties' services.

5. The obligations and rights of Controller are as set forth herein and in the GDPR.