DEEPCODING’S DATA PROCESSING AGREEMENT
This Data Processing Agreement (“Agreement”) is entered into between DeepCoding Limited, a company registered in Israel with its place of business at Atrium tower, 2 Zeev Jabotinsky Road, 5250501 Ramat Gan, Israel (“DeepCoding”) and you, the recipient of the Services (respectively “Agreement” and “Company”).
WHEREAS Company is interested in receiving from DeepCoding certain Services that involve the Processing of Company Personal Data (as such terms are defined below) so that DeepCoding will act as a Processor on behalf of Company, and DeepCoding agrees to act as a Processor with respect to Company Personal Data in the context of providing the Services to Company in accordance with the terms of this Agreement; and
WHEREAS the parties wish to be bound by an agreement that will govern the Processing of Company Personal Data in accordance with Article 28 of the GDPR;
NOW THEREFORE, in consideration of the mutual obligations set out herein, the parties hereby agree as follows:
1.1 In this Agreement, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
1.1.1 “Company Personal Data” means any Personal Data Processed by DeepCoding on behalf of Company pursuant to or in connection with this Agreement or the Services;
1.1.2 “EEA” means the European Economic Area;
1.1.3 “GDPR” means EU General Data Protection Regulation 2016/679;
1.1.4 “Services” means the services to be supplied to or carried out by or on behalf of DeepCoding for Company, including analyzing the Company’s business activities, collecting data contained in the Company’s various delivery or IT systems using a cloud based SaaS platform and providing Company with insights and metrics on Company efficiency and productivity to help improve Company’s IT delivery organization;
1.1.5 “Standard Contractual Clauses” means the Standard Contractual Clauses (processors) or any subsequent version thereof released by the European Commission. The current Standard Contractual Clauses are located on the European Commission’s website at: https://ec.europa.eu/info/law/law-topic/data-protection_en;
1.1.6 “Subprocessor” means any person (including any third party, but excluding an employee of DeepCoding or any of its affiliates) appointed by or on behalf of DeepCoding to Process Personal Data in connection with this Agreement or the Services; and
1.2 The terms “Controller”, “Data Subject”, “Personal Data”, “Personal Data Breach”, and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
1.3 The word “include” shall be construed to mean include without limitation, and cognate terms shall be construed accordingly.
2. Processing of Company Personal Data
2.1 DeepCoding will Process Company Personal Data in accordance with Company’s documented instructions, unless Processing is required by applicable laws to which DeepCoding is subject, in which case DeepCoding will, to the extent permitted by applicable laws, inform the Company of that legal requirement before the relevant Processing of that Personal Data.
2.2 Company hereby:
2.2.1 instructs DeepCoding (and authorizes DeepCoding to instruct each Subprocessor) to Process Company Personal Data (including, by transferring Company Personal Data to any country or territory) as reasonably necessary for the provision of the Services and in accordance with this Agreement;
2.2.2 warrants and represents that it is and will at all relevant times remain (a) duly and effectively authorized to give the instruction set out in section 2.2.1; (b) the Controller of the Company Personal Data Processed by DeepCoding; (c) responsible for compliance with its obligations as a Controller under applicable law, in particular with respect to the justification of any Processing of Company Personal Data by DeepCoding and/or any Subprocessor; and
2.2.3 warrants and represents that it will not transfer to DeepCoding any data relating to Company’s customers as such data is not necessary in any way for DeepCoding to provide the Service. DeepCoding shall bear no responsibility for any consequences resulting from Company’s failure to fulfil its obligations under this Section 2.2.3.
2.3 Notwithstanding the above, Company will be solely responsible for: (a) providing any required notices and obtaining any required consents and/or authorizations to/from Data Subjects and/or other third parties; (b) securing an appropriate legal basis under applicable law, as necessary for DeepCoding to Process Company Personal Data on Company’s behalf; and (c) Company’s decisions and actions concerning the Processing of such Company Personal Data.
2.4 Annex 1 to this Agreement sets out certain information regarding the Processing of the Company Personal Data by DeepCoding and/or any Subprocessors as required by Article 28(3) of the GDPR. Nothing in Annex 1 confers any right or imposes any obligation on any party to this Agreement.
DeepCoding will ensure that DeepCoding employees authorized to process Personal Data are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
4.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, DeepCoding will in relation to the Company Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR. Company is solely responsible for implementing appropriate internal measures for securing Company Personal Data in connection with Company’s use of the Services and for the secure transfer of Company Personal Data to DeepCoding.
4.2 DeepCoding offers a service of setting up a server on Company’s premises that will replace personally identifiable data with codes (pseudonymization) before data is transferred from Company to DeepCoding’s cloud for Processing. This service is not part of the standard DeepCoding Service and is provided at an additional cost. Company may also choose to independently anonymize or pseudonymize, at Company’s expense, Company Personal Data, prior to providing such data to DeepCoding. In all cases, the Company’s Personal Data is transferred in an encrypted manner from DeepCoding’s cloud to the Company’s system.
5.1 Company authorizes DeepCoding to appoint (and permit each Subprocessor appointed in accordance with this section 5 to appoint) Subprocessors in accordance with this section 5.
5.2 DeepCoding may continue to use those Subprocessors already engaged by it at the date of this Agreement, including DeepCoding’s main Subprocessors as listed in Annex 2.
5.3 Company authorizes DeepCoding to use additional Subprocessors, provided that DeepCoding will notify Company of the addition of any Subprocessor and give the Company an opportunity to object in writing thereto, within fourteen (14) days of receiving such notice.
5.4 With respect to each Subprocessor, DeepCoding will ensure that such Subprocessor is required by written contract to abide by the same level of data protection and security as DeepCoding under this Agreement, as applicable to such Subprocessor’s Processing of Company Personal Data.
6. International Transfer of Personal Data
6.1 Processing of Company Personal Data will generally take place in Israel, in the EU and in the US.
6.2 Notwithstanding section 6.1 above, DeepCoding is allowed (and allowed to authorize its Subprocessors) to transfer Company Personal Data outside of the EEA to a country other than as detailed in section 6.1 above in the following cases: (a) Company Personal Data is transferred to a country within the European Union or to a country (such as Israel) or scheme (such as the US Privacy Shield) which is approved by the Commission as ensuring an adequate level of protection; (b) subject to the entry into the Standard Contractual Clauses by the transferor and the transferee with respect to the transfer of Company Personal Data; or (c) if the transfer falls within a permitted derogation.
7. Data Subject Rights
Taking into account the nature of the Processing, DeepCoding will, at Company’s expense, provide reasonable assistance to Company by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Company’s obligations to respond to requests to exercise Data Subject rights under the GDPR.
Personal Data Breach
7.1 DeepCoding will notify Company upon DeepCoding becoming aware of a Personal Data Breach affecting Company Personal Data, providing Company, to the extent reasonable, with sufficient information to allow Company to meet any obligations to report or inform Data Subjects of the Personal Data Breach.
8. Data Protection Impact Assessment and Prior Consultation
DeepCoding will, at Company’s expense, provide reasonable assistance to Company with data protection impact assessments, and prior consultations with Supervisory Authorities, which Company reasonably considers to be required by Article 35 or 36 of the GDPR, in each case solely in relation to Processing of Company Personal Data by, and taking into account the nature of the Processing and information available to DeepCoding.
9. Deletion of Company Personal Data
9.1 Subject to Section 9.2 below, DeepCoding may, by written notice to Company within fourteen (14) days of the date of cessation of Services (“Cessation Date”) request that Company return a copy of DeepCoding Personal Data that is in its possession at that time and delete all other copies of DeepCoding Personal Data Processed by Company. If Company receives no such written notice within fourteen (14) days of the Cessation Date, Company will promptly delete all DeepCoding Personal Data and copies thereof.
9.2 Notwithstanding Section 9.1, DeepCoding may retain Company Personal Data to the extent required by applicable laws and only to the extent and for such period as required by applicable laws. DeepCoding will ensure the confidentiality of all such Company Personal Data and will ensure that such Company Personal Data is only Processed as necessary for the purpose(s) specified in the applicable laws requiring its storage and for no other purpose.
10.1 Subject to sections 10.2 to 10.4, DeepCoding will make reasonable efforts to make available to Company on request information necessary to demonstrate compliance with this Agreement (to the extent required by the GDPR).
10.2 During the term in which DeepCoding provides Services to Company, DeepCoding will allow Company to audit DeepCoding’s compliance with its obligations under this Agreement up to once per each calendar year (“Audit”), provided, however, that any such Audit is subject to the following cumulative conditions:
10.2.1 the Audit will be pre-scheduled in writing with DeepCoding, at least thirty (30) days in advance and will be conducted during normal business hours only;
10.2.2 Company may only mandate an auditor for the purposes of conducting an Audit on its behalf pursuant to this Section 10 if the auditor is agreed to by DeepCoding;
10.2.3 all personnel participating in the Audit, whether employed or contracted by Company and/or third party auditor (“Audit Personnel”), will execute DeepCoding’s standard non-disclosure and non-competition undertakings prior to the initiation of the Audit;
10.2.4 Company will take all necessary measures to verify that Audit Personnel do not access, disclose or compromise the confidentiality and security of data on DeepCoding’s information and network systems;
10.2.5 Company will take all commercially reasonable measures to prevent any damage or interference with DeepCoding’s information and network systems;
10.2.6 Company will bear all costs and assume responsibility and liability for the Audit and for any failures or damage caused as a result thereof;
10.2.7 Company will keep the Audit results in strict confidentiality, will use them solely for the specific purposes of the Audit under this section, will not use the results for any other purpose, or share them with any third party, without DeepCoding’s prior explicit written confirmation;
10.2.8 If Company is required to disclose the Audit results to a competent authority, Company will first provide DeepCoding with a prior written notice, explaining the details and necessity of the disclosure, and will provide DeepCoding with assistance to prevent the disclosure thereof, in accordance with applicable law; and
10.2.9 DeepCoding will inform Company if, in its opinion, an instruction in connection with this Section 10 infringes applicable laws.
Disclosure to competent authorities
11.1 To the extent required by applicable law, DeepCoding may disclose Company Personal Data (a) if required by a subpoena or other judicial or administrative order, or if otherwise required by law, provided that DeepCoding will, prior to such disclosure and to the extent permitted by applicable law, notify Company and provide Company an opportunity to object to such disclosure; or (b) if DeepCoding deems the disclosure necessary to protect the safety and rights of any person, or the general public.
Anonymized and aggregated data
11.2 DeepCoding may Process data based on extracts of Company Personal Data and/or other data obtained from Company in the course of the Services in aggregated and anonymized form, for DeepCoding’s legitimate business purposes, including but not limited to testing, research, development, controls, and operations of its Service, and may share and retain such data at DeepCoding’s discretion, provided that such data cannot reasonably identify an individual. For the avoidance of doubt, data are anonymized if any Personal Data contained therein is rendered anonymous in such a manner that the Data Subject is not or is no longer identifiable.
Order of precedence
11.3 With regard to the subject matter of this Agreement, in the event of inconsistencies between the provisions of this Agreement and any other agreements between the parties, the provisions of this Agreement shall prevail.
11.4 Should any provision of this Agreement be invalid or unenforceable, then the remainder of this Agreement shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
ANNEX 1: DETAILS OF PROCESSING OF COMPANY PERSONAL DATA
This Annex 1 includes certain details of the Processing of Company Personal Data pursuant to Article 28(3) GDPR.
Subject matter and duration of the Processing of Company Personal Data
The subject matter of the Processing of Company Personal Data is the provision of the Services by DeepCoding to the Company. The duration of the Processing is for as long as the Services are provided by DeepCoding to the Company.
The nature and purpose of the Processing of Company Personal Data
DeepCoding and any Subprocessor may Process Company Personal Data in accordance with the Company’s instructions and, in particular, for providing the Services, including by collecting, storing on a cloud, analyzing (including by using artificial intelligence and/or deep learning methods) and creating summaries and/or analyses of data that is stored on Company’s systems (such data may include Company Personal Data) for the purpose of providing Company with a detailed analysis of Company’s business activities, including an analysis of the activity of Company’s personnel, to help Company improve efficiency, productivity and task allocation among its personnel.
The types of Company Personal Data to be Processed
Company Personal Data typically includes some or all of the following data relating to the Company’s personnel: first and last name, username, email address, the fact that the person is employed/contracted by Company, position at Company, work tasks assigned to that person, time person spent on such tasks, progress made on tasks and attendance.
The categories of Data Subject to whom the Company Personal Data relates
Data Subjects typically include Company personnel.
The obligations and rights of the parties
The obligations and rights of the Controller and Processor are set out in this Agreement.
ANNEX 2: DEEPCODING’S MAIN SUB-PROCESSORS
SUB-PROCESSOR NAME: Google Cloud
PURPOSE OF PROCESSING: Storage, AI processing
TYPE OF DATA PROCESSED: All types of data as described in Annex 1
This list contains DeepCoding’s main Subprocessors and is not an exhaustive list of all of DeepCoding’s existing Subprocessors. DeepCoding may appoint additional Subprocessors in accordance with Section 5 of this Addendum.