Data Processing Agreement

As a responsible forward-looking business, Meckano Ltd., from 251 HaHistadrut st. Haifa I, Israel ("Meckano" or the “Company”), recognizes the need to protect the security and privacy of the data it’s processing as part of its daily conduct, and comply with the provisions of the GDPR as well as the Israeli Privacy Protection Regulations (Data Security), 2017 (the “Israeli Security Regulations”). As part of that, the Company has implemented various technological and organizational security measures as detailed hereunder.

This Data Processing Addendum (“DPA”), forms part of any other agreement by and between Meckano and the undersigned customer of Meckano (“Customer” and together with the Company, the “Parties”) for the provision of certain services by Meckano to the Customer, including without limitation, software system and mobile app for the management of an attendance cloud system for the management of manpower, shifts arrangement and report data and ancillary support and maintenance services (the "Services", "System" and the "Main Agreement" respectively).

In the course of providing the Services to the Customer pursuant to the Main Agreement, Meckano may Process Personal Data on behalf of the Customer. Meckano agrees to comply with the following provisions with respect to any Personal Data submitted by or for the Customer to Meckano or collected and Processed by or for the Customer using Meckano’s Services and System.

  1. Definitions

 The following definitions are used in this DPA:

1.1. "Data Controller", "Data Processor", "Data Subject", "Personal Data Breach" and "Supervisory Authority" shall have the meanings ascribed to them in the GDPR.

1.2. "Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject" as defined under the GDPR). This DPA does not address or limit the processing of anonymous data which is not identifiable and/or can no longer be identified or associated with a Data Subject, even if such data is de-identified, aggregated or statistical and was produced by using Personal Data (e.g. aggregative data which was derived from raw Personal Data), for statistical and/or financial purposes, provided always that Company maintains such data on an aggregated basis or otherwise after having removed all personally identifiable attributes from such data;

1.3. "Usage and Account Data" means technical, account management and contact info of the users of the System, which is Processed by Meckano as part of its direct customers management (e.g. System’s users’ usernames and passwords, email addresses relevant for the identification and access management of System’s users, time of usage, etc.);

1.4. "Process" or "Processing" means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as storage, collection, recording, organization, structuring, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, restriction, erasure or destruction;

1.5. "Delete" means the removal or obliteration of Personal Data such that it cannot be reconstructed;

1.6. "Third Country" means a country which is not: (a) part of the EEA; (b) recognized by the EU Committee as a country which ensures an adequate level of protection;

1.7. "EEA" means those countries that are members of the European Economic Area;

1.8. "Standard Contractual Clauses" means the standard contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the European Council (available as of June 2021 at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj), as updated, amended, replaced or superseded from time to time by the European Commission. The current Standard Contractual Clauses are attached herein by linked reference: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN.

1.9. "Sub-processor" means any third party (excluding an employee of the Company but including Company’s Affiliates and all third party service providers engaged by the Company or its Affiliates in the performance of the Services) appointed by or on behalf of the Company to Process Personal Data for the benefit of the Customer as part of the performance of the Services under the Main Agreement.

1.10. "Affiliate" means a corporation which directly controls or is controlled by or is under common control with a party. As used in this section, “control” means direct ownership of fifty percent (50%) or more of the shares of stock entitled to vote for the election of directors.

1.11. "Privacy Laws and Regulations" means, to the extent applicable, the Israeli Privacy Protection Law, 1981 and the regulations and guidelines promulgated thereunder, and the General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR").

  2. Processing of customer's Personal Data

2.1. The type of Personal Data which may be Processed pursuant to this DPA, the subject matter, duration, nature and purpose of the Processing, and the categories of Data Subjects, are as described in Annex 1, as required by Privacy Laws and Regulations.

2.2. This DPA applies to all Personal Data Processed by Meckano as part of Meckano’s provision of the Services to the Customer. In this context, to the extent that Privacy Laws and Regulations apply to the Personal Data which may be Processed by Meckano on behalf of the Customer, during the provision of the Services and the term of the Main Agreement and this DPA, the Parties hereby acknowledge and agree that the Customer is the Data Controller, and Meckano is the Data Processor. Where the Customer itself is the Data Processor of such Personal Data, Meckano shall be deemed as a Sub-processor.

2.3. With respect to Usage and Account Data, the Customer acknowledges that Meckano shall be deemed as the Controller of any such Usage and Account Data under the GDPR. Meckano acknowledges that, as between the Parties, all Personal Data Processed on behalf of the Customer (except for Usage and Account Data) shall be and remain the sole property of the Customer.

2.4. Each party warrants in relation to Personal Data that it will comply (and will procure that any of its authorized personnel shall comply), with the provisions of the Privacy Laws and Regulations and this DPA.

2.5. As between the Parties, the Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data fed to the System by the Customer or on behalf of the Customer, and the means by which such Personal Data was acquired, including any consent required for that. Without derogating from the generality of the above said, if the Customer provides access to the System to any of its employees or other third parties, the Customer shall be solely responsible for obtaining any disclosure or consent.

  3. Meckano's Undertakings

With respect to all Personal Data Processing which shall occur during the provision of the Services by Meckano, Meckano warrants and undertakes as follows:

3.1. Limited and purpose-oriented Processing

3.1.1. Meckano shall Process Customer's Personal Data, only in order to provide the Services, and shall strictly act only in accordance with: (i) this DPA; (ii) the Customer's written instructions as represented by the Main Agreement and this DPA; and (iii) as required by the provisions of the GDPR.

3.1.2. Meckano shall immediately inform the Customer if, in its opinion, any of the Customer’s instructions infringes any of the provisions of the GDPR or other Privacy Laws and Regulations.

3.2. Data protection and access authorizations

3.2.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Meckano shall establish, implement and maintain an information security program that includes administrative, physical and technical safeguards for the protection of the security, confidentiality and integrity of the Personal Data, pursuant to Meckano’s information security policy and in accordance with applicable Privacy Laws and Regulations, as stipulated in Annex 3 of this DPA, including without limitation, safeguards related to: physical and environmental security measures, information transmission, periodic risk assessments, passwords, access control and authorization, responsibilities and accountability, encryption algorithms, secured software, web security, development and maintenance, incident management, fault and intrusion detection, training, vendors' security assessments, secured information deletion, destruction or disposal, mitigation of vulnerabilities, back-up and business continuity, employees confidentiality suitability checks (subject to the Israeli law).

3.2.2. Those measures shall include (as a minimum):

a) Implementation of security-related policies and procedures, standards and practices designated for the protection of Personal Data;

b) Minimization of Personal Data Processing;

c) Use of encryption and pseudonymization where needed and possible;

d) Implementation of data protection measures by default and by design;

e) The use of proper firewalls and antivirus systems;

f) Managing organizational passwords policy which enforces complexity requirements;

g) Keeping backup and recovery capabilities;

h) The use of other state of the art technological and organizational controls mitigating data protection risks or any data breach or loss.

3.2.3. Meckano shall review its security policies and operating procedures periodically and as required under the Privacy Laws and Regulations, in order to keep it updated and amended;

3.2.4. Meckano shall implement a control mechanism for verifying access to systems containing Customer's Personal Data, which shall include the user identity, date and time of access attempt, the system component attempted to be accessed, type and scope of access and if access was granted or denied. Meckano will monitor compliance with these safeguards as stipulated in Annex 3 of this DPA. Meckano will not materially decrease the overall security of the Service during the term of this DPA.

3.3. Meckano's Personnel

3.3.1. Meckano shall take commercially reasonable steps to ensure that Meckano's personnel will comply with the terms of this DPA and the provisions of the GDPR;

3.3.2. Meckano shall implement authorization and access control mechanisms ensuring that any access to Personal Data by Meckano’s employees and/or personnel shall be strictly limited to those employees and/or personnel which are in need of such access for the provision of the Services;

3.3.3. Meckano shall ensure that all relevant personnel have undertaken appropriate training regarding their responsibilities, and are informed of the importance and confidential nature of the Personal Data;

3.3.4. All of Meckano's personnel have committed themselves to confidentiality in writing or are under an appropriate statutory obligation of confidentiality.

3.4. Engaging Sub-processors and other contractors

3.4.1. Meckano shall comply with the conditions referred to in paragraphs 2 and 4 of Article 28 of the GDPR for engaging another Sub-processor;

3.4.2. Meckano has implemented a proper procedure for engaging Sub-processors and other external suppliers, in order to ensure that any such engagement is being made in accordance with the provisions of the GDPR, including:

3.4.2.1. Prior to any such engagement, and taking into account the nature, context, scope and costs of Processing actions to be carried out by the Sub-processor, Meckano shall assess and analyze any Personal Data related risks involved in the engagement;

3.4.2.2. Any relevant Sub-processor shall be subject to contractual terms substantially no less protective than those imposed on Meckano in this DPA. Upon Customer request, Meckano shall provide Customer with a copy of the relevant contractual arrangement between Meckano and each Sub-processor (for the avoidance of doubt, commercial terms and other confidential clauses included therein may be redacted at Company’s sole discretion) and an updated list of Sub-processors.

3.4.3. Subject to compliance with Sections 3.4.4 and 3.4.5, Customer hereby (i) grants Meckano a general authorization to engage (and permits each Sub-processor appointed in accordance with this Section to engage) Sub-processors for the purpose of providing the Services; (ii) agrees that Affiliates of Meckano may be used as Sub-processors; and (iii) confirms that Meckano may continue to use those Sub-processors already engaged by Meckano as of the effective date of this DPA, which are detailed in Annex 2 to this DPA.

3.4.4. Meckano will provide Customer with a prior written notice of Meckano’s intention to engage any additional Sub-processor to Process any Customer Personal Data ("New Processor"), thereby giving Customer the opportunity to object to engagement of a New Processor. In the event Customer objects, its sole remedy is to terminate the Main Agreement with no further compensation or remediation.

3.4.5. Where the Sub-processor fails to fulfil its Personal Data protection obligations under this DPA, Meckano shall remain fully liable to Customer for the performance of that Sub-processor's obligations under this DPA and the applicable Privacy Laws and Regulations.

3.5. Customer's Data Subject's Rights requests and inquiries

3.5.1. Taking into account the nature of the Processing made by it as a Processor, Meckano shall assist the Customer within a reasonable timescale with addressing requests for exercising the Data Subject's rights laid down in Chapter three of the GDPR, including without limitation: (i) Customer employees, supervising authorities, or Data Subjects requests for assistance in relation to any request from a Data Subject to exercise any of the Data Subject's rights under applicable Privacy Laws and Regulations; and (ii) any other correspondence, inquiry or complaint received from a Data Subject (or on a Data Subject's behalf), supervising authority and other regulators, or competent authorities in connection with the Processing of Customer Personal Data under the Main Agreement;

3.5.2. Meckano's assistance may be provided by implementing relevant interfaces in the System, in a manner which provides the Customer with all relevant information and features required for him for addressing any such request or legal obligation;

3.5.3. If any such communication related to the Processing of the Customer’s Personal Data is made directly to Meckano, Meckano shall promptly notify the Customer if it receives any such inquiry from any Data Subject on behalf of the Customer, provide Customer all related details and will not respond to the communication unless specifically required by applicable Privacy Laws and Regulations or authorized in writing by Customer;

3.5.4. For removal of any doubt, Meckano shall not directly respond to any Data Subject's request on behalf of the Customer, unless it is required to do so by the provisions of the GDPR. In addition, Meckano shall not bear any responsibility to any response or denial provided by the Customer to any Data Subject with regard to its rights under the provisions of the GDPR, to the extent Meckano has provided the Customer with the assistance and information as required under this DPA.

3.6. Data Transfers to Third Countries

3.6.1. To the extent any Processing of Personal Data by Meckano or any Sub-processor on its behalf, takes place in any Third Country, the Customer agrees, and Meckano undertakes that, any such Processing shall be subject to a written agreement which includes the Standard Contractual Clauses.

3.6.2. The Customer acknowledges and agrees that Meckano is an Israeli based company, and therefore some of its Processing actions shall be conducted in Israel, under an adequacy decision provided by the relevant EU committee.

3.6.3. At all times, Meckano will provide an adequate level of protection for the Personal Data, wherever processed, in accordance with the requirements of the applicable Privacy Laws and Regulations.

3.6.4. If required and applicable, Meckano and Customer may enter into and sign the Standard Contractual Clauses.

3.6.5. Meckano will not process or transfer any Personal Data outside the EEA, to other territories, unless the transfer of the Personal Data is made: (i) to a territory that was formally recognized by the European Commission as providing adequate protection to Personal Data ("Adequacy Recognition"); or (ii) in accordance with the relevant terms of the Standard Contractual Clauses - the Standard Contractual Clauses shall apply to Meckano in its role as processor as if it were the “data importer” and to Customer in its role as “data exporter”. In particular, Meckano agrees that as provided in the Standard Contractual Clauses, Customer shall be third party beneficiary to the Standard Contractual Clauses. In addition, Customer and Meckano hereby agree that the security provisions in this DPA shall apply to Appendix 2 of the Standard Contractual Clauses and vice versa.

3.6.6. From time to time, Customer may request Meckano to enter into such other Personal Data arrangements, as may be required pursuant to applicable Privacy Laws and Regulations or other applicable privacy laws and regulations, and Meckano will endeavor in good-faith to comply with such requirements. In the event that Meckano will not comply with such requirement, Customer may terminate the Main Agreement and this DPA with no further compensation or remediation.

3.6.7. Meckano will downstream the obligations for transferring Personal Data under Section 3.6, as required under applicable Privacy Laws and Regulations, by entering into appropriate onward transfer agreements with all relevant Meckano’s Sub-processors, other processors (as this term is referred to under the GDPR) or equivalents to Sub-processors or other processors under applicable Privacy Laws and Regulations, to whom Meckano transfers the Customer’s Personal Data.

3.6.8. As applicable, if: (i) the Adequacy Recognition is invalidated or otherwise terminated; (ii) the Standard Contractual Clauses are invalidated or no longer in effect; or (iii) any other Personal Data transfer safeguard is no longer in effect for any reason, then Meckano will take such alternative lawful measures, as may be available and applicable, to continue facilitating the lawful transfer of Customer’s Personal Data by Meckano, and by Meckano’s Sub-processors, other processors, or equivalents thereof.

3.6.9. If Meckano is unable to provide an alternative measure to continue transferring Customer’s Personal Data, then Customer may terminate upon a written notice with immediate effect (i) the DPA and the Main Agreement (upon a pro-rated refund of applicable pre-paid fees), or (ii) those portions of the Services which cannot be provided without the transfer of the Customer’s Personal Data (upon a pro-rated refund of any applicable pre-paid fees for those portions of the Services, and a pro rata reduction of future fees as agreed by the parties), with no further compensation or remediation.

3.7. Personal Data Breach and Security Incidents

3.7.1. Meckano shall notify the Customer without undue delay and in any event within 48 hours upon becoming aware of any Personal Data Breach and/or security incidents. Such notification shall, at a minimum:

3.7.2. describe the date and time, the nature of the Personal Data Breach, and the categories and numbers of Data Subjects concerned;

3.7.3. communicate the contact details of Meckano’s relevant contact from whom more information may be obtained;

3.7.4. describe the likely consequences of the Personal Data Breach and potential adverse effects of the incident; and

3.7.5. describe the measures taken or proposed to be taken to address the Personal Data Breach, remediate the risks involved with the Personal Data Breach including without limitation, an analysis of the root cause that led to such Personal Data Breach, to mitigate potential adverse effects and to prevent the occurrence of a similar incident in the future.

3.7.6. Meckano will use commercially reasonable endeavors to assist the Customer in mitigating, where possible, the adverse effects of any such Personal Data Breach;

3.7.7. Meckano shall not inform any third party of a Personal Data Breach, without notifying the Customer, unless it is required to do so under the provisions of the GDPR, provided that, Meckano will keep Customer informed of the status of such notification and any response from any such third parties, unless such notification by Meckano is prohibited under applicable laws or regulations.

3.8. Information, Audit rights and Assistance with Risk Assessments

3.8.1. Upon Customer request, and taking into account the nature of Processing and the available data, Meckano shall provide reasonable assistance to the Customer under Articles 32 to 36 of the GDPR with respect to: (a) data protection impact assessments and prior consultation that are carried out by the Customer; (b) prior consultations to any supervisory authority; (c) breach notifications to any supervisory authority and/or any Data Subject; (d) Customer's ability to demonstrate its compliance with the provisions of the GDPR; (e) Any required notification to Customer's employees, supervising authorities or Data Subjects as applicable, taking into account the nature of Processing and the information available to Meckano (it shall be clarified that Meckano shall not be obligated to provide Customer employees with any “employee GDPR notice” or any similar disclosure); (f) Requests to exercise Data Subjects' rights, complaints and inquiries pursuant to this DPA as described in Section 3.5 above.

3.8.2. Meckano shall reasonably assist the Customer and provide it with information that is necessary to demonstrate compliance with Meckano's obligations laid down in this DPA, and contribute to audits reasonably required and conducted by the Customer or another auditor mandated by the Customer.

3.8.3. For removal of any doubt, any such assistance to the Customer shall be provided in each case solely in relation to Processing of Customer's Personal Data on behalf of the Customer and/or Customer’s employees.

3.9. Deletion or return of Customer's Personal Data

3.9.1. Other than to the extent required to comply with the provisions of the GDPR or other applicable Privacy Laws and Regulations, and at Customer's sole choice, Meckano shall delete or (where possible) return all the Personal Data in its possession or control to the Customer after the termination of the Main Agreement, and delete existing copies unless otherwise required by the provisions of the GDPR or other applicable Privacy Laws and Regulations, in which event Meckano will isolate and protect such Personal Data from any further Processing except to the extent required by such law. It shall be clarified that back-up data may be kept for longer periods in accordance with Meckano’s ongoing back-up routines, provided however that under no circumstances such data shall be used for any other purpose than the mere resilience and availability of the System, unless Customer has specifically required that Meckano shall delete or (where possible) return all the Personal Data contained therein in accordance with this Section 3.9;

3.9.2. Within 30 (thirty) days from termination of the Main Agreement and upon receiving written demand from the Customer, Meckano shall provide written certification to the Customer that it has fully complied with this deletion undertaking. Notwithstanding the above, general backup files may be kept for an additional 90 (ninety) days, provided that: (i) backup files shall be used only for limited backup purposes and for no other purpose; (ii) the provisions of this DPA shall apply with respect to any file containing Customer’s data, until its final deletion or destruction by the Company.

  4. Miscellaneous

4.1. Except as amended by this DPA, the Main Agreement shall remain in full force and effect.

4.2. This DPA is the final, complete and exclusive agreement of the Parties with respect to the subject matter hereof and supersedes and merges all prior discussions and agreements between the Parties with respect to such subject matter, other than the Main Agreement. In the event of any conflict between the terms of this DPA and the Main Agreement, the terms of this DPA shall prevail.

4.3. Meckano’s liability under this DPA is subject to the limitations on liability contained in the Main Agreement.

4.4. This DPA shall be deemed effective as of the same date that the Main Agreement came into effect, and shall remain in full force until the later of the date when Meckano ceases to Process the Personal Data on behalf of the Customer, or until the Main Agreement is expired or terminated for any reason. This DPA will terminate simultaneously and automatically with the termination of the Main Agreement. Notwithstanding anything to the contrary herein express or implied, any Customer confidentiality obligations under the Main Agreement and this DPA will survive the expiration or termination for any reason of the Main Agreement and of this DPA.

4.5. This DPA shall be governed by the laws and jurisdiction as agreed in the Main Agreement.

4.6. Any alteration or modification of this DPA is not valid unless made in writing and executed by duly authorized personnel of both Parties.

4.7. Invalidation of one or more of the provisions under this DPA will not affect the remaining provisions. Invalid provisions will be replaced, to the extent possible, by such valid provisions which achieve essentially the same objectives.

(Last Updated: August 2022)