This Data Processing Addendum (“DPA”) is incorporated by reference into the agreement governing the use of the Services as defined in this Agreement (“Agreement”) entered by and between you, the Customer (as defined in the Agreement) (collectively, “you”, “your”, “Customer”), and PULSE.HR Ltd (“Pulse HR”, “Processor”, “us”, “we”, “our”) to reflect the parties’ agreement with regard to the Processing of Personal Data by the Processor solely on behalf of the Customer. Both parties shall be referred to as the “Parties” and each, a “Party”.
By using the Services, Customer accepts this DPA and you represent and warrant that you have full authority to bind the Customer to this DPA. If you cannot, or do not agree to, comply with and be bound by this DPA, or do not have authority to bind the Customer or any other entity, please do not provide Personal Data to us.
In the event of any conflict between certain provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail over the conflicting provisions of the Agreement.
1. Definitions
“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity.
The terms “Controller”, “Processor”, “Processing” shall have the same meaning as in the Data Protection Laws.
“Data Protection Laws” means the Protection of Privacy Law, 5741-1981 and secondary legislation including Israeli Privacy Protection Regulations (Data Security), 2017 (“Data Security Regulations”) and the Privacy Protection Authority’s guidance and policies as may be updated, amended, extended and re-enacted from time to time.
“Data Subject” means the identified or identifiable person to whom the Personal Data relates.
“Personal Data” means any information that identifies a natural person, which is processed by the Processor solely on behalf of Customer under this DPA and the Agreement.
“Services” means the services provided to Customer by the Processor in accordance with the Agreement.
“Sub-processor” means any third party that Processes Personal Data under the instruction or supervision of the Processor.
2. Processing of Personal Data
Roles of the Parties. The Parties acknowledge and agree that with regard to the Processing of Personal Data solely on behalf of Customer, (i) Customer is the Controller of Personal Data, (ii) Processor is the Processor of such Personal Data. The terms “Controller” and “Processor” below hereby signify Customer and PULSE.HR respectively.
For the avoidance of doubt, Processor may use statistical or aggregated information in an anonymous or aggregated manner for any purpose, including for the purpose of securing, supporting and improving the Services and any ancillary or related services.
Customer’s Processing of Personal Data. Customer, in its use of the Services, and Customer’s instructions to the Processor, shall comply with Data Protection Laws. Customer has provided notice and obtained consent as required under Data Protection Laws in order to collect, Process and transfer to Processor the Personal Data, and to authorize the Processing by Processor in accordance with this DPA, and for Processor’s Processing activities on Customer’s behalf.
Processor’s Processing of Personal Data. When Processing on Customer’s behalf under the Agreement, Processor shall Process Personal Data for the following purposes: (i) Processing in accordance with the Agreement and this DPA; (ii) Processing for Customer as part of its provision of the Services; (iii) Processing to comply with Customer’s reasonable and documented instructions, where such instructions are consistent with the terms of the Agreement, regarding the manner in which the Processing shall be performed; without derogating from the above, it should be clarified that Processor shall not comply with Customer instructions that are unlawful or inconsistent with applicable Data Protection Laws; (iv) rendering Personal Data fully anonymous, non-identifiable and non-personal in accordance with applicable standards recognized by Data Protection Laws and guidance issued thereunder; (v) Processing as required under the laws applicable to Processor, and/or as required by a court of competent jurisdiction or other competent governmental or semi-governmental authority.
Details of the Processing. The subject-matter of Processing of Personal Data by Processor is the performance of the Services pursuant to the Agreement and the purposes set forth in this DPA. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Schedule 1 (Details of Processing) to this DPA.
3. Data Subject Requests
Processor shall, to the extent legally permitted, notify Customer or refer Data Subject to Customer, if Processor receives a request from a Data Subject to exercise their rights (to the extent available to them under applicable Data Protection Laws) (“Data Subject Request”). Processor shall reasonably assist the Customer in the fulfilment of its obligation to respond to Data Subject Requests. Customer shall bear the costs associated with Processor’s assistance.
4. Confidentiality
Processor shall ensure that its personnel engaged in the Processing of Personal Data have committed themselves to confidentiality.
5. Sub-processors
Appointment of Sub-processors. Customer acknowledges and agrees that (a) Processor’s Affiliates may be engaged as Sub-processors; and (b) Processor and Processor’s Affiliates on behalf of Processor may each engage third-party Sub-processors in connection with the provision of the Services.
Objection to New Sub-processors. Customer may reasonably object to Processor’s use of a new Sub-processor, for reasons relating to the protection of Personal Data intended to be Processed by such Sub-processor, by notifying Processor promptly in writing within seven (7) days after receipt of notice by the Processor of such new appointment. Such written objection shall include the reasons for objecting to Processor’s use of such new Sub-processor. Failure to object to such new Sub-processor in writing within seven (7) days following Processor’s notice shall be deemed as acceptance of the new Sub-Processor. In the event Customer reasonably objects to a new Sub-processor, as permitted in the preceding sentences, Processor will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s configuration or use of the Services to avoid Processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening the Customer. If Processor is unable to make available such change within 30 days, each Party may, as a sole remedy, terminate the applicable Agreement and this DPA with respect only to those Services which cannot be provided by Processor without the use of the objected-to new Sub-processor, by providing written notice to the other Party. All amounts due under the Agreement before the termination date with respect to the Processing at issue shall be duly paid to Processor. Until a decision is made regarding the new Sub-processor, Processor may temporarily suspend the Processing of the affected Personal Data and/or the Services. Customer will not have any claims against Processor due to the termination of the Agreement (including, without limitation, requesting refunds) and/or the DPA.
Agreements with Sub-processors. Processor has entered into a written agreement with each Sub-processor containing reasonable safeguards for the protection of Personal Data.
6. Security & Audits
Controls for the Protection of Personal Data. Processor shall maintain industry-standard technical and organizational measures for protection of Personal Data Processed hereunder as detailed in Schedule 2 to this DPA and as may be amended by the Processor from time to time. Customer confirms that it has examined Processor’s systems, data protection policies, standards and security measures and that they comply with Data Protection Laws and Customer’s requirements.
Audits and Inspections. Upon Customer’s 30 days prior written request at reasonable intervals (no more than once every 12 months), and subject to strict confidentiality undertakings by Customer, and at the Customer’s expense, Processor shall make available to Customer that is not a competitor of Processor (or Customer’s independent, reputable, third-party auditor that is not a competitor of Processor and not in conflict with Processor, subject to their confidentiality and non-compete undertakings) information necessary to demonstrate compliance with this DPA. The information shall only be used by Customer to assess compliance with this DPA and shall not be used for any other purpose or disclosed to any third party without Processor’s prior written approval. Upon Processor’s first request, Customer shall return all records or documentation provided by Processor in the context of the audit and/or the inspection.
7. Data Incident Management and Notification
Processor shall notify Customer without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data Processed by Processor on behalf of the Customer (a “Data Incident”). At the request of the Customer, Processor will reasonably cooperate with the investigations. The Parties will keep each other informed of any new developments with regard to any Data Incident and of the measures they take to limit its consequences and to prevent the repetition of such Data Incident. It is the responsibility of the Customer to report any Data Incident to the Supervisory Authority or the Data Subject, as required. Unless prohibited by applicable laws, Customer shall provide Processor with reasonable prior written notice to provide Processor with the opportunity to object to such disclosure and in any case Customer will limit the disclosure to the minimum scope required.
8. Return and Deletion of Personal Data
Within 45 days following termination of the Agreement and subject thereto, Processor shall, at the choice of Customer (indicated through the Services or in written notification to Processor), delete or return to Customer all the Personal Data it Processes solely on behalf of the Customer in the manner described in the Agreement, and Processor shall delete existing copies of such Personal Data unless Data Protection Laws require otherwise. Notwithstanding the above, Processor shall not be required to delete data from backups or archival systems. In addition, Processor shall be entitled to retain Personal Data for evidence purposes and/or for the establishment, exercise or defense of legal claims and/or for compliance with applicable laws, legal obligations, etc.
9. Trans-Border Data Transfers
The Customer hereby agrees to process and store the Personal Data on Google (“Cloud Provider”) as a cloud provider according to Cloud Service Provider documentation, procedures and policies as may be updated and amended from time to time. The Processor reserves the right to replace the Cloud Provider as a cloud service provider or add additional cloud service providers according to its sole discretion. The Processor shall not be responsible for any data protection matters including those related to the Company, third parties/Cloud Service Providers, etc.
10. Miscellaneous
- This DPA may not be amended or modified except in writing signed by authorized representatives of both parties.
- The Processor maintains the right to perform the Services through its affiliates, employees, service providers and representatives located in various locations around the world, including but not limited to the United States, the EEA and other locations, according to its sole discretion.
- Processor’s liability in accordance with this DPA shall not exceed the amount actually paid to the Processor by the Customer under the Agreement over the 3 months prior to the damage.
- All notices under this DPA will be in writing and will be delivered by courier service, facsimile or certified mail to such address as appearing in the preamble to this Agreement or at such other address as may be designated from time to time by the relevant Party. Any notice sent by certified mail will be deemed to have been given three (3) days after the date on which it was mailed. All other notices will be deemed given when received.
- All assistance to be performed by the Processor under this DPA exceeding 6 hours per quarter, will be charged on the basis of the hours worked and the hourly rates of Processor as may be updated from time to time. Processor will invoice these amounts on a monthly basis.
- This DPA constitutes the entire agreement of the Parties with respect to the subject matter hereof and supersedes all prior understandings or agreements of the Parties with respect thereto, whether written or oral, and may be amended only by the written consent of both parties hereto.
- No failure, delay or forbearance of either Party in exercising any power or right hereunder shall in any way restrict or diminish such Party’s rights and powers under this DPA, or operate as a waiver of any breach or non-performance by either Party of any terms or conditions hereof.
IN WITNESS WHEREOF, this DPA is entered into and becomes a binding part of the Agreement with effect from the date first set out above.
Schedule 1 – Details of the Processing
Nature and Purpose of Processing
- Providing the Services to Customer;
- Performing the Agreement, this DPA and/or other contracts executed by the Parties;
- Acting upon Customer’s instructions, where such instructions are consistent with the terms of the Agreement;
- Sharing Personal Data with third parties in accordance with the provisions of the DPA;
- Complying with applicable laws and regulations;
- All tasks related to any of the above.
Duration of Processing
Subject to any section of the DPA and/or the Agreement dealing with the duration of the Processing and the consequences of the expiration or termination thereof, Processor will Process Personal Data pursuant to the DPA and Agreement for the duration of the Agreement.
Type of Personal Data
All the data required for the purposes of providing the Services in accordance with the Agreement.
Categories of Data Subjects
Personal Data relating to the following categories of Data Subjects: Employees.
Schedule 2 – Technical and Organisational Measures
a. Security Management
- Processor maintains an internal information security program.
- Processor reviews and updates its security measures periodically.
b. Network Security Measures
Processor employs technical security controls. These measures include:
- Firewall protections and network access controls within the cloud infrastructure environment;
- Encryption of network traffic using industry-standard TLS protocols;
- Segmentation of infrastructure components using private network zones;
- Reverse proxy and load balancing layers controlling external access to application services;
- Monitoring and logging mechanisms;
- Protection against malware and unauthorized access;
- Authentication mechanisms including password protection and multi-factor authentication for sensitive resources.
Network security measures may be updated by Processor from time to time.
c. System and Data Protection Measures
Processor implements technical safeguards to protect personal data processed through the Services. These safeguards include:
- Encryption of data in transit using TLS;
- Encryption of data at rest within the cloud infrastructure;
- Role-based access control mechanisms restricting access to authorized users;
- Logical separation of customer data within the multi-tenant platform;
- Secure management of infrastructure access credentials;
- Regular backups of customer data.
d. Organizational Measures
Access to Personal Data is limited to personnel who require such access in order to perform their job responsibilities. Processor maintains internal policies and procedures governing:
- acceptable use of systems;
- data access controls;
- incident response and escalation procedures.
e. Personnel Security
Processor implements personnel security measures including:
- requiring employees and contractors to sign confidentiality obligations;
- restricting access to personal data based on the “Need to Know” principle and least privilege;
- providing internal awareness regarding data protection and security responsibilities;
- conducting background checks where permitted under applicable law.
f. Physical Security
Processor hosts its infrastructure on Google Cloud Platform (GCP). Physical security of the infrastructure is managed by Google Cloud. Processor relies on Google Cloud’s physical security controls.
g. Incident Response
Processor maintains procedures for responding to security incidents that may affect personal data. Such procedures include identification, investigation, mitigation, and notification processes consistent with applicable contractual and legal obligations.
h. Updates to Security Measures
Processor may update or modify these technical and organizational measures from time to time, provided that such updates do not materially decrease the level of protection for Personal Data processed under the Agreement.