1. Scope
    • This Data Processing Addendum (“DPA”) forms an integral part of the Terms and Conditions of QEDIT Systems Ltd. Available at: and the QEDIT Privacy Policy available at: (collectively, the “Terms”) and supplement the Terms to the extent that QEDIT processes Personal Data, or has access to Personal Data, in the course of its performance under the Terms.
    • This DPA is intended to satisfy the requirement for an obligatory contract between the processor and controller for the onward transfer of personal data as well as to reflect the parties’ agreement with regard to the Processing of data, including Personal Data, in accordance with the requirements of applicable Data Protection Laws. Parties shall comply with the provisions of this DPA when collecting and processing Personal Data in connection with the provision of the Services (as such term is defined in the Terms).
    • QEDIT shall qualify as the Data Processor and Customer shall qualify as the Data Controller. [As between the Parties, all Customer Personal Data processed under the terms of this DPA shall remain the property of Customer.] Under no circumstances will QEDIT act, or be deemed to act, as a Data Controller (or equivalent concept) of the Customer Personal Data Processed under any Data Protection Laws.


  1. Definitions

All capitalized terms not defined in this DPA have the meanings set forth in the Terms.

  • Approved Jurisdiction” means a member state of the European Economic Area, or other jurisdiction as may be approved as having adequate legal protections for data by the European Commission.
  • Breach Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
  • Data Controller”, “Data Processor”, “data subject”, “process” and “processing” shall have the meanings ascribed to them in the Data Protection Laws.
  • Data Protection Laws” means any and/or all applicable domestic and foreign laws, rules, directives and regulations, on any local, provincial, state or deferral or national level, pertaining to data privacy, data security and/or the protection of Personal Data, including the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”) and the Israeli Protection of Privacy Law, 5741-1981 (and any regulation thereof), to the extent applicable.
  • Personal Data” means any information that is about, or can be related to, an identifiable individual. Personal Data includes any information that can be linked to an individual or used to directly or indirectly identify an individual. Personal Data shall be considered Confidential Informati
  • Security Measures” means commercially reasonable security-related policies, standards, and practices commensurate with the size and complexity of QEDIT’s business, the level of sensitivity of the data collected, handled and stored, and the nature of QEDIT’s business activities.
  • Standard Contractual Clauses” means the standard contractual clauses for the transfer of Personal Data to data processors established in third countries adopted by the European Commission Decision C(2010)593.
  • Sub-Processors” means any affiliate, agent or assign of QEDIT that may process Personal Data pursuant to the terms of the Terms, and any unaffiliated processor engaged by QEDIT.


  1. Compliance with Laws
    • Each Party shall comply with its respective obligations under the Data Protection
    • QEDIT shall provide reasonable cooperation and assistance to Customer in relation to QEDIT’s processing of Personal Data in order to allow Customer to comply with its obligations as a Data Controller under Data Protection Laws.
    • Each Party agrees to notify the other Party promptly if it becomes unable to comply with the terms of this DPA and take reasonable and appropriate measures to remedy such non-compliance.
    • Throughout the duration of the DPA, Customer agrees and warrants that:
      • Personal Data has been and will continue to be collected, processed and transferred by Customer in accordance with the relevant provisions of the Data Protection Laws and subject to the Terms;
      • the processing of Personal Data by Customer, as well as any instruction to QEDIT in connection with the processing of the Personal Data (“Processing Instructions”), has been and will continue to be carried out in accordance with the relevant provisions of the Data Protection Laws;
      • Personal Data has been collected and transferred fairly and lawfully, pursuant to any applicable Data Protection Laws, and that the concerned it has informed data subjects of the processing and transfer of Personal Data pursuant to DPA and obtained the relevant consent thereto (including without limitation any consent required in order to comply with the Processing Instructions and those purposes detailed herein); and that
      • Customer shall ensure that each data subject is fully aware and gives unambiguous consent to the terms relating to the handling of their personal data, including the collection, process and possession of their personal data, and to a privacy notice which shall reflect the terms herein.
      • Customer will establish, implement, and maintain an information security program that includes administrative, physical and technical safeguards for the protection of the security, confidentiality and integrity of Personal Data, including without limitation safeguards related to the physical and environmental security measures, information transmission, periodic risk assessments, password protections, access control and authorization, encryption of data in transit and at rest, web security, incident management, fault and intrusion detection, staff training, secured destruction and disposal of information, mitigation of vulnerabilities, back-up and business continuity, host services monitoring, employee confidentiality and background checks. In addition, Customer will establish, implement, and maintain an security incident management policies and procedures in accordance with applicable law.


  1. Processing Purpose and Instructions
    • It is hereby clarified that the Customer shall be solely and fully responsible for obtaining any consent and take any action necessary to comply with Data Protection Laws and for the provision of information to the data subject prior to the collection of the Personal Data and as a condition to be provided with the Services by QEDIT. Customer undertakes to provide QEDIT with a record of when and how Customer got consent, including, to the extent applicable, consent information and timestamp. Such information shall be submitted to QEDIT’s approval in advanced. Customer further undertakes to immediately notify QEDIT of any change, request or amendment to a consent and understand that such may incur changes or amendments to the Services or to a Campaign. Following any such notice from the Customer, QEDIT shall provide the Customer with an acknowledgment confirmation.
    • QEDIT shall act based on Customer’s reasonable instructions. The instructions include the provision of the Services and Campaigns by QEDIT as set forth in the Terms. The instructions may be received through API or any automatic means incorporated into the Application. Customer shall remain liable with respect to any instructions, provided that QEDIT acted in accordance with the instructions.
    • QEDIT shall use, process Personal Data to deliver the Services in accordance with the Terms and the Data Protection Laws.
    • QEDIT will not use Personal Data for any use other than as provided in the Terms or this DPA. Processing any Personal Data outside the scope of the Terms or Customer’s instructions will require an agreement between QEDIT and Customer, and may include additional fees.
    • Notwithstanding the foregoing, QEDIT shall be entitled to process and use the Personal Data for internal, statistical and financial purposes provided however that any personal attributes shall be removed from such Personal Data or on an aggregated basis.


  1. Reasonable Security and Safeguards
    • QEDIT represents, warrants, and agrees to use Security Measures to (i) protect the availability, confidentiality, and integrity of any Personal Data processed by QEDIT in connection with the Terms; and (ii) protect such data from Breach Incidents.
    • QEDIT may update or modify the Security Measures from time to time provided that such updates and modifications shall not result in the degradation of the overall Security Measures.
    • QEDIT shall take reasonable steps to implement appropriate technical and organizational measures and to ensure the reliability of its staff who have access to and process Personal Data. QEDIT shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. QEDIT shall remain liable for any act or omission of its staff that does not comply with the requirements of this DPA.


  1. Breach Incidents

Upon becoming aware of a Breach Incident, QEDIT will notify Customer as soon as reasonably possible without undue delay, investigate the Breach Incident, provide information relating to the Breach Incident as reasonably requested by Customer and make best efforts to prevent a recurrence of the Security Breach. QEDIT will use reasonable endeavors to assist Customer in mitigating, where possible, the adverse effects of any Breach Incident as required to comply with Data Protection Laws. Notification to end users should be at the responsibility of Customer.


  1. Security Assessments and Audits
    • QEDIT audits its compliance against data protection and information security standards on a regular basis, as required by Data Protection Laws. Such audits are conducted by QEDIT’s internal audit team or by third party auditors engaged by QEDIT.
    • QEDIT shall, upon reasonable and written notice and subject to obligations of confidentiality, allow its data processing procedures and documentation to be inspected annually by Customer in order to ascertain compliance with this DPA. QEDIT shall cooperate in good faith with audit requests by providing access to relevant knowledgeable personnel and documentation.


  1. Cooperation and Assistance
    • If QEDIT receives any request from individuals relating to the processing of Personal Data under the Terms, including requests from individuals seeking to exercise their rights under Data Protection Law, (each a “Request”) QEDIT shall (unless legally compelled) promptly redirect the Request to Customer. The Request may be received through API or any automatic means incorporated into the Application.
    • QEDIT will not respond to such Request directly without Customer’s prior authorization unless Customer’s response is not received by QEDIT within 48 hours (or otherwise any shorter period as dictated by Data Protection Law). If QEDIT responded directly to such a Request, QEDIT shall provide Customer with a copy of the Request and respond, unless legally prohibited from doing so.
    • A respond by QEDIT to any request from applicable data protection authority, supervisory authority, other government or regulatory entity or is required by law, relating to the processing of Personal Data under the Terms and the disclosure of Personal Data, shall not be considered to be a breach of this DPA, provided, however, that QEDIT shall (to the extent legally permitted) notify Customer upon receipt of such request thereof to enable Customer to seek a protective order or otherwise prevent or contest such request.
    • Notwithstanding the foregoing, QEDIT will cooperate with Customer with respect to any action taken by it pursuant to such order, demand or request.
    • Upon reasonable notice, QEDIT shall provide reasonable assistance to Customer in:
      • allowing data subjects to exercise their rights under the Data Protection Law, including (without limitation) the right of access, right to rectification, restriction of processing, erasure (“right to be forgotten”), data portability, object to the processing, or the right not to be subject to an automated individual decision making;
      • ensuring compliance with any notification obligations of Brach Incidents to the supervisory authority and communication obligations to data subjects, as required under Data Protection Laws;
      • Ensuring Customer’s compliance with its obligation to carry out Data Protection Impact Assessments (“DPIA”) or prior consultations with data protection authorities with respect to the processing of Personal Data.

Any such assistance to Customer will be solely at Customer’s expense and may include additional fees.


  1. Use of Sub-Processors

Customer provides a general consent to QEDIT to engage onward Sub-Processors, provided that QEDIT has entered into an agreement with the Sub-Processor containing data protection obligations that are as restrictive as the obligations under this DPA (to the extent applicable to the services provided by the applicable Sub-processor).


  1. International Data Transfers
    • QEDIT may transfer and process Personal Data to and in other locations around the world where QEDIT or its Sub-processors maintain data processing operations as necessary to provide the Services as set forth in the Terms.
    • If QEDIT processes Personal Data in a jurisdiction that is not an Approved Jurisdiction, QEDIT shall ensure that it has a legally approved mechanism, such as Privacy Shield or Standard Contractual Clauses in place to allow for the international data transfer.
    • Customer shall be required and obligated to include, in the framework of its relevant terms and conditions or otherwise privacy policy, the Standard Contractual Clauses so as to allow QEDIT if it so wishes, to rely on such Standard Contractual Clauses in order to allow for the international data transfer.


  1. Data Retention and Destruction

QEDIT will only retain Personal Data for as long as Services are provided to Customer [as long as the customer has a valid account] in accordance with the Terms. Notwithstanding the foregoing, QEDIT shall be entitled to maintain Personal Data following the termination of the Terms for internal, statistical and financial purposes provided that QEDIT maintains such Personal Data on an aggregated basis or otherwise after having removed all personally identifiable attributes from such Personal data, so that the Data is no longer Personal Data.


  1. Indemnification
    • Customer will indemnify and save QEDIT and each of its officers, employees and agents or Sub-Processors (subject to Section 9 above) (each a “Indemnified Party”) harmless from and against any losses, claims, actions, suits, proceedings, damages, liabilities or expenses including the aggregate amount paid in reasonable settlement of any actions, suits, proceedings, investigations or claims and the reasonable fees, disbursements and taxes of their counsel in connection with any action, suit, proceeding, investigation or claim that may be made or threatened against any Indemnified Party or in enforcing this indemnity (each a “Claim”) to which an Indemnified Party may become subject insofar as the Claim relate to, is caused by, result from, arise out of or is based upon, directly or indirectly, any failure by Customer to comply with the terms of this DPA or any Data Protection Law and to reimburse each Indemnified Party forthwith, upon demand, for any cost, fine, damage, reasonable attorneys’ fee or other liability of any nature (whether direct, indirect or consequential) incurred by such Indemnified Party in connection with any Claim.
    • The rights accorded to the Indemnified Party hereunder shall be in addition to any rights an Indemnified Party may have at common law, Data Protection Law or otherwise.


  1. General
    • Any claims brought under this DPA will be subject to the terms and conditions of the Terms, including the exclusions and limitations set forth in the Terms.
    • In the event of a conflict between the Terms (or any document referred to therein) and this DPA, the provisions of this DPA shall prevail.
    • QEDIT may modify the terms of this DPA in circumstances such as (i) if required to do so by a supervisory authority or other government or regulatory entity, (ii) if necessary to comply with Data Protection Laws, or (iii) to implement or adhere to standard contractual clauses, approved codes of conduct or certifications, binding corporate rules, or other compliance mechanisms, which may be permitted under Data Protection Laws. QEDIT will provide notice of such changes to Customer, and the modified DPA will become effective, in accordance with the terms of the Terms.
    • If any of the Data Protection Laws are superseded by new or modified Data Protection Laws (including any decisions or interpretations by a relevant court or governmental authority relating thereto), the new or modified Data Protection Laws shall be deemed to be incorporated into this DPA, and parties will promptly begin complying with such Data Protection Laws.
    • In the event and to the extent that the Data Protection Laws impose stricter obligations on the Customer than under this DPA, the Data Protection Laws shall prevail.
    • Customer agrees that, in the event of a breach of this DPA, neither QEDIT nor any relevant user will have an adequate remedy in damages and therefore QEDIT shall be entitled to injunctive or equitable relief to immediately cease or prevent the use or disclosure of Personal Data not contemplated by the Terms and to enforce the terms of this DPA or ensure compliance with all Data Protection Laws.
HomeData Processing Agreement