DATA PROCESSING AGREEMENT


 

This Data Processing Agreement (“DPA”) is made and entered into as of this 15 day of August, 2019 by and between [______], incorporated under __________ law, with its principal offices located at ____________________  ( “Client”, or “Data Controller”), and Clique AI Communities, a company incorporated under Israeli law, with its principal offices located at ____________________   (“Clique”  or “Data Processor”) to reflect the parties’ agreement with regard to the Processing of Personal Data (as such terms are defined below) of GDPR-protected individuals. Both parties shall be referred to as the “Parties” and each, a “Party”. 

 

WHEREAS, Clique shall provide the services as set forth in the applicable Subscription Agreement (the “Agreement”) between Client and Clique (collectively, the “Services”) for Client, as described in the Agreement; and

 

WHEREAS, The Services may entail the processing of Personal Data (as defined below) in accordance with the General Data Protection Regulation (EU) 2016/679 EU  (“GDPR”) and its corresponding implementation laws in the EU Member States (collectively, the “Data Protection Laws and Regulations”); and 

 

WHEREAS, In the course of providing the Services pursuant to the Agreement, we may process Personal Data on your behalf, in the capacity of a “Data Processor”; and 

 

WHEREAS, the Parties wish to set forth the arrangements concerning the processing of Personal Data within the context of the Services and agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.

 

NOW THEREFORE, in consideration of the mutual promises set forth herein and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged by the Parties, the parties, intending to be legally bound, agree as follows:

  1. DEFINITIONS​

    1. “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

    2. “Controller” or “Data Controller” means the entity which determines the purposes and means of the Processing of Personal Data. 

    3.  “Member State” means a country that belongs to the European Union and/or the European Economic Area. “Union” means the European Union.

    4. “Personal Data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

    5. “Process(ing)” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

    6. “Processor” or “Data Processor” means the entity which Processes Personal Data on behalf of the Controller.

    7.  “Sub-processor” means any Processor engaged by Clique for the Processing of Personal Data in connection with the Services.

    8. “Supervisory Authority” means an independent public authority which is established by an EU Member State pursuant to the GDPR.
       

  2. PROCESSING OF PERSONAL DATA

    1. Roles of the Parties. The Parties acknowledge and agree that with regard to the Processing of Personal Data, (i) Client is the Data Controller, (ii) Clique is the Data Processor, and that (iii) Clique may engage Sub-processors pursuant to the requirements set forth in Section ‎5 (Sub-processors) below.

    2. Processing of Personal Data 

    3. Subject to the Agreement, Clique shall Process Personal Data in accordance with Client’s documented instructions, for the following purposes: (i) Processing in relation to the Services and in accordance with the Agreement and this DPA; (ii) Processing necessary to comply with other reasonable instructions provided by Client,  where such instructions are consistent with the terms of the Agreement and this DPA; and (iii) Processing as required by Union or Member State law to which Clique is subject; in such a case, Clique shall inform the Client of the legal requirement before processing, unless that applicable law prohibits such information on important grounds of public interest. 

    4. To the extent that Clique cannot comply with a request from Client: (i) Clique shall inform Client, providing relevant details of the problem, and (ii) Clique may, without any kind of liability towards Client, temporarily cease all Processing of the affected Personal Data. If the Parties do not agree on a resolution to the issue in question and the costs thereof, each Party may, as its sole remedy, terminate the Agreement and this DPA with respect to the affected Processing, and Client shall pay to Clique all the amounts owed to Clique or due before the date of termination. 

    5. Clique will not be liable in the event of any claim brought by a third party, including, without limitation, a Data Subject, arising from any act or omission of Clique, to the extent that such is a result of Client’s instructions.
       

  3. ​​​RIGHTS OF DATA SUBJECTS 
    1. ​Data Subject Request. Clique shall, to the extent legally permitted, promptly notify Client if Clique receives a request from a GDPR-protected individual to exercise its rights under the applicable Data Protection Laws and Regulations (each, a “Data Subject Request”). Taking into account the nature of the Processing, Clique shall assist Client by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Client’s obligation to respond to a Data Subject Request. In addition, to the extent Client, in its use of the Services, does not have the ability to address a Data Subject Request, Clique may, upon Client’s request, provide commercially reasonable efforts to assist Client in responding to such Data Subject Request, to the extent Clique is legally permitted to do so. To the extent legally permitted, Client shall be responsible for any costs arising from Clique’s provision of such assistance. 
       
  4. CONFIDENTIALITY
    1. Clique shall ensure that its personnel engaged in the Processing of Personal Data have committed themselves to confidentiality and non-disclosure. 
    2. Clique may disclose and Process the Personal Data: (a) as permitted hereunder; (b) to the extent required by a court of competent jurisdiction or other Supervisory Authority and/or otherwise as required by applicable Data Protection Laws and Regulations; or (c) on a “need-to-know” basis under an obligation of confidentiality to its legal counsel(s), data protection advisor(s) and accountant(s).
       

  5. SUB-PROCESSORS 

    1. Client acknowledges and agrees that Clique may engage third-party Sub-processors in connection with the provision of the Services. Cliqueshall respect the conditions referred to in Articles 28.2 and 28.4 of the GDPR when engaging another processor for Processing Personal Data provided by Client.

    2. Clique current list of Sub-processors used in connection with the Services is available at such Sub-processor list shall include the identities and details of those Sub-processors and their country of location (“Sub-processor List”). The Sub-processor List as of the date of execution of this DPA, or as of the date of publication (as applicable), is hereby, or shall be (as applicable), authorized by Client. In any event, the Sub-processor List shall be deemed authorized by Client unless it provides a written reasonable objection (for reasons related to the GDPR) within ten (10) business days following the publication of the Sub-processor List. Client may reasonably object for reasons related to the GDPR to Clique’s use of an existing Sub-processor by providing a written objection to hello@clique.ai. In the event that Client reasonably objects to an existing Sub-processor, as permitted in the preceding sentences, Client may, as a sole remedy, terminate the applicable Agreement and this DPA with respect only to those Services which cannot be provided by Clique without the use of the objected-to Sub-processor by providing written notice to Clique, provided that all amounts due under the Agreement before the termination date with respect to the Processing in question shall be duly paid to Clique. Furthermore, Client will have no further claims against Clique due to (i) past use of approved Sub-processors prior to the date of objection or (ii) the termination of the Agreement (including, without limitation, requesting refunds) and the DPA in the situation described in this paragraph. 
       

  6. SECURITY

    1. Controls for the Protection of Personal Data. Clique shall maintain all industry-standard technical and organizational measures required pursuant to Article 32 of the GDPR for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Personal Data), confidentiality and integrity of Personal Data. Clique regularly monitors compliance with these measures.

    2. Third-Party Certifications and Audits. Upon Client’s written request, at reasonable intervals and subject to the confidentiality obligations set forth in the Agreement and this DPA, Clique shall make available to Client (that is not a competitor of Clique (or Client’s independent, third-party auditor that is not a competitor of Clique)) a copy of Clique’s then most recent third-party audits or certifications in order to confirm Clique’s compliance with this DPA and/or with applicable Data Protection Laws and Regulations, and shall not be used for any other purpose or disclosed to any third party without Clique’s prior written approval.

    3. Collaboration with Clients’ Data Protection Impact Assessments. Upon Client’s request, Clique may provide Client, at Client’s cost, with reasonable cooperation and assistance needed to fulfil Client’s obligation under the GDPR to: (i) carry out a data protection impact assessment related to Client’s use of the Services, to the extent Client does not otherwise have access to the relevant information, and to the extent such information is available to Clique; or (ii) engage in prior consultation with a Supervisory Authority.
       

  7. PERSONAL DATA INCIDENT MANAGEMENT AND NOTIFICATION
    Clique maintains security incident management policies and procedures specified in Security Documentation and, to the extent required under applicable Data Protection Laws and Regulations, shall notify Client without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data, including Personal Data, transmitted, stored or otherwise Processed by Clique or its Sub-processors of which Clique becomes aware (each, a “Personal Data Incident”). Clique shall make reasonable efforts to identify the cause of such Personal Data Incident and take those steps as Clique deems necessary and reasonable in order to remediate the cause of such a Personal Data Incident to the extent the remediation is within Clique's reasonable control. The obligations herein shall not apply to incidents that are caused by Client or Client’s users. In any event, Client will be the party responsible for notifying supervisory authorities and/or concerned data subjects (where required by Data Protection Laws and Regulations).
     

  8. RETURN AND DELETION OF PERSONAL DATA
    Subject to the Agreement, Clique shall, at the choice of Client, delete or return the Personal Data to Client after the end of the provision of the Services relating to processing, and shall delete existing copies unless applicable law requires storage of the Personal Data. In any event, to the extent required or allowed by applicable law, Clique may retain one copy of the Personal Data for evidence purposes and/or for the establishment, exercise or defense of legal claims and/or to comply with applicable laws and regulations. 
     

  9. TRANSFERS

    1. Transfers to countries that offer adequate level of data protection. Personal Data may be transferred from the EU Member States, the three EEA member countries (Norway, Liechtenstein and Iceland) and the United Kingdom (collectively, “EEA”) to countries that offer adequate level of data protection under or pursuant to the adequacy decisions published by the relevant data protection authorities of the EEA, the Union, the Member States or the European Commission (“Adequacy Decisions”), without any further safeguard being necessary.

    2. Transfers to other countries. If the Processing of Personal Data includes transfers from the EEA to countries which do not offer adequate level of data protection or which have not been subject to an Adequacy Decision (“Other Countries”), the Parties shall comply with Article 46 of the GDPR, including, if necessary, executing the standard data protection clauses adopted by the relevant data protection authorities of the EEA, the Union, the Member States or the European Commission or comply with any of the other mechanisms provided for in the GDPR for transferring Personal Data to such Other Countries.

    3. For clarity, responsibility for compliance with the obligations corresponding to Data Controllers under Data Protection Laws and Regulations shall rest with Client and not with Clique. Clique may, at Client’s cost, provide reasonable assistance to Client with regards to such obligations.
       

  10. GENERAL

    1. Termination. This DPA shall automatically terminate upon the termination or expiration of the Agreement under which the Services are provided. Sections ‎1, ‎2.2.3, ‎8 and ‎10 shall survive the termination or expiration of this DPA for any reason.

    2. Relationship with Agreement. This DPA forms an integral part of the Agreement. In the event of any conflict between the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail over the conflicting provisions of the Agreement. For clarity, capitalized terms not defined herein shall have the meanings assigned to such terms in the Agreement.  

    3. Amendments. This DPA may be amended at any time by a written instrument duly signed by each of the Parties



 

SCHEDULE 1 - DETAILS OF THE PROCESSING

 

Subject matter

 

Clique will Process Personal Data as necessary to perform the Services pursuant to the Agreement, as further instructed by Client in its use of the Services.

 

Nature and Purpose of Processing

 

  1. Providing the Service(s) to Client.

  2. Setting up profile(s) for Permitted Users.

  3. For Clique to comply with the documented instructions provided by Client, where such instructions are consistent with the terms of the Agreement. 

  4. Performing the Agreement, this DPA and/or other contracts executed by the Parties. 

  5. Providing support and technical maintenance, if agreed under the Agreement.

  6. Enforcing the Agreement, this DPA and/or defending Clique’s rights.

  7. Management of the Agreement, the DPA and/or other contracts executed by the Parties, including fees payment, account administration, accounting, tax, management, litigation; and

  8. Complying with all applicable laws and regulations.

  9. All tasks related to the above.

 

Duration of Processing

 

Subject to any Section of the DPA and/or the Agreement dealing with the duration of the Processing and the consequences of the expiration or termination thereof, Clique will Process Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing.

 

Type of Personal Data

 

Client may submit Personal Data to the Services, the extent of which is determined and controlled by Client in its sole discretion, and which may include, but is not limited to the following categories of Personal Data: 

  • First name

  • Last name

  • Email Address

  • Company Name​​​​

 

Categories of Data Subjects

 

Client may submit Personal Data with respect to the Services, which may include, but is not limited to Personal Data relating to the following categories of data subjects:

​​​​

  • Client’s users authorized by Client to use the Services

  • Employees, agents, advisors, freelancers of Client (who are natural persons)