Data Processing Addendum
Last updated February, 2025
This Data Processing Addendum (“Addendum”) is hereby incorporated into the Software as a Service Agreement ("Agreement") entered into by and between you ("Customer") and Spot-Nik Ltd. (“Company”).
WHEREAS
the Customer has engaged the Company to provide the Applications to the Customer, for Customer's internal business purposes; and
WHEREAS
use of the Applications involves processing certain Personal Data (as defined below) of individuals, and the parties wish to regulate the Company's processing of such Personal Data through this Addendum, which is an integral part of the Agreement.
THEREFORE,
the parties have agreed to this Addendum, consisting of these parts:
Part 1: Part One – General Provisions
- Applicability: Always applies and is in force.
Part 2: Part Two – EU/EEA or UK GDPR
- Applicability: Part Two applies and is in force only if the answer to the following question is YES.
- Determination of applicability: Is the Customer a controller or Processor under GDPR?
Part 1: General Provisions
1. Definitions. In this Addendum, the following terms shall be interpreted as follows:
- "Applicable Laws” means the Israeli Privacy Protection Law, 5741-1981 and the regulations promulgated thereunder (and in particular the Privacy Protection Regulations (Data Security), 5777-2017), the guidelines of the Israeli Data Protection Authority, as well as any legislative or administrative provision or directive that will apply to the Processor in connection with the provision of the services under the Agreement.
- "Database" means a collection of personal data held by digital means.
- “Personal Data” means information, data and data sets that relate to an individual, and which identify such individual, or which may reasonably be used in order to identify such individual, regardless of the medium in which such data is being presented, and which the Processor Processes for and on behalf of the Customer within the scope of providing the Applications and the services associated therewith.
- "Personal Data Breach” means an actual or reasonably suspected incident: (a) of unauthorized access to or use of Personal Data, or such access or use exceeding authorization, or (b) impacting the integrity of the Personal Data in a manner that is not authorized or exceeds authorization.
- "Processing" (and its derivatives, including, but not limited to, "Process") means the collection, access, retention, modification, use, disclosure and transfer of Personal Data.
- “Processor” means the Company.
Any capitalized terms not defined herein shall have the meaning ascribed to them in the Agreement.
2. Scope. This Addendum shall only apply where the Company is Processing Individuals' Personal Data provided to it as part of the provision of services through the Applications ("Customer Personal Data"), on behalf of the Customer and under the Customer's instructions.
3. Order of Precedence. In the event of any conflicting provisions between this Addendum and the Agreement or any other agreement in place between the parties, the provisions of this Addendum shall prevail.
4. The Applications are developed and operated using the monday.com API. Customer Data is stored on monday.com’s servers, and not on our own servers, and is subject to monday.com's strict data protection standards. We do not store any Customer Data on our servers, except for configuration data (monday.com ID and the interface settings set out by Customer and its users), which we use strictly for the purpose of facilitating the proper display of Customer Data to Customer.
5. Processor’s obligations regarding the Processing of Customer Personal Data
- The Processor shall Process the Customer Personal Data on behalf of Customer solely for the purposes of providing its Applications and any services associated therewith under the Agreement, and only in the manner determined in the Agreement and in this Addendum.
- The Processor shall map the operational environment of the Database. In this regard, the Processor shall prepare an inventory list (the “Inventory List”) that includes all the systems, software, interfaces, infrastructures of hardware components and communications components that the Processor operates in the Database environment for the ongoing operation of the Database (the “Database Systems”). The Processor shall update the Inventory List from time to time and shall only disclose the document on a need-to-know basis to those individuals who require access to it for the performance of their job functions. However, the Processor shall update the Inventory List in any case in which substantial changes to the operating environment are implemented in the Database or in the manner in which Customer Personal Data is Processed.
- Processor shall develop, implement, and enforce a data security policy that covers at least the following topics (“Data Security Policy”):
  - Guidelines regarding the physical protection of the Database Systems and the sites in which they are located;
  - Guidelines regarding the management and monitoring of access authorizations and actions taken in the Database;
  - Mapping of the security measures taken by the Processor regarding the Database;
  - Guidelines for individuals authorized to access Customer Personal Data and the Database;
  - A review of the risks to which the Customer Personal Data is exposed as part of the Processor’s ongoing activities, including instructions regarding the means of recording, monitoring, and identifying threats to which the Database Systems are exposed;
  - Instructions and procedures regarding the mitigation and management of a Personal Data Breach;
  - Instructions and procedures regarding the use of removable devices.
The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as set forth in this Addendum.
- The Processor undertakes to manage access rights to Customer Personal Data, including by way of providing its employees with ‘Least Privileges’ based on their ‘Need to Know’, for the purpose of carrying out their tasks, and shall take measures in order to prevent access by unauthorized individuals to Personal Data. In addition, Processor will maintain an up-to-date listing of all individuals authorized to access or use the Database and will prevent access by any individual who does not have a need to be exposed to the Personal Data. The Processor is liable to the Customer for any action or omission by anyone acting on the Processor’s behalf in connection with Customer Personal Data.
- The Processor shall not grant access to the Customer Personal Data to its employees, consultants or anyone else acting on its behalf, before confirming, within the boundaries of applicable law, that their background, integrity, and reliability are suitable for a position granting them access to Customer Personal Data. The Processor will ensure that its staff who are authorized to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- The Processor shall grant its employees access to the Database subject to conducting training activities regarding the privacy protection and information security obligations applicable to the Processor by virtue of the Applicable Laws and this Addendum.
- The Processor shall provide the Customer with a yearly report summarizing the Processor’s compliance with the provisions of this Addendum.
6. Disclosure and transfer of Customer Personal Data
- The Processor shall not disclose Customer Personal Data in the scope of its Processing activities to any entity, unless the Customer has provided its prior written consent, except as follows:
  - As strictly necessary for the provision of its Applications and the services associated therewith;
  - Where such disclosure is required by Applicable Law or during legal proceedings, in which case the Processor shall notify the Customer in writing immediately upon receipt of the disclosure request and prior to fulfilling it, and will cooperate and disclose the minimum Personal Data necessary to comply with Applicable Law or legal proceedings.
- The Customer authorizes the Processor to engage third party sub-processors and service providers in Processing Customer Personal Data within the scope of the Agreement and this Addendum. The Processor will bind sub-processors to agreements that require the sub-processors to Process the Customer Personal Data in a manner consistent with the Processor’s obligations under this Addendum and any Applicable Laws, by way of engaging in a written contract providing sufficient guarantees thereof. The Processor shall be liable to the Customer for sub-processors’ compliance with their obligations.
- The Processor shall use conventional encryption mechanisms for any transfer of Personal Data to a third party and for any remote connection to the Database Systems.
7. Storing, Deletion and Return of Personal Data
- The Processor shall maintain logical separation between the Database Systems and the other computer systems used by the Processor that are not directly related to the Processing of Customer Personal Data. In the event the Database Systems are connected to the Internet or to another public network, the Processor shall install appropriate means of protection, such as firewalls and anti-virus tools.
- The Processor shall retain the Customer Personal Data only as strictly necessary to provide the Applications and the services associated therewith to Customer, or as mandatory under Applicable Laws.
- The Processor shall regularly update the Database Systems, including the software installed in the Database Systems, with information security updates. When operating the Database Systems, Processor will not use software and/or hardware components that the manufacturer does not support in terms of their security, and will always use such components in the manner in which that use was intended.
- The Processor shall engage with market-standard cloud hosting services to host Customer Data. If Processor retains Customer Data on its own servers and computing systems, Processor shall implement measures to prevent or limit the connection of removable devices to the Database Systems or devices Processing Personal Data (to the extent those Database Systems or devices are located in the Processor’s premises or assigned to its employees, consultants, and anyone on its behalf).
- Upon the Customer’s written request where no subsequent further processing is required, or when the Agreement is terminated, the Processor shall, at the instruction of the Customer, either delete or destroy some or all of the Customer Personal Data that it and its third parties Process for the Customer. Notwithstanding the foregoing, following the deletion of Personal Data per Customer's request, Processor may still retain statistical or aggregated anonymized data derived from Customer Personal Data for the Processor's business purposes.
8. Data subjects' rights
- The Processor shall provide support and assistance, as requested by the Customer, in relation to data subjects’ requests to review their Personal Data, rectify it or delete it (each, a "Data Subject Request"). The Processor shall pass on to the Customer any Data Subject Requests it receives, along with any relevant details. The Processor shall not respond to any Data Subject Request unless the Processor is legally compelled to respond. Where the Processor is compelled to respond to a Data Subject Request, then unless prohibited by law, it shall permit the Customer to participate in the response process to ensure compliance with Applicable Laws.
- The Processor shall, at the request of the Customer in writing, rectify or delete Personal Data in its possession if Customer accepted a Data Subject Request to do so.
9. Cross-Border Data Transfers
- The Processor shall comply with Applicable Laws regarding the transfer of Personal Data to foreign jurisdictions, including but not limited to the Protection of Privacy Regulations (Transfer of Information to Databases Outside of Israel), 5761-2001, when disclosing or transferring Personal Data.
10. Personal Data Breach
- The Processor shall, without undue delay, notify the Customer of any Personal Data Breach affecting Customer Personal Data that it becomes aware of. Such notice shall include details of the nature of the Personal Data Breach, the category and approximate number of affected individuals, anticipated consequences and proposed remedies for mitigating the possible adverse effects of the Personal Data Breach.
- The Processor will investigate the Personal Data Breach, and take reasonable measures to mitigate the Personal Data Breach and prevent its reoccurrence. The Processor will cooperate with the Customer, in good faith, on issuing required statements or notices to authorities and data subjects.
- In the event of a Personal Data Breach, the parties will discuss the matter and reach an agreement regarding the measures required to repair the Personal Data Breach and the schedule for their implementation.
11. Disputes. Any dispute that the parties are unable to amicably resolve under this Addendum shall be subject to the sole and exclusive jurisdiction and venue specified in the Agreement.
Part 2: Additional requirements for GDPR Compliance
Introduction & Scope
- In the event of any conflicting provisions between this Part 2 and Part 1, the provisions of this Part 2 shall prevail.
- Capitalized terms used in this Part 2 but not defined herein shall have the meaning ascribed to them under the GDPR and any supplementing national law (collectively, "Data Protection Laws").
- This Part 2 applies only where the Processor is Processing Personal Data as a Data Processor on behalf of the Customer and under the Customer’s instructions.
Data Processing
- The Processor will Process the Personal Data only on Customer’s behalf, for as long as Customer instructs the Processor to do so. The Processor shall Process the Personal Data on behalf of Customer solely for the purpose set forth in this Part 2.
- The nature and purpose of the Processing activities are the provision of the Applications and the services associated therewith to the Customer. The Personal Data Processed is determined by the Customer and may include the data Customer chooses to upload to the Applications when using them.
- The Data Subjects about whom Personal Data is Processed are determined by the Customer and may include end-users and employees of the Customer.
- As a Data Processor, the Processor will Process the Personal Data only as set forth in this Addendum. The Processor and Customer are each responsible for complying with Data Protection Laws as applicable to their roles.
- The Processor will Process the Personal Data only in accordance with written instructions by the Customer. Instructions must be consistent with the nature and characteristics of the Applications and the services associated therewith. The foregoing applies unless the Processor is otherwise required by law to which it is subject (and in such a case, the Processor shall inform Customer of that legal requirement before processing, unless that law prohibits such information). The Processor shall inform the Customer if, in the Processor's opinion, an instruction is in violation of Data Protection Laws.
- The Processor will make available to the Customer all information at its disposal necessary to demonstrate compliance with the obligations under Data Protection Laws.
Data Subject Requests
- The Processor will follow the Customer’s instructions to accommodate Data Subjects’ requests to exercise their rights in relation to their Personal Data, including accessing their data, correcting it, restricting its processing or deleting it. The Processor will pass on to the Customer requests that it receives (if any) from Data Subjects regarding their Personal Data Processed by the Processor. The Processor shall notify the Customer of the receipt of such requests as soon as possible, and no later than three (3) business days from the receipt of such requests, together with the relevant details.
Sub-Processors
- The Customer authorizes the Processor to engage Sub-Processors for carrying out specific Processing activities. At the outset, Customer authorizes the Processor to engage with the following Sub-Processors:
- Without limiting the foregoing, in any event where the Processor engages a Sub-Processor, the Processor will ensure that the same data protection obligations, as set out in this Addendum, are likewise imposed on the Sub-Processor by way of a contract, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of the GDPR. Where the Sub-Processor fails to fulfil its data protection obligations, the Processor shall remain fully liable to the Customer for the performance of the Sub-Processor's obligations.
- Processor and Sub-Processors will only Process the Personal Data in member states of the European Economic Area (EEA), in territories or territorial sectors recognized by an adequacy decision of the European Commission as providing an adequate level of protection for Personal Data pursuant to Article 45 of the GDPR, or using adequate safeguards as required under Data Protection Laws governing cross-border data transfers.
Additional Provisions
- Audits and Inspections., including inspections conducted by the Customer or another auditor mandated by the Customer in order to establish the Processor's compliance with this Addendum and the provisions of applicable Data Protection Laws, as regards the Personal Data that the Processor Processes on behalf of the Customer. Such audits or inspections shall be: (i) carried out during the Processor’s ordinary business hours, not more than one (1) business day per calendar year (unless Data Protection Laws or a supervisory authority mandate more frequent audits or inspections); (ii) conducted upon at least sixty (60) days prior written notice; (iii) conducted with minimal disruption to the Processor’s business activities; (iv) subject to confidentiality undertakings satisfactory to the Processor; and (v) at Customer's sole cost and expense.
- Personal Data Breach. The Processor shall, without undue delay and in any event within forty-eight (48) hours, notify the Customer of any Personal Data Breach that it becomes aware of regarding Personal Data of Data Subjects that the Processor Processes.
- Compliance Support.
  - The Processor will assist the Customer with the preparation of data privacy impact assessments and prior consultation as appropriate (and if needed).
  - Unless legally prohibited, the Processor will provide the Customer prompt notice of any request it receives from authorities to produce or disclose Personal Data it has Processed on the Customer’s behalf, so that the Customer may contest or attempt to limit the scope of the production or disclosure request.
  - Upon the Customer’s request, the Processor will delete Personal Data it has Processed on the Customer’s behalf under this Addendum from its own and its Sub-Processors’ systems, or, at the Customer’s choice, return such Personal Data and delete existing copies, within ten (10) business days of receiving a request to do so. Upon Customer’s request, the Processor will furnish written confirmation that the Personal Data has been deleted or returned pursuant to this section.