Effective Date: May 25, 2018

Data Processing Agreement

This Data Processing Agreement (”DPA”) forms an integral part of, and is subject to, the Go2mobi Terms of Service available at https://www.go2mobi.com/terms/, as the case may be (”Agreement”), entered into by and between You (as defined under the Agreement) (hereinafter referred to as “Controller”) and ConvertStar Inc. (“Go2mobi”) (hereinafter referred to as “Processor”). Controller and Processor are hereinafter jointly referred to as the “Parties” and individually as the “Party”. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement.

  1. Definitions. In addition to capitalized terms defined elsewhere in this DPA, the following terms shall have the meanings set forth opposite each one of them:
    1. “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control” for purposes of this definition means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
    2. “Applicable Laws” means (i) European Union or Member State laws with respect to any Controller Personal Data in respect of which Controller is subject to EU Data Protection Laws; and (ii) any other applicable law with respect to any Controller Personal Data in respect of which the Controller is subject to any other Data Protection Laws
    3. “Personal Data” means any Personal Data Processed pursuant to or in connection with the Agreement;
    4. “Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other applicable country as agreed in writing between the Parties, including in Israel;
    5. “EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
    6. “GDPR” means EU General Data Protection Regulation 2016/679;
    7. “Restricted Transfer” means a transfer of Personal Data where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws);
    8. “Sub Processor” means any person (including any third party and any Processor Affiliate, but excluding an employee of Processor or any of its sub-contractors) appointed by or on behalf of Processor or any Processor Affiliate to Process Personal Data on behalf of the Controller in connection with the Principal Agreement; and
    9. The terms, “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processor”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR.
  2. Processing and Use of Personal Data.
    1. Controller instructs Processor (and authorizes Processor to instruct each Sub Processor) to (i) Process Personal Data; and (ii) in particular, transfer Personal Data to any country or territory, all as reasonably necessary for the provision of the Service and consistent with the Agreement (including the Privacy Policy, as defined under the Agreement) and in accordance with Applicable Laws.
    2. Controller will at all times: (i) only use Personal Data accessed through the Service for the purpose of acting as Advertiser, as defined under the Agreement; (ii) not use Personal Data for its own purpose or those of any third party.
    3. Each party shall comply with its obligations under Applicable Privacy Law(s) in respect of any Personal Data it processes under this DPA
  3. Processor Personnel. Processor shall take reasonable steps to ensure that access to the Personal Data is limited on a need to know/access basis, and that all Processor personnel receiving such access are subject to confidentiality undertakings or professional or statutory obligations of confidentiality in connection with their access/use of Personal Data.
  4. Security. The Parties will implement and maintain all appropriate technical and organizational security measures to protect from security incidents and to preserve the security, integrity and confidentiality of all data in connection with the Contract(s), including Personal Data (“Security Measures”). Such measures shall have regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. At a minimum, Controller agrees to the following Security Measures (i) Personal Data is not changed while stored, transferred or otherwise processed (ii) Personal Data that is stored, transferred or otherwise processed is encrypted or kept in another equally secure format; (iii) the availability of and access to Personal Data can be ensured in a timely manner in the event of a physical or technical incident; (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing is in place; (v) appropriate safeguards are in place to restrict and/or limit access to Personal Data to those employees who (a) have a strict need to know; (b) have been provided with appropriate training on the handling of Personal Data; and (c) have agreed to confidentiality obligations consistent with the terms herein.
  5. International Transfers. Controller shall not process or transfer any Personal Data in or to a territory other than the territory in which the Personal Data was first collected (nor permit the Personal Data to be so processed or transferred) unless: (i) it has first obtained Processor’s prior written consent; and (ii) it takes all such measures as are necessary to ensure such processing or transfer is in compliance with Applicable Privacy Laws.
  6. Sub Processing.
    1. Controller authorizes Processor and each Processor Affiliate to appoint (and permit each Sub Processor appointed in accordance with this Section 6 to appoint) Sub Processors in accordance with this Section 6 and any restrictions in the Agreement.
    2. Processor and each Processor Affiliate may continue to use those Sub Processors already engaged by Processor or any Processor Affiliate as of the date of this DPA.
    3. Processor may appoint new Sub Processors and shall give notice of the appointment of any new Sub Processor (for instance as part of a Privacy Policy amendment), whether by general or specific reference to such Sub Processor (e.g., by name or type of service).
    4. With respect to each new Sub Processor, Processor shall:
      1. before the Sub Processor first Processes Personal Data, take reasonable steps (for instance by way of reviewing privacy policies as appropriate) to ensure that the Sub Processor is committed to provide the level of protection for Personal Data required by the Agreement; and
      2. ensure that the arrangement between the Processor and the Sub Processor is governed by a written contract, including terms which offer materially similar level of protection for Personal Data as those set out in this DPA that meet the requirements of Applicable Laws.
  7. Data Subject Rights.
    1. Controller shall be solely responsible for compliance with any statutory obligations concerning requests to exercise Data Subject rights under Data Protection Laws (e.g., for access, rectification, deletion of Personal Data, etc.). Taking into account the nature of the Processing, Processor shall reasonably endeavour to assist Controller insofar as feasible, to fulfil Controller’s said obligations with respect to such Data Subject requests, as applicable, at Controller’s sole expense.
    2. Processor shall:
      1. promptly notify Controller if it receives a request from a Data Subject under any Data Protection Law in respect of Controller Personal Data; and
      2. ensure that it does not respond to that request except on the documented instructions of Controller or as required by Applicable Laws to which the Processor is subject, in which case Processor shall, to the extent permitted by Applicable Laws, inform Controller of that legal requirement before it responds to the request.
  8. Personal Data Breach.
    1. Processor shall notify Controller without undue delay upon Processor becoming aware of a Personal Data Breach affecting Personal Data, in connection with the Processing of such Personal Data by the Processor or Processor Affiliates. In such event, Processor shall provide Controller with information (to the extent in Processor’s possession) to assist Controller to meet any obligations to inform Data Subjects or Data Protection authorities of the Personal Data Breach under the Data Protection Laws.
    2. At the written request of the Controller, Processor shall reasonably cooperate with Controller and take such commercially reasonable steps as are agreed by the parties or necessary under Privacy Protection Laws to assist in the investigation, mitigation and remediation of each such Personal Data Breach, at Controller’s sole expense.
  9. Data Protection Impact Assessment and Prior Consultation. At the written request of the Controller, the Processor and each Processor Affiliate shall provide reasonable assistance to Controller, at Controller’s expense, with any data protection impact assessments or prior consultations with Supervising Authorities or other competent data privacy authorities, as required under any applicable Data Protection Laws. Such assistance shall be solely in relation to Processing of Personal Data provided by Controller.
  10. Deletion or return of Personal Data. Processor shall promptly and in any event within up to sixty (60) days of the date of cessation of any Services (the “Cessation Date”), delete or pseudonymize all copies of Personal Data provided by Controller, except such copies as authorized including under this DPA or required to be retained in accordance with applicable law and/or regulation.
  11. General Terms
    1. Governing Law and Jurisdiction.
      1. The Parties to this DPA hereby submit to the choice of jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity; and
      2. This DPA and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Agreement.
    2. Order of Precedence. Nothing in this DPA reduces either party’s obligations under the Agreement in relation to the protection of Personal Data or permits either party to Process (or permit the Processing of) Personal Data in a manner which is prohibited by the Agreement. In the event of any conflict or inconsistency between this DPA and the Privacy Policy (as defined under the Agreement), the Privacy Policy shall prevail provided only that the procedure prevailing through the Privacy Policy shall not constitute as a breach or infringement of any Applicable Laws. This DPA is not intended to, and does not in any way limit or derogate from Controller’s obligations and liabilities towards the Processor under the Agreement, and/or pursuant to the GDPR or any law applicable to Controller, in connection with the collection, handling and use of Personal Data by Controller or its Affiliates or other processors or their sub-processors. Subject to this Section 11.2, with regard to the subject matter of this DPA, in the event of inconsistencies between the provisions of this DPA and any other agreements between the Parties, including the Agreement and including (except where explicitly agreed otherwise in writing, signed on behalf of the Parties) agreements entered into or purported to be entered into after the date of this DPA, the provisions of this DPA shall prevail.
    3. Severance. Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall either be (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.