This Data Processing Addendum (“DPA”) forms part of the Main Agreement between Meckano Ltd. (“Meckano”) and Customer and governs the Processing of Customer Personal Data by Meckano in connection with the Services. Meckano shall Process Customer Personal Data in accordance with this DPA and Applicable Data Protection Laws.
DPA – Data Processing Agreement
1. Definitions
1.1. “Affiliate” means a corporation which directly controls or is controlled by or is under common control with a party. As used in this section, “control” means direct ownership of fifty percent (50%) or more of the shares of stock entitled to vote for the election of directors.
1.2. “Applicable Data Protection Laws” means all data protection and privacy legislation and regulations applicable to and binding on the Processing of Personal Data hereunder, including, where applicable, the Israeli Privacy Laws, the UK Data Protection Act 2018, the EU Privacy and Electronic Communications (EC Directive) Regulation, the GDPR and any other applicable or equivalent laws, each as amended or superseded from time to time and in effect at the time of Company’s performance hereunder.
1.3. “Customer Personal Data” means any Personal Data and/or Special Categories of Data Processed by Meckano on behalf of Customer in connection with the provision of the Services under the Main Agreement.
1.4. “CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code §§1798.100 et. seq, and its implementing regulations, as may be amended from time to time.
1.5. The terms “Business”, “Business Purpose”, “Consumer”, “Service Provider”, “Contractor”, “Sell” and “Share” shall have the meanings given to them under the CCPA. For clarity, to the extent the CCPA applies, Meckano shall act as a Service Provider and/or Contractor with respect to Customer Personal Data Processed on behalf of Customer under this DPA.
1.6. “GDPR” means EU General Data Protection Regulation 2016/679 and any subsequent amendments, replacements, or supplements; the terms “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Special Categories of Data”, “Process” or “Processing”, “Controller”, “Processor”, and “Supervisory Authority” shall have the same meaning given to them in the GDPR (or, where the same or similar terms are used under other Applicable Data Protection Laws, the meaning given to such terms under such Applicable Data Protection Laws).
1.7. “Israeli Privacy Laws” or “IPL” mean the Protection of Privacy Law 5741-1981 and its implementing regulations, each as amended or superseded from time to time.
1.8. “Process” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as storage, collection, recording, organization, structuring, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, restriction, erasure or destruction;
1.9. “Third Country” means a country which is not: (a) part of the EEA; (b) recognized by the EEA, the European Union Member States or the European Commission as a country which ensures an adequate level of protection; or (c) in the United States, solely for Processing by the Processor or a Sub-processor on its behalf which has self-certified to and complies with the EU-US frameworks, as administered by the US Department of Commerce, to the extent permitted under Applicable Data Protection Laws.
1.10. “EEA” means European Economic Area.
1.11. “Restricted Transfer” means a transfer of Customer Personal Data subject to GDPR, UK GDPR or Swiss Data Protection Law to a recipient in a jurisdiction for which no applicable adequacy decision or other lawful transfer mechanism applies.
1.12. “EU Transfer SCCs” means the standard contractual clauses adopted by the European Commission under Commission Implementing Decision (EU) 2021/914, as amended, replaced or superseded from time to time.
1.13. “Sub-processor” means any third-party engaged directly by the Processor to process any Personal Data pursuant to or in connection with the Services. The term shall not include employees or contractors of the Processor;
1.14. “Website” means Meckano’s official website, available at: https://www.meckano.com/
2. Processing of Customer’s Personal Data
2.1. This DPA applies to all Personal Data Processed by Meckano as part of Meckano’s provision of the Services to the Customer. In this context, to the extent that Applicable Data Protection Laws apply to the Personal Data which may be Processed by Meckano on behalf of the Customer, during the provision of the Services and the term of the Main Agreement and this DPA, the Parties hereby acknowledge and agree that the Customer is the Data Controller, and Meckano is the Data Processor. Where the Customer itself is the Data Processor of such Personal Data, Meckano shall be deemed as a Sub-processor.
2.2. The type of Personal Data which may be Processed pursuant to this DPA, the subject matter, duration, nature and purpose of Processing, and the categories of Data Subjects, are as described in Annex 1, as required by Applicable Data Protection Laws.
2.3. Meckano acknowledges that, as between the Parties, Customer retains all right, title and interest in and to Customer Personal Data and Personal Data Processed on behalf of the Customer.
2.4. Each party warrants in relation to Personal Data that it will comply with the provisions of the Applicable Data Protection Laws and this DPA.
2.5. As between the Parties, the Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data transferred to the System by the Customer or on behalf of the Customer, and for the means by which such Personal Data was acquired, including any consent required for that. Customer is solely responsible for determining and documenting the lawful basis for its collection and disclosure of Customer Personal Data to Meckano, and for providing all required privacy notices and obtaining any consent or other authorizations required by Applicable Data Protection Laws. To the extent Customer uploads documents or fields containing Special Categories of Data or sensitive personal information, including health-related information or precise geolocation, Customer instructs Meckano to process such data solely as necessary to provide the Services and subject to this DPA. Without derogating from the generality of the foregoing, if the Customer provides access to the System to any of its employees or other third parties, the Customer shall be solely responsible for obtaining any disclosure, consent or other lawful basis, notices or authorizations as may apply according to Applicable Data Protection Laws.
2.6. If Processor Processes Personal Data hereunder that originates from Israel or is otherwise subject to the Israeli Privacy Laws, Processor shall adhere to the terms set forth in Annex 4 (IPL Terms) with respect to such Personal Data and the Processing thereof.
2.7. For the avoidance of doubt, Personal Data does not include information that has been anonymized in such a manner that the Data Subject is no longer identifiable by any means reasonably likely to be used, in accordance with Applicable Data Protection Laws.
2.8. Subject to the foregoing, Company may use data that has been aggregated and anonymized for statistical, analytical or business purposes, provided that such data does not identify and cannot reasonably be used to identify any Data Subject.
3. Meckano’s Undertakings
With respect to all Personal Data Processing which shall occur in connection with the provision of the Services by Meckano, Meckano warrants and undertakes as follows:
3.1. Limited and purpose-oriented Processing
3.1.1. Meckano shall Process Customer’s Personal Data, only in order to provide the Services, and shall strictly act only in accordance with: (i) this DPA; (ii) the Customer’s written instructions as represented by the Main Agreement; and (iii) as required by the provisions of the Applicable Data Protection Laws.
3.1.2. Meckano shall immediately, upon becoming aware, inform the Customer if, in its opinion, any of the Customer’s instructions infringes any of the provisions of the Applicable Data Protection Laws.
3.2. Data Protection and Security Measures
3.2.1. Taking into account the nature, scope, context and purposes of the Processing, and the risks to the rights and freedoms of Data Subjects, Meckano shall implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data, as further described in Annex 3 and, where applicable, Annex 4.
3.2.2. Meckano shall not materially decrease the overall security of the Services during the term of the Main Agreement.
3.2.3. Meckano shall treat Personal Data as strictly ‘confidential’ and will not disclose, make available or transfer the Personal Data to any third party, other than as permitted under this DPA.
3.3. Meckano’s Personnel
3.3.1. Meckano shall take commercially reasonable steps to ensure that Meckano’s personnel will comply with the terms of this DPA and the provisions of the Applicable Data Protection Laws;
3.3.2. Meckano shall implement authorization and access control mechanisms ensuring that any access to Personal Data by Meckano’s employees and/or personnel shall be strictly limited to those employees and/or personnel who are in need of such access for the provision of the Services;
3.3.3. Meckano shall ensure that all relevant personnel have undertaken appropriate training regarding their responsibilities, and are informed of the importance and confidential nature of the Personal Data;
3.3.4. All of Meckano’s personnel have committed themselves to confidentiality in writing or are under an appropriate statutory obligation of confidentiality.
3.4. Engaging Sub-Processor and other contractors
3.4.1. Meckano shall comply with the conditions referred to in paragraphs 2 and 4 of Article 28 of the GDPR for engaging another Sub-processor.
3.4.2. Meckano has implemented a proper procedure for engaging Sub-processors and other external suppliers, in order to ensure that any such engagement is being made in accordance with the provisions of the GDPR, including:
- Prior to any such engagement, and taking into account the nature, context, scope and costs of the Processing actions to be carried out by the Sub-processor, Meckano shall assess and analyze any Personal Data related risks involved in the engagement;
- Any relevant Sub-processor shall be subject to contractual terms substantially no less protective than those imposed on Meckano in this DPA (including the Standard Contractual Clauses), to the extent applicable to the nature of the services provided by such Sub-processor. Upon Customer request, Meckano shall provide Customer with a copy of the relevant contractual arrangement between Meckano and each Sub-processor (for the avoidance of doubt, commercial terms and other confidential clauses included therein may be redacted at Company’s sole discretion) and an updated list of Sub-processors.
3.4.3. Subject to compliance with Sections 3.4.4 and 3.4.5, Customer hereby (i) grants Meckano a general authorization to engage (and permits each Sub-processor appointed in accordance with this Section to engage) Sub-processors for the purpose of providing the Services; (ii) agrees that Affiliates of Meckano may be used as Sub-processors; and (iii) confirms that Meckano may continue to use those Sub-processors already engaged by Meckano as of the effective date of this DPA. Meckano shall maintain an up-to-date list of Sub-processors published at the Website.
3.4.4. Meckano will provide Customer with prior written notice of Meckano’s intention to engage any additional Sub-processor to Process any Customer Personal Data (“New Processor”), thereby giving Customer the opportunity to object to the engagement of a New Processor within fourteen (14) days after receipt of the notice. In the event Customer objects, its sole remedy is to terminate the Main Agreement with no further compensation or remediation.
3.4.5. Where a Sub-processor fails to fulfil its Personal Data protection obligations under this DPA, Meckano shall remain fully liable towards the Customer for the performance of the Sub-processor’s obligations under this DPA and the Applicable Data Protection Laws.
3.5. Customer’s Data Subject’s Rights requests and inquiries
3.5.1. Taking into account the nature of the Processing made by it as a Processor, Meckano shall assist the Customer within a reasonable timescale with addressing requests for exercising the Data Subject’s rights laid down in Applicable Data Protection Laws, including without limitation: (i) requests from Customer employees, supervisory authorities, or Data Subjects for assistance in relation to any request from a Data Subject to exercise any of the Data Subject’s rights under Applicable Data Protection Laws; and (ii) any other correspondence, inquiry or complaint received from a Data Subject (or on a Data Subject’s behalf), a supervisory authority or other regulator, or competent authorities in connection with the Processing of Customer Personal Data under the Main Agreement;
3.5.2. Meckano’s assistance may be provided by implementing relevant interfaces in the System, in a manner which provides the Customer with all relevant information and features required by it for addressing any such request or legal obligation;
3.5.3. If any such communication related to the Processing of the Customer’s Personal Data is made directly to Meckano, Meckano shall promptly notify the Customer if it receives any such inquiry from any Data Subject on behalf of the Customer, provide Customer with all related details, and will not respond to the communication unless specifically required by Applicable Data Protection Laws or authorized in writing by Customer;
3.5.4. For the removal of any doubt, Meckano shall not directly respond to any Data Subject’s request on behalf of the Customer, unless it is required to do so by the provisions of the Applicable Data Protection Laws. In addition, Meckano shall not bear any responsibility for any response or denial provided by the Customer to any Data Subject with regard to its rights under the provisions of the Applicable Data Protection Laws, to the extent Meckano has provided the Customer with the assistance and information required under this DPA.
3.6. International Transfers
3.6.1. Customer Personal Data may be transferred to, accessed from, or Processed in countries other than the country in which it was originally collected, solely as necessary for the provision, support, security and operation of the Services and in accordance with this DPA and Applicable Data Protection Laws.
3.6.2. Where Customer Personal Data subject to the GDPR is transferred to Israel, the Parties acknowledge that Israel is currently recognized by the European Commission as providing an adequate level of protection, and no EU Transfer SCCs are required solely by reason of such transfer for so long as such recognition remains in force.
3.6.3. To the extent a transfer of Customer Personal Data constitutes a Restricted Transfer, the applicable module(s) of the EU Transfer SCCs shall be incorporated by reference and deemed completed with the information set out in this DPA and its Annexes.
3.6.4. Where the UK GDPR applies, the applicable UK transfer addendum or other lawful UK transfer mechanism shall apply. Where Swiss data protection law applies, the EU Transfer SCCs shall apply with such amendments as are required under Swiss law.
3.6.5. Meckano shall ensure that onward transfers to Sub-Processors are subject to appropriate contractual and transfer safeguards in accordance with Applicable Data Protection Laws.
3.6.6. If a transfer mechanism relied upon by the Parties is invalidated or ceases to be available, Meckano shall use commercially reasonable efforts to implement an alternative lawful transfer mechanism. If no such mechanism is available for a transfer necessary to provide the Services, Customer may terminate the affected Services in accordance with the Main Agreement.
3.7. Personal Data Breach and Security Incidents
3.7.1. Meckano shall notify the Customer without undue delay and, where feasible, within 48 hours after becoming aware of any Personal Data Breach and/or security incidents affecting Customer’s Personal Data. Information may be provided in phases as it becomes available. Such notification shall, at a minimum:
- describe the date and time, the nature of the Personal Data Breach, and the categories and numbers of Data Subjects concerned;
- communicate the contact details of Meckano’s relevant contact from whom more information may be obtained;
- describe the likely consequences of the Personal Data Breach and potential adverse effects of the incident; and
- describe the measures taken or proposed to be taken to address the Personal Data Breach, remediate the risks involved with the Personal Data Breach including without limitation, an analysis of the root cause that led to such Personal Data Breach, to mitigate potential adverse effects and to prevent the occurrence of a similar incident in the future.
3.7.2. Meckano will use commercially reasonable endeavors to assist the Customer in mitigating, where possible, the adverse effects of any such Personal Data Breach.
3.7.3. Meckano shall not inform any third party of a Personal Data Breach without notifying the Customer, unless it is required to do so under the provisions of the Applicable Data Protection Laws, provided that Meckano will keep Customer informed of the status of such notification and any response from any such third parties, unless such notification by Meckano is prohibited under Applicable Data Protection Laws.
3.8. Information, Audit rights and Assistance with Risk Assessments
3.8.1. Upon Customer request, and taking into account the nature of Processing and the available data, Meckano shall provide reasonable assistance and information to the Customer as required by the Applicable Data Protection Laws, with respect to: (a) data protection impact assessments and prior consultations that are carried out by the Customer; (b) prior consultations with any supervisory authority; (c) breach notifications to any supervisory authority and/or any Data Subject; (d) Customer’s ability to demonstrate its compliance with the provisions of the Applicable Data Protection Laws; (e) any required notification to Customer’s employees, supervisory authorities or Data Subjects as applicable, taking into account the nature of Processing and the information available to Meckano (it shall be clarified that Meckano shall not be obligated to provide Customer employees with any “employee GDPR notice” or any similar disclosure); and (f) requests to exercise Data Subjects’ rights, complaints and inquiries pursuant to this DPA as described in Section 3.5 above.
3.8.2. Meckano shall make available to Customer information reasonably necessary to demonstrate Meckano’s compliance with this DPA. Customer shall first rely on information made available by Meckano, including security summaries, certifications and third-party audit reports. To the extent such information is insufficient under Applicable Data Protection Laws, Customer may conduct, or mandate an independent auditor to conduct, an audit no more than once in any twelve-month period, unless required more frequently due to a Personal Data Breach, material non-compliance or Applicable Data Protection Laws. Any audit shall be subject to at least thirty (30) days’ prior written notice, conducted during normal business hours, and performed in a manner that does not unreasonably disrupt Meckano’s business operations or compromise the confidentiality or security of other customers’ information.
3.8.3. For the avoidance of doubt, any such assistance to the Customer shall be provided in each case solely in relation to Processing of Customer’s Personal Data on behalf of the Customer and/or Customer’s employees.
3.9. Deletion, Archiving and De-identification of Customer Personal Data
3.9.1. Meckano will maintain and implement reasonable data retention and deletion procedures designed to ensure that Customer Personal Data is retained only for as long as necessary for the provision of the Services, compliance with Applicable Data Protection Laws, or other legitimate documented purposes.
3.9.2. During the term of the Services, the Customer may export Customer Personal Data through the export functionalities made available within the Services and is responsible for exporting any Customer Personal Data it wishes to retain prior to termination.
3.9.3. Following termination, Meckano will retain and delete Customer Personal Data in accordance with this DPA, its applicable retention and deletion procedures, and Applicable Data Protection Laws. Any manual, bespoke or non-standard export, retrieval or deletion assistance requested by an active Customer may be subject to additional fees, provided that such fees do not derogate from Meckano’s mandatory obligations under Applicable Data Protection Laws.
3.9.4. Meckano may de-identify, anonymize or aggregate Customer Personal Data so that it no longer identifies, and cannot reasonably be used to identify, any Data Subject, in which case Applicable Data Protection Laws will not apply, and Meckano may use such non-identifiable data for analytics, statistics, service improvement, product development and any other purposes.
4. California Privacy Laws
4.1. To the extent the CCPA applies to the Processing of Customer Personal Data under this DPA, the Parties agree that Meckano shall Process such Customer Personal Data as a “service provider” and/or “contractor”, as applicable, solely for the limited and specified business purposes set out in the Main Agreement and this DPA.
4.2. Meckano shall not sell or share Customer Personal Data, including for cross-context behavioral advertising purposes, and shall not retain, use, disclose or combine Customer Personal Data except for the limited and specified business purposes set out in the Main Agreement and this DPA, within the direct business relationship between Meckano and Customer, or as otherwise permitted under the CCPA.
4.3. Meckano shall provide the same level of privacy protection as required by the CCPA with respect to Customer Personal Data Processed under this DPA, shall reasonably assist Customer in responding to consumer requests under the CCPA to the extent such assistance is technically feasible and relates to Customer Personal Data Processed by Meckano on behalf of Customer, and shall notify Customer if Meckano determines that it can no longer meet its applicable obligations under the CCPA.
4.4. Customer shall have the right to take reasonable and appropriate steps to help ensure that Meckano Processes Customer Personal Data in a manner consistent with Customer’s obligations under the CCPA and to stop and remediate unauthorized use of Customer Personal Data.
4.5. Meckano shall require any Sub-Processor Processing Customer Personal Data subject to the CCPA to be bound by written obligations no less protective than those set out in this Section.
5. Miscellaneous
5.1. Except as amended by this DPA, the Main Agreement shall remain in full force and effect.
5.2. This DPA is the final, complete and exclusive agreement of the Parties with respect to the subject matter hereof and supersedes and merges all prior discussions and agreements between the Parties with respect to such subject matter, other than the Main Agreement. In the event of any conflict between the terms of this DPA and the Main Agreement, the terms of this DPA shall prevail.
5.3. Meckano’s liability under this DPA is subject to the limitations on liability contained in the Main Agreement.
5.4. In connection with any actual or contemplated merger, acquisition, reorganization, sale of assets or shares, financing transaction or change of control, Meckano may disclose or transfer Customer Personal Data to the extent reasonably necessary for such transaction, provided that the recipient is subject to appropriate confidentiality and data protection safeguards. Any successor or acquiring entity that Processes Customer Personal Data following such transaction shall be bound by obligations no less protective than those set out in this DPA, to the extent applicable. Meckano shall notify Customer where required by Applicable Data Protection Laws.
5.5. This DPA shall be deemed effective as of the same date that the Main Agreement came into effect, and shall remain in full force until the later of the date when Meckano ceases to Process the Personal Data on behalf of the Customer, or until the Main Agreement is expired or terminated for any reason. This DPA will terminate simultaneously and automatically with the termination of the Main Agreement. Notwithstanding anything to the contrary herein express or implied, any confidentiality obligations under the Main Agreement and this DPA will survive the expiration or termination for any reason of the Main Agreement and of this DPA.
5.6. This DPA shall be governed by the laws and jurisdiction as agreed in the Main Agreement.
5.7. Any alteration or modification of this DPA is not valid unless made in writing and executed by duly authorized personnel of both Parties.
5.8. Invalidation of one or more of the provisions under this DPA will not affect the remaining provisions. Invalid provisions will be replaced, to the extent possible, by such valid provisions which achieve essentially the same objectives.
Annex 1: Details of the Processing of Personal Data
1. Categories of Data Subject – The categories of Data Subjects may include, to the extent applicable to the Services:
1.1. Customer’s employees, contractors, freelancers, agents, advisors and other end users whose attendance, employment or workforce-related data is managed through the Services;
1.2. Customer’s authorized administrative users, representatives and contact persons;
1.3. Individuals who interact with Meckano’s support or AI-assisted support on Customer’s behalf; and
1.4. Customer’s prospects, customers, business partners or vendors, to the extent their Personal Data is submitted.
2. Type of Personal Data
2.1. Customer may submit, upload or otherwise make available Customer Personal Data to the Services, the scope and extent of which are determined and controlled by Customer in its sole discretion, subject to the Main Agreement and the functionality of the Services.
2.2. Without limiting the foregoing, the categories of Customer Personal Data Processed by Meckano in connection with the Services may include, to the extent submitted, generated or made available through the Services:
2.2.1. Customer End-User / Employee Data: employee full name, email address, contact details, employee or user identifiers, gender, attendance dates and times, attendance records, shift and absence data, attendance location data at the time of reporting, and documents uploaded by Customer in connection with attendance or employment administration, which may include health-related information such as sick leave documentation, to the extent uploaded by Customer;
2.2.2. Customer Administrative / Representative User Data: name, business contact details, email address, phone number, position or role, account identifiers, login and access data, usage data, timestamps, system settings;
2.2.3. Technical, Usage and Security Data: IP address, device / browser information, session data, system logs, audit / access / error logs, authentication data, and limited diagnostic or security-related metadata; and
2.2.4. Support and AI-Assisted Support Data: contact details of Customer’s authorized representatives, including first name, email address and phone number and their support requests, AI-assisted support chat content, chat histories, user-submitted messages, AI-generated responses, session-related metadata, timestamps, but no End-user Personal Data.
3. Processing activities and operations – as required and necessary for the provision of the Services under the Main Agreement or this DPA and for example, may include:
3.1. Hosting, storage, access control, attendance tracking, reporting, support, troubleshooting, backup, deletion/return, Sub-Processor hosting/support etc.;
3.2. Hosting, storage, retrieval, analysis, generation of support responses, logging, internal support administration, abuse/fraud/safety monitoring, and deletion of support chat data, in connection with AI-assisted support functionality made available as part of the Services if applicable.
4. Purpose of Processing – for the provision of the Services under the Main Agreement, including customer support, troubleshooting, service administration, internal service improvements, system maintenance, analytics, and abuse/fraud/safety monitoring related to the AI-assisted support functionality, in accordance with Customer requests and this DPA. Where the CCPA applies, the purposes described in this Annex shall constitute the limited and specified business purposes for which Meckano Processes Customer Personal Data as a service provider.
5. Duration of processing – for the term of the provision of the Services under the Main Agreement, and thereafter for such period as required to complete return, deletion, de-identification, anonymization, archiving, backup, overwrite, legal compliance, security, fraud or abuse prevention, business continuity, or dispute-resolution processes, in accordance with the Main Agreement, this DPA, and Applicable Privacy Laws and Regulations.
Annex 3: Technical and Organizational Security Measures
Meckano shall implement, maintain and periodically review appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data, taking into account the nature, scope, context and purposes of the Processing, the risks presented by the Processing, and the state of the art.
Meckano may update or modify the security measures described in this Annex from time to time, provided that such updates and modifications do not result in a material degradation of the overall security of the Services during the term of the Main Agreement.
For the avoidance of doubt, certain Processing activities may also be subject to additional jurisdiction-specific requirements, including those set out in Annex 4 (IPL Terms).
1. Security Governance and Policies
1.1. Meckano maintains and implements documented information security policies, procedures and practices designed to protect Personal Data and govern access, use, disclosure, retention, deletion, incident response, vendor management and business continuity in relation to the Services.
1.2. Meckano designates responsible personnel to oversee information security and privacy compliance functions, including the coordination of security measures, incident response, access governance, vendor oversight and compliance activities, as applicable to the Services and in accordance with applicable law.
1.3. Meckano defines and maintains internal roles and responsibilities relating to the protection of Personal Data, including responsibilities for access management, security operations, incident handling, vendor oversight and compliance.
1.4. Meckano shall periodically review and update its security policies, procedures and measures, taking into account relevant technological developments, emerging threats, material changes to the Services or Processing activities, and applicable legal or regulatory requirements.
2. Security Certifications and Frameworks
2.1. Meckano maintains an information security management system designed to protect Personal Data and support the security of the Services.
2.2. Meckano maintains ISO/IEC 27001 certification and applies cloud security and privacy controls aligned with ISO/IEC 27017 and ISO/IEC 27018, to the extent applicable to the Services and the Processing of Personal Data thereunder.
3. Access Control and Authorization
3.1. Meckano implements measures designed to prevent unauthorized access to systems and environments used to Process Personal Data, including, as applicable:
3.1.1. role-based access controls based on least privilege and need-to-know principles;
3.1.2. unique user identification or equivalent account-level traceability for personnel accessing systems Processing Personal Data, where reasonably practicable;
3.1.3. authentication mechanisms, including password complexity requirements;
3.1.4. multi-factor authentication for remote administrative access where appropriate;
3.1.5. periodic review and maintenance of access rights; and
3.1.6. update or revocation of access rights without undue delay upon a change in role, termination of employment or engagement, or when access is no longer required.
4. Confidentiality and Personnel Security
4.1. Meckano ensures that personnel authorized to Process Personal Data are subject to appropriate confidentiality obligations and receive training appropriate to their responsibilities regarding privacy, data protection and information security.
4.2. Where legally permitted and appropriate to the role, Meckano may perform pre-engagement screening or background checks for personnel with access to Personal Data or critical systems.
4.3. Access to Personal Data by Meckano personnel shall be limited to personnel who require such access for the performance of their duties in connection with the Services.
5. Physical and Environmental Security
5.1. Meckano implements measures designed to prevent unauthorized physical access to facilities and environments used to Process Personal Data, including, as applicable:
5.1.1. controlled access to offices, facilities and hosted environments;
5.1.2. access management procedures for personnel and visitors;
5.1.3. use of reputable cloud hosting providers maintaining appropriate physical and environmental safeguards;
5.1.4. protection against environmental risks, such as fire, power disruption and other availability risks, where applicable.
6. Encryption and Transmission Security
6.1. Meckano implements appropriate measures designed to protect Personal Data in transit and, where appropriate, at rest, including industry-standard encryption methods, secure transmission protocols and network security controls.
6.2. Personal Data transmitted over public networks shall be protected using secure communication protocols, such as HTTPS/TLS or equivalent secure transfer mechanisms, where applicable.
7. Network and System Security
7.1. Meckano implements measures designed to protect systems Processing Personal Data against unauthorized access, malware, malicious code and unauthorized disruption, including, as applicable:
7.1.1. firewalls and network security controls;
7.1.2. secure system configuration and hardening practices;
7.1.3. malware protection measures;
7.1.4. regular patching and vulnerability management;
7.1.5. network segmentation or equivalent logical separation measures, where appropriate; and
7.1.6. application-layer security controls, including web application protection measures, where appropriate to the Services.
8. Logging, Monitoring and Accountability
8.1. Meckano maintains logging and monitoring mechanisms designed, where reasonably practicable, to record and review relevant access to systems Processing Customer Personal Data. The scope, content and retention period of such logs may vary depending on the system, service configuration, security risk and applicable legal requirements.
8.2. Meckano shall review relevant logs and document material findings and corrective actions, where appropriate.
8.3. With respect to Customer Personal Data subject to Israeli Privacy Laws, additional logging and log retention requirements may apply as set out in Annex 4.
9. Integrity and Change Management
9.1. Meckano implements measures designed to preserve the integrity of Personal Data and systems Processing Personal Data, including controls relating to authorized data entry, change tracking where appropriate, software maintenance, patching, and change management.
9.2. Meckano shall apply reasonable measures designed to ensure that changes to systems Processing Personal Data are reviewed, tested and implemented in a controlled manner, taking into account the nature and risk of the change.
10. Vulnerability Management, Testing and Risk Assessment
10.1. Meckano performs periodic risk assessments and vulnerability management activities appropriate to the Services and the Processing of Personal Data, and implements corrective actions where reasonably required.
10.2. Where appropriate to the risk profile of the Services, Meckano performs security testing, including penetration testing, vulnerability assessments or equivalent technical assessments, and documents material findings and remediation activities.
11. Data Minimization and Segregation
11.1. Meckano implements measures designed to support data minimization and to limit the Processing of Personal Data to that which is necessary for the purposes described in the DPA.
11.2. Where applicable to the Services architecture, Meckano implements logical segregation measures designed to separate Customer Personal Data from the data of other customers.
12. Vendor and Sub-Processor Security
12.1. Meckano maintains procedures for assessing and engaging relevant vendors and Sub-processors that may Process Personal Data on its behalf, including appropriate contractual, security and privacy requirements proportionate to the services provided.
12.2. Meckano shall require relevant Sub-processors to implement security measures designed to provide a level of protection materially equivalent to the requirements applicable to Meckano under this DPA, taking into account the nature of the services provided by such Sub-processor.
13. Incident Management and Breach Response
13.1. Meckano maintains a security incident response process designed to identify, assess, escalate, investigate, document, mitigate and remediate Security Incidents and Personal Data Breaches.
13.2. Such process may include, as applicable:
13.2.1. classification of incidents by severity;
13.2.2. internal escalation procedures;
13.2.3. documentation of incidents and response actions;
13.2.4. root cause analysis;
13.2.5. remediation and corrective actions; and
13.2.6. cooperation with Customer in accordance with the Personal Data Breach notification provisions of the DPA.
14. Availability, Backup, Recovery and Business Continuity
14.1. Meckano implements measures designed to support the availability and resilience of the Services and Personal Data, including, as applicable:
14.1.1. regular backup procedures;
14.1.2. secure storage of backups;
14.1.3. disaster recovery and business continuity measures;
14.1.4. protection against malware and unauthorized disruption; and
14.1.5. recovery processes designed to restore access to Personal Data in a timely manner following an incident.
14.1.6. Meckano shall periodically review or test restore capabilities and business continuity measures, where appropriate to the Services.
15. Retention, Deletion and Disposal
15.1. Customer, as Controller or Database Owner, is responsible for determining the applicable retention periods for Customer Personal Data processed through the Services. Meckano processes, retains, deletes or de-identifies Customer Personal Data in accordance with Customer’s documented instructions, the DPA, applicable law, security requirements, legal compliance, backup cycles and legitimate business continuity needs.
15.2. Meckano maintains technical and organizational measures designed to support the secure deletion, destruction or de-identification of Customer Personal Data when no longer required for the purposes of the Services or upon Customer’s documented instruction, in a manner designed to prevent reconstruction where reasonably practicable.
16. System Documentation and Inventory
16.1. Meckano maintains documentation appropriate to the Services regarding relevant systems, assets, security architecture and data flows, to the extent necessary for security management, risk assessment and compliance.
16.2. Such documentation may include, as applicable, system architecture, relevant data flows, asset inventory, infrastructure components and network diagrams.
17. Continuous Compliance and Improvement
17.1. Meckano shall periodically evaluate the effectiveness of its technical and organizational security measures and update such measures as appropriate, taking into account technological changes, emerging threats, changes to the Services or Processing activities, audit findings, security incidents and applicable regulatory developments.
18. AI-Assisted Support Specific Measures
18.1. Where Meckano makes available AI-assisted support functionality as part of the Services, Meckano shall implement appropriate measures designed to protect Customer Personal Data Processed through such functionality, including, as applicable, limiting the functionality to Customer’s authorized representatives, restricting access to support chat data, providing user-facing instructions discouraging the submission of sensitive or unnecessary Personal Data, maintaining the functionality separately from Customer’s core databases and end-user employee records, and supporting deletion or rendering inaccessible of support chat data where technically feasible and subject to provider architecture and applicable law.
Annex 4: IPL Terms
SCOPE, APPLICATION & INTERPRETATION
1. Meckano acknowledges that the terms set forth herein are required to ensure Customer’s compliance with Regulation 15(a)(2) of Israel’s Protection of Privacy (Data Security) Regulations, 5777-2017, which prescribes specific contractual arrangements a Database Controller (as defined below) must establish with any external service provider engaged to perform a service that involves access to Personal Data on its behalf.
2. The terms and conditions of the Parties’ engagement are as set forth in the Main Agreement, and the terms and conditions of this Annex 4 shall follow those of the DPA. The Parties agree that this Annex 4 shall also apply retroactively to all Personal Data in Meckano’s possession or control as of the date this DPA takes effect, including any such data made available to, transferred to, created, or received by Meckano on behalf of Customer before that date, to ensure compliance with the IPL.
3. This Annex 4 forms part of the DPA. Any provision of the DPA not amended by this Annex 4 shall continue to apply to Processing subject to the IPL. In the event of a conflict between this Annex 4 and the Main Agreement or the DPA, this Annex 4 shall prevail solely to the extent required under the IPL.
4. This Annex 4 shall be interpreted in favor of the Parties’ intent to comply with the IPL, and therefore any ambiguity shall be resolved in favor of a meaning that complies and is consistent with the IPL.
5. For the avoidance of doubt, Annex 3 (Technical and Organizational Security Measures) shall apply to all Personal Data Processed under the DPA, including Personal Data subject to the IPL. This Annex 4 sets out additional and/or more specific requirements applicable solely with respect to Personal Data originating from Israel or otherwise subject to the IPL. In the event of a conflict, this Annex 4 shall prevail solely to the extent required under the IPL.
DEFINITIONS
6. For the purposes of this Annex 4, and in addition to the capitalized terms defined elsewhere in the DPA, the following terms shall have the meanings set forth below:
6.1. “Authorized User” means any Meckano Personnel authorized by Meckano to access: (i) the Personal Data; (ii) the Database Systems; or (iii) information or components essential for operating or accessing the Database.
6.2. “Database” – a collection of Personal Data Processed by digital means by Meckano on behalf of Customer.
6.3. “Database Controller” – the natural or legal person that, alone or jointly with others, determines the purposes of Processing Personal Data in the Database.
6.4. “Database Systems” – systems serving the Database that are important in relation to aspects of Data Security.
6.5. “Data Security” – ensuring integrity of or Protecting Personal Data from unauthorized Processing.
6.6. “Data Security Procedure” – a written procedure established by Meckano that sets forth appropriate Data Security measures binding on Authorized Users and governing the protection of the Database and Database Systems, addressing at a minimum: (i) physical protection and secure surroundings; (ii) access controls and authorization management; (iii) safeguards for protecting Database Systems and their secure operation; (iv) instructions for Authorized Users regarding data protection; (v) identification and mitigation of Data Security risks, including, where appropriate, the implementation of industry-standard encryption methods; (vi) Security Incident response based on the severity of the incident and sensitivity of affected data; (vii) security measures for portable devices; (viii) monitoring and logging of Database access; (ix) periodic Data Security audits; (x) data backup and recovery procedures; and (xi) security measures governing development activities and access.
6.7. “Security Incident” means any event raising concerns about the potential unauthorized Processing of Personal Data, Processing beyond granted authorization, or a compromise of the integrity of Personal Data.
ACCESS TO CUSTOMER’S DATABASE SYSTEMS
7. In providing the Services to Customer, the Personal Data shall be provided to Meckano through the Services directly by Customer or the Data Subjects concerned.
AUTHORIZED PROCESSING
8. Meckano’s Processing hereunder shall be limited to the types of Personal Data and purposes specified in Annex 1 of the DPA and as necessary to comply with this Annex 4 and the IPL.
CROSS-BORDER DATA TRANSFERS
9. Meckano shall not transfer or permit the transfer of Personal Data originating from Israel to any recipient outside the EEA or a country subject to an Adequacy Decision of the European Commission, unless Meckano has ensured that the recipient is bound by a written agreement that imposes, in substance, the same obligations as those binding Meckano under this Annex 4. For the avoidance of doubt, to the extent Customer Personal Data is transferred from Israel to a recipient outside Israel, Meckano shall ensure that such transfer and any onward transfer comply with the Privacy Protection (Transfer of Data to Databases Abroad) Regulations, 5761-2001, including by binding the recipient to protect the data at a level not less than that required under Israeli law and restricting onward transfer except as permitted by applicable law and this DPA.
IMPLEMENTATION OF DATA SECURITY OBLIGATIONS
10. Without limiting any provision of this Annex 4, Meckano represents and warrants that:
10.1. It has established and shall maintain a Data Security Procedure, ensure only necessary portions of it are disclosed to its Authorized Users strictly to the extent required for the performance of their duties, and assess the need for updates to such procedure annually and, in any event, upon becoming aware of new technological risks affecting the Database Systems and/or a material change to such systems or Processing activities;
10.2. It shall ensure that up-to-date documentation of Database structure and inventory of its Database Systems is securely maintained, with access restricted to Authorized Users strictly as required for their duties. This shall include, at a minimum: (i) the date of its last update; (ii) infrastructure and hardware systems, communication components, and Data Security elements; (iii) software systems for Database operation, maintenance, monitoring, and security; (iv) software and interfaces for data exchange with the Database Systems; and (v) a network diagram illustrating the connections between system components and their physical locations;
10.3. It shall conduct, at least once every eighteen (18) months, risk assessments to identify security vulnerabilities in its Database Systems and penetration tests to evaluate their resilience against internal and external threats, discuss the findings, implement corrective measures where required, and update its Data Security Procedure as necessary;
10.4. It shall maintain industry-standard measures, appropriate to the nature and scope of Personal Data and Processing, to ensure access to Personal Data on Meckano’s behalf is restricted exclusively to Authorized Users. Such measures shall include, to the extent possible, identification by physical means under the Authorized User’s exclusive control;
10.5. It shall hold periodic discussions (at least quarterly) regarding any Security Incidents and assess the need to update its Data Security Procedure accordingly;
10.6. It shall restrict or prohibit connections of portable devices to its Database Systems in a manner appropriate to the sensitivity of Personal Data and the specific risks such connections may pose, and, where such connections are permitted, it shall implement industry-standard encryption to protect the copied data;
10.7. It shall ensure that reasonable measures are used to authenticate and verify the authorization of Authorized Users accessing Personal Data remotely via the internet or other public network, including physical authentication means under the Authorized User’s exclusive control;
10.8. It shall securely retain, for at least twenty-four (24) months, the data generated in the course of fulfilling the obligations outlined in Sections 10.4, 10.5, 10.7, 10.11-10.13, and 10.15-10.16 hereto, and shall back up such data in a manner that ensures its integrity and enables its restoration to its original state at any time;
10.9. It shall ensure that, before an Authorized User is granted access to Personal Data or has their access privileges modified, the Authorized User has received appropriate training on Meckano’s obligations under this Annex 4;
10.10. Its Database Systems shall be maintained in a secure location that prevents unauthorized access, and it shall ensure that appropriate measures are in place to monitor and log: (i) entries and exits to and from the premises where such Database Systems are located, and (ii) the introduction and removal of equipment within such premises;
10.11. It shall maintain up-to-date documentation detailing access permissions to the Database and Database Systems for each role, as well as role-based permissions for each Authorized User, ensuring that permissions are strictly limited to those necessary for the performance of their role;
10.12. It has implemented and maintains an automated logging mechanism that: (i) records and logs access to the Personal Data and its Database Systems, including the logging of user identity, date and time of access attempts, the system component attempted to be accessed, and the type, scope and outcome of access attempts (i.e., granted or denied) (collectively, “Access Logs”); (ii) detects and sends alerts on any disabling or modification of its operation, while preventing such actions to the extent possible. Meckano shall regularly review the Access Logs and document identified issues and corrective actions taken;
10.13. It shall maintain records, based on automated logging where feasible, of any Security Incidents;
10.14. It shall, to the extent reasonably practicable, maintain segregation between its Database Systems enabling access to Personal Data and other computing systems used by Meckano, ensure their proper management and operation in accordance with industry standards, implement regular updates, and prevent the use of unsupported systems unless adequate Data Security measures have been implemented to mitigate associated risks;
10.15. It shall ensure that its Database Systems are not connected to the internet or other public networks unless appropriate safeguards are in place to protect against unauthorized access and/or malicious software capable of causing harm or disruption to computer systems, software or data, and that any transmission of Personal Data over such networks is conducted using industry-standard encryption methods;
10.16. It shall ensure that at least once every twenty-four (24) months, a qualified Data Security auditor who is not Meckano’s Security Officer conducts an internal or external audit to verify Meckano’s compliance with this Section 10. The audit shall include a documented assessment of the adequacy of Meckano’s Data Security measures against its Data Security Procedure and obligations in this Section 10, identification of deficiencies, and recommended corrective actions. Meckano shall review each audit report and assess whether updates to its Data Security Procedure are required.
10.17. Where Meckano makes available AI-assisted support functionality as part of the Services, and to the extent such functionality Processes Personal Data subject to the IPL, Meckano shall apply to such Processing the safeguards described in Annex 3, including as applicable user-facing instructions designed to discourage the submission of unnecessary or sensitive Personal Data, segregation from Customer’s core databases, access restrictions, logging and monitoring, deletion or de-identification measures, and configuration measures designed to prevent the use of such Personal Data for training or improvement of general-purpose or shared AI models, except where expressly authorized by Customer in writing.
SATISFACTION OF DATA SECURITY OBLIGATIONS THROUGH CERTIFICATION
11. Meckano shall be deemed to have materially satisfied the obligations under Section 9 to the extent it maintains ISO/IEC 27001 certification and applies security and privacy controls consistent with ISO/IEC 27017 and ISO/IEC 27018, as applicable to its cloud environment and Processing activities.
COMPLIANCE REPORTING
12. Meckano shall, at least annually, make available to Customer reasonable information regarding the manner in which Meckano performs its obligations under this Annex 4, solely with respect to Personal Data subject to the IPL. Such information may be provided through security certifications, audit summaries, compliance statements or other reasonable documentation, subject to confidentiality and security restrictions.
(Last Updated: June 2026)