About this DPA
This Data Processing Agreement ("DPA") forms part of the Client Agreement between Timeclock 365 Ltd ("Data Processor") and the customer ("Data Controller") for the purchase of Services. It governs the terms under which the Data Processor processes and secures Client Data on behalf of the Data Controller.
This DPA applies solely to the data described herein. In the event of any conflict between this DPA and the Client Agreement, this DPA shall prevail with respect to the processing of Client Data.
Whereas
- By clicking "I Agree", installing, accessing, or using the Service, you indicate acceptance of this Agreement electronically. Agreement is a prerequisite to using the Services.
- The Data Processor provides the Data Controller the Services described in Schedule 1.
- The Data Processor is solely the Processor of Personal Data as described under this Agreement. Timeclock 365 is the Data Controller of any and all Account Data.
- The Parties have agreed to enter into this Agreement to ensure compliance with the provisions of the GDPR in relation to all processing of Personal Data by the Data Processor for the Data Controller.
- Under EU Regulation 2016/679 (GDPR) Article 28(3), the Data Controller is required to put in place a written agreement governing the processing of personal data by any organization acting on its behalf.
- If the Client entity agreeing to this DPA is not a party to the Agreement between Timeclock 365 and Client, this DPA is not legally binding or valid.
- This DPA shall not replace any additional or comparable rights relating to the processing of Client Data in the Agreement.
- In the event of any discrepancies between this DPA and the Agreement with respect to the processing of Client Data, this DPA shall prevail.
1. Definitions and Interpretation
1.1. Definitions
In this DPA, the following terms shall have the following meanings:
- "Controller", "processor", "data subject", "personal data" and "processing" shall have the meanings given in Applicable Data Protection Law.
- "Applicable Data Protection Legislation" means all applicable privacy and data protection laws including the GDPR and any applicable national implementing laws, regulations, and secondary legislation in Israel, as amended, replaced or updated from time to time, including the Privacy and Electronic Communications Directive 2002/58/EC and the Privacy and Electronic Communications (EC Directive) Regulations 2003.
- "Account Data" means the Personal Data collected in connection with account-related data provided by you to Data Processor during the purchase, sign up, billing, or support of your account. Account Data includes contact information for Administrators, product feedback and surveys, information collected in connection with events, training sessions, webinars, sales and marketing purposes, and de-identified technical data used for support and product maintenance.
- "Biometric Data" means any kind of computer data that is created during a biometric process. This includes samples, models, fingerprints, similarity scores and all verification or identification data excluding the individual's name and demographics such as facial recognition technology on photographs collected through the Service.
- "Client" means the client entity that entered into the Agreement with Timeclock 365 for Timeclock 365 Services as described in Schedule 1.
- "Client Data" means the Personal Data contained in: (i) any data you upload or input into the Service, and (ii) data generated or collected in the course of your configuration or use of the Service. Client Data does not include Business Relationship Data.
- "Timeclock 365" means Timeclock 365 Ltd or any other entity that directly or indirectly controls, is controlled by or is under common control with Timeclock 365 Ltd.
- "Security Incident" means "Personal Data Breach" as defined under the GDPR.
- "Services" means those services described in Schedule 1 which are provided by the Data Processor to the Data Controller.
- "Sub-processor" means a sub-contractor appointed by the Data Processor to process the Personal Data.
- "Sub-processing Agreement" means an agreement between the Data Processor and a Sub-Processor governing the Personal Data processing carried out by the Sub-Processor.
1.2. Interpretation
Unless the context otherwise requires:
- "writing" includes any communication effected by electronic or facsimile transmission or similar means;
- a statute or provision of a statute is a reference to that statute or provision as amended or re-enacted at the relevant time;
- headings are for convenience only and shall have no effect upon interpretation;
- words imparting the singular shall include the plural and vice versa;
- references to any gender shall include the other gender;
- references to persons shall include corporations.
2. Purpose Limitation
Data Processor shall process the Client Data as a processor only as necessary to perform its obligations under the Client Agreement and strictly in accordance with the documented instructions of the Data Controller (the "Permitted Purpose"), except where otherwise required by any EU or EU Member State law applicable to the Data Controller. In no event shall the Data Processor process the Client Data for its own purposes or those of any third party, save that the Data Processor may de-identify and aggregate Client Data ("Aggregated Data") and may process Aggregated Data to maintain and improve the Data Processor's products and services.
3. Scope and Application
The provisions of this Agreement shall apply to the processing of Personal Data described in Schedule 2, carried out for the Data Controller by the Data Processor, and to all Personal Data held by the Data Processor in relation to all such processing whether held at the date of this Agreement or received afterwards.
In the event of any conflict or ambiguity:
- A provision in the body of this Agreement shall prevail over a provision in a Schedule;
- A Schedule provision shall prevail over any invoice or other annexed document;
- This Agreement shall prevail over the Service Agreement with respect to processing of Personal Data; and
- Any executed Standard Contractual Clauses shall prevail over this Agreement.
4. Provision of the Services and Processing Personal Data
The Data Processor is to carry out the Services and process Personal Data received from the Data Controller:
- for the purposes of those Services and not for any other purpose;
- to the extent and in such a manner as is necessary for those purposes; and
- strictly in accordance with the express written authorization and instructions of the Data Controller.
The Data Controller shall retain control of the Personal Data and shall remain responsible for its compliance obligations under applicable Data Protection Legislation, including providing required notices and obtaining required consents, and for all processing instructions it gives to the Data Processor.
5. Data Protection Compliance
All instructions given by the Data Controller to the Data Processor shall be in writing and shall at all times comply with applicable laws. The Data Processor shall act only on such written instructions unless required by law to do otherwise.
The Data Processor shall promptly comply with any request from the Data Controller requiring the Data Processor to amend, transfer, delete, or otherwise dispose of the Personal Data, or to cease, mitigate, or remedy any authorized processing.
The Data Processor shall transfer all Personal Data to the Data Controller on request in the formats, at the times, and in compliance with the Data Controller's written instructions.
Both Parties shall comply at all times with Applicable Legislation and shall not perform their obligations under this Agreement in such a way as to cause either Party to breach any applicable obligation under Applicable Legislation.
The Data Controller hereby warrants, represents, and undertakes that the Personal Data and its use with respect to the Service Agreement and this Agreement shall comply with applicable Data Protection Legislation in all respects including, but not limited to, its collection, holding, and processing.
The Data Processor hereby warrants, represents, and undertakes that:
- all of its personnel that will access the Personal Data are reliable, trustworthy, and have been suitably trained on the Data Protection Legislation;
- the Personal Data shall be processed in compliance with Applicable Legislation and all other relevant laws, regulations, and standards;
- it has no reason to believe that applicable Data Protection Legislation prevents it from complying with its obligations; and
- it will implement appropriate technical and organizational measures to prevent unauthorized and/or unlawful processing and/or accidental loss, destruction, or damage to the Personal Data, ensuring levels of security appropriate to the harm that may result and the nature of the Personal Data.
When processing Personal Data on behalf of the Data Controller, the Data Processor shall:
- not transfer any Personal Data to any third party without the written consent of the Data Controller;
- not transfer any Personal Data outside of the EEA without the written consent of the Data Controller and only if there is a legal basis for such transfer;
- process the Personal Data only to the extent necessary in order to comply with its obligations to the Data Controller or as required by law;
- implement appropriate technical and organizational measures as described in Schedule 2; and
- if requested, supply further details of the technical and organizational systems in place to safeguard Personal Data.
6. Biometric Data
In connection with the collection, retention, and use of Biometric Data, the parties agree that:
The Data Controller is the controller of any Biometric Data collected through the Service. The Data Controller agrees to provide appropriate notice and obtain all consents and rights necessary for the Data Processor to process the Biometric Data on behalf of the Data Controller. The Data Controller recognizes and agrees that there are various laws that specifically govern the collection, use, and retention of Biometric Data, and understands that it is the sole responsibility of the Data Controller to comply with all applicable laws.
From time to time, the Data Processor may provide reasonable assistance to the Data Controller with certain obligations, such as assisting in responding to data subject requests and in providing relevant consent and disclosure language. Any such assistance does not constitute legal advice, is for informational purposes only, and it is the Data Controller's ultimate responsibility to ensure compliance with all applicable law.
7. Data Subject Rights, Complaints, and Personal Data Breaches
The Data Processor shall assist the Data Controller in complying with its obligations under Applicable Legislation regarding:
- the exercise by data subjects of their rights (including subject access rights, rights to rectification and erasure, rights to object to processing, restrict processing, and rights relating to automated processing), complaints, and personal data breaches; and
- notices served on the Data Controller by the relevant supervisory authority.
The Data Processor shall notify the Data Controller immediately if it receives any complaint, notice, or other communication concerning the processing of Personal Data or either Party's compliance with applicable Data Protection Legislation.
The Data Processor shall cooperate fully with the Data Controller and assist as required in relation to any complaint, notice, communication, or data subject request, including by:
- providing the Data Controller with full details of the complaint, notice, communication, or request;
- providing the necessary information and assistance in order to comply;
- providing the Data Controller with any Personal Data it holds in relation to a data subject; and
- providing the Data Controller with any other information requested.
The Data Processor shall promptly notify the Data Controller if any Personal Data is lost, destroyed, or becomes damaged, corrupted, or otherwise unusable.
The Data Processor shall notify the Data Controller immediately if it becomes aware of any accidental, unauthorized, or unlawful processing of Personal Data, or of any personal data breach. The following information shall be provided without undue delay:
- a full description of the nature of the event, including the category or categories of Personal Data and data subjects concerned, and the approximate number of records involved;
- details of the likely consequences; and
- details of the measures taken or planned to address the event.
Following any such event, the Data Controller and the Data Processor shall jointly investigate. The Data Processor shall assist fully, including by: assisting with any investigation; providing access to relevant premises and records; facilitating interviews with relevant personnel; and taking all reasonable steps to mitigate the effects of the event.
The Data Processor shall not inform any third party of any Personal Data breach without the prior written consent of the Data Controller unless required to do so by law.
The Data Controller shall have the sole right to determine whether or not to notify Personal Data breaches to data subjects, relevant authorities, regulators, or law enforcement agencies; and whether or not to offer a remedy to affected data subjects.
8. International Transfers
The Data Processor shall not transfer the Client Data (nor allow the Client Data to be transferred) outside of the European Economic Area ("EEA") unless (a) it has first obtained Client's prior consent, or (b) it takes such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Law. Such measures may include (without limitation) transferring the Client Data to a recipient in a country that the European Commission has decided provides adequate protection for personal data, or to a recipient that has executed standard contractual clauses adopted or approved by the European Commission.
9. Data Processor's Personnel
The Data Processor shall ensure that all personnel who are to access and/or process any of the Personal Data:
- are aware both of the Data Processor's duties and obligations, and of their own individual duties and obligations under this Agreement and the Data Protection Legislation;
- have been given suitable training on applicable Data Protection Legislation with respect to the handling of Personal Data; and
- are contractually obliged to keep the Personal Data strictly confidential and shall not permit any person to process Personal Data who is not under such a duty of confidentiality.
The Data Processor shall ensure that Personal Data is only processed according to the necessary purpose.
10. Security
The Data Processor shall implement suitable technical and organizational security measures in order to protect the Personal Data against unauthorized or unlawful access, processing, disclosure, copying, alteration, storage, reproduction, display, or distribution; and against loss, destruction, or damage, whether accidental or otherwise. Such measures shall include, but not be limited to, those set out in Schedule 2.
11. Appointment of Sub-Processors
The Data Processor shall not sub-contract any of its obligations or rights under this Agreement without the prior written consent of the Data Controller.
The Data Processor shall maintain control over all Personal Data transferred to any Sub-Processor.
In the event that a Sub-Processor fails to meet its obligations under any Sub-Processing Agreement, the Data Processor shall remain fully liable to the Data Controller for failing to meet its obligations under this Agreement.
12. Term and Termination
This Agreement shall remain in full force and effect:
- for as long as the Service Agreement remains in effect; or
- for as long as the Data Processor retains any Personal Data relating to the Service Agreement in its possession or control,
whichever period is longer.
Where any provision of this Agreement either comes into force or continues in force on or after the termination of the Service Agreement in order to protect the Personal Data, that provision shall remain in full force and effect.
If any change to the Data Protection Legislation prevents either Party from fulfilling any of its obligations under the Service Agreement, the processing of the Personal Data shall be suspended until such processing can be made to comply with the Data Protection Legislation, as amended.
13. Deletion and/or Disposal of Personal Data
The Data Processor shall, at the written request of the Data Controller, delete (or otherwise dispose of) the Personal Data or return it in the format(s) reasonably requested by the Data Controller within a reasonable time after the earlier of the following:
- the end of the provision of the Services under the Service Agreement; or
- the termination of the Service Agreement.
If the Data Processor is required by law, government, or other regulatory body to retain any documents or materials that it would otherwise be required to return or delete, the Data Processor shall notify the Data Controller in writing of the requirement, including details of the documents or materials to be retained, the legal basis for retention, and the timeline for deletion at the end of the retention period.
14. Legal Disclosure
If the Data Processor reasonably believes it is required by a subpoena, court order, agency action, or any other legal or regulatory requirement to disclose any Client Data, we will provide you with notice and a copy of the demand as soon as practicable, unless we are prohibited from doing so pursuant to applicable law or regulation.
15. Law and Jurisdiction
This Agreement (including any non-contractual matters and obligations arising therefrom or associated therewith) shall be governed by, and construed in accordance with, the laws of Israel.
Any dispute, controversy, proceedings, or claim between the Parties relating to this Agreement shall fall within the jurisdiction of the courts of Israel.
16. Miscellaneous
This DPA, including the terms of the underlying Client Agreement, is the entire agreement between the Data Processor and the Data Controller and replaces all prior understandings, communications, and agreements, oral or written, regarding its subject matter. If any court of law, having jurisdiction, rules that any part of this DPA is invalid, that section will be removed without affecting the remainder of the DPA. The remaining terms will be valid and enforceable.
Data Controller
SIGNED for and on behalf of the Data Controller by:
Authorized Signature
Date: ___________
Data Processor
SIGNED for and on behalf of the Data Processor (Timeclock 365 Ltd) by:
Authorized Signature
Date: ___________
Schedule 1 — Services
The Data Processor operates Timeclock 365, a technology platform owned and operated by the Data Processor that helps organizations manage their workforce time, attendance, projects, tasks, and property, such as vehicles and packages. The Data Processor uses a mobile App, physical clock Devices, and a cloud platform, accessible to end-users through the App and a dedicated web Portal. Timeclock 365 enables Clients to manage their workforce, pay their employees and contractors, and perform other functions related to workforce management. Any person using the Timeclock 365 App, Devices, or Portal is an End User.
Our Clients decide the purposes for which they use Timeclock 365, as well as the means for collecting data from Timeclock 365's multitude of features. We process the data on our Clients' behalf and according to their instructions. Our Clients control the data processed on their behalf on Timeclock 365. Any person (natural or legal) regarded as a Client will, for the purposes of this agreement, be referred to as the Data Controller.
Schedule 2 — Technical and Organisational Data Protection Measures
The Data Processor shall ensure that in respect of all Personal Data it receives from or processes on behalf of the Data Controller, it maintains security measures to a standard appropriate to:
- the harm that might result from unlawful or unauthorized processing or accidental loss, damage, or destruction of the Personal Data; and
- the nature of the Personal Data.