This Data Processing Addendum (“DPA”) is entered into by and between Cywareness Ltd. (Reg. No. 516180866), a company incorporated under the laws of the State of Israel (“Cywareness”), acting on its own behalf and as agent for each Cywareness Affiliate, and the customer identified in the Main Agreement (“Customer”), acting on its own behalf and as agent for each Customer Affiliate.

This DPA supplements the Terms of Service, Master Services Agreement (MSA), or any other written or electronic agreement between Cywareness and Customer (“Main Agreement”).

PREAMBLE

In connection with the Services, the parties anticipate that Cywareness may Process certain Personal Data in respect of which the Customer (or a Customer Affiliate) acts as a Data Controller under applicable Data Protection Laws. The parties have agreed to enter into this DPA to ensure that adequate safeguards are put in place with respect to the protection of such Personal Data. This DPA shall remain in effect for as long as Cywareness retains or Processes Personal Data on behalf of the Customer, even after the termination of the Main Agreement.

1. DEFINITIONS

Capitalized terms not defined herein shall have the meanings assigned to such terms in the Main Agreement.

• “Affiliate”means an entity that directly or indirectly controls, is controlled by, or is under common control with a party.
• “Authorized Users” means the employees, agents, or contractors of the Customer who are authorized to use the Services.
• “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing”, and “Personal Data Breach” shall have the meanings given to them in the GDPR.
• “Customer Data” means Personal Data Processed by Cywareness on behalf of Customer in connection with the Services. This includes:
  • “Admin Data”: Personal Data relating to Customer’s account administrators (e.g., billing contacts, admin login details).
  • “User Data”: Personal Data relating to Authorized Users (e.g., names, email addresses, department) required for the provision of the Services.
  • “Usage Data”: Data generated by the system regarding Authorized Users’ interactions with the Services (e.g., logs, task completion status, progress metrics).
• “Aggregated/Statistical Data” means data that has been processed in an anonymous, aggregated, or statistical manner, such that it cannot be used to identify a specific individual or the Customer.
• “Data Protection Laws” means all applicable privacy and data protection laws and regulations, including the GDPR (EU General Data Protection Regulation), the UK GDPR, the CCPA (California Consumer Privacy Act), and the Israeli Privacy Protection Law, 5741-1981.
• “Services” means the services as defined in the Main Agreement.
• “Sub-processor” means any third party appointed by Cywareness to Process Personal Data on behalf of Customer in connection with the Services.

2. PROCESSING OF DATA

2.1. Roles & Compliance. The parties acknowledge and agree that:

(a) The subject matter and details of the Processing are described in Schedule 1 to this DPA;

(b) Cywareness acts as a “Processor” (or “Service Provider” under the CCPA) with respect to Customer Data;

(c) Customer acts as a “Controller” (or “Business” under the CCPA) with respect to Customer Data;

(d) Each party shall comply with its applicable obligations under Data Protection Laws with respect to the Processing of Customer Data.

2.2. Scope & Instructions.

By entering into this DPA, Customer instructs Cywareness to Process Customer Data only in accordance with applicable law: (a) to provide the Services; (b) as authorized by the Main Agreement and this DPA; and (c) as further documented in any other written instructions given by Customer and acknowledged by Cywareness. Cywareness shall inform Customer if, in its opinion, an instruction infringes Data Protection Laws (unless applicable law prohibits such notification).

2.3. Purpose Limitation.

Cywareness shall not: (a) Sell or Share Customer Data (as such terms are defined in the CCPA); (b) Process Customer Data outside of the direct business relationship between the parties; or (c) Process Customer Data for any purpose other than the purposes set forth in the Agreement.

2.4. Customer Responsibilities.

Customer represents and warrants that it has and will maintain a valid Lawful Basis (such as legitimate interest, necessity for the performance of a contract, or consent) to collect, Process, and transfer User Data to Cywareness. Customer is solely responsible for providing any necessary notices to its Authorized Users (employees) regarding the use of the Services and the Processing of their data, and for ensuring the accuracy of the data provided.

3. DATA SECURITY

3.1. Security Measures.

Cywareness shall implement and maintain appropriate technical and organizational measures to protect Personal Data against destruction, loss, alteration, or unauthorized access. These measures shall include, among others:

(a) Encryption: Encryption of data in transit over public networks (using protocols such as TLS 1.2 or higher) and encryption of sensitive data at rest (using algorithms such as AES-256 or equivalent).

(b) Access Control: Multi-Factor Authentication (MFA) for access to management systems, and implementation of the “Least Privilege” principle in permission management.

(c) Network & Infrastructure Security: Use of Firewalls, DDoS protection systems, and ongoing log monitoring to detect anomalous activity.

(d) Vulnerability Management: Conducting automated vulnerability scans and periodic Penetration Testing by an independent third party.

(e) Physical Security: Hosting in secure data centers (such as AWS, Google Cloud, or Azure) that comply with international standards (such as ISO 27001, SOC 2).

Cywareness may update these measures from time to time, provided that the overall level of security is not diminished.

3.2. Customer Security Responsibilities.

Customer is solely responsible for its use of the Services, including: (a) securing its authentication credentials (username and password); (b) securing the systems and devices used to access the Services; and (c) performing backups of Customer Data as needed.

4. CONFIDENTIALITY

Cywareness ensures that all persons authorized to Process Customer Data on its behalf (including employees, contractors, and Sub-processors) have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

5. DATA SUBJECT RIGHTS

Cywareness shall assist Customer, to a reasonable extent and by technical means, in fulfilling Customer’s obligation to respond to requests from Data Subjects to exercise their rights (e.g., access, deletion, rectification). Where the Services provide tools for Customer to handle such requests independently (“Self-Service”), Customer shall utilize such tools. Cywareness may charge a reasonable fee for exceptional manual assistance not included in the standard Service.

6. SUB-PROCESSING

6.1. Authorization. Customer grants Cywareness a general authorization to engage Sub-processors.

6.2. Transparency & Objection. A list of current Sub-processors is available on Cywareness’s website or upon request. Cywareness will notify Customer of the appointment of any new Sub-processor. Customer may object to such new Sub-processor on reasonable data protection grounds within fourteen (14) days of notice.

6.3. Liability. Cywareness remains fully liable to Customer for the performance of its Sub-processors’ data protection obligations.

7. INTERNATIONAL DATA TRANSFERS

Cywareness is located in Israel, a country recognized by the European Commission as providing an adequate level of data protection (Adequacy Decision 2011/61/EU). Transfers of Personal Data to third countries not recognized as providing adequate protection shall be subject to lawful transfer mechanisms, such as the Standard Contractual Clauses (SCCs).

8. INCIDENT MANAGEMENT

In the event of a Personal Data Breach affecting Customer Data, Cywareness shall notify Customer without undue delay (and in any event within 48 hours), provide details regarding the incident, and cooperate in its investigation and mitigation.

9. AUDIT RIGHTS

Upon request, Cywareness shall make available to Customer information necessary to demonstrate compliance with this DPA, including valid external security certifications (e.g., SOC 2 Type II or ISO 27001). Customer agrees that such reports shall serve as a substitute for a physical audit, unless there is a reasonable suspicion of a breach, in which case a physical audit may be conducted with thirty (30) days’ prior written notice and at Customer’s expense.

10. DELETION AND RETURN

10.1. Termination. Upon termination or expiration of the Main Agreement, Cywareness shall delete all Customer Data within thirty (30) days, unless applicable law requires continued storage of the data.

10.2. Retention for Evidence. Notwithstanding the foregoing, Cywareness may retain high-level Audit logs required to demonstrate the provision of Services, provided such data is stored under appropriate security procedures.

11. ANALYTICS (STATISTICAL DATA)

11.1. Customer acknowledges and agrees that Cywareness may create and derive “Aggregated/Statistical Data” (which does not identify Customer or any natural person) from the use of the Services. Cywareness shall own all rights in such data and may use it without limitation for product and service improvement, research, trend analysis, and marketing purposes.

11.2. Notwithstanding the foregoing, Cywareness does not retain raw credentials (e.g., passwords or usernames) entered by Authorized Users on phishing simulation landing pages. Such inputs are used solely to trigger a ‘compromised’ event status and are not stored in the Company’s databases.

12. LIABILITY

The total liability of each party and its Affiliates arising out of or related to this DPA, whether in contract, tort, or other theory of liability, shall be subject to the limitations of liability and liability caps set forth in the Main Agreement. Nothing in this section shall limit liability towards Data Subjects where applicable law prohibits such limitation.

13. GENERAL

13.1. Conflict. In the event of a conflict between this DPA and the Main Agreement, the provisions of this DPA shall prevail regarding the Processing of Personal Data.

13.2. Governing Law. This DPA shall be governed by the laws stipulated in the Main Agreement.

SCHEDULE 1 – DETAILS OF PROCESSING

Subject Matter:

Provision of Services and performance of the Main Agreement.

Nature and Purpose:

• Performance of the Services as defined in the Main Agreement.
• User management, technical support, and service improvement.
• Usage analysis and performance metrics.

Data Subjects:

• Employees, contractors, and agents of the Customer (“Authorized Users”).

Categories of Personal Data:

• Identification: Name, email address, job title, department.
• Technical: IP address, browser type, device info.
• Behavioral: Interaction data with the system, task completion, and awareness/training metrics.

Special Categories of Data:

None anticipated.