DATA PROCESSING AGREEMENT

HYP Payment Solutions Ltd. (the "Service Provider") owns and operates a payments and clearing platform and services, including API interfaces, payment pages, transaction management, reports, and operational support (the "System" and/or the "Services"). This Data Processing Agreement (this "DPA") forms an integral part of the service agreement between the Service Provider and the Customer (the "Agreement" and the "Customer"), and sets out how and for what purposes the Service Provider processes Personal Data on behalf of its customers, and the information security measures it employs.

1. Definitions

  1. "Customer's Personal Data" – Personal Data that the Service Provider processes on behalf of the Customer in the course of providing the Services.
  2. "Data Protection Laws" – the laws and regulations applicable in Israel to the processing of Personal Data, including the Protection of Privacy Law, 5741-1981 (the "Data Protection Law") and the Protection of Privacy Regulations (Data Security), 5777-2017 (the "Data Security Regulations"), as amended from time to time.
  3. "Data Subject" – as defined in the Data Protection Law.
  4. "Personal Data", "Special Category of Personal Data" – as defined in the Data Protection Law.

2. General Provisions

  1. The Service Provider undertakes to comply with applicable Data Protection Laws.
  2. The Service Provider implements appropriate technical and organizational information security measures, commensurate with the nature of the Services, the categories of Personal Data processed, and the level of risk involved.
  3. Without derogating from the foregoing, the Service Provider's information security framework is based, inter alia, on the principles of the ISO/IEC 27001 Information Security Management Standard, as well as the requirements of the PCI DSS Standard, to the extent applicable to the Service Provider's activities and the relevant scope of the Services.
  4. A detailed description of the principal information security measures, controls, and standards implemented by the Service Provider is set out in Annex B to this DPA, which forms an integral part hereof.
  5. The Service Provider does not determine the purposes of processing of the Customer's Personal Data. The Customer retains full discretion as to the categories of Personal Data transferred to the Service Provider or processed through the Services, subject to the limitations of the Services and applicable law. The categories of Personal Data and the purposes of processing and use to be carried out by the Service Provider are detailed in Annex A.
  6. The Customer acknowledges that the Service Provider shall have access only to Personal Data that is required for the provision of the Services, and to the extent that specific access to the Customer’s systems or to certain Personal Data is required for the purposes of integration, support, or troubleshooting, such access shall be restricted to the minimum necessary.
  7. For the avoidance of doubt, the Service Provider shall not receive a full copy of the Customer's databases and shall not have access to Personal Data that is not required for the performance of the Services.
  8. The Service Provider undertakes to ensure that all persons authorized to access Personal Data on its behalf are subject to appropriate written undertakings to maintain the confidentiality of the Personal Data, to use the Personal Data solely in accordance with this DPA, and to process Personal Data only in accordance with the terms hereof.
  9. The Customer declares and undertakes that: (a) Personal Data transferred to the Service Provider has been collected, stored, and processed by the Customer lawfully, and that processing by the Service Provider does not violate any applicable law, including Data Subject notification obligations where applicable; (b) the Customer shall not transfer to the Service Provider any Personal Data collected or stored in violation of applicable law, and shall refrain from transferring Personal Data from a database that is not managed in accordance with the legal requirements applicable to the Customer.
  10. The Service Provider shall not be responsible for examining the legal obligations applicable to the Customer in connection with Personal Data transferred under the Agreement, and does not provide the Customer with legal advice on this matter. The Customer shall be solely responsible for compliance with applicable law in connection with the collection of Personal Data, its transfer to the Service Provider, and its use in connection with the Services.
  11. The Customer shall be solely responsible for ensuring compliance with the applicable laws governing its communications with its customers, including marketing communications and direct messaging, to the extent the Services are used to send messages, payment links, or proactive communications, including notification obligations, obtaining any required consents, and providing opt-out mechanisms in accordance with applicable law.
  12. The Service Provider's Privacy Policy is available on its website, and the Customer acknowledges that it is aware of its existence and that it applies, to the extent relevant, to the processing of Personal Data by the Service Provider under the Agreement. The Service Provider may update its Privacy Policy from time to time, and the then-current version shall apply to the processing of Personal Data under the Agreement.
  13. In the event of a material change affecting the Service Provider's compliance with applicable Data Protection Laws, the Service Provider shall notify the Customer within a reasonable time.

3. Data Processing

  1. The Service Provider shall process the Customer's Personal Data solely as necessary to: (1) provide, operate, manage, support, and secure the Services, to the extent necessary for their performance; and (2) comply with legal obligations applicable to the Service Provider, to the extent such processing is required by applicable law and is consistent with the Agreement and applicable Data Protection Laws. For the avoidance of doubt, the Service Provider shall be entitled to use anonymized data that does not identify an individual, including for the purpose of developing and improving the System and the Services.
  2. Except as set out in Section 3.1 above, the Service Provider shall not use the Personal Data, and shall not process Personal Data, for any other purpose.

4. Data Subject Rights

  1. The Service Provider shall assist the Customer, to the extent required under applicable law and within its control, in enabling the exercise of Data Subjects’ rights with respect to the Personal Data processed by the Service Provider on behalf of the Customer in connection with the Services.
  2. The Service Provider shall not correct or update any Personal Data held by it on behalf of the Customer except in accordance with explicit and documented instructions of the Customer, or pursuant to a court order, a request from a competent authority, or pursuant to a legal obligation applicable to the Service Provider.
  3. Without derogating from the foregoing, the Service Provider shall assist the Customer in handling Data Subject requests to the extent such requests relate to matters within its control, within a reasonable time and to a reasonable extent, while maintaining compliance with applicable law, data security, and the continuity of the Services. For the avoidance of doubt, the scope of the Service Provider's assistance is limited to actions within its technological and operational control, and does not include actions that are technically infeasible, not required by law, or the performance of which may prejudice data security, data integrity, or service continuity.

5. Sub-Processors

  1. The Service Provider may engage sub-processors for the purpose of providing all or part of the Services, at its professional discretion, provided that the use of sub-processors is carried out in accordance with Data Protection Laws and that any access to Personal Data shall be limited to the minimum necessary for the performance of their activities in connection with the Services.
  2. The Service Provider shall ensure that any sub-processors involved in the processing of Personal Data undertake, under appropriate contractual arrangements, to comply with the relevant obligations under this DPA relating to data protection and information security, taking into account the nature of the Services and the types of Personal Data processed by them.
  3. The Service Provider shall remain responsible for the performance of its sub-processors’ obligations with respect to the processing of the Customer’s Personal Data.

6. Data Security

  1. The Service Provider implements and shall continue to implement organizational, technological, and operational information security measures consistent with applicable law, its internal procedures and policies, and the nature of the Services and Personal Data processed thereunder.
  2. Without derogating from the foregoing, the Service Provider implements the information security measures set out in Annex B to this DPA, which forms an integral part hereof.

7. Security Incident Reporting

  1. The Service Provider shall notify the Customer, without undue delay and no later than twenty-four (24) hours after becoming aware of a "Severe Security Incident" (as defined under the Data Security Regulations), to the extent such incident directly relates to the Customer's Personal Data processed by the Service Provider in connection with the Services, and in accordance with applicable Data Protection Laws. Unless required by law, the Service Provider shall not make any public statement or announcement relating to such incident, including technical or operational details, without prior coordination with the Customer and subject to the Customer's prior written approval.
  2. To the extent the relevant information regarding the Customer is in the Service Provider’s possession at that time, the Service Provider shall include in its notification to the Customer: a general description of the nature of the incident; the categories of Personal Data affected or that may have been affected; the principal steps taken or being taken to contain the incident and mitigate its consequences; and planned measures to prevent the recurrence of similar incidents in the future.

8. Data Retention

  1. The Service Provider shall retain the Customer's Personal Data only for the period required for the provision of the Services, or as required by applicable law or for the establishment, exercise or defense of legal claims. Upon Customer's request, the Service Provider shall delete the Customer's Personal Data under its control and processed in connection with the Services within a reasonable period of time, and shall certify the deletion to the Customer, to the extent technically feasible and not contrary to any legal, regulatory, or operational obligation applicable to the Service Provider.
  2. The Service Provider undertakes to retain the Customer's Personal Data in accordance with the provisions of this DPA throughout the entire retention period.

9. Audits

  1. The Service Provider shall cooperate with the Customer to enable reasonable oversight of its compliance with applicable Data Protection Laws and this DPA, subject to applicable law and reasonable limitations relating to confidentiality, data security, and the protection of third-party privacy.
  2. The Service Provider shall conduct information security audits as required by applicable law and in accordance with its internal procedures. Should any deficiencies be identified in such audits, the Service Provider shall act to remediate them in accordance with its professional discretion.
  3. The Service Provider undertakes to provide the Customer, upon request but no more than once per calendar year, with a written report regarding its compliance with the provisions of this DPA.

10. General

The Service Provider's liability under this DPA shall be subject to the limitation of liability provisions set out in the Agreement.

ANNEX A: DETAILS OF PROCESSING OF CUSTOMER'S PERSONAL DATA

1. Categories of Personal Data

In the course of providing the Services, the Service Provider may process, on the Customer's behalf, Customer's Personal Data relating to the Customer's end-customers, employees, suppliers, and sub-contractors.

Such Personal Data may include, inter alia, personal contact details such as name, ID number, address, telephone number, and email address, as well as additional identifying information as provided by Customer in the course of the Services. The Personal Data may also include information related to payment and clearing activities, including transaction data, credit card details, payment identifiers, transaction references, billing details, tokens, and financial identifiers, as required for the provision and operation of the Services.

The Customer shall be solely responsible for the content of the Personal Data it chooses to transfer or process through the Services. The Customer's Personal Data may also include Special Category Personal Data, including financial data, due to the nature of the payment and clearing Services provided by the Service Provider. The Customer represents and warrants that it is responsible for providing the required notifications to Data Subjects and for obtaining consents, authorizations, or permissions as required under Data Protection Laws.

2. Purposes of Processing of Personal Data by the Service Provider

The Service Provider shall process the Customer's Personal Data solely for the purpose of providing the payment, clearing, and financial management Services to the Customer under the Agreement, as updated from time to time, as well as ancillary Services and any additional activities agreed between the parties in advance and in writing. Such processing may include ancillary activities such as the establishment, connection, ongoing operation, and management of clearing terminals, point-of-sale systems, gateway systems, digital invoice services, and API interfaces with external systems, as selected by Customer and to the extent necessary for the performance of the Services.

In addition, the Service Provider shall be entitled to process Personal Data to the extent necessary for compliance with legal, regulatory, or contractual obligations applicable to it, in accordance with the provisions of the Agreement and subject to applicable Data Protection Laws.

For the avoidance of doubt, the Service Provider does not determine the business purposes of processing the Personal Data of the Customer's end-customers, and does not make independent use of such Personal Data beyond what arises from the provision of the Services. The Service Provider shall be entitled to use anonymized or aggregated data that does not allow identification of an individual, for the purposes of developing, improving, analyzing, and optimizing the System and the Services.

3. Contact Details for Queries and Reports

For inquiries regarding privacy or information security matters, including the reporting of security incidents, please contact the Service Provider's Information Security Officer: Benny Arzuan, at: [email protected]

ANNEX B: DESCRIPTION OF INFORMATION SECURITY MEASURES IMPLEMENTED BY THE SERVICE PROVIDER

General

The Service Provider implements organizational, technological, and operational information security measures in accordance with applicable Data Protection Laws and generally accepted professional standards in the fields of information security and payments processing. The Service Provider's information security framework is based, inter alia, on the principles of the ISO/IEC 27001 Information Security Management Standard, as well as the requirements of the PCI DSS Standard, to the extent applicable to its activities and the relevant scope of the Services.

Organizational Accountability

  1. The Service Provider has appointed a person responsible for information security and privacy, tasked with implementing the information security policy, ongoing supervision, handling security incidents, and leading improvement processes.
  2. The Service Provider operates a structured information security management framework, comprising procedures, policies, controls, and periodic review processes.
  3. The Service Provider conducts ongoing assessments of information security risks, including in response to technological, operational, and regulatory changes.

System Mapping and Risk Management

  1. The Service Provider maintains an inventory and mapping of information systems and relevant infrastructure, for the purpose of understanding data flows, identifying vulnerabilities, and planning appropriate controls.
  2. The Service Provider operates a structured risk management process, encompassing threat identification, impact assessment, and implementation of mitigation measures, in accordance with the principles of ISO/IEC 27001 Information Security Management Standard.
  3. Logical segregation mechanisms between customers are implemented, ensuring that data belonging to one customer is not accessible to other customers.
  4. Periodic information security assessments are conducted in accordance with the Service Provider's internal policies.

Personnel Management and Data Security

  1. All of the Service Provider's employees, as well as service providers acting on its behalf, who have access to Personal Data or systems are bound to maintain the confidentiality of such data and to comply with the Service Provider's information security requirements, and sign appropriate confidentiality and data protection undertakings as part of their onboarding or engagement process.
  2. The Service Provider conducts information security training for its employees, including periodic training and dedicated training for new employees, as a condition for granting access to information systems.
  3. The Service Provider operates formal procedures for managing the employee lifecycle, including the allocation and revocation of access permissions, adjustments of permissions upon role changes, management of employee departures, return of equipment, workstation management, and documentation of security incidents, as part of the organizational control framework for maintaining information security.

Access Rights Management

  1. Access rights to the Service Provider's information systems are determined in accordance with the user's role and areas of responsibility, and are limited to the minimum extent necessary for the performance of that role, in accordance with the need-to-know principle and the principle of least privilege.
  2. Identity and access management is carried out through centralized access management mechanisms that support the management of users, groups, and permissions in accordance with the organizational structure and role distribution.
  3. The Service Provider conducts periodic reviews of the access rights framework to verify alignment with actual roles and responsibilities, identifying inactive accounts, and reducing or revoking unnecessary permissions.
  4. Access rights are revoked upon termination of the employee's engagement, and prior to a role change, permissions are adjusted in accordance with the relevant requirements and the information security policy.

Identification and Authentication (Local, Remote, and Mobile Device Access)

  1. Access to the Service Provider's systems is carried out through secure identification and authentication mechanisms, in accordance with the Service Provider's information security policy. Remote access is enabled for authorized personnel only, through secure access means, including VPN connections or alternative mechanisms of an equivalent security level.
  2. User authentication processes include, in accordance with the risk level of the system and information processed, the use of multi-factor authentication or other identity verification mechanisms, in accordance with accepted standards and the Service Provider's information security policy.
  3. The Service Provider operates a password management policy and safeguards against unauthorized access attempts, including mechanisms limiting login attempts, automatic account lockout, and password complexity requirements, in accordance with applicable law and relevant standards.
  4. Access to the Service Provider's systems from mobile devices or endpoint devices is enabled subject to dedicated information security procedures, including user identification requirements, encryption, use of secure communications, and compliance with defined security configurations.
  5. The Service Provider implements a restrictive policy with respect to the use of external and mobile devices, and permits connection of such devices only subject to appropriate authorization and in accordance with organizational procedures, including the use of encryption, access controls, and automatic locking of workstations after periods of inactivity.

Communication and Infrastructure Security

  1. The Service Provider operates multi-layered network security controls to limit unauthorized access to its systems, including network segmentation, network traffic filtering and routing, and the definition of access rules in accordance with the information security policy.
  2. The work environment and infrastructure are protected through enterprise security solutions for the identification, prevention, detection, and remediation of malware and threats, comprising monitoring, updates, and ongoing maintenance mechanisms.
  3. The Service Provider operates threat monitoring and detection systems designed to identify anomalies, intrusion attempts, and security vulnerabilities, and to activate appropriate response mechanisms for risk mitigation, in accordance with internal procedures and the requirements of relevant regulations.
  4. Communications between the Service Provider's systems, and between the Service Provider's systems and external interfaces, are carried out using accepted encryption protocols and means designed to ensure the confidentiality, integrity, and availability of Personal Data.

Logging and Monitoring

The Service Provider operates logging and monitoring mechanisms in its systems for information security purposes, ongoing control, and anomaly detection. Such mechanisms include, inter alia, logging of access attempts, changes in permissions, and relevant security events, and enable threat detection and response in accordance with the Service Provider's information security procedures. Logging records are stored securely, maintaining their integrity and preventing unauthorized access, in accordance with applicable law and the information security policy applicable to the Service Provider.

Backup and Recovery

The Service Provider operates data backup and recovery processes to ensure availability of the Customer's data and business continuity, including the performance of periodic backups and the secure storage of backup copies of information. Recovery tests are carried out at appropriate intervals for the purpose of verifying the integrity of backups and the ability to restore such information, in accordance with the Service Provider's information security policy. Upon the Customer's request and subject to the provisions of applicable law and the Agreement, the Customer shall be able to export its information from the Service Provider's systems for the purpose of terminating the engagement, to the extent technically feasible. For the avoidance of doubt, the transfer of information containing or relating to payment details shall only be permitted to an alternative service provider holding a valid PCI DSS certification at the time of transfer.

Physical Security

The Service Provider implements reasonable physical security measures to protect its working environment and the information assets within its control, including access controls to relevant areas and supervisory measures to prevent unauthorized entry, in accordance with applicable law. The Service Provider's central computing infrastructure is hosted with secure hosting service providers operating in accordance with accepted professional standards for physical and operational information security.

Vendors and Outsourcing

  1. The Service Provider acts in accordance with a structured process for managing external vendors to ensure the confidentiality and security of information processed in the course of the Services. Engagements with external vendors are accompanied by appropriate contractual undertakings, including requirements for maintaining confidentiality and data protection, and compliance with applicable law.
  2. Access to the Service Provider's information systems is granted to external vendors only to the extent required for the performance of the Services and in accordance with the principle of least privilege. The Service Provider operates reasonable control mechanisms for the purpose of overseeing external vendors' compliance with the applicable information security requirements.
  3. Prior to engaging with a new external vendor, the Service Provider conducts an internal risk assessment to examine the nature of the service, the scope of access to information systems, and the organizational maturity level in the area of information security, and accordingly determines the required control measures.

Handling Information Security Incidents

The Service Provider operates a procedure for managing information security incidents, which includes identification, documentation, handling, and response to information security incidents, based on the circumstances and in accordance with the internal information security procedures. As part of the process, the Service Provider conducts examination and analysis of relevant information security incidents for identifying lessons learned and improving the information security framework.
