Data Processing Addendum
Last updated: 2026-01-22
Prepp.Calls Ltd. ("Company") provides its Services to customers ("Customer", and together with the Company, each a "Party" and collectively the "Parties") pursuant to the Company's Terms of Service or any other applicable agreement governing the use of the Services (both, the "Agreement").
This Data Processing Addendum, including Schedule A and Annexes I–II ("DPA"), applies to any Customer whose Personal Data under its control is processed by the Company in connection with the Agreement.
By accessing or using the Services, or otherwise engaging with the Company under an Agreement, the Customer agrees that this DPA forms an integral part of the Agreement and governs the Company's processing of Personal Data on behalf of the Customer.
1. Definitions
- 1.1 "Approved Jurisdiction" means a jurisdiction approved as having adequate legal protections for data by the European Commission (or by the UK Information Commissioner's Office, where applicable).
- 1.2 "Data Protection Laws" means any and all applicable domestic and foreign laws, rules, directives and regulations, on any local, provincial, state, federal or national level, pertaining to data privacy, data security or the protection of Personal Data, including the Privacy and Electronic Communications Directive 2002/58/EC, the Regulation (EU) 2016/679 ("GDPR"), the Data Protection Act 2018 and the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland ("UK GDPR"), Israel Privacy Protection Law, 5741-1981 ("PPL"), and the regulations promulgated thereunder, including the Israeli Protection of Privacy Regulations (Information Security), 2017 ("DSR"), the US Data Protection Laws and any amendments or replacements to the foregoing.
- 1.3 "Data Subject" means a natural person to whom Personal Data relates. Where applicable, the term Data Subject shall include "Consumer", as this term is defined under US Data Protection Laws.
- 1.4 "EEA" means those countries that are members of the European Economic Area.
- 1.5 "Security Incident" shall mean any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data. For the avoidance of doubt, any Personal Data Breach (as defined under the GDPR), or any similar definition under applicable Data Protection Laws, will comprise a Security Incident.
- 1.6 "Special Categories of Data" means personal data as defined under Article 9 of the GDPR or as defined under the PPL.
- 1.7 "Standard Contractual Clauses" means the applicable module of the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 from June 4th 2021.
- 1.8 "UK Addendum" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, which entered into force on 21 March 2022.
- 1.9 "US Data Protection Laws" means any and all applicable laws, rules, acts, decrees, directives, regulations and binding regulatory guidance, on any state or federal level, pertaining to data privacy, data security and the protection of Personal Data, including, without limitation, in California, Colorado, Connecticut, Utah, Virginia, Texas, Oregon, Florida, Montana, Iowa, Delaware, New Jersey, New Hampshire, Nebraska, as well as any future laws, amendments, or regulations that may be enacted or promulgated governing data protection within the United States.
- 1.10 The terms "controller", "Personal Data", "process(ing)" and "processor" as used in this DPA have the meanings given to them in Data Protection Laws. Where applicable, controller shall be deemed "Business", processor shall be deemed "Service Provider" or "Contractor", and Personal Data shall be deemed "Personal Information" as these terms are defined under US Data Protection Laws.
- 1.11 Any reference to a legal framework, statute or other legislative enactment is a reference to it as amended or re-enacted from time to time.
2. Application of this DPA
2.1 This DPA will only apply to the extent all of the following conditions are met:
- Company processes Personal Data that is made available by the Customer in connection with the Agreement (whether directly by the Customer or indirectly by a third party retained by and operating for the benefit of the Customer);
- Data Protection Laws apply to the processing of Personal Data.
2.2 This DPA will only apply to the services which the Parties agreed to in the Agreement ("Services"), which incorporates the DPA by reference.
3. Parties' Roles
3.1 In respect of the Parties' rights and obligations under this DPA regarding the Personal Data, the Parties hereby acknowledge and agree that the Customer is the Controller and Company is a Processor, and accordingly:
- Company agrees that it shall process all Personal Data in accordance with its obligations pursuant to this DPA;
- The Parties acknowledge that the Customer discloses Personal Data to Company only for the performance of the Services.
3.2 If Customer is a Processor, Customer warrants to Company that Customer's instructions and actions with respect to the Personal Data, including its appointment of Company as another Processor and concluding the Standard Contractual Clauses, have been authorized by the relevant Controller and are in accordance with Data Protection Laws.
4. Compliance with Laws
4.1 Each Party shall comply with its respective obligations under applicable Data Protection Laws.
4.2 Company shall provide reasonable cooperation and assistance to Customer in relation to Company's processing of Personal Data in order to allow Customer to comply with its obligations under applicable Data Protection Laws.
4.3 Company agrees to notify Customer promptly if it becomes unable to comply with the terms of this DPA or Data Protection Laws and take reasonable and appropriate measures to remedy such non-compliance.
4.4 Throughout the duration of the DPA, Customer represents and warrants that:
- Personal Data has been and will continue to be collected, processed and transferred by Customer to Company in accordance with the relevant provisions of Data Protection Laws;
- Customer is solely responsible for determining the lawfulness of the data processing instructions it provides to Company and shall provide Company only instructions that are lawful under Data Protection Laws;
- The processing of Personal Data by Company for the permitted purposes, as well as any instructions to Company in connection with the processing of the Personal Data ("Processing Instructions"), has been and will continue to be carried out in accordance with the relevant provisions of Data Protection Laws; and
- The Customer has informed Data Subjects of the processing and transfer of Personal Data pursuant to the DPA and obtained any relevant consents or established other lawful grounds thereto.
5. Processing Purpose and Instructions
5.1 The subject matter of the processing, the nature and purpose of the processing, the type of Personal Data, categories of Data Subjects, Customer's database systems to which Company has access and details of processing of personal data from high/medium security level databases, shall be as set out in the Agreement, or in the attached Annex I.
5.2 Company shall process Personal Data only for the Permitted Purposes and in accordance with Customer's written Processing Instructions (unless waived in a written requirement), the Agreement and applicable Data Protection Laws, unless Company is otherwise required to do so by law to which it is subject.
5.3 Company shall not process Personal Data for any purpose other than for the purpose of performing the Services, or as otherwise permitted under Data Protection Laws.
6. Reasonable Security and Safeguards
6.1 Company shall use security measures (i) to protect the availability, confidentiality, and integrity of Personal Data processed by Company in connection with this DPA, and (ii) to protect such data from Security Incidents. Such security measures include the security measures set out in Annex II.
6.2 The security measures are subject to technical progress and development and Company may update or modify the security measures from time to time provided that such updates and modifications shall not, in the Company's discretion, result in the degradation of the overall security of the services procured by Customer.
6.3 Company shall take reasonable steps to ensure the reliability of its staff and any other person acting under its supervision who has access to and processes Personal Data. Company shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
7. Security Incidents
7.1 Upon becoming aware of a Security Incident, Company will notify Customer without undue delay and will provide information relating to the Security Incident as reasonably requested by Customer. Company will make reasonable endeavors, at Customer's expense, to assist Customer in mitigating, where possible, the adverse effects of any Security Incident. Company will document Security Incidents and will review them on a periodical basis, including any required updates to the security policy.
8. Security Assessments and Audits
8.1 Company audits its compliance with data protection and information security standards on a regular basis and at least every 24 months in the event that the Company processes Personal Data for the Customer from a database with a high or medium security level. Such audits are conducted by Company's internal audit team or by third party auditors engaged by Company and will result in the generation of an audit report ("Report"), which will be Company's confidential information.
8.2 Company shall, upon 30-days prior written notice and subject to obligations of confidentiality, no more than once a year and in normal business hours, allow its data processing procedures and documentation to be inspected by Customer (or its designee), at Customer's expense, in order to ascertain compliance with this DPA.
8.3 Subject to obligations of confidentiality, Company shall provide Customer with a copy of the Report, and this may satisfy the requirements set out in this section if Customer can reasonably verify Company's compliance with its obligations under this DPA.
9. Obligations under US Data Protection Laws
9.1 To the extent that Company processes Personal Data which is subject to US Data Protection Laws, then in addition to the obligations set out herein, Company shall not:
- Sell or share Personal Data (as the terms "sell" and "share" are defined under US Data Protection Laws) disclosed to or collected by it in connection with the Agreement, or, except as necessary to perform the Services, retain, collect, use or disclose said Personal Data, for any purpose, including commercial purposes, other than for the business purpose;
- Retain, use or disclose the personal information disclosed to it or collected by it in connection with the Agreement, outside the direct business relationship between the Customer and the Company, unless otherwise permitted under US Data Protection Laws;
- Combine the Personal Data of consumers that it collects, receives from, or on behalf of, the Customer with Personal Data that the Company receives from, or on behalf of, another person or persons or collects from its own interaction with consumers unless and solely to the extent necessary to perform the business purpose.
10. Cooperation and Assistance
10.1 If Company receives any requests from individuals or applicable data protection authorities relating to the processing of Personal Data under the Agreement, including requests from individuals seeking to exercise their rights under applicable Data Protection Law, Company will promptly redirect the request to Customer. Company will not respond to such communication directly without Customer's prior authorization, unless legally compelled to do so.
10.2 If Company receives a legally binding request for the disclosure of Personal Data which is subject to this DPA, Company shall (to the extent legally permitted) notify Customer upon receipt of such order, demand, or request. If no response is received from Customer within three (3) business days (or otherwise any shorter period as dictated by the relevant Data Protection Laws or authority), Company shall be entitled to provide such information.
10.3 Notwithstanding the foregoing, Company will reasonably and commercially cooperate with Customer with respect to any action taken by it pursuant to such order, demand or request, including ensuring that confidential treatment will be accorded to such disclosed Personal Data. Customer shall cover all costs incurred by the Company in connection with its provision of such assistance.
10.4 Upon reasonable notice, Company shall:
- Taking into account the nature of the processing, provide reasonable assistance to the Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Customer's obligation to respond to requests for exercising Data Subject's rights, at Customer's expense;
- Provide reasonable assistance to the Customer in ensuring Customer's compliance with its obligation to carry out data protection impact assessments or prior consultations with data protection authorities with respect to the processing of Personal Data.
11. Use of Sub-Processors
11.1 Customer provides a general authorization to Company to appoint (and permit each Sub-Processor appointed in accordance with this Clause to appoint) Processors and/or Sub-Processors in accordance with this section.
11.2 Company may continue to use those Sub-Processors already engaged by Company as at the date of this DPA, as specified in Annex III, subject to Company, in each case as soon as practicable, meeting the obligations set out in this Clause.
11.3 Company can at any time appoint a new Sub-Processor provided that Customer is given thirty (30) days' prior written notice, and the Customer does not legitimately object to such changes within that time frame. Legitimate objections must contain reasonable and documented grounds relating to a Sub-Processor's non-compliance with Data Protection Laws.
11.4 With respect to each Sub-Processor, Company shall ensure that the arrangement between Company and the Sub-Processor is governed by a written contract including terms which offer at least the same level of protection as those set out in this DPA and meets the requirements of Data Protection Laws.
11.5 Company will be responsible for any acts or omissions by its Sub-Processors, which may cause Company to breach any of its obligations under this DPA.
11.6 The Company will only disclose Personal Data to Sub-Processors for the specific purposes of carrying out the Services on Company's behalf.
12. Cross Border Personal Data Transfers
12.1 Transfer of Personal Data of EU residents outside the EU
To the extent that Customer transfers to Company Personal Data of EU or UK residents outside the EEA or the UK (as applicable), or an Approved Jurisdiction, then the Parties shall be deemed to enter into the Standard Contractual Clauses and UK Addendum (as applicable), subject to any amendments contained in Exhibit A, in which event the Customer shall be deemed as the Data Exporter and the Company shall be deemed as the Data Importer (as these terms are defined therein).
12.2 Transfer of Personal Data from an Israeli database outside of Israel
To the extent Company transfers any Personal Data from an Israeli database outside of Israel, then such transfer will be performed in accordance with the requirements of the applicable Data Protection Laws. Customer and Company will determine what is the legal basis for such transfer and will sign any applicable document required under the applicable Data Protection Laws.
13. Data Retention and Destruction
13.1 Company will only retain Personal Data for the duration of the Agreement or as required to perform its obligations under the Agreement, or as otherwise required to do so under applicable laws or regulations. Following expiration or termination of the Agreement, Company will delete or return to Customer all Personal Data in its possession as provided in the Agreement, except to the extent Company is required under applicable laws to retain the Personal Data, and will provide Customer with written confirmation of such action. The terms of this DPA will continue to apply to such Personal Data.
14. General
14.1 Any claims brought under this DPA will be subject to the terms and conditions of the Agreement, including any exclusions and limitations set forth therein.
14.2 In the event of a conflict between the Agreement (or any document referred to therein) and this DPA, the provisions of this DPA shall prevail.
Exhibit A: Standard Contractual Clauses and the UK Addendum
1. If Customer is a Controller – the Parties shall be deemed to enter into the Controller to Processor Standard Contractual Clauses (Module Two); if Customer is a Processor – the Parties shall be deemed to enter into the Processor to Processor Standard Contractual Clauses (Module Three).
2. This Exhibit A sets out the Parties' agreed interpretation of their respective obligations under Module Two or Module Three of the Standard Contractual Clauses (as applicable).
3. The Parties further agree that for the purpose of transfer of Personal Data between the Customer (Data Exporter) and the Company (Data Importer), the following shall apply:
- 3.1 Clause 7 of the Standard Contractual Clauses shall not be applicable.
- 3.2 In Clause 9, option 2 (General written authorization) shall apply. The time period to be specified is set forth in section 11.3 of this DPA.
- 3.3 In Clause 11, data subjects shall not be able to lodge a complaint with an independent dispute resolution body.
- 3.4 In Clause 17, option 1 shall apply. The Parties agree that the clauses shall be governed by the law of the state of Ireland.
- 3.5 In Clause 18(b) the Parties choose the courts of Dublin, Ireland.
4. The Parties shall complete Annexes I–III below, which are incorporated in the Standard Contractual Clauses by reference.
5. To the extent the UK Addendum applies, the following shall apply:
- 5.1 All the information provided under the Standard Contractual Clauses shall apply to the UK Addendum with the necessary changes per the requirement of the UK Addendum. Annexes 1A, 1B and 2 to the UK Addendum shall be replaced with Annexes I–III below, respectively.
- 5.2 In Table 4 of the UK Addendum, either party may terminate the agreement in accordance with section 19 of the UK Addendum.
Annex I: Description of Processing Activities
A. Identification of Parties
- "Data Exporter": Customer
- "Data Importer": Company
B. Description of Transfer
| Categories of data subject | |
| Categories of Personal Data | |
| Special Categories of Data | None |
| Nature of Processing | |
| Frequency of Transfer | Continuous |
| Purpose of transfer | As defined in the Agreement |
| Retention period | Personal Data will be retained for the term of the Agreement |
Annex II: Technical and Organizational Measures
This Annex describes the technical and organizational security measures implemented by the Company.
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Company shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption of Personal Data: The Company implements advanced encryption protocols to protect Personal Data both in transit and at rest, utilizing standards such as TLS 1.3 and AES-256.
- Confidentiality, integrity, availability and resilience: The Company is SOC 2 Type II certified, with audit reports available upon request. Robust protection of systems is maintained through multiple layered controls, including strict access management, least privilege enforcement, and encryption; secure authentication protocols such as OAuth 2.0 and SAML; customer-controlled access and detailed audit logs; and continuous threat monitoring via WIZ and Azure Security Center. The Company also utilizes private VPC networks, redundant infrastructure, and applies data segregation measures.
- Disaster recovery: Company maintains a Disaster Recovery Plan (DRP) and provides ongoing security and DRP training to all employees.
- Regular testing and evaluation: Company conducts regular security audits, external penetration testing by authorized vendors, and continuous evaluation of AI systems outputs. In the event that Company processes Personal Data for the Customer from a database with a high security level, it performs risk assessments and penetration tests at least every 18 months.
- Appointment of CISO: If required under the PPL, Company will appoint a CISO which will perform the duties required of it under the PPL and the DSR.
- Security Policy: Company has in place security policies which include the requirements under the DSR and which are reviewed on an annual basis.
- Mapping of database systems: Company maintains an up-to-date document of the structure of its databases and of its database systems.
- Physical protection: Systems on which and from which Personal Data is stored and processed are retained in secured premises preventing unauthorized penetration and entry.
- Data security in staff management: Company provides access to Personal Data to its Staff on a need to know basis. Company performs periodical data security training to its staff.
- Management of access rights: Company maintains an up-to-date record of roles, access rights granted to these roles and the authorized users performing such roles, and cancels authorizations for staff that no longer require authorization.
- Identification and authentication: Company utilizes measures to ensure that only authorized users have access to the Personal Data and the systems on which or from which it is processed.
- Monitoring and documenting access: In the event that Company processes Personal Data for the Customer from a database with a high or medium security level, it will maintain automatic monitoring of access to systems.
- Portable devices: Company restricts or denies the option to connect portable devices to systems from which Personal Data is processed or accessed.
- Secure and updated management of systems: Company ensures that its systems are managed and operated as customary in the operation of such systems. The systems are updated regularly.
- Network security: Connection of systems to internet or other public network will be done with appropriate safeguards. Transfer of Personal Data through the internet or a public network will be conducted by commonly used encryption methods. Remote access is subject to MFA.
- Retention, Back-Up and Recovery: Company retains logs/audit trails and security documentation data for a period of 12 months.
Annex III: List of Sub-Processors
Below is the list of the Data Importer's Sub-processors:
| Name | Services | Location |
|---|---|---|
| | Cloud service | US |
| OpenAI | AI | US |
| Elevenlabs | Voice AI Infrastructure | US |
Contact
For questions about this DPA or to request a signed copy, contact legal@prepp.tech.