Data Processing Addendum (DPA)

This Data Processing Addendum ("DPA") forms an integral part of, and is subject to the Silverbee Terms of Service, entered into by and between you, the customer ("Customer") and Silverbee AI Inc. ("Silverbee" and the "Terms"). Capitalized terms not otherwise defined herein shall have the meaning given to them in the Terms.

1. Definitions

In addition to capitalized terms defined elsewhere in this DPA, the following terms shall have the meanings set forth opposite each one of them:

  • "Applicable Law" means whichever of the following legal regimes is applicable to the processing of Personal Data under this DPA, including but not limited to:
    • EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR;
    • The California Consumer Privacy Act of 2018 (CCPA);
    • The Israel Protection of Privacy Law, 1981, and related regulations.
  • "Customer Personal Data" means any Personal Data Processed by Silverbee on behalf of Customer pursuant to or in connection with the Terms;
  • "Data Subject" shall mean the person whose Personal Data is Processed;
  • "Personal Data" shall mean Personal Data as defined under the GDPR, 'Personal Information' as defined under the CCPA, and 'Personal Information' ('meda') as defined under Israeli Privacy Law;
  • "Processing" shall be as defined in the GDPR, CCPA, and Israeli Privacy Law;
  • "Sub Processor" means any person appointed by or on behalf of Silverbee to Process Personal Data on behalf of the Customer in connection with the Terms.

2. Applicability and Roles of the Parties

2.1 For Processing subject to the GDPR

When Customer Personal Data is subject to the GDPR, Customer serves as a Controller of such Personal Data and Silverbee serves as a Processor on its behalf.

2.2 For Processing subject to the CCPA

When Customer Personal Data is subject to the CCPA, Customer serves as a Business with respect to such Personal Data and Silverbee serves as a Service Provider on its behalf.

2.3 For Processing subject to Israeli Privacy Law

When Customer Personal Data is subject to Israeli Law, Customer shall be considered the party controlling the database of Customer Personal Data and Silverbee serves as an outsourced service provider on its behalf.

3. Processing of Customer Personal Data

Silverbee shall Process Customer Personal Data at the Customer's instructions as specified in the Terms and/or this DPA. Customer instructs Silverbee to Process Customer Personal Data for the provision of the services and as otherwise set forth in the Terms and in this DPA.

4. Customer

Customer represents and warrants that it has and shall maintain throughout the term of the Terms and this DPA, all necessary rights to provide the Customer Personal Data to Silverbee for the Processing to be performed in relation to the Services and in accordance with the Terms and this DPA.

5. Silverbee Employees

Silverbee shall take reasonable steps to ensure that access to the Customer Personal Data is limited on a need to know and/or access basis, and that all Silverbee employees receiving such access are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

6. Security

Silverbee shall implement appropriate technical and organizational measures to ensure an appropriate level of security of the Controller Personal Data as set forth in the Binding Security Document attached hereto as Schedule 2.

7. Personal Data Breach

Silverbee shall notify Customer without undue delay and, where feasible, not later than within forty-eight (48) hours upon Silverbee becoming aware of a Personal Data Breach affecting Customer Personal Data.

8. Sub Processing

Customer authorizes Silverbee to appoint Sub Processors in accordance with this Section 8. Silverbee shall give notice of the appointment of any new Sub Processor to Customer.

9. Data Subject Rights

Customer shall be solely responsible for compliance with any statutory obligations concerning requests to exercise Data Subject rights under Applicable Law. Silverbee shall use commercially reasonable efforts to assist Customer to fulfill Customer's obligations with respect to such Data Subject requests.

10. Data Protection Impact Assessment and Prior Consultation

To the extent the processing is subject to the GDPR, Silverbee and each Sub Processor shall provide reasonable assistance to Customer with respect to any Customer Personal Data Processed by Silverbee and/or a Sub Processor, at Customer's written request and expense, with any data protection impact assessments or prior consultations with Supervisory Authorities.

11. Deletion or Return of Customer Personal Data

Silverbee shall promptly and in any event within up to sixty (60) days of the date of cessation of provision of the Services to Customer involving the Processing of Customer Personal Data, delete, return or anonymize all copies of those Customer Personal Data.

12. Audit Rights

Subject to Sections 2 and 12.3, to the extent required by Applicable Law, Silverbee shall make available to a reputable auditor mandated by Customer in coordination with Silverbee, upon prior written request, such information reasonably necessary to demonstrate compliance with this DPA.

13. Liability and Indemnity

Customer shall indemnify and hold Silverbee harmless against all claims, actions, third party claims, losses, damages and expenses incurred by Silverbee and arising directly or indirectly out of or in connection with a breach of this DPA and/or the Applicable Law by Customer.

14. General Terms

14.1 Governing Law and Jurisdiction

The parties to this DPA hereby submit to the choice of jurisdiction stipulated in the Terms with respect to any disputes or claims howsoever arising under this DPA.

14.2 Order of Precedence

Subject to this Section 14.2, with regard to the subject matter of this DPA, in the event of inconsistencies between the provisions of this DPA and any other agreements between the parties, including the Terms, the provisions of this DPA shall prevail.

14.3 Changes in Applicable Law

Customer may request in writing any variations to this DPA if they are required as a result of any change in, or decision of a competent authority under any Applicable Law.

14.4 Severance

Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force.

Schedule 1: Details of Processing of Controller Personal Data

This Schedule 1 includes certain details of the Processing of Controller Personal Data as required by Article 28(3) GDPR.

Schedule 2: Binding Security - Technical and Organizational Measures

  1. Information security program and certification. A written security program is implemented, maintained, and complied with.
  2. Chief Information Security Officer (CISO). Silverbee appointed a CISO who is responsible for the development, implementation, and ongoing maintenance of the information security program.
  3. Access control. Access rights are assigned according to the principle that employees and third parties are only granted the level of access they need to perform their activities.
  4. Physical access control. Secure areas are defined on the basis of information security and data protection requirements.
  5. Encryption. Personal Data is encrypted at rest using AES-256 and in transit using TLS v1.2 or higher.
  6. Confidentiality. Controls are in place to maintain the confidentiality of Data in accordance with the Service Agreement.
  7. Information integrity and Availability. A variety of tools and mechanisms are used to achieve high availability and resiliency.
  8. Third party vendor management. Security risk-based assessments of prospective vendors are carried out before working with them.
  9. Incident response plan. Policies and procedures are implemented, designed to detect, respond to, and otherwise address incidents.
  10. System testing and maintenance. Silverbee tests and maintains systems to protect data.
  11. Audit logging. Hardware, software, or procedural mechanisms are implemented and maintained to record and examine activity in processing systems.
  12. Security awareness and privacy training. An ongoing security and privacy awareness and training program is maintained for all employees.
  13. Secure Software Development. Code integrity protection is implemented, including regular review and testing for vulnerabilities such as the OWASP Top 10.