High Intent

Terms of Use

DATED 2019-08

DATA PROCESSING AGREEMENT

Between

High Intent

And

Customer

Regarding the processing of personal data through the High Intent Services, this DATA PROCESSING AGREEMENT (the “DPA”) is entered into by and between:

1)  Uniquely Ltd. a limited liability company incorporated under the laws of Israel with corporate registration number 515539211 (“Excavator”); and

2) The entity or individual executing the Agreement (the “Customer”).

Each of High Intent and the Customer is a “Party” and together as the “Parties”.

BACKGROUND

(a) High Intent is a website analytics and advertising technology company specialized in B2B marketing and lead generation. High Intent has developed and provides a tracking code, which collects data from visitors to the Customers website when integrated on the website, as well as a service that identifies company-related visitors to the Customer’s website.

(b) The customer has entered into the agreement for the supply of digital advertising services (the “Agreement”)[AB2]  with Excavator in order to use the services in its business operations, which forms the subject matter of the processing of Personal Data under this DPA.

(c) The High Intent tracking code, which collects data from visitors to the Customers website when integrated on the website, is a software as a service solution in which data processing is carried out (the “Service”), rendering the Customer the data controller, whilst Excavator qualifies as data processor under the applicable data protection laws. In light of the above, High Intent and Customer have agreed on the following terms and conditions set out in this written DPA concerning the processing of Personal Data under this DPA.

1. Definitions

“Applicable Laws” shall mean all acts, laws, regulations, including but not limited to Data Protection Laws, applicable to each Party.

“Data Protection Laws” shall mean the applicable national laws concerning data protection and, if applicable, the national laws implementing Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of Personal Data and on the free movement of such data and Directive 2002/58/EC of the European Parliament and of the Council concerning the processing of Personal Data and the protection of privacy in the electronic communications sector (ePrivacy Directive) and the subsequent directives and regulations such as the General Data Protection Regulation (Regulation no. 2016⁄679) and their national implementations and related national legislation.

“EEA” shall mean the European Economic Area.

“EU” shall mean the European Union.

“Personal Data” shall mean all information that is directly or indirectly referable to a natural living person such as name, email address, IP-address[AB3], location data, etc.

“Personal Data Breach” shall mean a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

2. General Terms

  1. High Intent may under this DPA process Personal Data on behalf of the Customer according to the instructions of the Customer. The Personal Data is and shall remain the property of the Customer, and the Customer takes full responsibility for the Personal Data, including that such data does not infringe any third-party rights or in any other way violate Applicable Laws.

  2. This DPA is intended to constitute and shall be interpreted as a written data processing agreement between the Customer and Excavator pursuant to applicable Data Protection Laws.


3. The processing

  1. High Intent shall process the Personal Data relating to the categories of data subjects and shall consist of the processing operations as set out in Schedule 1.

  2. High Intent shall process the Personal Data for the purpose of providing the Service to the Customer.


4. Term of processing

  1. This DPA shall enter into force on the date of last signing and, subject to the below section 4.2, shall remain effective until the Agreement is terminated or expires.

  2. Upon the termination or expiry of the Agreement, without entering into a new data processor agreement replacing this DPA, the provisions of this DPA, subject to the discretion of the Customer, shall continue to apply as long as and to the extent Personal Data is processed by High Intent pursuant to the instructions of the Customer.


5. High Intent's obligations

  1. High Intent may process Personal Data only for purposes necessary for the due performance of the Agreement and only in accordance with the Data Protection Laws applicable to High Intent and in accordance with the written instructions from the Customer as further detailed in Schedule 2 and as otherwise instructed by the Customer in writing from time to time. High Intent may not disclose any Personal Data to a third party without the prior written approval from the Customer or if otherwise required by law.

  2. If High Intent does not have sufficient instructions to enable High Intent to deliver the Services or otherwise fulfill its obligations, High Intent shall without delay inform the Customer hereof and specify the need for further instructions and await further written instructions from the Customer prior to continuing the relevant processing of the Personal Data.

  3. High Intent shall implement and maintain appropriate and adequate technical and organizational measures as set forth in Schedule 2 to ensure the security for the processed data. The measures shall as a minimum protect the processed data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, the Personal Data transmitted, stored or otherwise processed by High Intent. The measures shall take into account the particular risks associated with the processing of the Personal Data and the sensitivity of the Personal Data which is processed.

  4. High Intent undertakes to oblige all persons, including but not limited to its employees, who access the processed Personal Data in the course of the processing operations carried out by High Intent to comply with confidentiality obligations and access restrictions with regards to the processing of Personal Data. High Intent shall ensure that only such employees have access to Personal Data who have received training and/or instruction in the care and handling of Personal Data.

  5. Taking into account the nature of the processing, High Intent shall, at Customer’s cost upon Customer’s request in accordance with Customer’s written instructions, assist the Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Customer’s obligation to respond to requests for exercising data subject’s rights under applicable Data Protection Laws.

  6. High Intent, taking into account the nature of processing and the information available to the processor, undertakes to assist the Customer, at Customer’s cost upon Customer’s reasonable request substantiating the necessity, in ensuring compliance with applicable Data Protection Laws with regards to the security of processing, notification to the data protection authority and communication to the data subjects of data breaches, data protection impact assessments and prior consultations with the data protection authority.


6. Notification

  1. High Intent shall immediately inform the Customer if, in its opinion, an instruction infringes or is contrary to applicable Data Protection Laws.

  2. High Intent shall notify the Customer without undue delay after becoming aware of a Personal Data Breach.

  3. In the event Excavator is required to disclose information, including but not limited to the processed Personal Data or information relating to the processing, according to Applicable Laws or the decisions of public authorities or courts, High Intent shall be obligated to inform the Customer thereof immediately, insofar permitted by Applicable Laws, and request confidentiality in conjunction with the disclosure of requested information.


7. Information and audit

  1. High Intent is obliged to, upon Customer’s reasonable request and at Customer’s cost, make available to the Customer all information necessary and strictly limited to the purpose of demonstrating compliance with the obligations of the data processor under applicable Data Protection Laws.

  2. Customer may, pursuant to the relevant provision of the Agreement but in any case notwithstanding what is set out in the Agreement once per calendar year at the cost of the Customer, carry out or mandate a third-party auditor, which is not direct competitor to High Intent and acting under confidentiality undertaking, to carry out an audit strictly limited to verifying High Intent compliance with the obligations of data processors under applicable Data Protection Laws. The audit shall be carried out during High Intent normal working hours without disturbance to the normal operations of High Intent.


8. Sub-processors

  1. The customer hereby gives general written authorization for High Intent to engage sub-processors for carrying out specific processing activities on behalf of the Customer. When engaging sub-processors, High Intent undertakes to ensure that the contract entered into between High Intent and any subprocessor shall impose, as a minimum, the same data protection obligations as set out in this DPA.

  2. High Intent shall notify the Customer of any intended changes concerning the addition or replacement of the sub-processors in Schedule 3, to which the Customer may object. If the Customer has made no such objection within ten (10) days from the date of receipt of the notification, the Customer is assumed to have made no objection.

  3. High Intent may transfer (including allowing access to) Personal Data to its sub-processors outside the EEA. The parties shall jointly take all reasonably required measures necessary for ensuring that such transfer is in accordance with Applicable Laws, which may include entering into model clauses for data transfer outside of the European Economic Area (EEA).


9. Warranty

  1. If and to the extent another legal entity than the Customer is the controller, independently or jointly, for all or part of the Personal Data processed by High Intent on behalf of the Customer under this DPA, the Customer warrants that it has necessary authority and mandate to enter into this DPA on behalf of such legal entity.

  2. The Customer warrants that the processing of Personal Data is carried out in accordance with Applicable Laws, including obtaining necessary licenses, permits or approvals for the processing and notifying the processing to competent authorities or data protection officials and informing the data subjects of the processing.


10. Limitation of liability

Unless caused by the gross negligence or reckless misconduct of High Intent, High Intent shall in no event, be liable to the Customer for any losses or damages, whether direct or indirect (including, without limitation, damages for loss of production, loss of data, loss of business or profit, loss of use, loss of goodwill or any indirect or consequential damages) arising out of or in connection with this DPA.


11. Indemnification

The Customer shall defend, indemnify and hold High Intent harmless from and against any third-party claims, damages, costs, as well as administrative penalties or fines issued by courts or authorities if, and to the extent High Intent is held liable, by a competent court, authority or any other dispute resolution body for processing of personal that is contrary to the applicable Data Protection Laws, unless such liability has arisen as a consequence of High Intent failure to perform its obligations under this DPA.


12. Remuneration

High Intent is not entitled to additional remuneration on the basis of the provisions of this DPA and shall unless otherwise agreed by the Parties, or in accordance with the Agreement.


13. measures upon completion of processing

  1. When the provisions of this DPA cease to be effective, High Intent shall, upon and in accordance with Controller’s request, delete all Personal Data or delete and return all Personal Data to the Customer, unless Applicable Laws require High Intent to store the Personal Data.


14. Assignment
 

  1. The Customer may only assign the rights or obligations under this DPA to a third-party with the prior written consent of High Intent.

  2. High Intent may assign its rights and obligations under this DPA to (i) any company within its group of companies, or (ii) a third party in case of a merger, joint venture or transfer of businesses or substantially all parts of businesses. Any such assignment of rights shall not be considered as High Intent engaging a sub-processor.


15. Entire Agreement
 

  1. This DPA shall supersede any prior agreements, arrangements, and understandings between the parties and constitutes the entire agreement between the parties relating to the subject matter hereof.

  2. High Intent is entitled to amend this DPA if it is necessary to comply with the requirements of applicable Data Protection Laws. Such amendments enter into force at the latest thirty (30) days after High Intent has sent an amendment notice to the Customer, or such other time period which High Intent is obliged to adhere to according to Personal Data Laws and regulations or relevant authorities. Other alterations of and amendments to this DPA shall be made in writing and be signed by duly authorized representatives of the Parties to be binding.


16. Governing Law and Disputes
 

  1. This DPA shall be governed by and construed in accordance with the laws of Israel, with the exclusion of its conflict of law rules.

  2. Any dispute, controversy or claim arising out of or in connection with this DPA, or the breach, termination or invalidity thereof, shall be finally settled. in Tel Aviv, Israel. The language to be used in the arbitral proceedings shall be Hebrew unless otherwise agreed.

  3. The Parties undertake and agree that all arbitral proceedings conducted with reference to this arbitration clause will be kept strictly confidential. This confidentiality undertaking shall cover all information disclosed in the course of such arbitral proceedings, as well as any decision or award that is made or declared during the proceedings. Information covered by this confidentiality undertaking may not, in any form, be disclosed to a third party without the written consent of the other Party. This notwithstanding, a Party shall not be prevented from disclosing such information in order to safeguard in the best possible way his rights vis-à-vis the other Party in connection with the dispute, or if the Party is obliged to so disclose pursuant to statute, regulation, a decision by an authority or similar.

 

Schedule 1 – Processing of Personal Data

Type of Personal Data

The following types of Personal Data are processed by High Intent on behalf of the Customer under the DPA:

(a) IP address - IP v4 or v6;
(b) Location-based on IP address;
(c) URL - including “Query String”;
(d) Referer/Origination-website for the visitor;
(e) UserAgent – including i.a. OS, browser and screen resolution;
(f) The domain from form input fields (e.g. albacross.com); and
(g) Fingerprint hash.

Categories of data subjects

Data subjects:

The processed Personal Data concerns the following categories of data subjects:

(a) Visitors to the Customer’s website.

Processing operations

 

The following processing operations shall be carried out for the below-specified purposes by High Intent under this DPA:

Processing operations: - a collection of Personal Data via the High Intent tacking code; - extract information of location based on IP address; - crosschecking of Personal Data with the High Intent database with IP-addresses; and - erasure of the Personal Data if there is not a match with a company IP-address.

Purposes: - To identify which IP-address collected with the High Intent tracking code belongs to a company, and thereby identify what companies have visited the Customer’s website; and - to make accurate advertising to specific businesses based on the data.

High Intent may not process the Personal Data for any other purposes under this DPA and its schedules.

 

Schedule 2 – Instructions
 

1. Instructions for processing of the Processed Data on behalf of the Data Controller

High Intent shall comply with the instructions set forth below with respect to the processing of the Personal Data under this DPA.

2. Handling and processing of the Personal Data


Security
 

The premises used by High Intent shall be protected with adequate physical security measures, such as alarms for fires, water damage, burglary, etc. In addition, there should be procedures and equipment for example in the form of alarms, barriers, locks, etc. which control access to the premises. High Intent shall introduce necessary safety routines, such as (i) lock devices on computers and other equipment; (ii) entry control system; (iii) protection gear for power breaks as well as smoke and water damages; (iv) fire extinguishers; (v) safety locks; and (vi) marking of equipment etc.

The premises used by High Intent shall be protected with adequate physical security measures, such as alarms for fires, water damage, burglary, etc. In addition, there should be procedures and equipment for example in the form of alarms, barriers, locks, etc. which control access to the premises. High Intent shall introduce necessary safety routines, such as (i) lock devices on computers and other equipment; (ii) entry control system; (iii) protection gear for power breaks as well as smoke and water damages; (iv) fire extinguishers; (v) safety locks; and (vi) marking of equipment etc.

High Intent should create a safe IT-environment, which includes, but is not limited to (i) necessary safety routines for avoiding virus attacks or other threats that could be harmful to the IT-environment; (ii) an encryption system and/or other security measures with the purpose of avoiding tapping or revealing signals; (iii) necessary security routines for IT-equipment; (iv) a control system based on user authorization, which enables identification of user identity (through the usage of passwords or such) and prevents unauthorized use of or access to the processed Personal Data; (v) storage of processing history (log data), which shall be sorted out in accordance with Customer’s instructions; (vi) automatic back-up routines, including storage of back-up copies, which shall be sorted out in accordance with Customer’s instructions; as well as (vii) destruction or other means of eradication of all media that has contained Personal Data that no longer is used.


3. Data subjects’ requests
 

High Intent shall make it possible to log and trace the processing of the Personal Data, including the disclosure and transfer of the Personal Data.

High Intent shall, subject to the provisions of this DPA, forward all requests from the data subjects to the Customer and shall only act upon the prior authorization and pursuant to the instruction of the Customer.

Subject to the above, High Intent shall rectify, block, delete, modify, or erase the processed Personal Data in accordance with Customer’s instructions.

Subject to the provisions of this DPA, High Intent shall not maintain the processed Personal Data for longer than is necessary taking into consideration the purpose of the processing.

 

Schedule 3 – Sub-processors

The customer approves that High Intent engages the following sub-processors.

Sub-processor: Amazon Web ServicesCountry of processing: Unites States

Processing and Personal Data:

1. IP address - IP v4 or v6;
2. Location-based on IP address;
3. URL - including “Query String”;
4. Referer/Origination-website for the visitor;
5. UserAgent – including i.a. OS, browser and screen resolution;
6. The domain from form input fields (e.g. @highintent,io); and
7. Fingerprint hash.