Last Updated: June 9, 2025
This Data Processing Agreement (“DPA”) is governed and hereby attached to the Terms and Conditions, or any other agreement (“Agreement”) executed by and between J.D. Digitrade Systems Ltd. together with its Affiliates and subsidiaries (“Company”), and you as a customer (“Customer”). For the avoidance of doubt, the Customer under this DPA shall be the commercial Customer of the Company, excluding any of its Authorized Users or Integrators.
All capitalized terms not defined herein shall have the meaning set forth in the Agreement.
WHEREAS, the Company is the developer and operator of an e-commerce website and backend management platform and provides the Customer with certain Services as agreed upon in any Order Form, Subscription Plan or any other such agreement (the “Services”); and
WHEREAS, the Services may require the Company to Process Personal Information (as such terms are defined below) on the Customer’s behalf subject to the terms and conditions of this DPA; and
WHEREAS, the Parties desire to supplement this DPA to achieve compliance with the EU, United States and other applicable data protection laws and agree on the following:
1. Definitions
1.1 “Account and Usage Data” means Customer Account data and any other data processed by the Company as the Controller of such data as detailed under the Company’s Privacy Policy.
1.2 “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
1.3 “Adequate Country” means a country that received an adequacy decision from the European Commission or other applicable data protection authority.
1.4 “CCPA” means the California Consumer Privacy Act (Cal. Civ. Code §§ 1798.100 – 1798.199) of 2018, including as modified by the California Privacy Rights Act (“CPRA”) as well as all regulations promulgated thereunder from time to time.
1.5 “Customer Data” means any Personal Data included within Customer Data (as defined in the Agreement) and any other Personal Data processed on behalf of the Customer during the use of the Services, but excluding any Account and Usage Data, all as detailed in Annex I attached herein.
1.6 “Data Privacy Framework” means the EU-U.S. Data Privacy Framework operated by the U.S. Department of Commerce; as may be amended, superseded or replaced from time to time.
1.7 “Israel Privacy Law” means Israeli Privacy Protection Law, 5741-1981, the regulations promulgated thereunder, including the Israeli Privacy Protection Regulations (Data Security), 5777-2017, and any other Israeli privacy-related regulations and amendments.
1.8 The terms “Personal Data”, “Controller”, “Processor”, “Data Subject”, “Processing” (and “Process”), “Personal Data Breach”, “Special Categories of Personal Data” and “Supervisory Authority”, shall all have the same meanings as ascribed to them in the EU Data Protection Law. The terms “Business”, “Business Purpose”, “Consumer”, “Service Provider”, “Contractor”, “Third Party Business”, “Sale”, “Sell” and “Share” shall have the same meaning as ascribed to them under US Data Protection Laws. “Data Subject” shall also mean and refer to “Consumer”, and “Personal Data” shall include “Personal Information” under this DPA.
1.9 “Data Protection Law” means any and all applicable privacy and data protection laws and regulations (including, where applicable, Israel Privacy Law, EU Data Protection Law and US Data Protection Laws) as may be amended or superseded from time to time.
1.10 “EEA” means the European Economic Area.
1.11 “EU Data Protection Law” means the (i) EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”); (ii) Regulation 2018/1725; (iii) the EU e-Privacy Directive (Directive 2002/58/EC), as amended (e-Privacy Law); (iv) any national data protection laws made under, pursuant to, replacing or succeeding (i) and (ii); (v) any legislation replacing or updating any of the foregoing; and (vi) any judicial or administrative interpretation of any of the above, including any binding guidance, guidelines, codes of practice, approved codes of conduct or approved certification mechanisms issued by any relevant Supervisory Authority.
1.12 “Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data. Any Personal Data Breach will comprise a Security Incident.
1.13 “Standard Contractual Clauses” or “SCC” mean the standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council adopted by the European Commission Decision 2021/914 of 4 June 2021, which may be found here: Standard Contractual Clauses.
1.14 “US Data Protection Laws” means any U.S. federal and state privacy laws effective as of the Effective Date of this DPA and applies to the Company’s Processing of Customer Data, including the CCPA, as amended or superseded from time to time and including any implementing regulations and amendments thereto.
Any other terms that are not defined herein shall have the meaning provided under the Agreement or applicable Law. A reference to any term or section of Data Protection Laws means the version as amended.
2. Roles and Details of Processing
2.1 The parties agree and acknowledge that under the performance of their obligations set forth in the Agreement, and with respect to the Processing of Customer Data, the Company is acting as a Data Processor and Customer is acting as a Data Controller. Each party shall be individually and separately responsible for complying with the obligations that apply to such a party under the applicable Data Protection Law. As between the Parties, it is acknowledged and agreed that the Company is not in a position to, nor can, be responsible for ensuring the lawfulness of Customer Data, including the manner and means by which it was collected, and any disclosure or consent required for such collection.
2.2 The subject matter and duration of the Processing carried out by the Processor on behalf of the Controller, the nature and purpose of the Processing, the type of Personal Data and categories of Data Subjects are described in Annex I attached hereto.
2.3 Additional US Data Protection Laws specifications are further detailed in Annex V.
3. Representations and Warranties
3.1 The Company represents and warrants that it shall Process Customer Data, on behalf of the Customer, solely for the purpose of providing the Services, all in accordance with Customer’s written instructions under the Agreement and this DPA. Notwithstanding the above, in the event the Company is required under applicable laws, including Data Protection Law or any union or member state regulation, to Process Customer Data other than as instructed by Customer, the Company shall make its best efforts to inform the Customer of such requirement prior to Processing such Customer Data, unless prohibited under applicable law.
3.2 The Company shall provide reasonable cooperation and assistance to the Customer in ensuring compliance with its obligation to carry out data protection impact assessments with respect to the Processing of its Customer Data and to consult with the Supervisory Authority (as applicable).
3.3 The Company shall take commercially reasonable steps to ensure: (i) the reliability of its staff and any other person acting under its supervision who may come into contact with, or otherwise have access to and Process Customer Data; (ii) that persons authorized to process the Customer Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; and (iii) that such personnel are aware of their responsibilities under this DPA and any applicable Data Protection Laws.
3.4 The Customer is solely responsible for ensuring the lawfulness of Customer Data which is uploaded to the Services, including without limitation any consent or disclosure required for that.
4. Data Subjects Rights and Request
4.1 It is agreed that where the Company receives a request from a Data Subject or an applicable authority in respect of Customer Data, where applicable, the Company will direct the Data Subject or the applicable authority to the Customer in order to enable the Customer to respond directly to the Data Subject’s or the applicable authority’s request, unless otherwise required under applicable laws. Parties shall provide each other with commercially reasonable cooperation and assistance in relation to the handling of a Data Subject’s or applicable authority’s request, to the extent permitted under Data Protection Law.
5. Sub-Processing
5.1 The Customer acknowledges that the Company may transfer Customer Data to and otherwise interact with third party data Processors (“Sub-Processor”). The Customer hereby authorizes the Company to engage and appoint such Sub-Processors as listed in Annex III, to Process Customer Data, as well as permit each Sub-Processor to appoint a Sub-Processor on its behalf. The Company may continue to use those Sub-Processors already engaged by the Company, as listed in Annex III, or engage an additional Sub-Processor or replace an existing Sub-Processor to process Customer Data, subject to the provision of a thirty (30) day prior notice of its intention to do so to the Customer. In case the Customer has not objected to the adding or replacing of a Sub-Processor within five (5) days of the Company’s notice, such Sub-Processor shall be considered approved by the Customer. In the event the Customer objects to the adding or replacing of a Sub-Processor, the Company may, under its sole discretion, suggest the engagement of a different Sub-Processor for the same course of services, or otherwise terminate the Agreement.
5.2 The Company shall, where it engages any Sub-Processor, impose, through a legally binding contract between the Company and the Sub-Processor, data protection obligations similar to those set out in this DPA, in such a manner that the Processing will meet the requirements of Data Protection Law.
5.3 The Company shall remain responsible to the Customer for the performance of the Sub-Processor’s obligations in accordance with this DPA. The Company shall notify the Customer of any failure by the Sub-Processor to fulfill its contractual obligations.
5.4 List of Sub-Processors is further detailed in Annex III.
6. Technical and Organizational Measures
6.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, and without prejudice to any other security standards agreed upon by the parties, the Company hereby confirms that it has implemented and will maintain appropriate physical, technical and organizational measures to protect the Customer Data as required under Data Protection Laws to ensure lawful processing of Customer Data and safeguard Customer Data from unauthorized, unlawful or accidental processing, access, disclosure, loss, alteration or destruction.
6.2 The Company is, and shall remain throughout the Term, certified under ISO 27001 pertaining to the Data Security of its operations, as well as the ISO 27701 extensions, pertaining to proper privacy management practices.
6.3 The security measures are further detailed in Annex II.
6.4 The parties acknowledge that security requirements are constantly changing and that effective security requires frequent evaluation and regular improvement of outdated security measures.
7. Security Incident
7.1 The Company will notify the Customer promptly and no later than 48 hours upon becoming aware of any confirmed Security Incident involving the Customer Data in the Company’s possession or control. The Company’s notification regarding or response to a Security Incident under this Section 7 shall not be construed as an acknowledgment by the Company of any fault or liability with respect to the Security Incident.
7.2 The Company will: (i) take necessary steps to remediate, minimize any effects of and investigate any Security Incident and to identify its cause; (ii) co-operate with the Customer and provide the Customer with such assistance and information as it may reasonably require in connection with the containment, investigation, remediation or mitigation of the Security Incident; (iii) notify the Customer in writing of any request, inspection, audit or investigation by a Supervisory Authority or other authority; (iv) keep the Customer informed of all material developments in connection with the Security Incident and execute a response plan to address the Security Incident; and (v) co-operate with the Customer and assist Customer with its obligation to notify the affected individuals in the case of a Security Incident.
8. Audit Rights
8.1 The Company shall maintain accurate written records of any and all the processing activities of any Personal Data carried out under this DPA and shall make such records available to the Customer and applicable supervisory authorities upon written request. Such records provided shall be considered the Company’s Confidential Information and shall be subject to confidentiality obligations.
8.2 The Company shall, upon Customer’s written request, furnish the Customer with an updated certificate of its data security practices.
8.3 Alternatively, in the event the records and documentation provided subject to Section 8.1 above are not sufficient, the Company shall make available, solely upon prior reasonable written notice and no more than once per year, to a reputable auditor nominated by the Customer, information necessary to reasonably demonstrate compliance with this DPA, and shall allow for audits, including inspections, by such reputable auditor solely in relation to the Processing of the Customer Data (“Audit”) in accordance with the terms and conditions hereunder. The auditor shall be subject to the terms of this DPA and standard confidentiality obligations (including third parties). The Company may object to an auditor appointed by the Customer in the event the Company reasonably believes the auditor is not suitably qualified or independent, is a competitor of the Company or otherwise unsuitable (“Objection Notice”). The Customer will appoint a different auditor or conduct the Audit itself upon its receipt of an Objection Notice from the Company. Customer shall bear all expenses related to the Audit and shall (and ensure that each of its auditors shall) over the course of such an Audit, avoid causing any damage, injury or disruption to the Company’s premises, equipment, personnel and business while its personnel are on those premises in the course of such Audit. Any and all conclusions of such Audit shall be confidential and reported back to the Company immediately.
8.4 Nothing in this DPA will require the Company to either disclose to Customer or its third-party auditor, or to allow Customer or its third-party auditor to access: (i) any data of any other Company’s customer or Company’s internal data including without limitation Account and Usage Data; (ii) the Company’s internal accounting or financial information; (iii) any trade secret of the Company or its Affiliates; (iv) any information that, in the Company’s reasonable opinion, could compromise the security of any of the Company’s systems or cause any breach of its obligations under applicable law or its security or privacy obligations to any third party; or (v) any information that Customer or its third-party auditor seeks to access for any reason other than the good faith fulfillment of Customer’s obligations under the Data Protection Laws.
9. Cross Border Personal Data Transfers
9.1 The Company will not transfer Customer Data originating from the EU, UK or Switzerland (which for the purpose of this Section 9 shall be referred to as “Customer Data”), to any country or recipient not recognized as providing an adequate level of protection for such Personal Data by the Company (or by a Sub-Processor) includes transfer of Personal Data (either directly or through an onward (within the meaning of the applicable Data Protection Law), unless it first takes all such measures as are necessary to ensure the transfer) to a third country outside the EEA is in compliance with applicable Data Protection Laws. Such measures may include (without limitation) (i) transferring such data to a recipient that is not covered by a suitable framework or other legally adequate transfer mechanism recognized by the relevant authorities or courts as providing an adequate level of protection for Personal Data, including to an Adequate Country, such transfer shall only occur if an appropriate safeguard approved by or in compliance with the Data Privacy Framework; (ii) to a recipient that has achieved binding corporate rules authorization in accordance with applicable Data Protection Law; or (iii) to a recipient that has executed the SCCs.
9.2 When Customer and the Company, or the Company and/or its Sub-processor, rely on the Standard Contractual Clauses to facilitate a transfer to a third country that is not an Adequate Country, then, for the transfer of Personal Data from the EEA, the terms set forth in Annex IV shall apply.
10. Term, Termination and Conflict
10.1 This DPA shall be effective as of the Effective Date (as defined in the agreement) and shall remain in force until the Agreement terminates.
10.2 The Company shall be entitled to terminate this DPA or terminate the Processing of Customer Data in the event that Processing of Customer Data under the Customer’s instructions or this DPA infringes applicable legal requirements.
10.3 Following the termination of this DPA, the Company shall, at the choice of the Customer, delete all Customer Data processed on behalf of the Customer and certify to the Customer that it has done so, or return all Customer Data to the Customer and delete existing copies, unless applicable law or regulatory requirements require that the Company continue to store Customer Data. Until the Customer Data is deleted or returned, the parties shall continue to ensure compliance with this DPA.
10.4 In the event of a conflict between the terms and conditions of this DPA and the Agreement, this DPA shall prevail. For the avoidance of doubt, in the event Standard Contractual Clauses have been executed between the parties, the terms of the Standard Contractual Clauses shall prevail over those of this DPA. Except as set forth herein, all of the terms and conditions of the Agreement shall remain in full force and effect.
Annex I
Details of Processing
This Annex includes certain details of the Processing of Personal Data as required by Article 28(3) GDPR.
Categories of Data Subjects:
Customer, Customer’s end-users (who purchase products in its e-commerce platform operated through the Services), Authorized Users, and any other data subject which are uploaded to the Services by Customer, whether directly, through an Integrator or through integration with a third-party system, on Customer’s behalf.
Categories of Personal Data Processed:
- User data – Credentials, contact information (such as name, email address), usage data.
- Other Customer Data – any data uploaded to the Services under customer’s sole discretion.
Special Categories of Personal Data:
None.
Nature of the processing:
Collection, storage, organization, communication, transfer, host and other uses in performance of the Services as set out in the Agreement.
Purpose(s) of Processing:
To provide the Service.
Retention Period:
For as long as is necessary to provide the Services by the Company; provided there is no legal obligation to retain the Personal Data past termination or unless otherwise requested by the Customer.
Process Frequency:
Continuous basis.
Annex II
Technical and Organizational Measures
(ISO 27001:2022 & ISO 27701:2019 Certified Environment)
The Company maintains an integrated Information Security and Privacy Management System certified to ISO 27001 and ISO 27701. In support of that certification and to protect Customer Data, the Company implements, maintains and reviews the following controls:
- Risk-based security measures
Implement and maintain technical and organizational measures, aligned to the assessed risks and the sensitivity of Customer Data, to guard against accidental or unlawful processing, loss, destruction, damage, alteration, disclosure or access.
- Security testing and vulnerability management
Obtain independent third-party attestation of static and dynamic application security testing or penetration testing on all software that processes Customer Data. Remediate any identified high-severity vulnerabilities before delivery to Customer; document and schedule remediation for medium and low issues; and provide evidence of remediation upon Customer request.
- Confidentiality and personnel controls
Require all employees, contractors and agents with access to Customer Data to sign confidentiality obligations. Apply background screening, role-based access approvals and annual security and privacy training to all personnel and subcontractors.
- System availability and resilience
Maintain measures to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services, including network redundancy, backup procedures and disaster-recovery planning.
- Continuous monitoring and improvement
Regularly test, assess and evaluate the effectiveness of technical and organizational measures, for example through internal audits, simulated attacks and security reviews, and implement corrective actions for any deficiencies identified.
- Logging and monitoring
Log access and activities on systems and facilities that store or process Customer Data. Upon request and subject to applicable laws and retention policies, provide Customer with a report of authorized users, privileges, account status and activity history.
- Access control and least privilege
Grant access to Customer Data only to personnel who require it to perform their duties. Enforce least-privilege principles, conduct access-right reviews upon personnel changes, and promptly revoke access when no longer needed.
- Authentication and password policies
Apply industry-standard password policies for both standard and privileged accounts. Protect all accounts with multi-factor authentication where Customer Data is accessible.
- Encryption in transit and at rest
Use strong, industry-standard cryptographic protocols to protect Customer Data in transit (e.g., TLS) and, where applicable, at rest.
- Physical security
Operate physical security controls, such as code-based access locks, surveillance and environmental protections, in line with ISO 27001 requirements.
- Secure media handling and disposal
Ensure that all storage media (magnetic, optical, solid-state, paper or otherwise) containing Customer Data are securely erased or destroyed before reuse or disposal.
These measures are reviewed at least annually (or upon significant change) to maintain alignment with evolving threats, business requirements and legal obligations.
Annex III
List Of Sub-Processors
Name | Address | Details of the processing | DPA/SCC Executed
Priority | IL | Managing Company’s financial data (not used for production data) |
Annex IV
EU International Transfers and SCC
- The parties agree that the terms of the Standard Contractual Clauses are hereby incorporated by reference and shall apply to transfer of Personal Data from the EEA to other countries that are not deemed as Adequate Countries.
- Module Two (Controller to Processor) of the Standard Contractual Clauses shall apply where the transfer is effectuated by Customer as the data controller of the Personal Data and the Company is the data processor of the Personal Data.
- The Parties agree that for the purpose of transfer of Personal Data between Customer (as Data Exporter) and the Company (as Data Importer), the following shall apply:
a) Clause 7 of the Standard Contractual Clauses shall not be applicable.
b) In Clause 9, option 2 (general written authorization) shall apply and the method for appointing and time period for prior notice of Sub-processor changes shall be as set forth in the Sub-Processing Section of the DPA.
c) In Clause 11, the optional language will not apply, and data subjects shall not be able to lodge a complaint with an independent dispute resolution body.
d) In Clause 17, option 1 shall apply. The parties agree that the Standard Contractual Clauses shall be governed by the laws of the EU Member State in which the Customer is established (where applicable).
e) In Clause 18(b) the parties choose the courts of the Republic of Ireland, as their choice of forum and jurisdiction.
- Annex I.A of the Standard Contractual Clauses shall be completed as follows:
4.a.1. “Data Exporter”: Customer
4.a.2. “Data Importer”: the Company
4.a.3. Roles: (A) With respect to Module Two: (i) Data Exporter is a data controller and (ii) the Data Importer is a data processor.
4.a.4. Data Exporter and Data Importer Contact details: As detailed in the Agreement.
4.a.5. Signature and Date: By entering into the Agreement and DPA, Data Exporter and Data Importer are deemed to have signed these Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the Agreement.
- Annex I.B of the Standard Contractual Clauses shall be completed as follows:
a) The purpose of the processing, nature of the processing, categories of data subjects, categories of personal data and the parties’ intention with respect to the transfer of special categories are as described in Annex I (Details of Processing) of this DPA.
b) The frequency of the transfer and the retention period of the personal data is as described in Annex I (Details of Processing) of this DPA.
c) The sub-processors to which personal data is transferred are listed in Annex III.
- Annex I.C of the Standard Contractual Clauses shall be completed as follows: the competent supervisory authority in accordance with Clause 13 is the supervisory authority in the Member State stipulated in Section 3 above.
- Annex II of this DPA (Technical and Organizational Measures) serves as Annex II of the Standard Contractual Clauses.
- Annex III of this DPA (List of Sub-processors) serves as Annex III of the Standard Contractual Clauses.
- Transfers to the US: Measures and assurances regarding US government surveillance (“Additional Safeguards”) are further detailed in Annex II.
Annex V
US Data Protection Laws Addendum
This US Privacy Law Addendum (“US Addendum”) adds specification applicable to US Data Protection Laws. All terms used but not defined in this US Data Protection Laws Addendum shall have the meaning set forth in the DPA.
- CCPA Specifications:
a) For the purpose of the CCPA, Customer is the Business and the Company is the Service Provider.
b) The Company shall Process Customer Data on behalf of the Customer as a Service Provider under the CCPA and shall not: (i) Sell or Share the Customer Data; (ii) retain, use or disclose the Customer Data for any purpose other than for a Business Purpose specified in the Agreement; or (iii) combine the Customer Data with other Personal Data that it receives from, or on behalf of, another customer, or collects from its own interaction with California residents, except as otherwise permitted by the CCPA.
c) If, and to the extent applicable, the Company shall assist Customer in respect of a Consumer request to limit the use of its Sensitive Personal Information (“SPI”) by the Company.
d) The Company certifies that it understands the rules, requirements and definitions of the CCPA.
- US Applicable States Specifications:
a) For the purpose of this US Data Protection Laws Addendum, “Applicable States” shall mean Virginia, California, Colorado, Connecticut and Utah.
b) The Company agrees to notify the Customer if the Company makes a determination that it, or receives such a message from any of its Sub-Processors that it, can no longer meet its obligations under this US Addendum or US Data Protection Law.
c) The Company shall provide information necessary to enable Customer to conduct and document any data protection assessments required by US Data Protection Laws. Notwithstanding the above, the Company is responsible for only the measures allocated to it.
d) The Company shall provide assistance and procures that its subcontractors will provide assistance, as Customer may reasonably request, where and to the extent applicable, in connection with any obligation by Customer to respond to Consumer’s requests for exercising their rights under the US Data Protection Laws. Including without limitation, by taking appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Customer’s respective obligation. The Company agrees to notify the Customer if the Company receives such a message from any of its Sub-Processors that it, can no longer meet its obligations under this US Addendum or US Data Protection Law.
e) The Company acknowledges and confirms that it does not receive any monetary goods, payments or discounts in exchange for Processing Customer Data.
f) Each party shall, taking into account the context of Processing, implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. The parties are hereby establishing a clear allocation of the responsibilities between them to implement these measures. The Company technical measures are detailed in the DPA and Annexes above.
g) The Processing instructions, including the nature of Processing, purpose of Processing, the duration of Processing, the type of Personal Data and categories of Data Subjects, are set forth in Annex I above.
h) In addition to the Audit rights under Section 8 of the DPA, under US Data Protection Laws and subject to Customer’s consent, the Company may alternately, in response to Customer’s on-premises audit request, initiate a third-party auditor to verify the Company’s compliance with its obligations under this US Data Protection Laws. During such audit, the Company will make available to the third-party auditor all information necessary to demonstrate such compliance.
i) Each party will comply with the requirements set forth under US Data Protection Laws with regards to processing of de-identified data, as such term is defined under the applicable US Data Protection Law.
- When Processing Customer Data or Usage Data (as defined in the Agreement) for the permitted purposes under US Data Protection Laws, the Company shall ensure it complies with applicable laws and shall be liable for such Processing activities.