Data Processing Agreement
Last updated: September 14, 2023
This Data Processing Addendum (“DPA”) forms part of the Agreement (as defined below) by and between Atriis Technologies Ltd. and its subsidiaries and Affiliates (“Atriis”) and the Subscriber identified in the applicable Order Form (the “Subscriber”), to reflect the parties’ agreement on the Processing of Personal Data.
All capitalized terms not defined herein will have the meaning set forth in the Agreement, or under applicable Data Protection Laws and Regulations. All terms under the Agreement apply to this DPA, except that the terms of this DPA will supersede any conflicting terms under the Agreement.
In the course of providing services to Subscriber pursuant to the Agreement and any associated amendments, service orders, or schedules (the “Services”), Atriis may Process Personal Data on behalf of Subscriber. In accordance with this DPA, the parties agree to comply with the following provisions with respect to Subscriber’s Personal Data Processed by Atriis on behalf of Subscriber as part of the Services.
1. DEFINITIONS
1.1. “Agreement” means the agreement in place between Atriis and the Subscriber covering Subscriber’s use of the Services.
1.2. “Controller” means the entity which determines the purposes and means of the Processing of Personal Data and shall include “Business” as such term is defined under the CCPA.
1.3. “Data Subject” means an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Data Subject includes Consumer as such term is defined under the CCPA.
1.4. “Personal Data” means any information relating to a Data Subject. Personal Data includes Personal Information as such term is defined under the CCPA.
1.5. “Personal Data Breach” means a security breach that results in accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed. For the avoidance of doubt, “Personal Data Breach” does not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful login attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
1.6. “Personnel” means persons authorized by Atriis to Process Subscriber’s Personal Data.
1.7. “Data Protection Laws and Regulations” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (“GDPR”), the GDPR as saved into United Kingdom law by virtue of Section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (“UK GDPR”), the California Consumer Privacy Act of 2018 Cal. Civil Code § 1798.100 et seq., and its implementing regulations, as amended by the California Privacy Rights Act (“CCPA”), and any laws and regulations relating to privacy, data security, and protection of Personal Data applicable to Atriis.
1.8. “Processor” or “Service Provider” means a processor or service provider as such terms are defined under Data Protection Laws and Regulations.
2. DATA PROCESSING
2.1. Scope and Roles. This DPA applies when Personal Data is Processed by Atriis as part of Atriis’ provision of the Service, as further specified in the Agreement and the applicable order form. In this context, where Data Protection Laws and Regulations provide for the roles of “controller,” “processor,” “business,” or “service provider,” then Atriis will process Personal Data as a Processor or Service Provider, respectively, on behalf of Subscriber (who, in turn, processes such Personal Data as the Controller or Business, respectively).
2.2. Subject Matter, Duration, Nature and Purpose of Processing. This DPA applies to any Personal Data provided by or on behalf of Subscriber or its authorized users in connection with their use of the Services, and to any Personal Data supplied to or accessed by Atriis or its Sub-Processors in order to provide the Services, and governs the way in which Atriis may Process such Personal Data. Personal Data is Processed in accordance with the specifications and for the duration stipulated in the Agreement.
2.3. Instructions for Atriis’ Processing of Personal Data. Atriis will only Process Personal Data on behalf of and in accordance with Subscriber’s instructions. Subscriber instructs Atriis to Process Personal Data for the following purposes: (i) Processing in accordance with the Agreement and for the purpose of providing the Service to Subscriber; and (ii) Processing to comply with other reasonable instructions provided by Subscriber where such instructions are consistent with the terms of the Agreement and to comply with applicable Data Protection Laws and Regulations. Processing outside the scope of this DPA (if any) will require prior written agreement between Atriis and Subscriber on additional instructions for processing.
2.4. Notwithstanding and subject to Section 6.2, Personal Data may be disclosed by Atriis (a) if required by a subpoena or other judicial or administrative order, or if otherwise required by law; or (b) if Atriis deems the disclosure necessary to protect the safety and rights of any person, or the general public.
2.5. As required under applicable Data Protection Laws and Regulations, Atriis will inform Subscriber immediately if, in Atriis’ opinion, an instruction violates any provision under such applicable Data Protection Laws and Regulations, and will be under no obligation to follow such instruction until the matter is resolved following a good-faith discussion between the parties.
2.6. Atriis will not (1) “sell” (as defined in the CCPA or other Data Protection Laws and Regulations) Personal Data, or (2) retain, use or disclose Personal Data: (i) for any purpose other than for the specific purpose of performing the Service, or (ii) outside of the direct business relationship between Subscriber and Atriis, except as permitted under the applicable Data Protection Laws and Regulations, or (3) combine Personal Data received pursuant to the Agreement with Personal Data (i) received from or on behalf of another person, or (ii) collected from Atriis’ own interaction with any Data Subject to whom such Personal Data pertains.
Atriis does not receive any Personal Data from Subscriber as consideration for its provision of the Service. Atriis certifies that it understands and will comply with the restrictions set forth in this Section 2.6.
2.7. Subscriber undertakes to provide all necessary notices to Data Subjects and to obtain all necessary permissions and consents, or otherwise secure the required lawful ground of Processing, as necessary for Atriis to Process Personal Data on Subscriber’s behalf under the terms of the Agreement and this DPA, pursuant to the applicable Data Protection Laws and Regulations. To the extent required under applicable Data Protection Laws and Regulations, Subscriber will appropriately document the Data Subjects’ notices and consents, or its assessment of any other applicable lawful ground of Processing.
3. ASSISTANCE AND COOPERATION OBLIGATIONS
3.1. Taking into account the nature of the Processing and insofar as possible, Atriis will provide Subscriber reasonable and timely assistance to enable Subscriber to respond to requests for exercising the rights of Data Subjects, as required under applicable Data Protection Laws and Regulations. Atriis will further assist Subscriber to ensure that it complies with its obligations regarding the security of Processing, notification of a Personal Data Breach to Supervisory Authorities and affected Data Subjects, Subscriber’s data protection impact assessments and Subscriber’s prior consultation with Supervisory Authorities, in relation to Atriis’ Processing of Personal Data under this DPA.
4. ATRIIS PERSONNEL
4.1. Atriis will ensure that its access to Personal Data is limited to those Personnel who require such access to provide the Service under the Agreement. Atriis will impose appropriate contractual obligations upon its Personnel engaged in the Processing of Personal Data, including relevant obligations regarding confidentiality, data protection, and information security. Atriis will ensure that its Personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training in their responsibilities, and have executed written confidentiality agreements.
5. SUB-PROCESSORS AND RECIPIENTS
5.1. Atriis may engage third-party service providers to process Personal Data on behalf of Subscriber (“Sub-Processors”). Subscriber hereby provides Atriis with a general authorization to engage the Sub-Processors listed here. All Sub-Processors have entered into written agreements with Atriis that bind them by substantially the same material data protection obligations under this DPA.
5.2. Atriis may engage a new Sub-Processor to Process Subscriber’s Personal Data on Subscriber’s behalf. Atriis will notify the Subscriber of the intended engagement of the new Sub-Processor thirty (30) days prior to such engagement. Subscriber may object to the Processing of Subscriber’s Personal Data by the new Sub-Processor, on legitimate grounds, within the aforementioned notice period. If Subscriber timely sends Atriis a written objection notice, the parties will make a good-faith effort to resolve Subscriber’s objection. In the absence of a resolution, Atriis will make commercially reasonable efforts to provide Subscriber with the same level of Service without using the new Sub-Processor to Process Subscriber’s Personal Data.
5.3. Atriis will be fully responsible for the acts and omissions of its Sub-Processors related to the Processing of Personal Data, to the same extent that Atriis would be responsible if it performed the services of each Sub-Processor directly.
6. ONWARD AND TRANS-BORDER TRANSFER
6.1. Transfer of Personal Data relating to Data Subjects within the EU to Israel is made in accordance with Commission Decision 2011/61/EU of 31 January 2011 on the adequate protection of personal data by the State of Israel with regard to automated processing of personal data.
6.2. All Atriis affiliates and Sub-Processors to whom Atriis transfers Personal Data to provide the Service either: (i) have executed, or have undertaken to comply with, such binding instruments, certifications or self-certifications for the lawful transfer of Subscriber’s Personal Data relating to Data Subjects within the EU to other territories as are required and available under the GDPR or UK GDPR; or (ii) are established in a country that has been acknowledged by the EU Commission or the UK Secretary of State as providing adequate protection to Personal Data.
7. INFORMATION SECURITY
7.1. Atriis will maintain administrative, physical and technical safeguards for the protection of the security, confidentiality and integrity of Subscriber’s Personal Data pursuant to Atriis’ internal policies and procedures, taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, and without prejudice to any other security standards agreed upon by the parties. Atriis regularly monitors compliance with these safeguards. It is agreed that Atriis will not materially reduce the overall security of the Service during the term of the Agreement. Detailed information regarding such safeguards is set forth in Annex II of the Standard Contractual Clauses, as attached hereto as Exhibit A.
8. AUDITS
8.1. Atriis will allow for and contribute to audits, conducted by Subscriber or another auditor mandated by Subscriber, in relation to Atriis’ obligations under this DPA. Atriis may satisfy the audit obligation under this section by providing Subscriber with attestations, certifications and summaries of audit reports conducted by accredited third-party auditors. Other audits by Subscriber are subject to the following terms: (i) the audit will be pre-scheduled in writing with Atriis at least forty-five (45) days in advance and will be performed not more than once a year; (ii) a third-party auditor will execute a non-disclosure undertaking toward Atriis; (iii) the auditor will not have access to non-Subscriber data; (iv) Subscriber will ensure that the audit will not interfere with or damage Atriis’ business activities and information and network systems; (v) Subscriber will bear all costs and expenses related to the audit; and (vi) as soon as the purpose of the audit is completed, Subscriber will permanently and completely dispose of all copies of the audit report.
9. SECURITY BREACH MANAGEMENT AND NOTIFICATION
9.1. Atriis maintains security incident management policies and procedures and will notify Subscriber without undue delay (and within 24 hours) after becoming aware of a Personal Data Breach related to Subscriber’s Personal Data Processed by Atriis or any of Atriis’ Sub-Processors, to allow Subscriber to fulfill its data breach reporting obligations under applicable Data Protection Laws and Regulations. Where, and in so far as, it is not possible to provide all of the information at the same time, the information may be provided in phases without undue further delay.
9.2. Atriis will take reasonable steps to contain, investigate, and mitigate the effects of the Personal Data Breach and will promptly inform Subscriber accordingly. Atriis’ notification of a Personal Data Breach in accordance with Section 9.1 will not be construed as an acknowledgment by Atriis of any fault or liability with respect to the Personal Data Breach.
10. DELETION AND RETENTION OF PERSONAL DATA
10.1. Upon the end of the provision of the Service, Atriis will return Subscriber’s Personal Data to Subscriber or delete such data, including by de-identifying it. Notwithstanding the foregoing, Subscriber acknowledges and agrees that Atriis may retain copies of Subscriber’s Personal Data as necessary in connection with its routine backup and archiving procedures and to ensure compliance with its legal obligations and its continuing obligations under applicable law.
11. TERM
11.1. This DPA will commence on the same date that the Agreement is effective, or as otherwise provided explicitly under this DPA, and will continue until the Agreement expires or is terminated, pursuant to the terms therein.
[Remainder of page intentionally left blank]
A. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred:
Unless provided otherwise by the Subscriber, transferred Personal Data relates to the following categories of data subjects: Subscriber’s employees, contractors, business partners or other individuals having Personal Data stored in the Service.
Categories of personal data transferred:
The transferred Personal Data submitted into the Service may include, but is not limited to, the following categories of data:
(a) Name, Title; (b) Passport No., date of issue, date of expiry; (c) Visa details; (d) Date of Birth; (e) Physical Address, Email Address; (f) Traveling Information (e.g., preferred hotels, airlines, cars, etc.); (g) Mobile Phone; (h) Redress Number; (i) TSA number; (j) Frequent Flyer membership details; (k) Hotel Membership Number.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):
The data is transferred “on demand” as and when an event occurs (such as a new booking request) which requires us to send the data to a third party (such as a global distribution system (GDS)).
Nature of the processing:
All operations such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of data (whether or not by automated means), etc.
The transferred Personal Data is subject to the following basic processing activities:
• use of Personal Data to set up, operate, monitor and provide the Service, which may include transferring the Personal Data to Sub-Processors and recipients identified in this DPA or as otherwise instructed by the Subscriber;
• communication to authorized users;
• storage of Personal Data in dedicated data centers;
• upload any fixes or upgrades to the Service;
• back up of Personal Data;
• computer processing of Personal Data, including data transmission, data retrieval, data access;
• network access to allow Personal Data transfer; and
• execution of instructions of Subscriber in accordance with the Agreement.
Purpose(s) of the data transfer and further processing:
The provision of the Service in accordance with the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:
Personal Data will be retained during the term of the Agreement and will be deleted in accordance with the terms therein.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:
The subject matter of the Processing is Subscriber’s Personal Data, the nature of the Processing is the performance of the Service under the Agreement and as detailed above and the duration of the Processing is the term of the Agreement.