GDPR & Data Processing

    Data Processing Addendum

    1. Applicability. This Data Processing Addendum (“DPA”) between [GNS (A.A.Y) Network Services LTD], and its affiliates and/or subsidiaries (“COMPANY”) and you and/or the entity you represent (“Customer”), supplements the Company’s terms of use available at: [https://www.gns.cloud/terms/terms-of-use/], as updated from time to time (“TOU”), or any other agreement between Customer and COMPANY, governing Customer’s use of the Services (“Agreements”) to the extent that COMPANY processes Customer Data (as defined below).
    2. Definitions.

    2.1.Terms used in this DPA but not defined herein (whether or not capitalized) shall have the meanings assigned to such terms in the Agreements, or in the Applicable Data Protection Laws, as applicable.

    2.2.“Applicable Data Protection Laws” shall mean, to the extent applicable to COMPANY’s processing of Personal Data hereunder: (i) General Data Protection Regulations (European Parliament and Council of European Union (2016) Regulation (EU) 2016/679) (EU GDPR); (ii) EU GDPR as it forms part of the law of England and Wales by virtue of section 3 of the European Union (Withdrawal) Act 2018 and UK Data Protection Act 2018 (UK GDPR); (iii) California Consumer Privacy Act of 2018 (CCPA) and the California Privacy Rights Act of 2020 (CPRA); (iv) Protection of Privacy Law (Israel); and (v) any rules or regulations that amend and/or replace any of the aforementioned Data Protection Laws. In the event of any conflict between the Applicable Data Protection Laws, the most restrictive law applicable to the Customer shall govern.

    2.3.“Customer Data” shall mean the Personal Data (as defined below) that is uploaded to the Services which may include software, data, text, audio, video, or images that Customer or any of its end customers transfers to the COMPANY for processing, storage, or hosting by the Services. Customer Data does not include account information about Customer relating to and/or in connection with Customer’s account (e.g., Customer name and surname, phone numbers, email addresses, payment information or other information related to the management of COMPANY resources such as access permissions, service usage, etc.) which is governed by the Privacy Notice (“PN”).

    2.4.“Personal Data” refers to the definition of that term or any other similar term defined under the Applicable Data Protection Laws.

    2.5.“Security Measures” means the security documentation applicable to the Services, as updated from time to time and is attached hereto as Appendix B.

    2.6.“Services” means the services and products provided to Customer by the COMPANY in accordance with the Agreements.

    2.7.“Standard Contractual Clauses or SCCs” shall mean: (i) where the EU GDPR applies, the standard contractual clauses pursuant to the EU Commission’s Implementing Decision 2021/914 of 4 June 2021 currently set out at: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj (“EU SCCs”); (ii) where the UK GDPR applies, the EU SCCs together with the UK Information Commissioner’s Office addendum, under S119A(1) of the Data Protection Act 2018 (“UK Addendum”); or any other Standard Contractual Clauses which amend and/or replace such Standard Contractual Clauses in accordance with Applicable Data Protection Law.

    3.Processing of Personal Data on behalf of Customer

    The Parties acknowledge and agree that with regard to the Processing of Personal Data performed solely on behalf of Customer: (i) Customer can act either as the Controller or Business (to the extent the CCPA is applicable) or as a Processor or Service Provider (to the extent the CCPA is applicable) of Customer Data; (ii) the COMPANY acts as a Processor or Service Provider (to the extent the CCPA is applicable) for Customer, and upon the instructions of Customer, as set forth herein, and in the Agreements, as may be amended from time to time by the COMPANY (collectively, the “Terms”), pursuant to which Customer Data may be processed by the Company for the purpose of providing the Services initiated by Customer from time to time (the “Contracted Business Purpose”).

    4.Details of the Processing.

    The subject-matter of Processing of Personal Data by the Company is the Contracted Business Purpose. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Appendix A.2 (Details of Processing) to this DPA.

    5.Customer Representations.

    Customer sets forth the details, including the purpose, the means and the ways in which the COMPANY shall process the Customer Data, as required by Applicable Data Protection Laws in Appendix A (Details of Processing of Processed Personal Data), attached hereto, and Customer represents and warrants that:

    5.1. It complies with Personal Data security and other obligations prescribed by Applicable Data Protection Laws as applicable to it and binding on it in the performance of this DPA, including Applicable Data Protection Law, and that the provision of Customer Data and/or instructions to the COMPANY are in strict compliance with Applicable Data Protection Laws;

    5.2.It only processes Personal Data that has been collected in accordance with the Applicable Data Protection Laws;

    5.3.It has in place procedures in case individuals/consumers whose Personal Data is collected, wish to exercise their rights in accordance with the Applicable Data Protection Laws;

    5.4.It provides Customer Data to the COMPANY for a business purpose in accordance with the representations Customer makes to consumers in Customer’s privacy policy, and Customer does not sell Customer Data to the COMPANY;

    5.5.Customer can elect to implement technical and organizational measures to protect Customer Data. Such technical and organizational measures include the following: (a) pseudonymization and encryption to ensure an appropriate level of security; (b) measures to ensure the ongoing confidentiality, integrity, availability and resilience of the processing systems and services that are operated by Customer; measures to allow Customer to backup and archive appropriately in order to restore availability and access to Customer Data in a timely manner in the event of a physical or technical incident; and (c) processes for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures implemented by Customer. Customer is responsible for (a) implementing the measures described herein and, as appropriate, (b) properly configuring the Services, (c) restoring the availability and access to Customer Data in a timely manner in the event of a physical or technical incident (for example backups and routine archiving of Customer Data), and (d) taking such steps as Customer considers adequate to maintain appropriate security, protection, and deletion of Customer Data, which includes use of encryption technology to protect Customer Data from unauthorized access and measures to control access rights to Customer Data.

    5.6.It is and will remain duly and effectively authorized to give the instruction set out herein and any additional instructions as provided pursuant to the Terms, which constitute Customer’s documented instructions regarding the Company’s processing of Customer Data, at all relevant times and at least for as long as the Terms are in effect and for any additional period during which the COMPANY is lawfully processing Personal Data;

    5.7.Notwithstanding anything to the contrary herein, Customer acknowledges that the COMPANY is able to access or use, or disclose to any third party, any Customer Data, and might do so when required for operational and maintenance purposes and if required to provide the Services, or as necessary to comply with Applicable Data Protection Laws or a valid and binding order of a governmental body, such as a subpoena or court order. If a governmental body demands COMPANY to share Customer Data, COMPANY will attempt to redirect the governmental body to request that data directly from Customer, however COMPANY may share Customer’s basic contact information with the governmental body, for such purpose. If the Company is compelled to disclose Customer Data pursuant to such Applicable Data Protection Laws or governmental body, then the Company will notify Customer of such demand to allow Customer to seek a protective order or other appropriate remedy (to the extent the Company is not legally prohibited from doing so).

    6.COMPANY’s Obligations.

    6.1.Pursuant to the provisions of Article 28 of the GDPR, the COMPANY represents and warrants that it will:

    6.1.1.process Customer Data solely on Customer’s behalf and in compliance with Customer’s instructions (including relating to international data transfers), as set out in this DPA and the Terms;

    6.1.2.implement and maintain appropriate technical and organizational measures to provide an appropriate level of security, for securing the Company’s servers, networking equipment, and host software systems that are within Company’s control and are used to provide the Services (“Company Systems”), as described in the Security Measures and as appropriate and applicable, the measures referred to in Article 32(1) of the GDPR, all as may be amended from time to time;

    6.1.3.take reasonable steps to ensure that access to the processed Customer Data is limited on a need to know/access basis (as specified in the Security Measures), and that all COMPANY’s personnel receiving such access are subject to confidentiality undertakings or professional or statutory obligations of confidentiality in connection with their access/use of Customer Data including relevant undertakings regarding data protection and data security.

    6.1.4.Taking into account the nature of the processing and the information available to the Company, it shall provide reasonable assistance to Customer with any data protection impact assessments or prior consultations with supervising authorities in relation to processing of Customer Data by the COMPANY, as required under any Applicable Data Protection Laws, at the written request of the Customer, and at Customer’s sole expense.

    6.2.Pursuant to the CCPA, to the extent applicable with respect to each data subject, COMPANY agrees that:

    6.2.1.COMPANY is acting solely as a service provider with respect to Customer Data for the purposes of the Contracted Business Purpose;

    6.2.2.COMPANY shall not retain, use or disclose Customer Data for any purpose other than for the Contracted Business Purpose and as set forth herein.

    6.2.3.COMPANY may de-identify or aggregate Customer Data as part of performing the services specified in the Terms.

    6.2.4.COMPANY will limit Personal Data collection, use, retention, and disclosure to activities reasonably necessary and proportionate to achieve the Contracted Business Purposes or another compatible operational purpose.

    7.Sub-Processing.

    7.1.Customer authorizes the COMPANY to appoint sub-processors in accordance with the provision of this Section. Any sub-processors used must qualify as a service provider under the Applicable Data Protection Laws and the COMPANY cannot make any disclosures to the sub-processors that the CCPA would treat as a sale.

    7.2.The COMPANY may continue to use those sub-processors which are currently engaged by the Company, as listed on the Company’s website located at: [https://www.gns.cloud] (“Sub-processor List”). The Sub-processors List as of the date of first use of the Services by the Customer is hereby deemed authorized, upon first use of the Services.

    7.3.The COMPANY may appoint new sub-processors and shall give reasonable notice of the appointment of any new sub-processor, to Customers who have registered to the Company’s notification mechanism for receiving such notice by sending a request via email to [email protected] with the subject header “Request to Join Sub-processors Updates”. Customer may reasonably object to Company’s use of a new Sub-processor, for reasons relating to the protection of Personal Data intended to be Processed by such Sub-processor, by notifying the Company promptly in writing within three (3) business days after receipt of Company’s notice of any such intention. Such written objection shall include those reasons for objecting to the Company’s use of such a new Sub-processor. Customer’s continued use of the applicable Services after the lapse of three (3) business days from the Company’s notification constitutes Customer’s acceptance of the new sub-processor. If Customer reasonably objects, Customer can: (i) terminate the Agreement pursuant to its terms; (ii) cease using the Services for which the Company has engaged the Sub-processor; or (iii) move the relevant Customer Data to another Region where the Company has not engaged the Sub-processor.

    7.4.Any such Sub-processors to whom the Company transfers Customer Data will be permitted to obtain Customer Data only to deliver the Services the Company has entrusted them with and will be prohibited from using such Customer Data for any other purpose. The Company remains responsible for any such Sub-processor’s compliance with Company’s obligations under the Terms.

    7.5.The Company will enter into written agreement with any such Sub-processor which contain obligations no less protective than those contained in this DPA, including the obligations imposed by the Standard Contractual Clauses, as applicable.

    8.Data Subjects’ Rights.

    8.1.Customer shall be solely responsible for compliance with any statutory obligations concerning requests to exercise data subject rights under Applicable Data Protection Laws (e.g., for access, rectification, deletion of processed Customer Data, etc.). The COMPANY shall reasonably endeavor to assist Customer insofar as feasible, to fulfil Customer’s said obligations with respect to such data subject requests, as applicable, at Customer’s sole reasonable expense.

    8.2.The COMPANY shall (i) without undue delay notify Customer if it receives a request from a data subject under any Applicable Data Protection Laws in respect of Processed Personal Data; and (ii) not respond to that request, except on the written instructions of Customer or as required by Applicable Data Protection Laws, in which case the COMPANY shall, to the extent permitted by Applicable Data Protection Laws, inform Customer of that legal requirement before it responds to the request.

    9.Personal Data Breach.

    9.1.The COMPANY shall notify Customer without undue delay upon the COMPANY becoming aware of any personal data breach within the meaning of Applicable Data Protection Laws relating to Customer Data which may require a notification to be made to a supervisory authority or data subject under Applicable Data Protection Laws (“Personal Data Breach”).

    9.2.At the written request of the Customer and at Customer’s sole expense, COMPANY shall provide reasonable co-operation and assistance to Customer in respect of Customer’s obligations regarding the investigation of any Personal Data Breach and the notification to the supervisory authority and data subjects in respect of such a Personal Data Breach, taking into account the nature of the Processing, the information available to the Company, and any restrictions on disclosing the information, such as confidentiality. The obligations herein shall not apply to breaches that are caused by Customer or Customer’s users. Customer will not make, disclose, release or publish any finding, admission of liability, communication, notice, press release or report concerning any Personal Data Breach which directly or indirectly identifies the Company, without Company’s prior written approval, unless Customer is compelled to do so pursuant to Applicable Data Protection Laws, in which case, Customer shall provide Company with reasonable prior written notice of such disclosure and will limit the disclosure to the minimum scope required.

    10.Deletion or Return of Processed Personal Data.

    10.1. Subject to the terms hereof, the COMPANY shall within up to sixty (60) days, unless a sooner time period is required by Applicable Data Protection Laws, return and then destroy the Customer Data, except such copies as authorized including under this DPA or required to be retained in accordance with Applicable Data Protection Laws.

    10.2. The COMPANY may retain Customer Data only to the extent authorized or required by Applicable Data Protection Laws, provided that COMPANY shall ensure the confidentiality of such Customer Data and shall ensure that it is only processed for such legal purpose(s). To the extent authorized or required by applicable law, Company may also retain one copy of the Personal Data solely for evidence purposes and/or for the establishment, exercise or defense of legal claims and/or for compliance with legal obligation. The provisions of this DPA shall govern any such retained Customer Data.

    10.3. Upon Customer’s prior written request, COMPANY shall provide written certification to Customer that it has complied with this Section 10.

    11.Audit Rights

    11.1. Upon Customer’s request, and subject to strict confidentiality undertakings by Customer, the Company will make available the following documents and information: (i) the certificates issued for the ISO 27001 certification; and (ii) the System and Organization Controls (SOC) 2 Report (or other documentation describing the controls implemented by the Company that replace or are substantially equivalent to the ISO 27001 or SOC 2).

    11.2. Subject to the terms hereof and subject to strict confidentiality undertakings by Customer, upon Customer’s 14 days prior written request at reasonable intervals (but not more than once in each calendar year), the COMPANY shall make available to the Customer or a reputable auditor mandated by Customer, at the reasonable cost of the Customer upon prior written request, within normal business hours at COMPANY’s premises, such information necessary and relevant to reasonably demonstrate compliance with this DPA, and shall allow for audits by such reputable auditor mandated by the Customer in relation to the processing of the Customer Data by COMPANY, provided that such third-party auditor shall be subject to confidentiality obligations.

    11.3. Customer shall use (and ensure that each of its mandated auditors use) its best efforts to avoid causing (or, if it cannot avoid, to minimize) any damage, injury or disruption to COMPANY’s premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit or inspection.

    12.International Data Transfers

    12.1. Customer may select the datacenters locations as offered by the COMPANY where Customer Data will be processed. Once Customer has made its choice, the Company will not transfer Customer Data from Customer’s selected locations, except as necessary to provide the Services initiated by Customer, or as specifically required by the Customer, or as necessary to comply with applicable law.

    12.2. Subject to Section ‎12.1, Personal Data may be transferred from the European Economic Area and the United Kingdom (“UK”) to countries that offer an adequate level of data protection under or pursuant to the adequacy decisions, as determined by the European Commission pursuant to Article 45 of GDPR, and by the Secretary of State, pursuant to Section 17A of the United Kingdom Data Protection Act 2018, respectively, or other adequate authority, as determined by the EU and the UK (“Adequacy Decisions”), as applicable, without any further safeguard being necessary.

    12.3. To the extent that the COMPANY transfers (either directly or via onward transfer) Personal Data to countries outside of the European Economic Area and/or outside of the UK, which have not been subject to a relevant Adequacy Decision, or such transfers are not performed through an alternative recognized compliance mechanism as may be adopted by the COMPANY for the lawful transfer of Personal Data (as set out under the GDPR), and to the extent applicable with respect to each data subject, such transfer of Customer’s Personal Data to other countries, shall be subject, where the application of such SCCs, as between the parties, is required under Applicable Data Protection Laws, to the Standard Contractual Clauses, as such are incorporated into this DPA by reference, and shall be implemented as follows:

    12.3.1. In the case of transfer of Personal Data between Customer to the COMPANY, the parties shall implement Module II – “Controller to Processor”, of the Standard Contractual Clauses, with modifications detailed under this Section ‎

    12.3.2. However, when Customer is acting as a processor for its end-users controllers, Module III (“Processor-to-Processor”) shall apply on the Parties, provided that, taking into account the nature of the processing, Customer agrees that it is unlikely that the COMPANY will know the identity of Customer’s controllers, as the COMPANY has no direct relationship with Customer’s controllers and therefore, Customer will fulfil COMPANY’s obligations to Customer’s controllers under the Processor-to-Processor SCCs.

    12.3.2.The parties are deemed to have accepted and executed the SCCs, including the associated annexes. The contents of Annex I of the SCCs are included within Appendix A to this DPA. The contents of Annex II of the SCCs are included within the Security Measures stipulated under Appendix B to this DPA. The parties further agree to the following implementation choices under the SCCs:

    12.3.2.1. Clause 7: shall not be applicable.

    12.3.2.2. Clause 9(a): The parties choose Option 2, “General Written Authorization” and specify a time period of seven (7) days.

    12.3.2.3. Clause 11: The parties choose not to include the optional language relating to the use of an independent dispute resolution body.

    12.3.2.4. Clause 17: The parties select Option 1 and specify the law of Ireland.

    12.3.2.5. Clause 18(b): The parties specify the courts of Ireland.

    12.3.3.In the case of transfer of Personal Data between the COMPANY and its Sub-Processors for the purposes of carrying out specific Processing activities (on behalf of Customer) the COMPANY and its Sub-Processors will enter into Module III (“Processor-to-Processor”) of the Standard Contractual Clauses.

    12.3.4.If applicable, when transferring Personal Data governed by the UK GDPR, the parties agree to implement the applicable SCCs, as modified by the UK Addendum. The information required by Table 1 of the UK Transfer Addendum appears within Appendix A to this DPA. In addition, the parties adopt the SCCs, as modified by the UK Transfer Addendum, as to applicable international transfers of UK Personal Data in exactly the same manner set forth in Section 11.1 above, subject to the following:

    12.3.4.1. Clause 13: The UK Information Commissioner’s Office (“ICO”) shall be the competent supervisory authority.

    12.3.4.2. Clause 17: The SCCs, as modified by the UK Transfer Addendum, shall be governed by the laws of England and Wales.

    12.3.4.3. Clause 18: The parties agree that any dispute arising from the SCCs, as modified by the UK Transfer Addendum, shall be resolved by the courts of England and Wales. A UK Data Subject may also bring legal proceedings against the Data Exporter and/or Data Importer before the courts of any country in the UK. The parties agree to submit themselves to the jurisdiction of such courts.

    12.4. Appendixes A and B, attached to this DPA shall also apply in connection with the processing of Personal Data, subject to Applicable Data Protection Law.

    12.5. COMPANY reserves the right to adopt an alternative compliance standard to the SCCs for the lawful transfer of Personal Data, provided it is recognized under Data Protection Law. COMPANY will provide 30 days’ advance notice of its adoption of an alternative compliance standard.

    13.General Terms.

    13.1. Governing Law and Jurisdiction. All disputes with respect to this DPA shall be determined in accordance with the laws of the State of Israel and shall be handled at a competent court in Tel Aviv-Yafo.

    13.2. Entire Agreement; Conflict. This DPA incorporates the SCCs by reference. Except as amended by this DPA, the Agreements will remain in full force and effect. In the event of any conflict or inconsistency between this DPA and any other agreements between the parties, including agreements entered into after the date of this DPA, the provisions of this DPA shall prevail.

    13.3. Changes in Applicable Data Protection Laws. COMPANY may by at least forty-five (45) calendar days’ prior written notice to Customer, request in writing any changes to this DPA, if they are required, as a result of any change in any Applicable Data Protection Law, regarding the lawfulness of the processing of Customer Data. If Customer provides its modification request, COMPANY shall make commercially reasonable efforts to accommodate such modification request, and Customer shall not unreasonably withhold or delay agreement to any consequential changes to this DPA to protect COMPANY against any additional risks, and/or to indemnify and compensate COMPANY for any further costs associated with the changes made hereunder.

    13.4. Severance. Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall either be (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

    Appendix A

    A.LIST OF PARTIES

    Data Exporter: all GNS customers

    Contact details: As detailed in the Agreement.

    Data Exporter Role:

    Module Two: The Data Exporter is a data controller.

    Module Three: The Data Exporter is a data processor.

    Signature and Date: By entering into the Agreement and DPA, Data Exporter is deemed to have signed these Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the Agreement.

    Data Importer: G.N.S Network Services LTD

    Contact details: As detailed in the Agreement.

    Data Importer Role:

    Module Two: The Data Importer is a data processor.

    Module Three: The Data Importer is a sub-processor.

    Signature and Date: By entering into the Agreement and DPA, Data Importer is deemed to have signed these Standard Contractual Clauses, incorporated herein, including their Annexes, as of the Effective Date of the Agreement.

    B.Details of Processing of Processed Personal Data (As required by Article 28(3) of the GDPR)

    1. The subject matter and duration of the processing of processed personal data are set forth in the Terms.
    2. The nature and purpose of the processing of processed personal data is rendering the Services initiated by Customer from time to time, as detailed and defined in the Terms.
    3. The types of processed personal data to be processed are Customer Data uploaded to the Services under Customer’s accounts with the Company, as detailed in the Terms.
    4. Duration. As between the Company and Customer, the duration of the data processing under this DPA is determined by Customer.
    5. The categories of data subjects to whom the processed personal data relates to are as follows: natural persons who include Customer’s end customers employees, suppliers and End Users.

    6.COMPANY’s sub-processors engaged for the purpose of processing personal data:

    https://www.equinix.com/

    https://evocative.com/

    https://www.digitalrealty.com/

    https://www.coresite.com/

    https://www.bezeqint.net/

    https://www.partner.co.il/u/business

    https://cellcom.co.il/production/Business/business_home/

    C.COMPETENT SUPERVISORY AUTHORITY

    The competent supervisory authority is the supervisory authority in the Member State of Ireland.

     

    Appendix B

    Technical and Organizational Measures Including Technical and Organizational Measures to Ensure the Security of the Data

    o The network is consistently scanned by an antivirus.

    o Sampling and detection of abnormal connections to the office network is performed using technological cyber tools.

    o A periodic permeability test is performed once a year.

    o Refreshing awareness of internal organizational information security for all company employees every six months.

    o Identifying phishing attempts and blocking them using cyber tools and distribution to all company employees in order to increase awareness and alertness to this issue.

    o Maintaining relevant software updates and operating system updates on the company’s computers, including Windows updates.

    o Annual inspection for all 3 information security standards:

    1.SOC2

    2.ISO 27001

    3.ISO 27017
