Oraki and the counterparty agreeing to these terms (“Customer”) have entered into an agreement for the provision of the Processor Services (as amended from time to time, the “Agreement”)
These Oraki Data Processing Terms (including the appendices, “Data Processing Terms”) are entered into by Oraki and Customer and supplement the Agreement. These Data Processing Terms will be effective, and replace any previously applicable terms relating to their subject matter (including any data processing amendment or data processing addendum relating to the Processor Services), from the Terms Effective Date.
If you are accepting these Data Processing Terms on behalf of Customer, you warrant that (a) you have full legal authority to bind Customer to these Data Processing Terms; (b) you have read and understand these Data Processing Terms; and (c) you agree, on behalf of Customer, to these Data Processing Terms. If you do not have the legal authority to bind Customer, please do not accept these Data Processing Terms.
These Data Processing Terms reflect the parties’ agreement on the terms governing the processing and security of Customer Personal Data in connection with the Data Protection Law. Customer acknowledges and agrees that any Google Services provided to Customer by Oraki are subject to Google Ads Data Processing Terms located at: https://privacy.google.com/businesses/processorterms/ in addition to Oraki Data Processing Terms. Customer approves that Oraki may perform any right or obligation on behalf of Google if Oraki receive such request from Google or otherwise consider such action required to comply with Data Protection Law requirements.
In these Data Processing Terms:
“Affiliate” means an entity that directly or indirectly controls, is controlled by, or is under common control with, a party.
“Oraki Entity” means Oraki Ltd. RN 51-190084-7 an Israeli incorporated organization with its address at 14, Abba Hillel Silver Rd. Ramat-Gan 5250607 Israel.
“Oraki” means Oraki Entity and its Affiliates engaged in the processing of Customer Personal Data in connection with the subscribed Services.
“Covered Affiliate” means any of Customer’s Affiliate(s) which (a) is subject to the Data Protection Laws, and (b) is permitted to use the Services pursuant to the Agreement between Customer and Oraki, but has not signed its own Order Form with Oraki and is not a “Customer” as defined under the Agreement.
“Customer Personal Data” means personal data that is processed by Oraki on behalf of Customer in Oraki’s provision of the Processor Services.
“Data Incident” means a breach of Oraki’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Data on systems managed by or otherwise controlled by Oraki. “Data Incidents” will not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
“Data Protection Law” means, as applicable: (a) the GDPR; and/or (b) the Federal Data Protection Act of 19 June 1992 (Switzerland).
“EEA” means the European Economic Area.
“EU Data Protection Laws” means laws and regulations of the European Union, the European Economic Area and their member states, Switzerland and the United Kingdom, applicable to the processing of Personal Data under the Agreement, including European Directives 95/46/EC and any legislation and/or regulation which amends, replaces or re-enacts it (including the GDPR).
“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
“Notification Email Address” means the email address (if any) designated by Customer, via the user interface of the Processor Services or such other means provided by Oraki, to receive certain notifications from Oraki relating to these Data Processing Terms.
“Processor Services” means the applicable services: Platforms Services at: https://privacy.google.com/businesses/adsservices/ and monetization services (if applicable) as listed below in Appendix 3: Service Information
“Security Measures” has the meaning given in Section 7.1.1 (Oraki’s Security Measures).
“Standard Contractual Clauses” means the agreement executed by and between Customer and Oraki Ltd. , pursuant to the European Commission’s decision (C(2010)593) of 5 February 2010, available at: https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32010D0087, on Standard Contractual Clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.
“Sub-processors” means third parties authorised under these Data Processing Terms to have logical access to and process Customer Personal Data in order to provide parts of the Processor Services and any related technical support.
“Term” means the period from the Terms Effective Date until the end of Oraki’s provision of the Processor Services under the Agreement.
“Terms Effective Date” means, as applicable: 25 May 2018, if Customer clicked to accept or the parties otherwise agreed to these Data Processing Terms before or on such date; or the date on which Customer clicked to accept or the parties otherwise agreed to these Data Processing Terms, if such date is after 25 May 2018.
The terms “controller”, “data subject”, “personal data”, “processing”, “processor” and “supervisory authority” as used in these Data Processing Terms have the meanings given in the
Any phrase introduced by the terms “including”, “include” or any similar expression will be construed as illustrative and will not limit the sense of the words preceding those terms. Any examples in these Data Processing Terms are illustrative and not the sole examples of a particular
Any reference to a legal framework, statute or other legislative enactment is a reference to it as amended or re-enacted from time to time.
These Data Processing Terms will take effect on the Terms Effective Date and, notwithstanding expiry of the Term, remain in effect until, and automatically expire upon, deletion of all Customer Personal Data by Oraki as described in these Data Processing Terms.
Application of Data Protection These Data Processing Terms will only apply to the extent that the Data Protection Law applies to the processing of Customer Personal Data, including if:
the processing is in the context of the activities of an establishment of Customer in the EEA; and/or
Customer Personal Data is personal data relating to data subjects who are in the EEA and the processing relates to the offering to them of goods or services or the monitoring of their behavior in the
Application to Processor These Data Processing Terms will only apply to the Processor Services for which the parties agreed to these Data Processing Terms (for example: (a) the Processor Services for which Customer clicked to accept these Data Processing Terms; or (b) if the Agreement incorporates these Data Processing Terms by reference, the Processor Services that are the subject of the Agreement).
5.1 Roles and Regulatory Compliance; Authorisation.
Processor and Controller Responsibilities. The parties acknowledge and agree that
Appendix 1 describes the subject matter and details of the processing of Customer Personal Data;
Oraki is a processor of Customer Personal Data under the Data Protection Law;
Customer is a controller or processor, as applicable, of Customer Personal Data under the Data Protection Law; and
Each party will comply with the obligations applicable to it under the Data Protection Law with respect to the processing of Customer Personal
Authorisation by Third Party Controller. If Customer is a processor, Customer warrants to Oraki that Customer’s instructions and actions with respect to Customer Personal Data, including its appointment of Oraki as another processor, have been authorised by the relevant
Customer’s Instructions. By entering into these Data Processing Terms, Customer instructs Oraki to process Customer Personal Data only in accordance with applicable law: (a) to provide the Processor Services and any related technical support; (b) as further specified via Customer’s use of the Processor Services (including in the settings and other functionality of the Processor Services) and any related technical support; (c) as documented in the form of the Agreement, including these Data Processing Terms; and (d) as further documented in any other written instructions given by Customer and acknowledged by Oraki as constituting instructions for purposes of these Data Processing
Oraki’s Compliance with Oraki will comply with the instructions described in Section 5.2 (Customer’s Instructions) (including with regard to data transfers) unless EU or EU Member State law to which Oraki is subject requires other processing of Customer Personal Data by Oraki, in which case Oraki will inform Customer (unless that law prohibits Oraki from doing so on important grounds of public interest).
As of the DPA Effective Date for the duration of the period Oraki provides the Services:
Oraki will, without undue delay, notify Customer, to the extent legally permitted, if Oraki receives a request from a data subject to exercise the data subject’s right of access, right to rectification, restriction of processing, erasure, data portability, objection to the processing, or its right not to be subject to an automated individual decision making (“Data Subject Request”); and
If Oraki receives any request from a data subject in relation to Customer Personal Data, Oraki will advise the data subject to submit his or her request to Customer and Customer will be responsible for responding to any such request including, where necessary, by using the functionality of the Services.
Taking into account the nature of the processing, Oraki will assist Customer by appropriate technical and organizational measures, insofar as it is possible, for the fulfilment of Customer’s obligation to respond to a Data Subject Request under EU Data Protection Laws. In addition, to the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Request, Oraki shall, upon Customer’s written request, provide Customer with reasonable cooperation and assistance to facilitate Customer’s response to such Data Subject Request, to the extent Oraki is legally permitted to do so and the response to such Data Subject Request is required under EU Data Protection Laws. To the extent legally permitted, Customer shall be responsible for any costs arising from Oraki’s provision of such assistance.
If the functionality of the Processor Services does not include the option for Customer to delete Customer Personal Data, then Oraki will comply with:
any reasonable request from Customer to facilitate such deletion, insofar as this is possible taking into account the nature and functionality of the Processor Services and unless EU or EU Member State law requires storage; and
the data retention practices in the Data Protection Law. .
Oraki may charge a fee (based on Oraki’s reasonable costs) for any data deletion under Section 6.1 2(a). Oraki will provide Customer with further details of any applicable fee, and the basis of its calculation, in advance of any such data deletion.
7.1 Oraki’s Security Measures
Oraki’s Security Oraki will implement and maintain technical and organisational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access as described in Appendix 2 (the “Security Measures”). As described in Appendix 2, the Security Measures include measures: (a) to encrypt personal data; (b) to help ensure the ongoing confidentiality, integrity, availability and resilience of Oraki’s systems and services; (c) to help restore timely access to personal data following an incident; and (d) for regular testing of effectiveness. Oraki may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Processor Services.
Security Compliance by Oraki Oraki will take appropriate steps to ensure compliance with the Security Measures by its employees, contractors and Sub-processors to the extent applicable to their scope of performance, including ensuring that all persons authorized to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
7.2 Data Incidents.
Incident Notification. If Oraki becomes aware of a Data Incident, Oraki will: (a) notify Customer of the Data Incident promptly and without undue delay; and (b) promptly take reasonable steps to minimise harm and secure Customer Personal Data.
Details of Data Notifications made under Section 7.2.1 (Incident Notification) will describe, to the extent possible, details of the Data Incident, including steps taken to mitigate the potential risks and steps Oraki recommends Customer take to address the Data Incident.
Delivery of Notification. Oraki will deliver its notification of any Data Incident to the Notification Email Address or, at Oraki’s discretion (including if Customer has not provided a Notification Email Address), by other direct communication (for example, by phone call or an in-person meeting). Customer is solely responsible for providing the Notification Email Address and ensuring that the Notification Email Address is current and
Third Party Customer is solely responsible for complying with incident notification laws applicable to Customer and fulfilling any third party notification obligations related to any Data Incident.
No Acknowledgement of Fault by Oraki. Oraki’s notification of or response to a Data Incident under this Section 7.2 (Data Incidents) will not be construed as an acknowledgement by Oraki of any fault or liability with respect to the Data Incident.
7.3 Customer’s Security Responsibilities.
Customer’s Security Customer agrees that, without prejudice to Oraki’s obligations under Sections 7.1 (Oraki’s Security Measures and Assistance) and 7.2 (Data Incidents):
Customer is solely responsible for its use of the Processor Services, including:
making appropriate use of the Processor Services to ensure a level of security appropriate to the risk in respect of Customer Personal Data; and
securing the account authentication credentials, systems and devices Customer uses to access the Processor Services; and
Oraki has no obligation to protect Customer Personal Data that Customer elects to store or transfer outside of Oraki’s and its Sub-processors’
Customer’s Security Assessment Customer acknowledges and agrees that (taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing of Customer Personal Data as well as the risks to individuals) the Security Measures implemented and maintained by Oraki as set out in Section 1.1 (Oraki’s Security Measures) provide a level of security appropriate to the risk in respect of Customer Personal Data.
Consent to Sub-processor Engagement Customer specifically authorizes the engagement of Oraki’s Affiliates as Sub-processors (“Oraki Affiliate Sub-processors”). In addition, Customer generally authorizes the engagement of any other third parties as Sub-processors (“Third Party Sub-processors”).
Requirements for Sub-processor Engagement. When engaging any Sub-processor, Oraki will:
ensure via a written contract that:
the Sub-processor only accesses and uses Customer Personal Data to the extent required to perform the obligations subcontracted to it, and does so in accordance with the Agreement (including these Data Processing Terms); and
if the GDPR applies to the processing of Customer Personal Data, the data protection obligations set out in Article 28(3) of the GDPR are imposed on the Sub-processor; and
Remain fully liable for all obligations subcontracted to, and all acts and omissions of, the Sub-processor.
Opportunity to Object to Sub-processor
When any new Third Party Sub-processor is engaged during the Term, Oraki will, at least 30 days before the new Third Party Sub-processor processes any Customer Personal Data, inform Customer of the engagement (including the name and location of the relevant Sub-processor and the activities it will perform) by sending an email to the Notification Email
Customer may object to any new Third Party Sub-processor by terminating the Agreement immediately upon written notice to Oraki, on condition that Customer provides such notice within 90 days of being informed of the engagement of the new Third Party Sub-processor as described in Section 11.4(a). This termination right is Customer’s sole and exclusive remedy if Customer objects to any new Third Party Sub-processor.
Oraki makes the Standard Contractual Clauses available as a transfer mechanism for any transfer of Personal Data under this DPA from the European Union, the EEA and/or their member states, Switzerland and the United Kingdom to countries which do not ensure an adequate level of data protection within the meaning of EU Data Protection Laws of the foregoing territories, to the extent such transfers are subject to such Data Protection Laws.
The Standard Contractual Clauses and the additional terms specified in this Section 9 (Transfer of Personal Data Outside of the EEA) apply to (i) the legal entity that has executed the Standard Contractual Clauses as a data exporter and its Covered Affiliates and (ii) all Affiliates of Customer established within the EEA, Switzerland and the United Kingdom, which have signed Orders Forms for Services. For the purpose of the Standard Contractual Clauses and this Section 9, all these entities shall be deemed “data exporters”.
For the purposes of Clause 5(a) of the Standard Contractual Clauses, the following is deemed an instruction by the Customer to process Personal Data (a) to provide the Services; (b) as further specified via Customer’s use of the Services (including the Services’ user interface dashboard and other functionality of the Services); (c) as documented in the Agreement (including this DPA and any Order Form that requires processing of Personal Data); and (d) as further documented in any other written instructions given by Customer (which may be specific instructions or instructions of a general nature as set out in this DPA, the Agreement or as otherwise notified by Customer to Oraki from time to time), where such instructions are consistent with the terms of the Agreement.
Pursuant to Clause 5(h) of the Standard Contractual Clauses, Customer acknowledges and expressly agrees that (a) Oraki’s Affiliates may be retained as Sub-processors; and (b) Oraki and Oraki’s Affiliates respectively may engage third-party Sub-processors in connection with the provision of the Services. Oraki will make available to Customer the current list of Sub-processors in accordance with Section 7 (Sub-processors).
Pursuant to Clause 5(h) of the Standard Contractual Clauses, Customer acknowledges and expressly agrees that Oraki and Oraki’s Affiliates may engage new Sub-processors as described in Sections 7 (Sub-processors).
The parties agree that the copies of the Sub-processor agreements that must be provided by Oraki to Customer pursuant to Clause 5(j) of the Standard Contractual Clauses may have all commercial information, or clauses unrelated to the Standard Contractual Clauses or their equivalent, removed by Oraki beforehand; and, that such copies will be provided by Oraki, in a manner to be determined in its discretion, only upon request by Customer.
The parties agree that the audits described in Clause 5(f) and Clause 12(2) of the Standard Contractual Clauses shall be carried out in accordance with the following specifications:
Upon Customer’s written request, at reasonable intervals, and subject to the confidentiality obligations set forth in the Agreement, Oraki shall make available to Customer that is not a competitor of Oraki (or Customer’s independent, third-party auditor that is not a competitor of Oraki) information regarding the Oraki Group’s compliance with the obligations set forth in this DPA in the form of independent audit results and/or third-party certifications, as applicable, to the extent Oraki makes them generally available to its customers. No more than once per year, Customer may contact Oraki in accordance with the “Notices” Section of the Agreement to request an on-site audit of the procedures relevant to the protection of Personal Data. Customer shall reimburse Oraki for any time expended for any such on-site audit. Before the commencement of any such on-site audit, Customer and Oraki shall mutually agree upon the scope, timing, and duration of the audit that reasonably does not interfere with normal business operations, in addition to the reimbursement rate for which Customer shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by Oraki. Customer shall promptly notify Oraki with information regarding any non-compliance discovered during the course of an audit.
The parties agree that the certification of deletion of Personal Data that is described in Clause 12(1) of the Standard Contractual Clauses shall be provided by Oraki to Customer only upon Customer’s written request.
In the event of any conflict or inconsistency between the body of this DPA and any of its attachments (not including the Standard Contractual Clauses) and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
In the event that the European Commission decision authorizing the Standard Contractual Clauses as a data transfer mechanism is held to be invalid, or that any supervisory authority requires transfer of Personal Data made pursuant to such decision to be suspended, then Customer may, at its discretion, require Oraki to cease processing Personal Data to which this Section 9 applies, or cooperate with Oraki to facilitate use of an alternative transfer mechanism.
Oraki agrees to comply with the obligations of a data importer as set out in the Standard Contractual Clauses for the transfer of Personal Data to data processors established in third countries under the Standard Contractual Clauses.
Customer acknowledges that Oraki will, as applicable, be a data importer under the Standard Contractual Clauses. In particular, and without limiting the above obligation:
Oraki agrees to grant third-party beneficiary rights to data subjects, as set out in Clause 3 of the Standard Contractual Clauses, provided that Oraki’s liability shall be limited to Oraki’s own processing operations only and the limitations set forth in Section 10 (Limitation of Liability) and the Agreement; and
Oraki agrees that Oraki’s obligations under the Standard Contractual Clauses shall be governed by the law(s) of the EEA member state(s) in which the entity that is the data exporter is established.
Contacting Oraki; Processing Records
Oraki’s Processing Customer acknowledges that Oraki is required under the GDPR to: (a) collect and maintain records of certain information, including the name and contact details of each processor and/or controller on behalf of which Oraki is acting and (if applicable) of such processor’s or controller’s local representative and data protection officer; and (b) make such information available to the supervisory authorities. Accordingly, Customer will, where requested and as applicable to Customer, provide such information to Oraki.
Notwithstanding anything else in the Agreement, the total liability of either party towards the other party under or in connection with these Data Processing Terms will be limited to the maximum monetary or payment-based amount at which that party’s liability is capped under the Agreement (for clarity, any exclusion of indemnification claims from the Agreement’s limitation of liability will not apply to indemnification claims under the Agreement relating to the Data Protection Law); or
If there is any conflict or inconsistency between the terms of these Data Processing Terms and the remainder of the Agreement, the terms of these Data Processing Terms will govern. Subject to the amendments in these Data Processing Terms, the Agreement remains in full force and effect.
to reflect a change to the name of a service;
to add a new service; or
to remove a service where either: (i) all contracts for the provision of that service are terminated; or (ii) Oraki has Customer’s consent.
Changes to Data Processing Terms. Oraki may change these Data Processing Terms if the change:
is expressly permitted by these Data Processing Terms, including as described in Section 15.1 (Changes to URLs);
reflects a change in the name or form of a legal entity;
is required to comply with applicable law, applicable regulation, a court order or guidance issued by a governmental regulator or agency; or
does not (i) result in a degradation of the overall security of the Processor Services; (ii) expand the scope of, or remove any restrictions on, Oraki’s processing of Customer Personal Data, as described in Section 5.3 (Oraki’s Compliance with Instructions); and (iii) otherwise have a material adverse impact on Customer’s rights under these Data Processing Terms, as reasonably determined by Oraki.
Notification of Changes. If Oraki intends to change these Data Processing Terms under Section 15.2(c) or (d), Oraki will inform Customer at least 30 days (or such shorter period as may be required to comply with applicable law, applicable regulation, a court order or guidance issued by a governmental regulator or agency) before the change will take effect by either: (a) sending an email to the Notification Email Address; or (b) alerting Customer via the user interface for the Processor Services. If Customer objects to any such change, Customer may terminate the Agreement by giving written notice to Oraki within 90 days of being informed by Oraki of the
Appendix 1: Subject Matter and Details of the Data Processing
Oraki’s provision of the Processor Services and any related technical support to Customer.
Duration of the Processing
The Term plus the period from expiry of the Term until deletion of all Customer Personal Data by Oraki in accordance with these Data Processing Terms.
Nature and Purpose of the Processing
Oraki will process (including, as applicable to the Processor Services and the instructions described in Section 5.2 (Customer’s Instructions), collecting, recording, organising, structuring, storing, altering, retrieving, using, disclosing, combining, erasing and destroying) Customer Personal Data for the purpose of providing the Processor Services and any related technical support to Customer in accordance with these Data Processing Terms.
Types of Personal Data
Categories of Data Subjects
Customer Personal Data will concern the following categories of data subjects:
Data subjects about whom Oraki collects personal data in its provision of the Processor Services; and/or
Data subjects about whom personal data is transferred to Oraki in connection with the Processor Services by, at the direction of, or on behalf of Customer.
Depending on the nature of the Processor Services, these data subjects may include individuals: (a) to whom online advertising has been, or will be, directed; (b) who have visited specific websites or applications in respect of which Oraki provides the Processor Services; and/or (c) who are customers or users of Customer’s products or services.
Appendix 2: Security Measures
Oraki may update or modify such Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security.
1. Personnel Security
Oraki personnel are required to conduct themselves in a manner consistent with the company’s guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards. Oraki conducts reasonably appropriate backgrounds checks to the extent legally permissible and in accordance with applicable local labor law and statutory regulations.
Personnel are required to execute a confidentiality agreement and must acknowledge receipt of, and compliance with, Oraki’s confidentiality and privacy policies. Personnel handling Customer Personal Data are required to complete additional requirements appropriate to their role. Oraki’s personnel will not process Customer Personal Data without authorization.
Infrastructure Security Personnel. Oraki has, and maintains, a security policy for its personnel, and requires security training as part of the training package for its personnel. Oraki’s infrastructure security personnel are responsible for the ongoing monitoring of Oraki’s security infrastructure, the review of the Processor Services, and responding to security incidents.
Access Control and Privilege Management Customer’s administrators and users must authenticate themselves via a central authentication system or via a single sign on system in order to use the Processor Services.
2. Sub-processor Security
Before onboarding Sub-processors, Oraki conducts an audit of the security and privacy practices of Sub-processors to ensure Sub-processors provide a level of security and privacy appropriate to their access to data and the scope of the services they are engaged to
provide. Once Oraki has assessed the risks presented by the Sub-processor then, subject always to the requirements set out in Section 11.2 (Requirements for Sub-processor Engagement), the Sub-processor is required to enter into appropriate security, confidentiality and privacy contract terms.
Appendix 3: Service Information
The following services are eligible to be in scope of the Data Processing Terms:
Google services listed at: https://privacy.google.com/businesses/adsservices/ (may be update from time to time, subject to the terms of the Data Processing Terms).
Vinyl Trading desk
The Media Street
Bold Screen Media
The Daily Dot
Level Up Media
Types of personal data