Data Processing Addendum

This Data Processing Addendum (“DPA”) forms an integral part of, and is subject to, the Twik Terms of Service (the “Terms”), entered into by and between you, the customer (“Customer”), and Twik Technologies Ltd. (“Twik”). Capitalized terms not otherwise defined herein shall have the meaning given to them in the Terms.

Whereas, in connection with the performance of its obligations under the Terms, Twik may Process Customer Personal Data (both as defined below) on behalf of the Customer; and

Whereas, the parties wish to set forth the mutual obligations with respect to the processing of Customer Personal Data by Twik;

Now therefore, intending to be legally bound, the parties hereby agree as follows:

Definitions

In addition to capitalized terms defined elsewhere in this DPA, the following terms shall have the meanings set forth opposite each one of them:

“Applicable Law” means whichever of the following legal regimes is applicable to the processing of Personal Data under this DPA, including but not limited to:

EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (“GDPR“) and laws implementing or supplementing the GDPR;

The California Consumer Privacy Act of 2018, Cal. Civil Code Title 1.81.5 and the regulations thereunder (collectively, “CCPA“); and/or

The Israel Protection of Privacy Law, 1981, all related regulations enacted thereunder and the Israel Privacy Protection Authority’s Guidelines and the Israeli Protection of Privacy Regulations (Information Security) – 2017 (collectively, “Israeli Privacy Law“).

“Customer Personal Data” means any Personal Data Processed by Twik on behalf of Customer pursuant to or in connection with the Terms;

“Data Subject” shall mean the person whose Personal Data is Processed, and includes both a Data Subject as defined under the GDPR and a Consumer as defined under the CCPA.

“Personal Data” shall mean Personal Data as defined under the GDPR, ‘Personal Information’ as defined under the CCPA and ‘Personal Information’ (‘meda’) as defined under Israeli Privacy Law, in each case, as applicable.

“Processing” shall be as defined in the GDPR, CCPA, and Israeli Privacy Law, in each case, as applicable.

“Sub Processor” means any person (excluding an employee of Twik) appointed by or on behalf of Twik to Process Personal Data on behalf of the Customer in connection with the Terms; and

The terms “Controller“, “Member State“, “Personal Data Breach“, “Processor“, and “Supervisory Authority” shall have the meanings ascribed to them in the GDPR.

The terms “Business“, “Sell“, “Share“, and “Service Provider“ shall have the meanings ascribed to them in the CCPA.

Applicability and Roles of the Parties.

For Processing subject to the GDPR

When Customer Personal Data is subject to the GDPR, Customer serves as a Controller of such Personal Data and Twik serves as a Processor on its behalf. In such case, the Applicable Law shall be as described in Section 1.1.1 and this DPA shall be interpreted accordingly.

For Processing subject to the CCPA

When Customer Personal Data is subject to the CCPA, Customer serves as a Business with respect to such Personal Data and Twik serves as a Service Provider on its behalf. In such case, the Applicable Law shall be as described in Section 1.1.2 and this DPA shall be interpreted accordingly.

For Processing subject to Israeli Privacy Law

When Customer Personal Data is subject to Israeli Privacy Law, Customer shall be considered the party controlling the database of Customer Personal Data and Twik serves as an outsourced service provider on its behalf. In such case, the Applicable Law shall be as described in Section 1.1.3 and this DPA shall be interpreted accordingly.

Processing of Customer Personal Data

Twik shall Process Customer Personal Data at the Customer’s instructions as specified in the Terms and/or this DPA, including without limitation, with regard to transfers of Customer Personal Data to a third country or international organization. Any other Processing shall only be permitted in the event that such Processing is required by any laws to which Twik is subject. In such event, Twik shall, unless prohibited by such laws, inform Customer of that requirement before engaging in such Processing.

Customer instructs Twik (and authorizes Twik to instruct each Sub Processor) to (i) Process Customer Personal Data for the provision of the services, as detailed in the Terms (“Services“) and as otherwise set forth in the Terms and in this DPA; and (ii) transfer Customer Personal Data to any country or territory as reasonably necessary for the provision of the Services and in accordance with Applicable Law. Customer hereby consents to transfer of Customer Personal Data outside of the EU and Israel, including to the United States.

Twik shall be allowed to exercise its own discretion in the selection and use of such means as it considers necessary for the provision of the Services, subject to the requirements of this DPA.

For Processing subject to the GDPR

Customer sets forth the details of the Processing of Customer Personal Data, as required by article 28(3) of the GDPR in Schedule 1 (Details of Processing of Customer Personal Data), attached hereto.

For Processing subject to the CCPA

Twik undertakes that it shall not Sell or Share Personal Data when processing Personal Data as a Service Provider and shall not retain, use, or disclose Personal Data for any commercial purpose other than providing the Services to Customer under the Terms.

Customer

Customer represents and warrants that it has and shall maintain throughout the term of the Terms and this DPA, all necessary rights to provide the Customer Personal Data to Twik for the Processing to be performed in relation to the Services and in accordance with the Terms and this DPA. To the extent required by any Applicable Law, Customer is responsible for obtaining any necessary Data Subject consents to the Processing, and for ensuring that a record of such consents is maintained throughout the terms of the Terms and this DPA and/or as otherwise required under Applicable Law. In the event that any Data Subject exercises any of its rights under Applicable Law, then Customer shall notify Twik of any such Data Subject request relevant to Twik, within seven (7) business days.

Twik Employees

Twik shall take reasonable steps to ensure that access to the Customer Personal Data is limited on a need to know and/or access basis, and that all Twik employees receiving such access are subject to confidentiality undertakings or professional or statutory obligations of confidentiality in connection with their access to and use of Customer’s Personal Data.

Security

Twik shall implement appropriate technical and organizational measures to ensure an appropriate level of security of the Controller Personal Data as set forth in the Binding Security Document attached hereto as Schedule 2. In assessing the appropriate level of security, Processor shall take into account the risks that are presented by the nature of the Processing and the information available to the Processor.

Personal Data Breach

Twik shall notify Customer without undue delay and, where feasible, not later than within forty eight (48) hours upon Twik becoming aware of a Personal Data Breach affecting Customer Personal Data. In such event, if required by Applicable Law, Twik shall provide Customer with reasonable and available information to assist Customer to meet any obligations to inform Data Subjects or regulatory authorities of the Personal Data Breach.

At the written request of the Customer, Twik shall reasonably cooperate with Customer and take such commercially reasonable steps as are agreed by the parties or required under Applicable Law to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

Sub Processing

Customer authorizes Twik to appoint (and permits each Sub Processor appointed in accordance with this Section 8 to appoint) Sub Processors in accordance with this Section 8.

Twik may continue to use those Sub Processors already engaged by Twik as identified to Customer as of the date of this DPA.

Twik may appoint new Sub Processors and shall give notice of the appointment of any new Sub Processor to Customer. If, within seven (7) days of such notice, Customer notifies Twik in writing of any objections (on reasonable grounds) to the proposed appointment, Twik shall not appoint for the processing of Customer Personal Data the proposed Sub Processor until reasonable steps have been taken to address the objections raised by Customer, and Customer has been provided with a reasonable written explanation of the steps taken. Where such steps are not sufficient to relieve Customer’s reasonable objections then Customer or Twik may, by written notice to the other party, with immediate effect, terminate the Terms to the extent that it relates to the Services which require the use of the proposed Sub Processor without bearing liability for such termination.

With respect to each new Sub Processor, Twik shall:

before the Sub Processor first Processes Customer Personal Data, take reasonable steps (for instance by way of reviewing privacy policies as appropriate) to ensure that the Sub Processor is committed and able to provide the level of protection for Customer Personal Data required by the Terms; and

ensure that the arrangement between Twik and the Sub Processor is governed by a written contract, including terms which offer materially similar level of protection for Customer Personal Data as those set out in this DPA.


Twik shall remain fully liable to the Customer for the performance of any Sub Processor’s obligations.

Data Subject Rights

Customer shall be solely responsible for compliance with any statutory obligations concerning requests to exercise Data Subject rights under Applicable Law (e.g., for access, correction, or deletion of Customer Personal Data, etc.). Twik shall use commercially reasonable efforts to assist Customer to fulfill Customer’s obligations with respect to such Data Subject requests, as required under Applicable Law, at Customer’s sole expense.

Twik shall:

promptly notify Customer if it receives a request from a Data Subject under Applicable Law in respect of Customer Personal Data; and

ensure that it does not respond to that request except on the documented instructions of Customer or as required by Applicable Law to which Twik is subject, in which case Twik shall, to the extent permitted by Applicable Law, inform Customer of that legal requirement before it responds to the request.

Data Protection Impact Assessment and Prior Consultation

To the extent the processing is subject to the GDPR, Twik and each Sub Processor shall provide reasonable assistance to Customer with respect to any Customer Personal Data Processed by Twik and/or a Sub Processor, at Customer’s written request and expense, with any data protection impact assessments or prior consultations with Supervisory Authorities.

Deletion or Return of Customer Personal Data.

Twik shall promptly and in any event within up to sixty (60) days of the date of cessation of provision of the Services to Customer involving the Processing of Customer Personal Data (the “Cessation Date“), delete, return or anonymize all copies of those Customer Personal Data, provided however that Twik may, subject to Applicable Law, retain Customer Personal Data for audit and record-keeping purposes, as well as other purposes, all as permissible and/or required under Applicable Law. Twik may also retain information in an anonymized form.

Audit Rights

Subject to Sections 2 and 12.3, to the extent required by Applicable Law, Twik shall make available to a reputable auditor mandated by Customer in coordination with Twik, upon prior written request, such information reasonably necessary to demonstrate compliance with this DPA, and shall allow for audits, including inspections, by such reputable auditor mandated by the Customer in relation to the Processing of the Customer Personal Data by Twik, provided that such third-party auditor shall be subject to confidentiality obligations.

Any audit or inspection shall be at Customer’s sole expense, and subject to Twik’s obligations to third parties, including with respect to confidentiality as well as Twik’s own reasonable security policies. The results of any audit or inspection shall be considered Twik’s confidential information and shall be treated with the same degree of care as Customer affords its own confidential information.

Customer and any auditor on its behalf shall use best efforts to minimize or avoid causing any damage, injury or disruption to Twik’s premises, equipment, employees and business. Customer and Twik shall mutually agree upon the scope, timing and duration of the audit or inspection in addition to the reimbursement rate for which Customer shall be responsible. Twik need not give access to its premises for the purposes of such an audit or inspection:

to any individual unless he or she produces reasonable evidence of identity and authority;

if Twik was not given a prior written notice of such audit or inspection;

outside normal business hours at those premises, unless the audit or inspection needs to be conducted on an emergency basis; or

for the purposes of more than one (1) audit or inspection, in respect of each Twik, in any calendar year, except for any additional audits or inspections which:

Customer reasonably considers necessary because of genuine concerns as to Twik’s compliance with this DPA; or

Customer is required to carry out by Applicable Law, a Supervisory Authority or any similar regulatory authority responsible for the enforcement of Applicable Law in any country or territory,

where, in either case, Customer has identified its concerns or the relevant requirement or request in its prior written notice to Twik of the audit or inspection.

Liability and Indemnity

Customer shall indemnify and hold Twik harmless against all claims, actions, third party claims, losses, damages and expenses incurred by Twik and arising directly or indirectly out of or in connection with a breach of this DPA and/or the Applicable Law by Customer. Each party’s liability toward the other party shall be subject to the limitations on liability under the Terms.

General Terms

Governing Law and Jurisdiction

The parties to this DPA hereby submit to the choice of jurisdiction stipulated in the Terms with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity; and

This DPA and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Terms.

Order of Precedence

This DPA is not intended to, and does not in any way limit or derogate from Customer’s obligations and liabilities towards Twik under the Terms, and/or pursuant to the Applicable Law or any law applicable to Customer, in connection with the collection, handling and use of Customer Personal Data by Customer or other processors or their sub-processors, including with respect to the transfer or provision of Customer Personal Data to Twik and/or providing access thereto to Twik.

Subject to this Section 14.2, with regard to the subject matter of this DPA, in the event of inconsistencies between the provisions of this DPA and any other agreements between the parties, including the Terms and including (except where explicitly agreed otherwise in writing, signed on behalf of the parties) agreements entered into or purported to be entered into after the date of this DPA, the provisions of this DPA shall prevail.

Changes in Applicable Law

Customer may by at least forty-five (45) calendar days’ prior written notice to Twik, request in writing any variations to this DPA if they are required as a result of any change in, or decision of a competent authority under any Applicable Law in order to allow Customer Personal Data to be Processed (or continue to be Processed) without breach of that Applicable Law; and

If Customer gives notice with respect to its request to modify this DPA under Section 3.1:

Twik shall make commercially reasonable efforts to accommodate such modification request; and

Customer shall not unreasonably withhold or delay agreement to any consequential variations to this DPA proposed by Twik to protect Twik against additional risks, or to indemnify and compensate Twik for any further steps and costs associated with the variations made herein.

Severance

Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall either be (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

Schedule 1: Details of Processing of Controller Personal Data

This Schedule 1 includes certain details of the Processing of Controller Personal Data as required by Article 28(3) GDPR.

Subject matter and duration of the Processing of Controller‘s Personal Data.

The subject matter and duration of the Processing of the Controller’s Personal Data are set out in the Terms, in Twik’s Privacy Notice (“Privacy Notice“), and this DPA.

The nature and purpose of the Processing of Controller Personal Data:

Rendering the Services, as detailed in the Terms and the Privacy Notice.

The types of Controller Personal Data to be Processed are as follows:

As detailed in the Terms of Service and Privacy Notice.

The categories of Data Subject to whom the Controller Personal Data relates to are as follows:

Data Subjects who are end users or customers of the Controller’s web and mobile application services.

The obligations and rights of Controller.

The obligations and rights of Controller are set out in the Terms and this DPA.

Schedule 2: Binding Security - Technical and Organizational Measures

1. Information security program and certification. A written security program is implemented, maintained, and complied with. As part of the program, Twik: (i) implements an audit program to test and, if necessary, remediate identified gaps in all security controls at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing Personal Data; (ii) conducts an annual information security assessment that assesses the threats and vulnerabilities associated with its systems; and (iii) produces (pursuant to the results of (i) and (ii)) a documented information security assessment and, where appropriate, a risk remediation plan.

2. Chief Information Security Officer (CISO). Twik has appointed a CISO who is responsible for the development, implementation, and ongoing maintenance of the information security program. The CISO has appropriate recognized information security credentials and qualifications.

3. Access control. Access rights are assigned according to the principle that employees and third parties are only granted the level of access they need to perform their activities (need-to-know principle) and only to those systems required for such activities. Access rights are granted according to defined (role-based) permissions. The access rights granted are reviewed regularly. Rights that are no longer required are withdrawn immediately. Access to systems is provided based on strong authentication policies.

4. Physical access control. Secure areas are defined on the basis of information security and data protection requirements and protected against unauthorized access by appropriate physical safeguards, defined based on the protection needs of the information located or accessed within them.

5. Encryption. Personal Data is encrypted at rest using AES-256 and in transit using TLS v1.2 or higher.

6. Confidentiality. Controls are in place to maintain the confidentiality of Data in accordance with the Service Agreement. All employees and contract personnel are bound by our internal policies regarding maintaining the confidentiality of customer data and are contractually obligated to comply with these obligations.

7. Information integrity and availability. A variety of tools and mechanisms are used to achieve high availability and resiliency. Data is backed up on AWS, and restoration of the backups is tested regularly to ensure we meet our recovery-point objective (RPO) and recovery-time objective (RTO) commitments.

8. Third party vendor management. Security risk-based assessments of prospective vendors are carried out before working with them to validate that they meet our security requirements. Each vendor is periodically reviewed in light of its security and business continuity standards, the controls necessary to protect data, and legal/regulatory requirements. Twik ensures that customer data is returned and/or deleted at the end of a vendor relationship. A written agreement is in place with all vendors which includes confidentiality, privacy and security obligations that provide an appropriate level of protection for customer Data that these vendors may process.

9. Incident response plan. Policies and procedures are implemented, designed to detect, respond to, and otherwise address incidents, including specific points of contact in the event of an incident.

10. System testing and maintenance. Twik tests and maintains systems to protect data including, without limitation: (i) installing critical security patches for operating systems and applications within thirty (30) days of publication, and other types of patches and updates within three (3) months; (ii) installing the latest recommended versions of operating systems, software and firmware for all system components; and (iii) ensuring that up-to-date system security agent software includes malware protection set to receive automatically updated (at least daily) patches and virus definitions.

11. Audit logging. Hardware, software, or procedural mechanisms are implemented and maintained to record and examine activity in processing systems that contain or use electronic information, including appropriate logs and reports concerning the security requirements set forth in this Schedule.

12. Security awareness and privacy training. An ongoing security and privacy awareness and training program is maintained for all personnel (including management, employees, contractors and other agents), which includes training on how to implement and comply with the information security program and sets forth disciplinary measures for violation of the security program. Security and privacy awareness training is conducted at least annually.

13. Secure software development. Code integrity protection is implemented, including regular review and testing for vulnerabilities such as those in the OWASP Top 10.