This Data Processing Undertaking (“Undertaking”) is a legally binding undertaking by QOGNIFY to any organization that uses the QOGNIFY-developed software-based physical security measures (the “Organization” and the “Solution”, respectively).

WHEREAS, QOGNIFY is involved in providing to the Organization certain installation, implementation, training, maintenance, support, hosting, Software-as-a-service (SaaS) or other services that relate to the Solution, and which involve QOGNIFY processing certain personal data,
QOGNIFY extends this undertaking, which consists of three parts, with the intent of being legally bound by its provisions, to enable the Organization to act in reliance thereon for all intents and purposes:

  • Part 1 applies with respect to the GDPR (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and supplementary GDPR legislations in EU member states).
  • Part 2 applies with respect to the UK’s Data Protection Act 2018 and the European Union (Withdrawal) Act 2018 as amended by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419).
  • Part 3 applies with respect to the California Consumer Privacy Act of 2018 (CCPA).

Part 1

  1. Capitalized terms used in this Part 1 but not defined elsewhere in the Undertaking have the meaning ascribed to them in Regulation (EU) 2016/679 (GDPR).
  2. This Part 1 applies only where QOGNIFY is Processing Personal Data as a Processor on behalf of the Organization and under the Organization’s instructions, where the Organization is either a Controller or Processor subject to the GDPR with respect to the Personal Data that QOGNIFY Processes. It does not apply to QOGNIFY’s Processing Personal Data of the Organization’s representatives to operate the Solution, to market or promote its products, to administer the business or contractual relationship between QOGNIFY and the Organization, or in other instances where QOGNIFY operates as the Controller.
  3. QOGNIFY hereby assents to the Annex to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“SCCs”, available at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN), for MODULE TWO (transfer controller to processor) where the Organization is a Controller, or MODULE THREE (transfer processor to processor) where the Organization is a Processor, as follows:
    1. In Section II (Obligations of the Parties), Clause 9(a) for MODULE TWO (Transfer controller to processor) and MODULE THREE (transfer processor to processor): The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least 10 business days in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s).
    2. In Section IV (Final Provisions), Clause 17 –
      1. For MODULE TWO: Transfer controller to processor: The Parties agree that this shall be the EU member state in which the Organization is established, or, if the Organization is not established in any EU member state, then the law of the Republic of Ireland.
      2. For MODULE THREE: Transfer processor to processor: The Parties agree that this shall be the EU member state in which the Organization’s Controller is established, or, if the Organization’s Controller is not established in any EU member state, then the law of the Republic of Ireland.
    3. In Section IV (Final Provisions), Clause 18(b) –
      1. For MODULE TWO: Transfer controller to processor: The Parties agree that those shall be the courts of the EU member state’s town in which the Organization is established, or, if the Organization is not established in any EU member state, then the courts of Dublin, Ireland.
      2. For MODULE THREE: Transfer processor to processor: The Parties agree that those shall be the courts of the EU member state’s town in which the Organization’s Controller is established, or, if the Organization’s Controller is not established in any EU member state, then the courts of Dublin, Ireland.
    4. In Annex I:
      1. Data Exporter: Organization.
        1. Activities relevant to the data transferred under these Clauses: an organization utilizing the Solution which involves processing personal data and seeking technical support for those measures (including, without limitation, the provision of such data to the data importer, including transfers outside of the European Economic Area).
        2. Role: Controller (for MODULE TWO: Transfer controller to processor), or Processor (for MODULE THREE: Transfer processor to processor)
      2. Data Importer: QOGNIFY.
        1. Activities relevant to the data transferred under these Clauses: Developer, operator, and provider of the software-based physical security measures, including the provision of technical support for them.
        2. Role: Processor.
    5. Description of Transfer:
        • Categories of data subjects whose personal data is transferred: employees and contractors of the Organization, visitors to the Organization’s premises, including customers and prospective customers and their representatives and members of the public.
        • Categories of personal data transferred: Images of data subjects and metrics monitoring their activities and behavior.
        • Sensitive data transferred: Only to the extent that images of the data subject reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership.
        • The frequency of the transfer: on a continuous basis (if the Solution used is in a cloud-based configuration managed by QOGNIFY), or at discrete eventualities during technical support inquiries (if the Solution is installed on-premises at the Organization).
        • Nature of the processing: recording, storage, consultation, use, disclosure by transmission and erasure.
        • Purpose(s) of the data transfer and further processing: the provision of the Solution functionality to the Organization (if the Solution used is in a cloud-based configuration managed by QOGNIFY), or the provision of technical support for the Solution (if the Solution is installed on-premises at the Organization).
        • The period for which the personal data will be retained: the period of the engagement agreement for the provision of the Solution (if the Solution used is in a cloud-based configuration managed by QOGNIFY) or for the duration of a technical support request, and until it is completed (if the Solution is installed on-premises at the Organization).
        • Transfers to (sub-) processors:

          | Subprocessor | Subject matter and nature of subprocessing | Country and Transfer Safeguard | Duration of subprocessing |
          |---|---|---|---|
          | Qognify Ltd. | R&D subsidiary supporting the provision of the Solution to the Organization | Israel (Adequacy Decision) | For the duration of the provision of the Solution to the Organization |
          | Microsoft Corporation | Email transmission and storage provider | USA (SCCs) | For the duration of the provision of the Solution to the Organization |
          | Amazon Web Services, Inc. | Cloud hosting and processing (only if the Solution used is in a cloud-based configuration managed by QOGNIFY) | USA (SCCs) | For the duration of the provision of the Solution to the Organization |
          | Wasabi Technologies LLC | Cloud hosting and processing (only if the Solution used is in a cloud-based configuration managed by QOGNIFY) | USA (SCCs) | For the duration of the provision of the Solution to the Organization |
          | Orock Technologies LLC | Cloud hosting and processing (only if the Solution used is in a cloud-based configuration managed by QOGNIFY) | USA (SCCs) | For the duration of the provision of the Solution to the Organization |
          | CommIT Ltd. | Cloud management services (only if the Solution used is in a cloud-based configuration managed by QOGNIFY) | Israel (Adequacy Decision) | For the duration of the provision of the Solution to the Organization |

        • Competent Supervisory Authority:
          1. For MODULE TWO: Transfer controller to processor: the data protection authority in the EU member state in which the Organization is established, or the Organization’s lead supervisory authority for GDPR purposes, but if the Organization is not established in any EU member state, then the supervisory authority of the EU member state in which the Organization’s EU representative pursuant to Article 27 of the GDPR is located.
          2. For MODULE THREE: Transfer processor to processor: the data protection authority in the EU member state in which the Organization’s Controller is established, or the Organization’s Controller’s lead supervisory authority for GDPR purposes, but if the Organization’s Controller is not established in any EU member state, then the supervisory authority of the EU member state in which the Organization’s Controller’s EU representative pursuant to Article 27 of the GDPR is located.
    6. In Annex II, for MODULE TWO and MODULE THREE (TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA): See Exhibit 1 below.
    7. Annex III: List of Sub-processors (MODULE TWO and MODULE THREE): see Section 3.5.8 above.

    Exhibit 1 to Part 1

    This Exhibit 1 specifies the technical and organizational measures that QOGNIFY uses to ensure the security of the personal data:

    (a) deny unauthorized persons access to processing equipment used for processing (‘equipment access control’).

    (b) prevent the unauthorized reading, copying, modification or removal of data media (‘data media control’).

    (c) prevent the unauthorized input of personal data and the unauthorized inspection, modification, or deletion of stored personal data (‘storage control’).

    (d) prevent the use of automated processing systems by unauthorized persons using data communication equipment (‘user control’).

    (e) ensure that persons authorized to use an automated processing system have access only to the personal data covered by their access authorisation (‘data access control’).

    (f) ensure that it is possible to verify and establish the bodies to which personal data have been or may be transmitted or made available using data communication equipment (‘communication control’).

    (g) ensure that it is subsequently possible to verify and establish which personal data have been input into automated processing systems and when and by whom the personal data were input (‘input control’).

    (h) prevent the unauthorized reading, copying, modification or deletion of personal data during transfers of personal data or during transportation of data media (‘transport control’).

    (i) ensure that installed systems may, in the case of interruption, be restored (‘recovery’).

    (j) ensure that the functions of the system perform, that the appearance of faults in the functions is reported (‘reliability’) and that stored personal data cannot be corrupted by means of a malfunctioning of the system (‘integrity’).

    (k) implement a process for regularly testing, assessing, evaluating, and enhancing the effectiveness of technical and organizational measures for ensuring the security of the Processing (‘assessments’).

Part 2

  1. Capitalized terms used in this Part 2 but not defined elsewhere in the Undertaking have the meaning ascribed to them in the UK’s Data Protection Act 2018 under the European Union (Withdrawal) Act 2018 as amended by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419).
  2. This Part 2 applies only where QOGNIFY is Processing Personal Data as a Processor on behalf of the Organization and under the Organization’s instructions, where the Organization is either a Controller or Processor subject to the UK GDPR with respect to the Personal Data that QOGNIFY Processes. It does not apply to QOGNIFY’s Processing Personal Data of the Organization’s representatives to operate the Solution, to market or promote its products, to administer the business or contractual relationship between QOGNIFY and the Organization, or in other instances where QOGNIFY operates as the Controller.
  3. QOGNIFY hereby agrees to be bound by Section 3 of Part 1 of this Undertaking, and assents to the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B1.0, in force 21 March 2022, including their “part 2: mandatory clauses”), issued by the Commissioner under S119A(1) of the UK Data Protection Act 2018 (https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf), as follows:
    1. In Table 1: Parties –
      1. The Start date shall be the date that the Organization provided personal data to QOGNIFY for processing for the first time.
      2. The Organization’s and QOGNIFY’s details and Key Contact shall be as identified in the first communication exchanged between them.
    2. In Table 2: Selected SCCs, Modules and Selected Clauses –
      1. The version of the Approved EU SCCs which the International Data Transfer Addendum is appended to, is in Section 3 of Part 1 of this Undertaking.
    3. In Table 3: Appendix Information – See Sections 3.4 – 3.7 of Part 1 of this Undertaking.
    4. In Table 4: Ending this Addendum when the Approved Addendum changes: Exporter.

Part 3

  1. Capitalized terms used in this Part 3 of the Undertaking but not defined in the Undertaking or in the Agreement have the meaning ascribed to them in the California Consumer Privacy Act of 2018 (CCPA), Cal. Civ. Code §1798.140.
  2. This Part 3 applies only where QOGNIFY is processing Personal Information as a Service Provider on behalf of the Organization where the Organization is either a Service Provider or a Business subject to the CCPA. It does not apply to QOGNIFY’s Processing Personal Information of Organization’s representatives to market or promote its products, to administer the business or contractual relationship between QOGNIFY and the Organization or in other instances where QOGNIFY operates in a capacity other than a Service Provider of the Organization.
  3. QOGNIFY is a Service Provider. To that end, and unless otherwise required by law:
    1. QOGNIFY is prohibited from retaining, using or disclosing Organization’s Personal Information for: (a) any purpose other than the purpose of properly performing, or for any commercial purpose other than as reasonably necessary to provide the Solution to the Organization, or as otherwise permitted under 11 CCR §999.314(c); (b) Selling the Organization’s Personal Information; and (c) retaining, using or disclosing the Organization’s Personal Information outside of the direct business relationship between the Parties, except as permitted under 11 CCR §999.314(c). QOGNIFY certifies that it understands the restriction specified in this subsection and will comply with it.
    2. If QOGNIFY receives a request from a California Consumer of the Organization, about his or her Personal Information, QOGNIFY shall not comply with the request itself, but shall inform the Consumer that QOGNIFY’s basis for denying the request is that QOGNIFY is merely a service provider that follows Organization’s instruction and inform the Consumer that they should submit the request directly to the Organization and provide the Consumer with the Organization’s contact information.
  4. QOGNIFY shall assist Organization by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Organization’s obligation to respond to requests for exercising Consumer rights under the California Consumer Privacy Act of 2018.
  5. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of QOGNIFY’s processing of Personal Information of the Organization, as well as the nature of personal information processed for Organization, QOGNIFY shall implement and maintain reasonable security procedures and practices appropriate to the nature of the Personal Information, to protect the Personal Information from unauthorized access, destruction, use, modification, or disclosure (including data breaches).