DATA PROCESSING AGREEMENT (DPA)
This Data Processing Agreement ("DPA") forms an integral part of the Terms of Service and Master Service Agreement ("Agreement") between Exsile Digital Ltd., operating under the brand Buz ("Processor", "We", "Us", or "Buz"), and the client utilizing Buz's digital business card ("Controller", "Customer", or "You").
By utilizing Buz's services, the Customer accepts and agrees to the terms of this DPA.
1. Definitions
- "Data Protection Laws" refers to all applicable privacy and data protection regulations, including the Israeli Privacy Protection Law (1981) and the EU General Data Protection Regulation (GDPR) 2016/679, where applicable.
- "Personal Data" means any information relating to an identified or identifiable natural person (such as leads, names, phone numbers, or emails) that is uploaded, stored, or processed on the Processor’s infrastructure by the Customer.
- "Controller" is the Customer, who determines the purposes and means of the processing of Personal Data.
- "Processor" is Buz, providing the hosting platform for the digital business cards and the technical routing of leads.
2. Scope and Nature of Processing
2.1. Passive Infrastructure Role: Buz provides the hosting platform for digital business cards and lead capture forms. Buz acts solely as a passive conduit for the storage and automated routing of data. We do not monitor, access, mine, or monetize the Personal Data stored on our servers by the Customer.
2.2. Processing Activities: Processing is limited exclusively to the automated storage of business card content, the reception of form submissions (leads), and the technical routing of these submissions to the Customer.
2.3. Prohibition of Sensitive Data: The Customer is strictly prohibited from storing highly sensitive data on Buz infrastructure, including but not limited to full credit card numbers (PCI data), protected health information (PHI), or special categories of data under Article 9 of the GDPR.
3. Obligations of the Controller (Customer)
3.1. Lawful Basis and Consent: The Customer bears full and sole responsibility for establishing a lawful basis for data collection. The Customer must ensure that all Personal Data collected via their digital business card has been collected legally, with appropriate end-user consent and privacy notices in place.
3.2. Application Security: While Buz secures the platform infrastructure, the Customer is completely responsible for the security of their own account access, including maintaining secure passwords and preventing unauthorized access to their Buz dashboard.
4. Obligations of the Processor (Buz)
4.1. Confidentiality: Buz ensures that any personnel authorized to manage the platform are bound by strict obligations of confidentiality.
4.2. Security Measures: Buz shall implement and maintain appropriate technical and organizational measures to protect the platform against unauthorized access and hardware failures.
4.3. Data Subject Requests: Buz shall not respond directly to Data Subject Requests (e.g., right to be forgotten). The Customer has full administrative access to their account to fulfill these requests independently. If a request is made directly to Buz, we will forward it to the Customer.
5. Personal Data Breach Management
5.1. Notification: In the event of a confirmed security breach originating at the infrastructure level managed by Buz that compromises Customer Personal Data, Buz will notify the Customer without undue delay.
5.2. Exclusion: Buz is not responsible for, and will not generate breach notifications for, security incidents resulting from Customer negligence, compromised Customer passwords, or vulnerabilities within the Customer's account content.
6. Sub-processing
6.1. The Customer provides general authorization for Buz to engage third-party sub-processors (e.g., hosting providers, SMS gateway providers) to facilitate the services.
6.2. Buz ensures that any sub-processor engaged is subject to data protection obligations that are substantially similar to those contained in this DPA.
7. Data Deletion and Return
7.1. Upon termination or cancellation of the services, Buz will permanently delete all Customer Personal Data and leads associated with the account from its active databases. The Customer is responsible for exporting any required data prior to account cancellation.
8. Governing Law and Jurisdiction
8.1. This DPA shall be governed by and construed in accordance with the laws of the State of Israel.
8.2. Any disputes arising from this DPA shall be subject to the exclusive jurisdiction of the competent courts in Tel Aviv-Jaffa, Israel.