Last updated: September 01, 2021

This Data Processing Agreement (“DPA”) has been entered by and between Storycards ltd. (hereinafter "Storycards", "Our", "We", "Company") and You ("You", "Your" "User") as a user of Our Platform and Services. This DPA forms part of Our Terms of Use and Privacy Policy (collectively, "Agreement").

Storycards and the User are referred to individually as “Party” and collectively as “Parties”.

To the extent Visitor`s Personal Data is processed by the Company on your behalf you acknowledge and agree that We will process such Personal Data as necessary to provide you with the Services and as further detailed herein, and by using Our Platform and Services, you instruct us to process such Visitors Personal Data on your behalf under this DPA.

Any questions regarding this DPA should be addressed to Our Data Protection Officer at privacy@storycards.com.

1. 1. Background and objective

   1. The Parties entered into a contractual relationship under the Agreement and this DPA is an extract to. Within the scope of its assignment, The User Will/May be able to collect and process Personal Data of Visitors, and We will/may gain access to and process Personal Data collected by You.
   2. The objective of the DPA is to comply with the requirements in the Data Protection Legislation for a written agreement between the Parties.
   3. This DPA will apply ONLY if Storycards processes Personal Data made available by the User and that Data protection laws applies to the processing of such data.

2. 2. Definitions

   1. The terms used in this DPA shall have the same meaning as assigned to them below and in the Data Protection Legislation, which inter alia imply that:

      1. Personal Data – means any information that, directly or indirectly, can identify a living natural person; Visitors personal data shall mean the personal data for your visitors (as such determined in the Agreement).
      2. The term processing means any operation or set of operations performed with regard to personal data, whether or not performed by automated means, for example, collection, recording, organization, storage, adaptation or alteration, retrieval, gathering, use, disclosure by transmission, dissemination or otherwise making information available, alignment or combination, blocking, erasure or destruction;
      3. Data controller or Controller mean anyone who alone or jointly with others determines the purposes and means of the processing of personal data;
      4. Data processor or Processor shall mean anyone who processes personal data on behalf of the data controller;
      5. The term sub-processor means a sub-contractor that is engaged by Storycards as Processor. The sub-processor processes personal data on behalf of Controller in accordance with the sub-processor’s obligation to provide its services to Processor;
      6. The term standard data protection clauses adopted by the EU-Commission means standard contractual clauses regulating the transfer of personal data to third countries and that have been adopted by the EU Commission in accordance with Commission Decision C(2010)593 of 5 February 2010 or corresponding decision replacing such decision;
      7. Data Protection Laws or Data Protection Legislation means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country; EU Data Protection Laws means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR; GDPR means EU General Data Protection Regulation 2016/679;
      8. EEA means the European Economic Area;
      9. Without derogating from the above, The terms, Commission, Controller, Data Subject, Member State, Personal Data, Personal Data Breach, Processing and Supervisory Authority shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.

3. 3. Roles and responsibilities

   1. Notwithstanding anything to the contrary in this DPA, it is hereby clarified that:
   2. With regard to the Processing of Visitors personal data on your behalf, (i) you are the Controller and We are the Processor; and (ii) for the purposes of the CCPA (if applicable), you are the “Business” and We are the “Service Provider” (as such terms are defined in the CCPA). 

   3. We will process Visitor's personal data in order to provide the Services in accordance with the Agreement and this DPA. The nature and purposes of the Processing are as set in the Privacy Policy.

      1. Processing by the User. When using Our Service, you shall:
      1. Ensure that your submission of Personal Data to Our Platform, your instructions for the Processing of Visitor's personal data, and your processing of Visitor's personal data in your use of the Services will comply with Data Protection Laws.
      2. Establish and have any and all required consents, legal bases and authorizations in order to collect, use and otherwise process and transfer to Storycards the Visitor's personal data, and to authorize the Processing, and for Our Processing activities on your behalf, including the pursuit of ‘business purposes’ as defined under the CCPA.
      3. Have sole responsibility for the accuracy, quality, and legality of Visitor's personal data and the means by which it was obtained.
      4. Be solely responsible for any transfer of visitor's personal data by you (or any other person operating on your behalf) to any platform other than Storycards, or any other third party.

4. 4. Undertaking and instruction

   1. Each party undertakes to process the personal data that it has access to under the Agreement on behalf of the other party, for the purpose of fulfilling the Agreement and during the term of the Agreement. Both parties further undertake:
   1. To process the personal data in accordance with the Data Protection Legislation, and the Agreement. 
   2. To keep the Personal Data confidential and not to disclose the Personal Data to any third parties or in any other way use the personal data in contradiction with the Agreement and this DPA. Parties shall also ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
   3. Each party shall maintain a publicly accessible privacy policy that is available via a prominent link that satisfies the transparency disclosure requirements of Data Protection Laws. Each party warrants and represents that it has provided data subjects with appropriate transparency regarding data collection and use and all required notices and obtained any and all consents or permissions necessary under Data Protection Laws. 
   4. To assist Other Party, taking into account the nature of the processing, by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of parties obligations to respond to and to fulfil requests from data subjects exercising their rights laid down in Chapter III of the GDPR; and
   5. To assist each other in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR (implement security measures, manage personal data breaches, conduct data privacy impact assessments and participate in prior consultations with the supervisory authority) taking into account the nature of the processing and the information available to Parties. 
   6. To respond to requests to exercise Data Subject rights under the Data Protection Laws.

5. 5. Transfer of personal data

   Either party may Transfer Personal Data out of the EU/EEA if it complies with the provisions on the transfer of Personal Data to Third-countries in the Data Protection laws (such as transfer of Data to Jurisdictions that have adequate data protection laws).

   If personal data processed under this Agreement is transferred from a country within the European Economic Area to a country outside the European Economic Area, the Parties shall ensure that the personal data are adequately protected. To achieve this, the Parties shall, unless agreed otherwise, rely on EU approved standard contractual clauses for the transfer of personal data.

6. 6. Information security

   The parties shall implement all appropriate technical and organizational measures necessary in order to ensure a level of security, as required pursuant to the Data Protection Legislation (Article 32 of the GDPR (32 § Data Protection Act (523/1999)) and other measures necessary in order for the parties to comply with the security requirements set out in the Agreement).

   If a party makes changes that could affect the protection of personal data, it shall inform the other party of this well in advance before such changes are implemented.

   Data Breach. In the event of a data breach or any potential violation of information security, The Parties shall notify Each other without delay after becoming aware of the infringement of information security of Personal Data or any other violation of Data Protection Legislation or this DPA. As a part of the notification, You must inform Storycards without delay and in writing all the necessary information about the disturbance and the related measures, especially:

   1. a description of the nature of the infringement of information security, including the information of registered groups and estimated amount of registered persons affected by the infringement along with the information required by Data Protection Legislation
   2. necessary information regarding the statutory obligations and fulfillment of the contractual obligations of Controller. These obligations shall be based, inter alia, Data Protection Legislation, agreements made with third parties and/or a request, a guidance and/or a ruling made by the supervisory authority or a tribunal
   3. necessary information for preventing similar infringements of the information security and information required for the notifications made for the Visitor, registered persons, and possible third parties.

   It is hereby clarified that any notice to be given to Visitors and third parties is the full responsibility of the User and he undertakes to do so without any delay, and in accordance with Data Protection Legislation.

7. 7. Audit

   1. You undertake to facilitate and participate in audits, including inspections, carried out by Storycards or governmental authority or by a third party authorized by Storycards.
   2. The parties shall immediately inform and consult with the other in the event that a supervisory authority initiates or takes any action in relation to the processing of personal data under the Agreement or the DPA.

8. 8. Data Protection Impact Assessment and Prior Consultation

   Both Parties shall provide reasonable assistance to each other with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Company reasonably considers to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law.

9. 9. Engaging sub-processors

   1. We may engage and/or replace a sub-processor for the performance of Our processing for Visitor`s personal data and Collected Data, as defined in the privacy policy, under the DPA.

10. 10. Damages and compensation

    You shall, without limitation, hold harmless and indemnify Storycards in the event of damage that is attributable to the User`s processing of personal data in breach of the DPA or the Data Protection Legislation. For the avoidance of doubt, administrative fines are imposed on the Party in breach of its obligations and, in consequence, neither party will bear the other Party’s administrative fines.

11. 11. Order of validity of contract documents

    This DPA is an irremovable part of the Agreement. In any event of a contradiction between this DPA and the Agreement, the provisions of this DPA shall govern solely with respect to the Processing of Visitors Personal Data.

12. 12. Miscellaneous

    1. The DPA is effective for as long as You are using Our Service.
    2. In the event that You are in breach of your obligations under this DPA or Data Protection Legislation, and fails to remedy the deficiency within thirty (30) days after being notified of the breach, or within the time period agreed between the Parties, We have the right to terminate the Agreement with immediate effect or the longer period of notice notified by us.
    3. Costs. Subject to applicable Data Protection Laws, to the extent any assistance described in this DPA entails material costs or expenses to Storycards, the parties shall first come to an agreement on Your reimbursement to Storycards of such costs and expenses.
    4. Deletion of Personal data. Upon termination of your use of the Services or your written request submitted through one of the methods detailed in the Privacy Policy, We shall delete Your Personal Data and related Visitor`s Personal Data as soon as reasonably practicable and according to the Agreement and applicable laws.

       Notwithstanding the foregoing, We may retain Personal Data and Visitors Personal data (or a portion of it), if required under the Agreement or by applicable law or regulation (including applicable Data Protection Laws); provided such Personal data remains protected in accordance with the terms of this DPA and applicable Data Protection Laws.

    5. For the avoidance of doubt and to the extent allowed by applicable law, all liability under this DPA, including limitations thereof, will be governed by the relevant provisions of Our Terms of Use.
    6. You acknowledge and agree that We may amend this DPA as may be required from time-to-time, by posting the relevant amended and DPA on Our website, available at https://storycards.com and any amendments to the DPA are effective as of the date of posting. Your continued use of the Services after the amended DPA is posted constitutes your agreement to, and acceptance of, the amended DPA.
    7. If any provision of this DPA deemed by a court of competent jurisdiction to be invalid, unlawful, void, or for any reason unenforceable, then such provision shall be deemed severable and will not affect the validity and enforceability of the remaining provisions.

13. 13. Governing law and Dispute resolution

    1. The DPA shall be governed by and construed in accordance with law of Israel.
    2. Disputes regarding the interpretation and application of the DPA shall be settled in accordance with the provisions in the Agreement regarding dispute resolution.