DPA


Data Processing Addendum

This Data Processing Addendum (“Addendum”) is entered by and between Customer (whose details appear in the applicable subscription form) and Unbotify Ltd., a company incorporated under the laws of the State of Israel, with its principal place of business at Khoresh H-Alonim St 12, Ramat Yishai, 3009500, Israel (“Unbotify”).

WHEREAS,     Unbotify has engaged in a services agreement (the “Agreement”) with Customer; and

WHEREAS,     pursuant to the Agreement, Unbotify provides Customer access to use its fraud detection platform (the “Platform”); and

WHEREAS,     the Platform involves processing certain personal data of Customer’s end users, and the parties wish to regulate Unbotify’s processing of such personal data, through this Data Processing Addendum; and

WHEREAS,     in consideration of the mutual obligations set out herein, the parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Agreement.

THEREFORE, the parties have agreed as follows:

1. Definitions.

1.1           “EEA” means the European Economic Area;

1.2           “Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;

1.3           “GDPR” means EU General Data Protection Regulation 2016/679;

1.4           “Personal Data” means any Personal Data Processed by Unbotify or its sub-processors on behalf of the Customer pursuant to or in connection with the Agreement;

1.5           “Sub-processor” means any person appointed by or on behalf of Unbotify to Process Personal Data on behalf of Customer in connection with the Agreement; and

1.6           The terms “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.

2. Processing Personal Data

2.1         Customer commissions, authorizes and requests that Unbotify provide Customer the Platform, which involves Processing Personal Data.

2.2        With respect to those activities of Unbotify as a ‘Data Processor’, Unbotify will Process the Personal Data only on Customer’s behalf and for as long as Customer instructs Unbotify to do so. Unbotify shall not Process the Personal Data for any purpose other than the purpose set forth in this Addendum.

2.3       The subject matter and purposes of the Processing activities are the provision of a platform for detecting fraudulent activities made by users of Customer, including maintenance, support, enhancement and deployment of the same. The Personal Data Processed may contain, or be indicative of, personal information of Customer’s end users, depending on the particulars of the services. At the minimum the Personal Data will include: IP address, device and web/application activity information. The data transferred is related only to human-device interaction, and is stripped of any persistent user data – data transferred only relates to specific sessions and is not attached to specific users. Customer may add additional personal data about customers and users to enrich the Platform.

2.4      The Data Subjects about whom Personal Data is Processed are Customer’s end users and Customer’s personnel that are using the Platform (e.g. employees of Customer).

 

2.5      With respect to those activities of Unbotify as a Data Processor, Unbotify will Process the Personal Data only as set forth in this Addendum. Customer and Unbotify are each responsible for complying with the Data Protection Law applicable to them in their roles as Data Controller and Data Processor, respectively.

 

2.6      In Processing Personal Data, Unbotify represents that it has implemented the technical and organizational measures that are specified in Annex A.

2.7       If the Data Protection Law does not apply to the Customer, then Customer must abide by whatever other data privacy and data security laws and regulations are applicable to it, and at a minimum –

2.7.1   Obtain and maintain valid, any and all authorizations, permissions and informed consents, including those of individuals about whom the Platform may process personal data or personally identifiable information, as may be necessary under applicable laws and regulations, in order to allow Unbotify to lawfully collect, handle, retain, process and use the processed data within the scope of the Platform.

2.7.2   Substantiate the legal basis and legitimize pursuant to applicable law, any and all personal data or personally identifiable information transferred to Unbotify, whether directly by the Customer or indirectly by a third party retained by and operating for the benefit of the Customer.

2.7.3   Have, properly publish and abide by an appropriate privacy policy that complies with all applicable laws and regulations relating to personal data or personally identifiable information of Customer’s end users.

3. With respect to those activities of Unbotify as a Data Processor, Unbotify will Process the Personal Data only on documented instructions from Customer that are provided in writing or through the configuration of the Platform, unless Unbotify is otherwise required to do so by law to which it is subject (and in such a case, Unbotify shall inform Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest). Unbotify shall immediately inform Customer if, in Unbotify’s opinion, an instruction is in violation of Data Protection Law.

4. Unbotify’s Personnel

Unbotify shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to Customer Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know or access the relevant Customer’s Personal Data, as strictly necessary for the purposes of the Agreement, and to ensure that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

5. Data Subjects Rights

5.1   Unbotify will follow Customer’s instructions to accommodate and assist Data Subjects’ requests to exercise their rights in relation to their Personal Data, including accessing their data, correcting it, restricting its processing or deleting it. Unbotify will pass on to Customer requests that it receives from Data Subjects regarding their Personal Data Processed by Unbotify.

5.2   Unbotify shall promptly notify Customer if it receives a request from a Data Subject under any Data Protection Law, in respect of Customer Personal Data and shall ensure that it does not respond to that request except on the documented instructions of Customer or as required by Data Protection Laws to which Unbotify is subject, in which case Unbotify shall to the extent permitted by Data Protection Laws inform Customer of that legal requirement before it responds to the request.

6. Sub Processors

6.1  Customer acknowledges and agrees that Unbotify uses the Sub-processors listed in Annex B, attached hereto.

6.2  Customer authorizes Unbotify to engage sub-processors for carrying out specific processing activities of the Platform. If requested, Unbotify will provide the Customer the list of Sub-processors used. Customer shall have the right to object, on reasoned grounds, to Unbotify’s use of a Sub-processor. If Customer so objects, Unbotify may not engage that new or substitute sub-processor for the purpose of Processing Personal Data in the provision of the Platform and may terminate the Agreement with the Customer for convenience, without liability to Customer for such premature termination.

7. Cross-Border Transfer

7.1  Unbotify and its sub-processors will only Process the Personal Data in member states of the EEA, in territories or territorial sectors (e.g., Privacy Shield) recognized by an adequacy decision of the Commission, as providing an adequate level of protection for Personal Data pursuant to Articles 45 or 46 of the GDPR, or using adequate safeguards as required under Data Protection Law governing cross-border data transfers (e.g., Model Clauses).

7.2  Where Unbotify does not have Privacy Shield coverage for its Personal Data Processing activities, Unbotify and the Customer hereby subscribe to the standard contractual clauses for the transfer of personal data to processors established in third countries (“Controller to Processor EU Model Clauses”), pursuant to EU Commission Decision 2010/87/EU, which are incorporated hereto by reference. For the purpose of the Controller to Processor EU Model Clauses:

7.2.1 Customer shall be the data exporter, an operator of the services in which the Platform is implemented.

7.2.2 Unbotify shall be the data importer and operator of the Platform.

7.2.3 The parties’ contact information shall be as set out in the Agreement.

7.2.4 The Data Subjects are as set out in Section 4 above.

7.2.5 The categories of Personal Data are as set out in Section 2.3 above.

7.2.6 The processing operations include collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, dissemination or otherwise making available, alignment or combination, pseudonymization, erasure.

8. Audits.

8.1 Unbotify shall allow for and contribute to audits, including carrying out inspections on Unbotify’s business premises conducted by Customer or another auditor mandated by Customer during normal business hours and subject to a prior notice to Unbotify of at least 30 days as well as appropriate confidentiality undertakings by Customer covering such inspections in order to establish Unbotify’s compliance with this Addendum and the provisions of the applicable Data Protection Law as regards the Personal Data that Unbotify processes on behalf of Customer. If such audits entail material costs or expenses to Unbotify, the parties shall first come to agreement on Customer reimbursing Unbotify for such costs and expenses.

9. Personal Data Breach.

9.1 Unbotify shall without undue delay notify Customer of any ‘Personal Data Breach’ (as this term is defined and used in Data Protection Law) that it becomes aware of regarding Personal Data of Data Subjects that Unbotify Processes. Unbotify will use commercial efforts to mitigate the breach and prevent its recurrence.

9.2 Unbotify shall co-operate with Customer and take such reasonable commercial steps as are directed by Customer to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

9.3 Customer and Unbotify will cooperate in good-faith on issuing any statements or notices regarding such breaches, to authorities and Data Subjects.

10. Data Privacy Impact Assessment

11. Unbotify will assist Customer with the eventual preparation of data privacy impact assessments and prior consultation as appropriate, provided, however, that if such assistance entails material costs or expenses to Unbotify, the parties shall first come to agreement on Customer reimbursing Unbotify for such costs and expenses.

12. Miscellaneous

12.1 Unbotify will provide Customer prompt notice of any request it receives from authorities to produce or disclose Personal Data it has Processed on Customer’s behalf, so that Customer may contest or attempt to limit the scope of production or disclosure request.

12.2 All notices required or contemplated under this Addendum to be sent by Unbotify will be sent either by electronic mail to Customer to the email address that Unbotify has on file for the Customer’s main contact person, or, at Unbotify’s choice.

12.3 Upon Customer’s request, Unbotify will delete the Personal Data it has Processed on Customer’s behalf under this Addendum from its own and its sub-processor’s systems, and upon Customer’s request, will furnish written confirmation that the Personal Data has been deleted pursuant to this section.

12.4 The duration of Processing that Unbotify performs on the Personal Data is for the period set out in the Agreement between the parties. This Addendum shall prevail in the event of inconsistencies between it and the Agreement between the parties or subsequent agreements entered into or purported to be entered into by the parties after the date of this Addendum – except where explicitly agreed otherwise in writing.

12.5 The parties’ liability under this Addendum shall be pursuant to the liability clauses in the various parts of the Agreement.

 

Last Update: 24 June 2018

Annex A

Description of the technical and organisational security measures

 

  • Storage – Personal Data is stored on Amazon AWS S3 service in separate and private storage buckets. These buckets are only accessible with Unbotify’s AWS accounts, open only to Unbotify’s employees and protected by two-factor authentication.
  • Access Privileges Management: Unbotify manages database access privileges and imposes restrictions on those with access privileges. This includes maintaining an updated list of users authorized to access the database, according to the various access privileges.
  • Secure Connections: All connections to Unbotify’s endpoints are secured via SSL/TLS. All of Unbotify’s endpoints use up-to-date encryption methods. SSLv3 is never used. All data to and from Unbotify’s databases is sent over the HTTPS protocol.
  • Application Security: Unbotify utilizes secure development best practices that integrate security reviews throughout the development process.
  • Customer Data Protection: All data is classified as confidential and treated as such. Each customer has a dedicated storage unit, isolated from other customers.
  • Confidentiality & Obligations: Authorized users of Unbotify execute an undertaking of confidentiality and obligations.
  • Hardened Operating System: Unbotify’s backend runs on hardened AMI Linux servers, with security updates automatically applied.
  • Third Party Testing: Unbotify runs internal vulnerability scans and external penetration tests.
  • Infrastructure Access: All access to Unbotify’s AWS infrastructure is done over a secured VPN. Authentication across all the services is managed by the OneLogin™ cloud identity management platform and utilizes 2FA. Access permissions to underlying AWS resources are managed by IAM roles and policies, per AWS best practices.

Annex B

Service Provider | Function
Amazon Web Services | Cloud Computing and storage
Databricks | Big data services