Customer DPA

This Data Processing Addendum (“DPA”) forms part of the Terms of Service (“Agreement”) entered by and between you, the Customer (as defined in the Agreement) (collectively, “you”, "your”, “Customer”, “Client”), and uPress. (“uPress”, “us”, “we”, “our”) to reflect the parties’ agreement regarding the Processing of Personal Data by uPress, solely on behalf of the Customer. Both parties shall be referred to as the “Parties” and each, a “Party”.

This DPA will apply to you to the extent, and if, as specified in the agreement, the GDPR applies to data stored on your site. For the avoidance of doubt, it is clarified that, as specified in the terms of use agreement, our services are intended for image sites and blogs (and/or the image part of the site). Our services are not suitable for managing "A data library" (as it means in Israeli law, and not as it means as a professional term), and are certainly not suitable for storing sensitive data, such as medical data, financial data,  etc., and are not even intended for storing and saving business data which is not public. If, for example, it is a website that is also used as an online store, the issue of payments must be handled not on the website but through companies that meet the relevant standards.

In the event of any conflict between certain provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail over the conflicting provisions of the Agreement solely with respect to the Processing of Personal Data.

1. Definitions
   1. “Applicable Law”: GDPR, CCPA, and all privacy and data protection laws and regulations, including such laws and regulations of the European Union, the European Economic Area and their Member States, Switzerland, the United Kingdom, and the United States of America, as applicable to the Processing of Personal Data under the Agreement.
   2. “GDPR”: the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons regarding the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
   3. “CCPA”: the California Consumer Privacy Act of 2018.
   4. “Data Subject”: the identified or identifiable person to whom the Personal Data relates.
   5. “Personal Data”: any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, to or with an identified or identifiable natural person or Consumer (as defined in the CCPA), which is processed by uPress solely on behalf of Customer, under this DPA and the Agreement between Customer and Processor
   6. “Process”: with respect to Personal Data, means to store, organize, record, structure, analyze, modify, encrypt, display, disclose, transmit, receive, render unusable, or destroy, by automated means or otherwise; and/or any other use or activity that is defined or understood to be processing under Applicable Law.
   7. “Applicable Law”: GDPR, CCPA, and all privacy and data protection laws and regulations, including such laws and regulations of the European Union, the European Economic Area and their Member States, Switzerland, the United Kingdom, and the United States of America, as applicable to the Processing of Personal Data under the Agreement.
2. Processing of personal data. uPress will not Process the Personal Data except as permitted by the Agreement or client other written instructions, or as necessary for our internal administrative purposes related to the provision of our Services. uPress will make available a list of any sub-processors we use in compliance with Applicable Law. We will require any sub-processors to contractually agree to terms at least as protective of your Personal Data as those stated in this DPA and the Agreement.
3. Confidentiality. uPress will ensure that its personnel engaged in the processing of Personal Data, have committed themselves to confidentiality.
4. Compliance. Each party will comply with Applicable Law as it relates to such party’s performance under the Agreement.
5. sensitive personal data: The customer undertakes, as also stated in the agreement, that he will not store sensitive information on his website, such as medical data, financial data, and any other sensitive information about his customers and in general. For the avoidance of doubt, the customer clarifies that he is aware that the uPress is not HIPPA compliant. A breach of this issue is a fundamental breach of this document and of any contract between the customer and the processor.
6. Data Subject request. uPress will notify you if we receive a request from a Data Subject to take any action with respect to Personal Data pertaining to the Data Subject unless notice is prohibited by Applicable Law; and, except to the extent required by Applicable Law, we will not independently take any action in response to a request from a Data Subject without your prior written instruction. We will cooperate with your reasonable requests for access to Personal Data and other information and assistance as necessary to respond to a request or complaint by a Data Subject.
7. Data Incident. uPress maintains security incident management policies and procedures and, to the extent required under applicable Data Protection Laws, shall notify Customer without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data Processed on behalf of the Customer, including Personal Data transmitted, stored or otherwise Processed by Processor or its Sub-processors of which Processor becomes aware (a “Data Incident”). We shall make reasonable efforts to identify the cause of such Data incidents and take those steps as the Processor deems necessary and reasonable in order to remediate the cause of such a Data Incident to the extent the remediation is within the Processor’s reasonable control. The obligations herein shall not apply to incidents that are caused by Customer or Customer’s users. Customer will not make, disclose, release or publish any finding, admission of liability, communication, notice, press release, or report concerning any Data Incident which directly or indirectly identifies the Processor (including in any legal proceeding or in any notification to regulatory or supervisory authorities or affected individuals) without Processor’s prior written approval, unless, and solely to the extent that, Customer is compelled to do so pursuant to applicable Data Protection Laws. In the latter case, unless prohibited by law, Customer shall provide Processor with reasonable prior written notice to provide Processor with the opportunity to object to such disclosure and in any case, Customer will limit the disclosure to the minimum scope required.
8. Personal Data you disclose to us. With regard to the Personal Data of others that you may provide to us, you hereby represent and warrant: (1) the Personal Data has been collected in accordance with Applicable Law, and the transfer to us for the purpose of providing the Services is authorized under Applicable Law; (2) you will comply with Applicable Law as to requests from Data Subjects in connection with the Personal Data; (3) you shall disclose to us only that Personal Data that is necessary for our provision of the Services, and never ask us to take any action with respect to the Personal Data that you are not permitted to take directly.
9. CCPA. For the purposes of CCPA: (1) we are a “Service Provider” as defined under Section 1798.140(v); (2) you are disclosing Personal Data to us solely for a valid business purpose in providing the Services to you; and (3) we will not sell Personal Data or retain, use, or disclose Personal Data except as required to provide the Services in accordance with the Agreement.
10. Audit, Records. We will comply with any audit request to the extent required by law or due legal process. We will keep reasonable records to evidence our compliance with our obligations under this DPA and shall preserve such records for at least two (2) years from the date of the events reflected therein.