This Data Processing Addendum (“Addendum”) applies pursuant to, and supplements, the Order Form (“Agreement”) entered into between the customer named on the Order Form (“Controller”) and Supertools, Inc. d/b/a timeOS (“Processor”).

  1. Select Definitions. The following terms, when capitalized and used in this Addendum (unless otherwise indicated), shall have the meaning set forth below. Any capitalized terms not defined in this Addendum shall have the meanings given to them in the Agreement.
  2. “Anonymous Information” means information which does not relate to an identified or identifiable natural person or to Personal Data rendered anonymous in such a manner that the data subject is not or no longer identifiable.
  3. “Applicable Law” means any law, regulation, ordinance, rule, or order of any governmental or judicial body which applies to the Processing of the Personal Data.
  4. “Consent” means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
  5. “Data Protection Laws” means all laws and regulations, ordinances, rules, or orders of any governmental or judicial body, which apply to the Processing of Personal Data, such as GDPR, the CCPA and the Israeli Protection of Privacy Law, 1981.
  6. “Controller Personal Data” means any Personal Data which is supplied or made available by Controller or on its behalf and Processed by Processor, or on its behalf, on behalf of the Controller in connection with the Services (defined below).
  7. “EU Data Protection Laws” means the GDPR and any law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding instrument which implements the GDPR, the e-Privacy Directive 2002/58/EC, or any decision, directive or regulation of the EU Parliament, EU Commission, EU Court of Justice or other body, as any of the above may be amended, replaced or superseded from time to time.
  8. “GDPR” means Regulation (EU) 2016/679 (General Data Protection Regulation).
  9. “CCPA” means the California Consumer Privacy Act of 2018 and the regulations issued thereunder.
  10. “Personal Data” shall have the meaning ascribed to the terms “personal data”, “personal information”, or other such terms as provided under applicable Data Protection Law. It means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  11. “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
  12. “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, destruction and any automated means necessary for the improvement of the Services, including without limitation, AI learning and testing, machine learning models and any other automated model required for the Services.
  13. “Services” means the products, services and other activities to be supplied or carried out by or on behalf of the Processor or its affiliates pursuant to the Agreement.
  14. “Subprocessor” means any third party appointed by or on behalf of Processor to Process Controller Personal Data in connection with the Services or this Addendum.
  15. Processing Personal Data by Processor. Processor shall only Process Controller Personal Data: (i) pursuant to the Controller’s reasonable and necessary documented instructions; (ii) as necessary to perform the Services; (iii) to share Controller Personal Data with, or receive Controller Personal Data from, third parties in accordance with Customer’s instructions and/or pursuant to Customer’s use of the Services (e.g. integrations between Processor’s Services and any services provided by third parties as configured by or on behalf of Customer); (iv) to render Customer Personal Data anonymous, thus excluding it from the definition of Personal Data; (v) as required by Union or Member State law or any other applicable law to which Processor and its affiliates are subject, in which case, Processor shall, to the extent possible, inform the Customer of the legal requirement before processing, unless that law prohibits such information on important grounds of public interest. Controller hereby instructs Processor, along with companies within its corporate group, to Process Controller Personal Data as needed in order to perform the Services or to comply with the Agreement or Applicable Law.

To the extent that Processor or its affiliates cannot comply with a request (including, without limitation, any instruction, direction, code of conduct, certification, or change of any kind) from Customer relating to the Processing of Controller Personal Data or where Processor considers such a request to be unlawful, Processor (i) shall inform Customer, providing relevant details of the problem, (ii) Processor may, without any kind of liability towards Customer, temporarily cease all Processing of the affected Customer Personal Data (other than securely storing the data), and (iii) if the Parties do not agree on a resolution to the issue in question and the costs thereof, Processor may, as its sole remedy, terminate the Agreement and this Addendum with respect to the affected Processing, and Customer shall pay to Processor all the amounts owed to Processor or due before the date of termination. Customer will have no further claims against Processor (including, without limitation, requesting refunds for Services) due to the termination of the Agreement and/or the Addendum in the circumstances described above.

Processor will not be liable in the event of any claim brought by a third party, including, without limitation, a Data Subject, arising from any act or omission of Processor, to the extent that such is a result of Customer’s instructions.

  1. Description of Processing. The subject-matter and duration of the Processing to be performed, the nature and purpose of such Processing, the type of Personal Data and categories of data subjects and the obligations and rights of the Controller in respect of such Processing, are set forth in Annex 1 (Description of Processing), attached hereto.
  2. Confidentiality. Processor shall only authorize persons to participate in the Processing of the Controller Personal Data who have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.