callmarker-logo-white.png

Data Protection Agreement

This Data Protection Agreement (“Agreement”) is incorporated by reference into the Exhibit A – Initial SOW (“Main Agreement“) and is entered into between you (“Controller”) and CallMarker Ltd., on behalf of itself and its affiliates (“Processor“), as required by EU General Data Protection Regulation 2016/679 (“GDPR”), European Union (Withdrawal Agreement) Act 2020 and amended by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2020 (“UK GDPR”), California Consumer Privacy Act (Cal. Civ. Code §1798) (“CCPA”), Israel Protection of Privacy Law, 5741-1981 and Regulations and any other data protection laws, all as applicable (“Applicable Laws”). Capitalized terms not otherwise defined herein or in the Main Agreement, shall take the meaning ascribed to them by Applicable Laws. 

YOU MUST REVIEW AND ACCEPT THE TERMS OF THIS AGREEMENT BY CLICKING ON THE “I ACCEPT” BUTTON AT THE END OF THIS AGREEMENT.  ONCE ACCEPTED, THIS AGREEMENT BECOMES A BINDING LEGAL COMMITMENT.  YOU REPRESENT THAT (I) YOU HAVE READ, UNDERSTAND, AND AGREE TO BE BOUND BY THE TERMS OF THIS AGREEMENT, (II) YOU ARE OF LEGAL AGE TO FORM A BINDING CONTRACT, AND (III) YOU HAVE THE AUTHORITY TO ENTER INTO THE AGREMENT BEHALF OF THE ENTITY YOU REPRESENT, AND TO BIND THAT ENTITY TO THE TERMS OF THIS AGREEMENT.  IF YOU DO NOT AGREE TO BE BOUND BY THESE TERMS, YOU SHOULD NOT CLICK THE “I ACCEPT” BUTTON.   

Processor shall comply with the following in respect of any and all personal data (as defined Applicable Laws:

  1. Controller’s Compliance. Controller’s instructions for processing of Personal Data shall comply with all applicable privacy and data protection laws. Controller shall have sole responsibility for the accuracy, quality and legality of Personal Data and the means by which Controller acquires and processes Personal Data, including required notices and consents. 
  2. Details of Processing. The details of the processing activities to be carried out by Processor in respect of the Services are specified in Appendix 1. 
  3. Data Subjects Rights. Processor shall assist Controller, by using appropriate technical and organizational measures, in the fulfillment of Controller’s obligations to respond to requests by data subjects in exercising their rights under applicable laws. 
  4. Confidentiality. Processor shall ensure that its personnel engaged in the processing of Personal Data are bound by a confidentiality undertaking.   
  5. Data Breach. Processor will promptly notify Controller after becoming aware of any suspected or actual breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data (“Data Breach“). 
  6. Records. Processor will maintain up-to-date written records of its processing activities, including, inter alia, Processor’s and Controller’s contact details, details of data protection officers (where applicable), the categories of processing, transfers of Personal Data across borders and the technical and organizational security measures implemented by the Processor. Upon request, Processor will provide an up-to-date copy of these records to Controller.
  7. Sub-Processors. Controller acknowledges and agrees that Processor may engage any of the third-party sub-processors listed in Appendix 2, which Processor may update from time to time. Such sub-processors shall be bound by data protection obligations no less protective than those in this Agreement to the extent applicable to the nature of the Services provided by such sub-processor. If required for processing by any of Processor’s entities, the EU Standard Contractual Clauses shall also apply hereto.  
  8. Assistance. Processor will assist Controller in ensuring compliance with Controller’s obligations related to the security of the processing, notification and communication of Data Breaches, conduct of data protection impact assessments and any inquiry, investigation or other request by a supervisory authority.
  9. Possible Violation. Where Processor believes that an instruction would result in a violation of any applicable data protection laws, Processor shall notify the Controller thereof.
  10. Information. Processor will make available to Controller, upon request, information necessary to demonstrate compliance with the obligations set forth in this Agreement.
  11. Audits. Upon Controller’s request, Processor shall cooperate with audits and inspections of its compliance with the requirements and obligations herein and/or under applicable law. Such audits and inspections may be conducted by Controller or by any third party designated by Controller. 
  12. Technical and Organizational Measures

12.1 Processor shall implement and maintain all technical and organizational measures that are required for protection of the Personal Data and ensure a level of security that is appropriate to for dealing with and protecting against any risks to the rights and freedoms of the data subjects, and as required in order to avoid accidental or unlawful destruction, loss, alteration or unauthorized disclosure of, or access to Personal Data and/or as otherwise required pursuant to Applicable Law, including, inter alia, the measures set forth in Appendix 3. When complying with Section 12 hereof, Processor shall take into consideration the state of technological development existing at the time and the nature, scope, context and purposes of processing as well as the aforementioned risks. 

12.2. Processor shall regularly monitor its compliance with this Agreement and will provide Controller, upon request, with evidence that will enable verification of such monitoring activities. Processor shall promptly implement all changes to Appendix 3, as requested by Controller. Processor shall ensure that all persons acting under its authority or on its behalf and having access to the Personal Data, do not process the Personal Data except as instructed by Controller and permitted herein.

  1. Transfer of Personal Data to Third Countries. Processor will not transfer Personal Data to a recipient located in a country that is not a Member State of the European Union or European Economic Area, unless that country is considered by the European Commission to have an adequate level of protection or pursuant to an EU standard contractual clauses for the transfer of personal data to processors established in third countries (Commission Decision 2010/87/EC), before such transfer.
  2. Return and Deletion of Personal Data. On the Controller’s request, Processor shall return or destroy Personal Data to the extent allowed by applicable law.
  3. Amendments. If Processor considers that changes are required to this Agreement in order to comply with requirements of applicable laws or of a competent authority, this Agreement will be amended accordingly.

Appendix 1 – Processing Details

  1. Nature, Purpose, and subject matter of the Processing. The nature, purpose, and subject matter of the Processing is the provision of the Services set forth in the Main Agreement.
  2. Categories of Data Subjects. Controller’s personnel (representatives) and customers.
  3. Types of Personal Data. Any Personal Data provided by Controller under the Terms of Service for the purpose of providing the Services. This may include, inter alia, representative name, email address, job title and voice recordings (if applicable), and customer phone number, fields of interest, recordings etc.

Appendix 2 – Sub-Processors

  1. DigitalOcean LLC, cloud hosting
  2. Twilio Inc, messaging infrastructure
  3. Intercom Inc, customer support
  4. Google Inc, data analytics
  5. OpenAI Inc, language processing

Appendix 3 – Technical and Security Measures

  1. Control Environment. CallMarker management has established and maintains an internal control structure that monitors compliance with established policies and procedures. Policies and procedures are documented, reviewed and approved on an annual basis by the management team and available to company employees. Moreover, all company employees are required to sign on the general company policies.
  2. Physical access. Access to the CallMarker office is restricted to authorized personnel using front desk personnel.
  3. Infrastructure Security. (i) CallMarker’s Virtual Private Cloud is designed to be logically separated from other cloud customers and to prevent data within the cloud being intercepted. Servers are protected by restricted firewalls to minimise communications to and between the servers. Configuration of firewall is restricted to authorized personnel, as well as access to management interface. Servers are hardened according to industry best practices.

(ii) Intrusion: monitoring tools are implemented to detect unusual or unauthorized activities and conditions at ingress and egress points. These tools monitor server and network usage, port scanning activities, application usage and unauthorized intrusion attempts.

(iii) Segregation: CallMarker’s corporate network is completely separated from production network. Access to the network resources management platform is restricted to authorized personnel. Access to the production environment is performed using SSH key and is restricted to authorized personnel. Interactions between customers and company production environments are performed by using an encrypted channel based on an authenticated TLS connection.

(iv) An antivirus is installed on all employees’ workstations. Antivirus reports are sent to relevant stakeholders on a regular basis.

  1. Application Security. Only authorized Callmarker members have access to organization data. All traffic between the customer’s client and the Callmarker platform is encrypted through TLS1.2 with only the most secure algorithms enabled. Encryption between Callmarker customers and the application as well as between Callmarker sites is enabled using an authenticated TLS tunnel. Passwords are hashed using bcrypt and never stored in clear-text. Customer data is segregated in line with industry best practices.
  2. Operational Security. Access to the production environment is restricted to authorized personnel based on job function and least privilege. Internal and external system users are identified and authenticated when accessing the system components (for example, infrastructure, software, and data). Users are identified using a user ID/password combination. Strong password configuration settings, where applicable, are enabled on CallMarker’s production servers, application and database servers. Access to the production is performed using 2fA. Access permissions are reviewed regularly. Patches for software components are managed.
  3. Availability Procedures. production environments are hosted in DigitalOcean and fully managed by CallMarker’s DevOps. The production environment is comprised of numerous components such as web services, application and data server types, database, monitoring tools, and redundant network services. CallMarker maintains a dedicated operations team to provide service availability to customers and to support the operations of CallMarker environments. The company uses a suite of monitoring tools in order to monitor its service. Alerts are sent to relevant stakeholders based on predefined rules.
  4. DatabaseBackup. Database servers at the data centers are located in secured locations with security measures implemented to protect against environmental risks or disaster. CallMarker conducts an hourly backup to database, a daily backup and a weekly server backup. Backups are stored in encrypted servers and in other secure location. CallMarker’s Time Objective (RTO) is 12 hours and Recovery Point Objective (RPO) is 24 hours.
  5. IncidentManagement Process. CallMarker prepares policies and periodically trains its team for immediate and effective response to incidents regarding user data, personal data or that involve the availability and integrity of CallMarker’s systems or network.
  6. Securityawareness and privacy training. An ongoing security and privacy awareness and training program is maintained for all employees (including management, employees, contractors and other agents), which includes training on how to implement and comply with the information security program and setting forth disciplinary measures for violation of the security program. Security and privacy awareness training are conducted at least annually.