DATA SHARING AGREEMENT
This Data Sharing Agreement, together with its Annexes (the "DSA") is incorporated into and forms part of the Agreement between altshare Ltd. and its subsidiary, altshare Trusts Ltd. (together, "altshare"), and the company engaged with altshare under the Agreement (as defined below) ("Client"). altshare and Client are also referred to herein individually as a "Party", and together as the "Parties".
This DSA reflects the Parties’ agreement with regard to the Processing of Personal Data disclosed by Client to altshare in connection with the performance of the altshare services ("altshare Service(s)") as set out in the relevant agreement to which this DSA is attached (the "Agreement").
Whereas, the Parties agree that in performance of the Agreement, Client shares Personal Data with altshare; and the Parties wish to set forth the mutual obligations with respect to the Processing of Personal Data by the Parties;
Now therefore, intending to be legally bound, the Parties hereby agree as follows:
1. DEFINITIONS. In addition to capitalized terms defined elsewhere in this DSA, the following terms shall have the meanings set forth below:
1.1. "Data Protection Laws" means the General Data Protection Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data ("GDPR"); and the Israeli Protection of Privacy Law, 5741-1981 ("PPL") and the regulations promulgated thereunder, including without limitation, the Privacy Protection Regulations (Data Security), 2017 ("Israeli Data Protection Legislation"); as such are amended, replaced or superseded from time to time.
1.2. "Controller" means the entity which determines the purposes and means of the Processing of Personal Data and shall also include "Database Owner" as defined in the PPL.
1.3. "Personal Data" means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly; and shall include "Information" and "Sensitive Information" or similar terms as defined in the PPL.
1.4. "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, or harm to the integrity of, Personal Data transmitted, stored or otherwise processed.
1.5. "Processing" means any operation or set of operations which is performed on Personal Data, whether or not by automated means; and shall also have the meaning ascribed to equivalent terms under the PPL.
1.6. "Processor" means the entity which processes Personal Data on behalf of one of the Parties in connection with the Agreement; and shall also include "Database Holder" as defined in the PPL.
1.7. "Supervisory Authority" means an independent public authority which is established by a European Union Member State; and shall also include the Israeli Privacy Protection Authority.
1.8. "Data Subjects" and "Database" shall have the meanings given to them or equivalent terms in Data Protection Laws.
2. RELATIONSHIP OF THE PARTIES.
2.1. Client grants authorization to altshare to process Personal Data of its employees and any other relevant individuals whose Personal Data is disclosed to altshare for the performance and benefit of altshare Services ("Client Beneficiaries"), regarding which Client is the Controller. altshare is the Controller of the Personal Data collected by altshare directly from the Client Beneficiaries. The Parties acknowledge that they are each a separate and independent Controller of the Client Beneficiaries' Personal Data.
2.2. Client shall have the sole responsibility for the accuracy, quality and lawfulness of Personal Data and the means by which Client creates, receives, accumulates and collects Personal Data provided to altshare for the performance of the Agreement. Client hereby warrants and represents that it (i) provides all appropriate notices to the Client Beneficiaries, and (ii) obtains all required informed consents of such Client Beneficiaries in compliance with Data Protection Laws, and/or documents and implements any other legal bases, as required under Data Protection Laws, for allowing altshare to use and process Personal Data.
2.3. Annex I to this DSA sets out details regarding the Processing of Personal Data under the Agreement.
3. PROCESSING OF PERSONAL DATA. Each Party undertakes in relation to Client Beneficiaries' Personal Data disclosed and received from the other Party to:
3.1. be individually and separately responsible for complying with the obligations that apply to it as Controller under Data Protection Laws.
3.2. process Personal Data for the performance of altshare Services and the purposes detailed in Annex I to this DSA only (the "Purposes"). Any other Processing shall be permitted only in the event that such Processing is required by applicable law to which the Party is subject, in which situation each Party shall, unless prohibited by applicable law, inform the other Party of that requirement before engaging in such Processing.
4. PERSONNEL.
4.1. altshare shall take all steps reasonably necessary to ensure the reliability of its employees, contractors, or any other contracted individuals who may have access to Personal Data and shall ensure that each such individual (i) is informed of the confidential nature of the Personal Data; (ii) has limited access to the Personal Data on a need-to-know or access basis to perform the Agreement; (iii) is subject to written confidentiality undertakings or statutory obligations of confidentiality; and (iv) has received appropriate training.
4.2. altshare shall keep a record of the individuals authorized to access the Personal Data.
5. PROCESSORS AND THIRD PARTIES.
5.1. Client is aware that altshare uses third parties as subprocessors to assist it with the provision of altshare Services and authorizes altshare to engage and disclose Personal Data to such subprocessors. altshare will enter into appropriate agreements with its subprocessors. Upon Client’s reasonable request, altshare shall provide Client with the list of altshare’s Processors and third parties appointed for the performance of altshare Services.
5.2. In addition, Client is aware and consents to altshare disclosing relevant Personal Data to additional third parties that are not under the control of altshare, as required for the performance of altshare's duties under the Agreement or under applicable law, such as regulatory authorities, banks, brokers, tax authorities.
6. SECURITY. Each Party undertakes to implement and maintain appropriate technical and organizational measures for the protection of the security, confidentiality and integrity of Personal Data, in particular to prevent any Personal Data Breach, not less protective than the measures required by Data Protection Laws. altshare's security practices are specified under Annex II to this DSA.
7. PERSONAL DATA BREACH AND NOTIFICATION.
7.1. In the event altshare suffers a Personal Data Breach in its systems or Databases affecting Client Beneficiaries' Personal Data, altshare shall promptly notify the Client after becoming aware of the Personal Data Breach, including information required for Client's notification obligations. If the required information is not known to altshare at the time of its notification, altshare shall provide the information to Client as soon as it becomes available. Unsuccessful attempts shall not be deemed a Personal Data Breach.
7.2. altshare shall (i) provide Client with reasonably available information necessary for Client to meet its obligations under applicable Data Protection Laws, including to report the Personal Data Breach to the Supervisory Authority and notify the Client Beneficiaries; (ii) take steps reasonably required to mitigate the harm to Client Beneficiaries and to implement corrective measures; and (iii) keep records of such Personal Data Breach.
8. INDIVIDUALS' RIGHTS. Where altshare or any of its Processors or third parties receives a request from a Client Beneficiary with respect to rights in relation to Personal Data processed for the performance of altshare Service, altshare shall (i) promptly notify Client by delivering the Client Beneficiary’s inquiry; and (ii) respond to the Client Beneficiary directly if such inquiry relates to Personal Data processed by altshare as Controller, or inform Client Beneficiary of the contact details of the Client if such inquiry is related to Personal Data processed by Client as Controller. The Parties shall provide each other reasonable assistance in responding to such Client Beneficiary’s requests under Data Protection Laws.
9. ASSISTANCE. Each Party undertakes to reasonably co-operate with the other Party in (i) any reasonably available information necessary to fulfil the other Party’s obligations under Data Protection Laws in relation to Client Beneficiaries; and (ii) any communication, audit or inquiry from a competent Supervisory Authority or any other regulator concerning the Processing of Client Beneficiaries' Personal Data.
10. TRANSFERS OF PERSONAL DATA.
10.1. Transfers between the Parties. altshare undertakes that all Personal Data is stored or otherwise processed in Israel, which has been recognised by the European Commission as an adequate country as provided under Article 45(1) of the GDPR.
10.2. Onward Transfer. If and when Personal Data originating from the European Economic Area is Processed hereunder and to the extent the GDPR applies, the Processing Party undertakes to transfer Personal Data to a country considered by the European Commission as providing an adequate level of protection of Personal Data; or if subject to any other approved transfer mechanism under the GDPR. For onward transfers of Personal Data originating from Israel, such Party undertakes to transfer Personal Data to a country considered by the Israeli Privacy Protection Authority as providing an adequate level of protection of Personal Data; in the absence of an adequacy decision, the data importer undertakes to comply with applicable mechanisms under the applicable regulations of Israeli Data Protection Legislation.
11. RETENTION AND DELETION.
11.1. Each Party acknowledges that Personal Data may not be kept longer than necessary for the intended Processing.
11.2. Notwithstanding the foregoing, altshare may retain Personal Data to the extent required by applicable laws, provided that (i) Personal Data is retained to the extent and for such period as required by such applicable laws; and (ii) Personal Data is kept confidential and only processed as necessary for the purpose(s) specified in the applicable laws.
11.3. Notwithstanding the foregoing, altshare may also retain and process Personal Data for its own legitimate interests as Controller, all in compliance with Data Protection Laws.
12. GENERAL TERMS.
12.1. Order of Precedence. In the event of inconsistencies between the provisions of this DSA and the Agreement, the provisions of this DSA shall prevail, with regard to the matters covered by this DSA only. Other than as set forth in this DSA, the Agreement shall remain in full force and effect, and the terms of the Agreement shall apply to this DSA, mutatis mutandis.
12.2. Changes to this DSA. Each Party may, by written notice to the other Party, propose changes to this DSA which it reasonably considers as necessary to comply with any Data Protection Laws. The Parties shall discuss and negotiate the proposed changes in good faith with the aim to achieve and ensure compliance with Data Protection Laws. Any modification or cancellation of a section or clause of this DSA shall be made only via a written document mutually signed by the Parties.
IN WITNESS WHEREOF, this DSA is entered into and becomes a binding part of the Agreement with effect from the later date set out below.
____________________________
Altshare Ltd.
_____________________________
Date:
____________________________
Client
_____________________________
Date:
ANNEX I – DETAILS OF PROCESSING
Categories of data subjects: Client’s employees and any other relevant individuals whose Personal Data is provided to altshare for the performance and benefit of altshare Services.
Categories of personal data:
o identification details, such as first name and last name, employee ID.
o contact details, such as email address, phone number.
o employment details related to eligibility to shares and options.
o grant specifics (number of options, vesting, exercise price).
o any relevant performance metrics.
o tax information.
o bank account details.
o any other information necessary for the submission of the trust report and to transfer payments or transfer ownership of shares.
Nature of the processing operations by altshare or by third-parties on its behalf: any Processing operation required for performance of the altshare Services, including: recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of data (whether or not by automated means).
Purpose(s) of the processing: Provision of and access to altshare Services in accordance with the Agreement.
ANNEX II – MINIMUM SECURITY MEASURES
altshare security measures:
1. altshare shall establish a procedure for allowing access to Personal Data and restriction of such access.
2. altshare shall implement physical measures to ensure that access to the Personal Data is granted only to authorized users.
3. altshare shall maintain and implement sufficient and appropriate (based on the type of Personal Data and its sensitivity) environmental, physical and logical security measures with respect to the Personal Data and to altshare’s system's infrastructure, data Processing system, communication means, terminals, system architecture, hardware and software, in order to prevent penetration and unauthorized access to the Personal Data or to the system or communication lines between altshare and its respective clients.
4. altshare shall list all components (infrastructure and software) used to Process the Personal Data, including computer systems, communication equipment, and software. altshare shall use such list to continuously monitor such components and identify weaknesses and risks for the purpose of implementing appropriate security measures to mitigate them.
5. altshare shall act in accordance with an appropriate written information security policy (WISP) and working procedures that comply with the security requirements under this Annex and Data Protection Laws, including with respect to backup and recovery procedures. altshare shall review its security policies and operating procedures periodically and not less than on an annual basis, and when material changes to the systems or Processing are made, all in order to amend them, if required.
6. altshare shall take measures to record the access to the Personal Data, including monitoring the entry into the facilities where the Personal Data is Processed, as well as any equipment brought in or taken out of such facilities.
7. altshare shall implement an automatic control mechanism for verifying access to systems containing Personal Data, which shall include, inter alia, the user identity, date and time of access attempt, the system component attempted to be accessed, type and scope of access and if access was granted or denied. altshare shall periodically monitor the information from the control mechanism, list issues and irregularities and the measures taken to handle them. Control records shall be maintained for a minimum of 24 months.
8. altshare will perform security risk surveys and penetration tests on systems containing Personal Data, at least once every 18 months.
9. altshare will not disclose Personal Data through a public communications network or via the internet, without using industry-standard encryption methods.