This Data Processing Addendum (“DPA”) forms part of the Atera Terms of Use (available at and Privacy Policy (available at: and any other applicable Atera terms or agreement governing the use of the Services (collectively, the “Agreement”).

In order to provide the services provided under the Agreement (“Services”), Atera Networks Ltd. (together with its affiliated companies and subsidiaries worldwide) (“Atera”, “Us”, “We”, “Our”, “Service Provider” or “Data Processor”) may be required to processes data of the Client’s Users’ Information (as defined below).
To the extent Client’s Users’ Information falling within the scope of EU/UK Data Protection Law or Personal Information falling within the scope of the CCPA is processed by Atera on Client’s behalf you acknowledge and agree to abide to this DPA and further agree that Atera will process Client’s Users’ Information as necessary to provide you with the Services and as further detailed herein. By using the Services, you instruct Atera to process such Client’s Users’ Information on your behalf pursuant to this DPA.


    1. The headings contained in this DPA are for convenience only and shall not be interpreted to limit or otherwise affect the provisions of this DPA.
    2. References to clauses or sections are references to the clauses or sections of this DPA unless otherwise stated.
    3. Words used in the singular include the plural and vice versa, as the context may require.
    4. Capitalized terms not defined herein shall have the meanings assigned to such terms in the Agreement.
    5. Definitions:“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity.

      “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

      “Client” means the entity executing and/or accepting Atera’s Agreement.

      “Client’s Users” means Client’s end users and customers..

      “Client’s Users’ Information” means Personal Data or Personal Information of Client’s Users that Client submits to Atera or may otherwise be Processed by Atera on Client’s behalf.

      “Authorized Affiliate” means any of Client’s Affiliate(s) which (a) is subject to the Data Protection Laws And Regulations of the European Union, the European Economic Area and/or their member states, Switzerland and/or the United Kingdom, and (b) is permitted to use the Services pursuant to the Agreement between Client and Atera, but has not signed its own agreement with Atera and is not a “Customer” as defined under the Agreement.

      “Controller” or “Data Controller” means the entity which determines the purposes and means of the Processing of Personal Data. For the purposes of this DPA only, and except where indicated otherwise, the term “Data Controller” shall include yourself, the Organization and/or the Organization’s Authorized Affiliates.

      “Data Protection Laws and Regulations” means the laws and regulations of the European Union, the European Economic Area and their Member States, Switzerland and the United Kingdom, applicable to the Processing of Personal Data under the Agreement.

      “Data Subject” means the identified or identifiable person to whom the Personal Data relates.

      “Member State” means a country that belongs to the European Union and/or the European Economic Area. “Union” means the European Union.

      “Atera Group” means Atera and its Affiliates engaged in the Processing of Client’s Users’ Information.

      “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Client’s Users’ Information and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

      “Personal Data” or “Personal Information” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

      “Process(ing)” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

      “Processor” or “Data Processor” means the entity which Processes Personal Data on behalf of the Controller.

      “Security Documentation” means the Security Documentation applicable to the specific Services purchased by Client, as updated from time to time, and will be provided to you upon sending us a request to: [email protected], or as otherwise made reasonably available by Atera.

      “Sub-processor” means any Processor engaged by Atera.

      “Supervisory Authority” means an independent public authority which is established by an EU Member State pursuant to the GDPR



    1. Roles of the Parties. The parties acknowledge and agree that with regard to the Processing of Client’s Users’ Information, (i) Client is the Data Controller, (ii) Atera is the Data Processor and that (iii) Atera or members of the Atera Group may engage Sub-processors pursuant to the requirements set forth in Section 5 “Sub-processors” below.
    2. Client’s Processing of Client Users’ Information. Client shall, in its use of the Services, Process Client’s Users’ Information in accordance with the requirements of Data Protection Laws and Regulations. For the avoidance of doubt, Client’s instructions for the Processing of Client’s Users’ Information shall comply with Data Protection Laws and Regulations. Client shall have sole responsibility for the means by which Client acquired Personal Data as well as for the accuracy and quality of the Personal Data. Without limitation, Client shall have any and all required legal bases in order to collect, Process and transfer to Data Processor the Client’s Users’ Informationand to authorize the Processing by Data Processor of the Personal Data which is authorized in this DPA. Client shall be solely responsible for any transfer and/or sharing of Client’s Users’ Information by Client (or any other person operating on Client’s behalf), or instructed by Client, to any third party, including, without limitation, third party integrations available on the Atera platform.
    3. Data Processor’s Processing of Client’s Users’ Information. Subject to the Agreement, Data Processor shall Process Client’s Users’ Informationin accordance with Client’s documented instructions for the following purposes: (i) Processing in accordance with the Agreement and this DPA and to provide the Services; (ii) Processing for Client to be able to use the Services; (iii) Processing to comply with other documented reasonable instructions provided by Client (e.g., via email) where such instructions are consistent with the terms of the Agreement; (iv) Processing as required by Union or Member State law to which Data Processor is subject; in such a case, Data Processor shall inform the Client of the legal requirement before processing, unless that law prohibits such information on important grounds of public interest. Data Processor shall not Process the Client’s Users’ Information other than as stated in this paragraph.
      To the extent that Data Processor cannot comply with a request from Client and/or its authorized users (including, without limitation, any instruction, direction, code of conduct, certification, or change of any kind), Data Processor (i) shall inform Client, providing relevant details of the problem, (ii) Data Processor may, without any kind of liability towards Client, temporarily cease all Processing of the affected Client’s Users’ Information (other than securely storing those data), and (iii) if the parties do not agree on a resolution to the issue in question and the costs thereof, each Party may, as its sole remedy, terminate the Agreement and this DPA with respect to the affected Processing, and Client shall pay to Data Processor all the amounts owed to Data Processor or due before the date of termination. Client will have no further claims against Data Processor (including, without limitation, requesting refunds for Services) due to the termination of the Agreement and/or the DPA in the situation described in this paragraph (excluding the obligations relating to the termination of this DPA set forth below).Atera will not be liable in the event of any claim brought by a third party, including, without limitation, a Data Subject, arising from any act or omission of Atera, to the extent that such is a result of Client’s instructions.If Client provides Atera or any of the entities of the Atera Group with instructions, requests, suggestions, comments or feedback (whether orally or in writing) with respect to the Services, Client acknowledges that any and all rights, including intellectual property rights, therein shall belong exclusively to Atera and that such shall be considered Atera’s intellectual property without restrictions or limitations of any kind, and Client hereby irrevocably and fully transfers and assigns to Atera any and all intellectual property rights therein and waives any and all moral rights that Client may have in respect thereto.
    4. Details of the Processing. The subject-matter of Processing of Client’s Users’ Informationby Data Processor is the performance of the Services pursuant to the Agreement. The duration of the Processing, the nature and purpose of the Processing, as well as the types of Client’s Users’ Information Processed and categories of Data Subjects under this DPA are further specified in Schedule 1 (Details of the Processing) to this DPA.



    1. Data Subject Request. Data Processor shall, to the extent legally permitted, promptly notify Client if Data Processor receives a request from a Data Subject to exercise the Data Subject’s right of access, right to rectification, erasure (“right to be forgotten”), restriction of Processing, data portability, right to object, or its right not to be subject to automated individual decision making (“Data Subject Request”). Taking into account the nature of the Processing, Data Processor shall assist Client by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Client’s obligation to respond to a Data Subject Request under Data Protection Laws and Regulations. In addition, to the extent Client, in its use of the Services, does not have the ability to address a Data Subject Request, Data Processor shall upon Client’s request provide commercially reasonable efforts to assist Client in responding to such Data Subject Request, to the extent Data Processor is legally permitted to do so and the response to such Data Subject Request is required under Data Protection Laws and Regulations. To the extent legally permitted, Client shall be responsible for any costs arising from Data Processor’s provision of such assistance.



    1. Confidentiality. Data Processor shall ensure that its personnel engaged in the Processing of Client’s Users’ Information have committed themselves to confidentiality and non-disclosure.
    2. Data Processor may disclose and Process the Personal Data, including, Client’s Users’ Information (a) as permitted hereunder (b) to the extent required by a court of competent jurisdiction or other Supervisory Authority and/or otherwise as required by applicable Data Protection Laws and Regulations (in such a case, Data Processor shall inform the Client of the legal requirement before the disclosure, unless that law prohibits such information on important grounds of public interest), or (c) on a “need-to-know” basis under an obligation of confidentiality to its legal counsel(s), data protection advisor(s) and accountant(s).



    1. General Authorization of Sub-processors. Client hereby grants Data Processor with a general authorization to engage Sub-processors to Process Client’s Users’ Information in order to provide the Services without obtaining any further written, specific authorization from the Client. Client acknowledges and agrees that (a) Data Processor’s Affiliates may be used as Sub-processors; and (b) Data Processor and/or Data Processor’s Affiliates respectively may engage third-party Sub-processors in connection with the provision of the Services.
    2. List of Current Sub-processors and Notification of New Sub-processors.
      1. Data Processor shall make available to Client the current list of Sub-processors used by Data Processor via Such Sub-processor list shall include the identities and details of those Sub-processors and their country of location (“Sub-processor List”). The Sub-processor List as of the latest between: (i) the date of execution of this DPA; or (ii) as of the date of your first use of the Services (as applicable), is hereby, or shall be (as applicable), authorized by Client. In order to subscribe to notifications to notifications concerning appointment or replacement of a sub-processor, kindly send a request to [email protected]. Once subscribed, Atera will provide Client with details of any change of its Sub-processors as soon as reasonably practicable, and, in any event will notify Client no less than seven (7) days prior to such change.
      2. Client may reasonably object for reasons related to the GDPR to Data Processor’s appointment or replacement of Sub-processor by providing a written objection to [email protected] within seven (7) days of the receipt of an appointment or replacement notice. In such an event, Atera may choose to use commercial reasonable efforts make available to Client an alternative solution to avoid the Processing of Client’s Users’ Information by the new Sub-processor that Client objected, as premited in the above sentence. Until Atera makes a decision concerning Client’s objection, Atera may be required to temporarily suspend the Processing of the related Client’s Users’ Information, including, if required for this matter, suspend or limit access to Client’s account or suspend or limit certain features of the Services offered to the Client.
      3. If Atera finds that it is unable to resolve Client’s objection or to provide Client with such alternative solution, within thirty (30) days from receipt of the Client’s valid reasoned objection, Client may, as a sole remedy, terminate the applicable Agreement and this DPA with respect only to those Services which cannot be provided by Data Processor without the use of the objected-to Sub-processor by providing written notice to Data Processor provided that all amounts due under the Agreement before the termination date with respect to the Processing at issue shall be duly paid to Data Processor. Client will have no further claims against Data Processor due to (i) past use of approved Sub-processors prior to the date of objection or (ii) the termination of the Agreement (including, without limitation, requesting refunds) and the DPA in the situation described in this paragraph.
      4. If no objection has been raised to the replacement or appointing a new Sub-processor within the above mentioned time frame, Atera will deem Client to have authorized the new Sub-processor.
    3. Data Processor shall remain fully liable to Client for the performance of the subprocessors’ obligations, to the same extent that Data Processor is liable under this DPA.
    4. This Section 5 shall not apply to subcontractors of Data Processor which provide ancillary services to support the performance of the DPA. This includes, for example, telecommunication services, maintenance and user service, cleaning staff, or auditors.

    1. Third-Party Certifications and Audits. Upon Client’s written request at reasonable intervals (no more that once every 12 months), and subject to the confidentiality obligations set forth in the Agreement and this DPA, Data Processor shall make available to Client (or Client’s independent, third-party auditor that is not a competitor of, or is in conflict of interests with, Data Processor) a copy of Data Processor’s then most recent third-party audits or certifications, as applicable (provided, however, that such audits, certifications and the results therefrom, including the documents reflecting the outcome of the audit and/or the certifications, shall only be used by Client to assess compliance with this DPA and/or with applicable Data Protection Laws and Regulations, and shall not be used for any other purpose or disclosed to any third party without Data Processor’s prior written approval and, upon Data Processor’s first request, Client shall return all records or documentation in Client’s possession or control provided by Data Processor in the context of the audit and/or the certification). With respect to audits and inspections, the parties shall discuss in good faith and agree on the scope, timing and details of the audits and inspections, provided however that the limitation set forth above with respect to the copies or audits certifications shall also apply to the audits. To the extent that Data Processor’s obligations in this section involve more than 8 hours/man of work, Client shall bear the costs and expenses of complying with this clause.
    2. Controls for the Protection of Client’s Users’ Information. Data Processor shall maintain all industry-standard technical and organizational measures required pursuant to Article 32 of the GDPR for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Personal Data), confidentiality and integrity of Client’s Users’ Information, as set forth in the Security Documentation which are hereby approved by Client. Data Processor regularly monitors compliance with these measures. Upon the Client’s request, Data Processor will assist Client, at Client’s cost, in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of the processing and the information available to Data Processor. Client is responsible for reviewing the information Atera makes available regarding its data security, and making an independent determination as to whether the Services meet the Client’s needs, requirements and legal obligations, including Client’s obligations under applicable Data Protection Laws and Regulations to ensure the appropriate level of security when using the Services, taking into consideration any risks with respect to Client’s Users’ Information. Client is further responsible to properly configuring the Services and using features and functionalities made available by Atera to maintain appropriate security in light of the nature of the data processed by Client’s use of the Services.


    Data Processor maintains security incident management policies and procedures specified in Security Documentation and, to the extent required under applicable Data Protection Laws and Regulations, shall notify Client without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Client’s Users’ Information, including Client’s Users’ Information transmitted, stored or otherwise Processed by Data Processor or its Sub-processors of which Data Processor becomes aware (a “Personal Data Incident”). Data Processor shall make reasonable efforts to identify the cause of such Personal Data Incident and take those steps as Data Processor deems necessary and reasonable in order to remediate the cause of such a Personal Data Incident to the extent the remediation is within Data Processor’s reasonable control. The obligations herein shall not apply to incidents that are caused by Client or Client’s Users. In any event, Client will be the party responsible for notifying supervisory authorities and/or concerned data subjects (where required by Data Protection Laws and Regulations) and any other obligation required under applicable Data Protection Laws and Regulations. Client acknowledges that Data Processor’s notification concerning a Personal Data Incident shall not be deemed or construed as an acknowledgment by Data Processor of any fault or liability with respect to such incident.


    1. Subject to the Agreement, Data Processor shall, at the request of Client, delete or return the Client’s Users’ Information to Client after the end of the provision of the Services relating to processing, and shall delete existing copies unless applicable law requires storage of the Client’s Users’ Information. In any event, to the extent required or allowed by applicable law, Data Processor may retain one copy of the Client’s Users’ Information for evidence purposes and/or for the establishment, exercise or defense of legal claims and/or to comply with applicable laws and regulations. If the Client requests the Personal Data to be returned, the Personal Data shall be returned in the format generally available for Data Processor’s Clients.
    2. Notwithstanding anything to the contrary, Data Processor may retain electronic copies of files containing Personal Data created pursuant to automatic archiving or backup procedures which cannot reasonably be deleted. Data Processor will delete the data in accordance with its internal data retention and deletion periods for backups.



    1. Contractual Relationship. The parties acknowledge and agree that, by executing the DPA, the Client enters into the DPA on behalf of itself and, as applicable, in the name and on behalf of its Authorized Affiliates, thereby establishing a separate DPA between Data Processor. Each Authorized Affiliate agrees to be bound by the obligations under this DPA. All access to and use of the Services by Authorized Affiliates must comply with the terms and conditions of the Agreement and this DPA and any violation of the terms and conditions therein by an Authorized Affiliate shall be deemed a violation by Client.
    2. Communication. The Client shall remain responsible for coordinating all communication with Data Processor under the Agreement and this DPA and shall be entitled to make and receive any communication in relation to this DPA on behalf of its Authorized Affiliates.


    Upon Client’s request, Data Processor shall provide Client, at Client’s cost, with reasonable cooperation and assistance needed to fulfil Client’s obligation under the GDPR to carry out a data protection impact assessment related to Client’s use of the Services, to the extent Client does not otherwise have access to the relevant information, and to the extent such information is available to Data Processor. Data Processor shall provide, at Client’s cost, reasonable assistance to Client in the cooperation or prior consultation with the Supervisory Authority in the performance of its tasks relating to Section 10 of this DPA, to the extent required under the GDPR.


    1. General. Client acknowledges and agrees that Atera may Process Client’s Users’ Information anywhere in the world so long as it complies with applicable Data Protection Laws and this DPA, as follows
    2. Transfers to Atera. Client’s Users’ Information that Atera receives and Processes is initially transferred by Client and/or the applicable Data Subject to Atera Networks Ltd. in Israel under the European Commission’s adequacy decision 211/61/EU.
      1. Transfers to countries that offer adequate level of data protection. Client’s Users’ Information may be transferred from the EU Member States, the three EEA member countries (Norway, Liechtenstein and Iceland) and the United Kingdom (collectively, “EEA”) to countries that offer adequate level of data protection under or pursuant to the adequacy decisions published by the relevant data protection authorities of the EEA, the Union, the Member States or the European Commission (“Adequacy Decisions”), without any further safeguard being necessary.
      2. Transfers to other countries: If the Processing of Client’s Users’ Information includes transfers from the EEA to countries which do not offer adequate level of data protection or which have not been subject to an Adequacy Decision (“Other Countries”), the parties shall comply with Article 46 of the GDPR, and, if necessary, shall execute the standard data protection clauses adopted by the relevant data protection authorities of the EEA, the Union, the Member States or the European Commission or comply with any of the other mechanisms provided for in the Data Protection Laws and Regulations for transferring Personal Data to such Other Countries.
    3. Transfers at Client’s Instructions.  In case of a transfer to a third party that is not listed in the Sub-processor’s List, which is conducted by Data Processor at Client’s instructions, or directly by Client in accordance with an agreement between Client and such third-party (which Atera is not a party to), Client shall be solely and fully responsible and liable for the compliance with applicable laws, including, without limitation, with respect to the transfers of Client’s Users’ Information.
    4. If the applicable transfer mechanism that is in place between Data Processor and Client is amended, replaced, or otherwise invalidated, Client shall notify Data Processor and the parties shall enter into any updated version of such mechanism or any alternative mechanism endorsed by the applicable competent authority.
    5. For clarity, responsibility for compliance with the obligations corresponding to Data Controllers under Data Protection Laws and Regulations shall rest with Client and not with Data Processor. Data Processor may, at Client’s cost, provide reasonable assistance to Client with regards to such obligations.
    This DPA shall automatically terminate upon the termination or expiration of the Agreement under which the Services are provided. Section 14 shall survive termination or expiration of this DPA by any reason.

  13. CCPA
    To the extent that the Personal Information is subject to the California Consumer Privacy Act (“CCPA”), Atera shall not sell Client’s Users’ Information. Atera further agrees not to retain, use or disclose Client’s Users Information for any other purpose than to provide the Services under the Agreement or for a commercial purpose other than providing the Services. Notwithstanding the foregoing, Atera may use, disclose, or retain Client’s Users’ Information to: (i) transfer the Client’s Users’ Information to other Atera’s entities among Atera Group (including, without limitation, affiliates and subsidiaries), service providers, third parties and vendors, in order to provide the Services to Client and to comply with the Client’s instructions; (ii) to comply with applicable laws; (iii) to defend legal claims or comply with a law enforcement investigation; (ii) for internal use by Atera to build or improve the quality of its services and/or for any other purpose permitted under the CCPA as well as to de-identifiy information; (iii) to detect data security incidents, or protect against fraudulent or illegal activity; and (iv) collect and analyse anonymous information.

    The terms of the Agreement shall apply to this DPA as applicable. In the event of any conflict between the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail over the conflicting provisions of the Agreement.To the extent permitted by law, notwithstanding anything to the contrary in the Agreement, this DPA and/or the agreements between the parties: (A) Atera’s and Atera’s Affiliates’ entire, total and aggregate liability (including any indemnification obligation (if any) regarding data protection or privacy), for or related to Personal Data or information, privacy, Client’s Users Information, or any breach of this DPA and/or Data Protection Laws and Regulations shall be limited to the amounts paid to Atera under the Agreement during the twelve (12) months preceding the day on which the claim arouse. This limitation of liability is cumulative and not per incident; (B) In no event will Atera and/or its Affiliates or their third-party providers, be liable under, or otherwise in connection with this DPA for: (i) any indirect, exemplary, special, consequential, incidental or punitive damages; (ii) any loss of profits, business, or anticipated savings; (iii) any loss of, or damage to data, reputation, revenue or goodwill; and/or (iv) the cost of procuring any substitute goods or services; and (C) The foregoing exclusions and limitations on liability set forth in this Section 14 shall apply: (i) even if Atera, Atera Affiliates or third-party providers, have been advised, or should have been aware, of the possibility of losses or damages; (ii) even if any remedy in this DPA fails of its essential purpose; and (iii) regardless of the form, theory or basis of liability (such as, but not limited to, breach of contract or tort).

    Client acknowledges and agrees that Atera may amend this DPA as may be required from time-to-time, by posting the relevant amended and DPA on Atera’s website, available at and any amendments to the DPA are effective as of the date of posting. Client’s continued use of the Services after the amended DPA is posted constitutes Client’s agreement to, and acceptance of, the amended DPA.


    1. If any provision of this DPA deemed by a court of competent jurisdiction to be invalid, unlawful, void, or for any reason unenforceable, then such provision shall be deemed severable and will not affect the validity and enforceability of the remaining provisions.
    2. Any questions regarding this DPA should be addressed to [email protected] Atera will attempt to resolve any complaints regarding the use of Client’s Users’ Information in accordance with this DPA and the Agreement.
    3. This DPA was written in English and may be translated into other languages for your convenience. If a translated (non-English) version of this DPA conflicts in any way with its English version, the provisions of the English version shall prevail.



Subject matter

Data Processor will Process Client’s Users’ Information as necessary to perform the Services pursuant to the Agreement, as further instructed by Client in its use of the Services.

Nature and Purpose of Processing

  1. Providing the Service(s) to Client.
  2. For Client to be able to use the Services.
  3. For Data Processor to comply with documented reasonable instructions provided by Client where such instructions are consistent with the terms of the Agreement.
  4. Performing the Agreement, this DPA and/or other contracts executed by the parties.

Duration of Processing

Subject to any Section of the DPA and/or the Agreement dealing with the duration of the Processing and the consequences of the expiration or termination thereof, Data Processor will Process Client’s Users’ Information for the duration of the Agreement, unless otherwise agreed upon in writing.

Type of Client’s Users’ Information

Client may submit Client’s Users’ Information to the Services, the extent of which is determined and controlled by Client in its sole discretion, and which may include, but is not limited to Client’s Users Information provided to, or accessed by Atera, in order to provide the Services subject to this DPA.

For the avoidance of doubt, the log-in details to Atera’s platform and Client’s contact details information are subject to Atera’s privacy policy available here: and not to this DPA.

Categories of Data Subjects

Client may submit Client Users’ Information to the Services, the extent of which is determined and controlled by Client in its sole discretion, and which includes Client Users.