DATA PROCESSING ADDENDUM

This Data Processing Addendum (“DPA”) forms part of the Atera Terms of Use (available at https://www.atera.com/terms-of-use/ ) and any other applicable Atera terms or agreement governing the use of the Services (collectively, the “Agreement”).

In order to provide the services provided under the Agreement (“Services”), Atera Networks Ltd. (together with its affiliated companies and subsidiaries worldwide) (“Atera” or “Data Processor”) may be required to process Client Data (as defined below).

To the extent that data falling within the scope of EU/UK GDPR or CCPA is processed by Atera on Client’s behalf, Client acknowledges and agrees to abide by this DPA and further agrees that Atera will process Client Data as necessary to provide the Services and as further detailed herein. By using the Services, Client instructs Atera to process such Client Data on its behalf pursuant to this DPA.

  1.   INTERPRETATION AND DEFINITION
    1.1 The headings contained in this DPA are for convenience only and shall not be interpreted to limit or otherwise affect the provisions of this DPA.

    1.2 References to clauses or sections are references to the clauses or sections of this DPA unless otherwise stated.

    1.3 Words used in the singular include the plural and vice versa, as the context may require.

    1.4 Capitalized terms not defined herein shall have the meanings assigned to such terms in the Agreement or as ascribed to them by GDPR and CCPA.

    1.5 Definitions:

    “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity.

    “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

    “Client” means the entity executing and/or accepting Atera’s Agreement.

    “Client Users” means Client admins, users, employees and other personnel, and, in case of Clients who are MSPs, Client customers’ employees and personnel.

    “Client Data” means Personal Data or Personal Information of Client Users that Client submits to Atera or may otherwise be Processed by Atera on Client’s behalf as a part of the Services.

    “Authorized Affiliate” means any of Client’s Affiliate(s) permitted to use the Services pursuant to the Agreement between Client and Atera, but has not signed its own agreement with Atera and is not a “Customer” as defined under the Agreement.

    “Data Protection Laws” means EU General Data Protection Regulation 2016/679 (“EU GDPR”), the UK Data Protection Law 2018 (“UK GDPR”) (together “GDPR”), and the California Consumer Privacy Act, as amended by the Privacy Rights Act of 2020 (“CCPA”) applicable to the Processing of Personal Data under the Agreement.

    “Atera Group” means Atera and its Affiliates engaged in the Processing of Client Data.

    “Personal Data” or “Personal Information” means any information relating to an identified or identifiable natural person.

  2. PROCESSING OF PERSONAL DATA
    2.1 Roles of the Parties. The parties acknowledge and agree that with regard to the Processing of Client Data, Client is the Data Controller or Data Processor, and Atera is the Data Processor or Sub-Processor, as appropriate.

    2.2 Client’s Processing of Client Users’ Information. For the avoidance of doubt, Client’s instructions for the Processing of Client Data shall comply with Data Protection Laws. Client shall have sole responsibility for the means by which Client acquired Personal Data as well as for the accuracy and quality of the Personal Data. Without limitation, Client shall have any and all required legal bases in order to collect, Process, and transfer to Data Processor the Client Data and to authorize the Processing by Data Processor of the Personal Data which is authorized in this DPA. Client shall be solely responsible for any transfer and/or sharing of Client Data by Client (or any other person operating on Client’s behalf), or instructed by Client, to any third party, including, without limitation, third party integrations available on the Atera platform.

    2.3 Data Processor’s Processing of Client Data. Subject to the Agreement, Data Processor shall Process Client Data in accordance with Client’s documented instructions for the following purposes: (i) Processing in accordance with the Agreement and this DPA and to provide and improve the Services; (ii) Processing to comply with other documented reasonable instructions provided by Client (e.g., via email) where such instructions are consistent with the terms of the Agreement; (iii) Processing as required under the laws applicable to Data Processor, and/or as required by a court of competent jurisdiction or other competent governmental authority, provided that Data Processor shall inform Client of the legal requirement before Processing, unless such law or order prohibits disclosing such information. Data Processor shall inform Client without undue delay if, in Data Processor’s reasonable opinion, an instruction for the Processing of Personal Data given by Client infringes applicable Data Protection Laws, unless Data Processor is prohibited from notifying Customer under applicable Data Protection Laws. It is hereby clarified that Data Processor has no obligation to assess whether instructions by Client infringe any Data Protection Laws.

  3. ASSISTANCE
    3.1 Data Processor Assistance. Data Processor will assist Client in responding to requests for exercising Data Subjects’ rights under Data Protection Laws. Data Processor will inform Client promptly if it receives a Data Subject Access Request, and in any event within 72 hours of receiving the Request. Data Processor will likewise assist Client with its obligations pursuant to Data Protection Laws, such as GDPR Articles 32-36, taking into account the nature of the processing and the information available to Data Processor. To the extent legally permitted, Client shall be responsible for any costs arising from Data Processor’s provision of such assistance. Data Processor will inform Client without undue delay if Data Processor experiences a Personal Data Breach, and will provide necessary details to Client. Client will not make, disclose, release, or publish any finding, admission of liability, communication, notice, press release, or report concerning any Personal Data Breach which directly or indirectly identifies Data Processor (including in any legal proceeding or in any notification to regulatory or supervisory authorities or affected individuals) without Data Processor’s prior written approval, unless, and solely to the extent that, Client is compelled to do so pursuant to Data Protection Laws. In the latter case, unless prohibited by law, Client shall provide Data Processor with reasonable prior written notice to provide Data Processor with the opportunity to object to such disclosure and in any case Client will limit the disclosure to the minimum scope required.

    3.2 Data Processor will make available all information reasonably necessary to demonstrate compliance with its obligations under GDPR Article 28 and Data Protection Laws.

  4. ATERA PERSONNEL
    4.1 Confidentiality. Data Processor shall ensure that its personnel engaged in the Processing of Client Data have committed themselves to confidentiality and non-disclosure.

  5. AUTHORIZATION REGARDING SUB-PROCESSORS

    5.1 General Authorization of Sub-processors. Client hereby grants Data Processor a general authorization to engage Sub-processors to Process Client Data in order to provide the Services without obtaining any further written, specific authorization from the Client. Client acknowledges and agrees that (a) Data Processor’s Affiliates may be used as Sub-processors; and (b) Data Processor and/or Data Processor’s Affiliates respectively may engage third-party Sub-processors in connection with the provision of the Services subject to this Section.

    5.2 List of Current Sub-processors and Notification of New Sub-processors.

    5.2.1 Data Processor’s current list of Sub-processors is available here. Such Sub-processor list shall include the identities and details of those Sub-processors and their country of location (“Sub-processor List”). The Sub-processor List as of the latest between: (i) the date of execution of this DPA; or (ii) as of the date of your first use of the Services (as applicable), is hereby, or shall be (as applicable), authorized by Client. In order to subscribe to notifications concerning the appointment or replacement of a sub-processor, kindly send a request to [email protected]. Once subscribed, Atera will provide Client with details of any change of its Sub-processors as soon as reasonably practicable, and, in any event, will notify Client no less than seven (7) days prior to such change.

    5.2.2 Client may reasonably object for reasons related to the GDPR to Data Processor’s appointment or replacement of Sub-processor by providing a written objection to [email protected] within seven (7) days of the receipt of an appointment or replacement notice, which shall include those reasons for objecting to Processor’s use of such new Sub-processor. In such an event, Atera may choose to use commercially reasonable efforts to make available to Client an alternative solution to avoid the Processing of Client Data by the new Sub-processor that Client objected, as permitted in the above sentence. Until Atera makes a decision concerning Client’s objection, Atera may be required to temporarily suspend the Processing of the related Client Data, including, if required for this matter, suspend or limit access to Client’s account or suspend or limit certain features of the Services offered to the Client.

    5.2.3 If Atera finds that it is unable to resolve Client’s objection or to provide Client with such alternative solution, within thirty (30) days from receipt of the Client’s valid reasoned objection, Client may, as a sole remedy, terminate the applicable Agreement and this DPA with respect only to those Services which cannot be provided by Data Processor without the use of the objected-to Sub-processor by providing written notice to Data Processor provided that all amounts due under the Agreement before the termination date with respect to the Processing at issue shall be duly paid to Data Processor. Client will have no further claims against Data Processor due to (i) past use of approved Sub-processors prior to the date of objection or (ii) the termination of the Agreement (including, without limitation, requesting refunds) and the DPA in the situation described in this paragraph.

    5.2.4 If no objection has been raised to the replacement or appointing a new Sub-processor within the above mentioned time frame, Atera will deem Client to have authorized the new Sub-processor.

    5.3 Data Processor shall remain fully liable to Client for the performance of the Sub-processors’ obligations, to the same extent that Data Processor is liable under this DPA.

  6. AUDITS
    6.1 Third-Party Certifications and Audits. Upon Client’s 14 days prior written request at reasonable intervals (no more than once every 12 months), and subject to the confidentiality obligations set forth in the Agreement and this DPA, Data Processor shall make available to Client (or Client’s independent, third-party auditor that is not a competitor of, or is in conflict of interests with, Data Processor) a copy of Data Processor’s then most recent third-party audits or certifications, as applicable (provided, however, that such audits, certifications and the results therefrom, including the documents reflecting the outcome of the audit and/or the certifications, shall only be used by Client to assess compliance with this DPA and/or with Data Protection Laws, and shall not be used for any other purpose or disclosed to any third party without Data Processor’s prior written approval and, upon Data Processor’s first request, Client shall return all records or documentation in Client’s possession or control provided by Data Processor in the context of the audit and/or the certification). With respect to audits and inspections, the parties shall discuss in good faith and agree on the scope, timing, and details of the audits and inspections, provided however that the limitation set forth above with respect to the copies or audits certifications shall also apply to the audits. To the extent that Data Processor’s obligations in this section involve more than 8 hours/man of work, Client shall bear the costs and expenses of complying with this clause.

    6.2 Controls for the Protection of Client Data. Data Processor shall maintain all industry-standard technical and organizational measures required pursuant to Article 32 of the GDPR for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Personal Data), confidentiality and integrity of Client Data, including as described in: www.atera.com/trust/, as amended from time to time (the “Security Documentation”). Data Processor regularly monitors compliance with these measures. Client is responsible for reviewing the information Atera makes available from time to time regarding its data security, and making an independent determination as to whether the Services meet the Client’s needs, requirements and legal obligations, including Client’s obligations under Data Protection Laws to ensure the appropriate level of security when using the Services, taking into consideration any risks with respect to Client Data. Client is further responsible for properly configuring the Services and using features and functionalities made available by Atera to maintain appropriate security in light of the nature of the data processed by Client’s use of the Services.

  7. RETURN AND DELETION OF CLIENT DATA
    7.1 Subject to the Agreement, Data Processor shall, at the request of Client, delete or return the Client Data to Client after the end of the provision of the Services relating to processing, and shall delete existing copies unless applicable law requires storage of the Client Data. In any event, to the extent required or allowed by applicable law, Data Processor may retain one copy of the Client Data for evidence purposes and/or for the establishment, exercise or defense of legal claims and/or to comply with applicable laws and regulations. If the Client requests the Personal Data to be returned, the Personal Data shall be returned in the format generally available for Data Processor’s Clients.

    7.2 Notwithstanding anything to the contrary, Data Processor may retain electronic copies of files containing Personal Data created pursuant to automatic archiving or backup procedures which cannot reasonably be deleted. Data Processor will delete the data in accordance with its internal data retention and deletion periods for backups.

  8. AUTHORIZED AFFILIATES
    8.1 Contractual Relationship. The parties acknowledge and agree that, by executing the DPA, the Client enters into the DPA on behalf of itself and, as applicable, in the name and on behalf of its Authorized Affiliates, thereby establishing a separate DPA between Data Processor. Each Authorized Affiliate agrees to be bound by the obligations under this DPA. All access to and use of the Services by Authorized Affiliates must comply with the terms and conditions of the Agreement and this DPA and any violation of the terms and conditions therein by an Authorized Affiliate shall be deemed a violation by Client.

    8.2 Communication. The Client shall remain responsible for coordinating all communication with Data Processor under the Agreement and this DPA and shall be entitled to make and receive any communication in relation to this DPA on behalf of its Authorized Affiliates.

  9. INTERNATIONAL TRANSFERS
    9.1 General. Client acknowledges and agrees that Atera may Process Client Data anywhere in the world so long as it complies with Data Protection Laws and this DPA, as follows.

    9.2 Transfers to Atera. Client Data that Atera receives and Processes is initially transferred by Client and/or the applicable Data Subject to Atera Networks Ltd. in Israel under the European Commission’s adequacy decision 211/61/EU.

    9.3 Transfers to countries that offer adequate level of data protection. Client Data may be transferred from the EU Member States, the three EEA member countries (Norway, Liechtenstein and Iceland) and the United Kingdom (collectively, “EEA”) to countries that offer an adequate level of data protection under or pursuant to the adequacy decisions published by the relevant data protection authorities of the EEA, the Union, the Member States or the European Commission (“Adequacy Decisions”), without any further safeguard being necessary.

    9.4 Transfers to other countries:
    9.4.1 If the Processing of Client Data includes transfers of EU data to countries that do not offer an adequate level of data protection or which have not been deemed adequate by the EU Commission, the parties agree that such transfers shall be undertaken on the basis of the EU Standard Contractual Clauses (“EU SCCs”), published by the EU Commission (https://ec.europa.eu/info/sites/default/files/sccs_word.zip) which are incorporated herein by reference and construed in accordance with the Schedules below, unless another mechanism provided for in the Data Protection Laws of the applicable country applies. Module 2 of the EU SCCs (Controller to Processor) or Module 3 (Processor to Processor) shall apply, as applicable. In Clause 7 of the EU SCCs, the optional docking clause will not apply. For the purposes of Clause 9: option 2 shall apply, authorization period will be 14 days. In Clause 11 the optional language will not apply. For the purposes of Clause 13(a) and Annex I.C, the competent supervisory authority shall be the supervisory authority of the Member State where the Data Exporter is established or has a representative; for the purposes of Clause 17: option 2 applies, and the governing law will be Ireland; for the purposes of Clause 18: disputes shall be resolved by the courts of Ireland. For the purposes of Annex I: Atera is the ‘Data exporter’, Client is the ‘Data importer’. Other details are described in the Schedules below. ‘Signature and Date’: By entering into the Agreement and this DPA, each party is deemed to have signed these EU SCCs incorporated herein, including their exhibits, as of the effective date of the Agreement.

    9.4.2 If the Processing of Client Data includes transfers of United Kingdom (UK) data to countries that do not offer an adequate level of data protection or which have not been deemed adequate by the Information Commissioner Officer (ICO), the parties agree that such transfers shall be undertaken on the basis of the UK Standard Contractual Clauses (“UK SCCs”), meaning the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the Information Commissioner (the “IDTA”), as amended or replaced from time to time, pursuant to Article 46 of the UK GDPR published by the ICO (https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf). Module 2 of the UK SCCs (Controller to Processor) or Module 3 (Processor to Processor) shall apply, as applicable. In Clause 7 of the UK SCCs, the optional docking clause will not apply. For the purposes of Clause 9: option 2 shall apply, authorization period will be 14 days. In Clause 11 the optional language will not apply. In Clause 17, option 1 shall apply. The Parties agree that the UK SCCs shall be governed by the laws of England and Wales. And in Clause 18(b) the Parties choose the courts of England and Wales. Which Parties may end the UK SCCs as set out in Section 19: Importer and/or Exporter. For the purposes of Annex I: Atera is the ‘Data exporter’, Client is the ‘Data importer’. Other details are described in the Schedules below. ‘Signature and Date’: By entering into the Agreement and this DPA, each party is deemed to have signed these EU SCCs incorporated herein, including their exhibits, as of the effective date of the Agreement.

    9.4.3 For data transfers governed by Federal Act on Data Protection of 19 June 1992 (Switzerland) (with the Ordinance to the Federal Act on Data Protection of 14 June 1993) or the revised Federal Act on Data Protection of 25 September 2020 (Switzerland) (with the Ordinance to the Federal Act on Data Protection of 31 August 2022) (the “Swiss Data Protection Laws”), the EU SCCs also apply to the transfer of information relating to an identified or identifiable legal entity where such information is protected similarly as Personal Data under Swiss Data Protection Laws. In such circumstances, general and specific references in the EU SCCs to GDPR or EU or Member State Law shall have the same meaning as the equivalent reference in Swiss Data Protection Laws. In Section the Swiss Federal Data Protection and Information Commissioner shall be the sole Supervisory Authority for Swiss Transfers exclusively. The Parties agree that the SCCs shall be governed by the laws and courts of Switzerland.

    9.5 Transfers at Client’s Instructions. In case of a transfer to a third party which is conducted by Data Processor at Client’s instructions, or directly by Client in accordance with an agreement between Client and such third-party (which Atera is not a party to), Client shall be solely and fully responsible and liable for the compliance with applicable laws, including, without limitation, with respect to the transfers of Client Data.

  10. TERMINATION
    This DPA shall automatically terminate upon the termination or expiration of the Agreement under which the Services are provided. Section 12 shall survive termination or expiration of this DPA by any reason.

  11. CCPA
    To the extent that the Personal Information is subject to the CCPA, Atera shall not sell or share Client Data. Atera further agrees not to retain, use or disclose Client Users information for any other purpose than to provide the Services under the Agreement or for a commercial purpose other than providing the Services. Notwithstanding the foregoing, Atera may use, disclose, or retain Client Data to: (i) transfer the Client Data to other Atera’s entities among Atera Group (including, without limitation, affiliates and subsidiaries), service providers, third parties and vendors, in order to provide the Services to Client and to comply with the Client’s instructions; (ii) to comply with applicable laws; (iii) to defend legal claims or comply with a law enforcement investigation; (ii) for internal use by Atera to build or improve the quality of its services and/or for any other purpose permitted under the CCPA as well as to de-identify the information; (iii) to detect data security incidents, or protect against fraudulent or illegal activity; and (iv) collect and analyse anonymous information.

  12. RELATIONSHIP WITH AGREEMENT
    The terms of the Agreement shall apply to this DPA as applicable. In the event of any conflict between the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail over the conflicting provisions of the Agreement. To the extent permitted by law, notwithstanding anything to the contrary in the Agreement, this DPA and/or the agreements between the parties: (A) Atera’s and Atera’s Affiliates’ entire, total and aggregate liability (including any indemnification obligation (if any) regarding data protection or privacy), for or related to Personal Data or information, privacy, Client Users information, or any breach of this DPA and/or Data Protection Laws shall be limited to the amounts set forth in the Agreement. This limitation of liability is cumulative and not per incident; (B) In no event will Atera and/or its Affiliates or their third-party providers, be liable under, or otherwise in connection with this DPA for: (i) any indirect, exemplary, special, consequential, incidental or punitive damages; (ii) any loss of profits, business, or anticipated savings; (iii) any loss of, or damage to data, reputation, revenue or goodwill; and/or (iv) the cost of procuring any substitute goods or services; and (C) The foregoing exclusions and limitations on liability set forth in this Section 12 shall apply: (i) even if Atera, Atera Affiliates or third-party providers, have been advised, or should have been aware, of the possibility of losses or damages; (ii) even if any remedy in this DPA fails of its essential purpose; and (iii) regardless of the form, theory or basis of liability (such as, but not limited to, breach of contract or tort).
  13. AMENDMENTS
    Client acknowledges and agrees that Atera may amend this DPA as may be required from time-to-time, by posting the relevant amended and DPA on Atera’s website, available at https://atera.com/dpa and any amendments to the DPA are effective as of the date of posting. Client’s continued use of the Services after the amended DPA is posted constitutes Client’s agreement to, and acceptance of, the amended DPA.
  14. GENERAL
    14.1 If any provision of this DPA is deemed by a court of competent jurisdiction to be invalid, unlawful, void, or for any reason unenforceable, then such provision shall be deemed severable and will not affect the validity and enforceability of the remaining provisions.

    14.2 Any questions regarding this DPA should be addressed to [email protected]. Atera will attempt to resolve any complaints regarding the use of Client Data in accordance with this DPA and the Agreement.

    14.3 This DPA was written in English and may be translated into other languages for your convenience. If a translated (non-English) version of this DPA conflicts in any way with its English version, the provisions of the English version shall prevail.

SCHEDULE 1 – DETAILS OF THE PROCESSING
Subject Matter
Atera will Process Client Data as necessary to provide the Services, perform and enforce the Agreement (or any other agreement between the parties), and as further instructed by Client in its use of the Services.

Nature and Purpose of Processing
Collection and Processing of Personal Data for providing the Service(s) to Client; for Atera to comply with documented reasonable instructions provided by Client where such instructions are consistent with the terms of the Agreement and/or pursuant to Client’s use of the Services (e.g., integrations between the Services and any services provided by third parties, as configured by or on behalf of Client to facilitate the sharing of Personal Data between the Services and such third party services); Complying with applicable laws and regulations; for performing the Agreement, this DPA and/or other contracts executed by the parties, and for all tasks related to any of the above.

Duration of Processing
Subject to any Section of the DPA and/or the Agreement dealing with the duration of the Processing and the consequences of the expiration or termination thereof, Atera will Process Client Data for the duration of the Agreement, unless otherwise agreed upon in writing.

Types of Data
1. Atera may Process Personal Data which may include, but is not limited to: Client Users’ email address, credentials, physical address, phone number, role, geolocation, photos, internet protocol (IP) address, hardware and software details, Personal Data in files or communications that Client transmits or receives through the Service (where applicable), operating system (OS), browser type, in-Service activity, Windows logs, and online identifiers.

2. Other than as set forth in Section 1) immediately above, Client is the responsible Party to determine all categories of Client Data that Atera may access while providing the Services and Atera does not have any control over the identity of the Data Subjects whose Personal Data is processed on Client’s behalf.

3. Atera’s Services are not intended to Process sensitive categories of Personal Data. Client shall not provide or allow Atera access to any sensitive Personal Data or special categories of Personal Data. Moreover, Client shall not provide or allow Atera to access any data that would require executing a Business Associate Agreement (BAA) without having executed such BAA with Atera beforehand, and in accordance with the terms of the BAA.

4. For the avoidance of doubt, the log-in details to Atera’s platform and Client’s representatives’ contact details are subject to Atera’s privacy policy available here: https://www.atera.com/privacy/ and not to this DPA.

Categories of Data Subjects
Client may submit or allow Client Data to the Services, the extent of which is determined and controlled by Client in its sole discretion, and which includes Client Users.