Data Processing Addendum

 

1.       This Addendum applies only if Purchaser separately commissions, authorizes and requests, and Cellebrite accepts and agrees, that Cellebrite provide Purchaser certain services relating to the Products (“Services”), which services involve Processing Personal Data (as these capitalized terms are defined and used in the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), in Directive 2016/680 on the processing of personal data by authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences, and in national laws supplementing the GDPR or transposing and implementing that directive (all collectively referred to as “Data Protection Law”)).

2.       When performing any Services, Cellebrite is acting as a Processor or a sub-processor on behalf of Purchaser, and Purchaser and Cellebrite are each responsible for complying with the Data Protection Law applicable to them in their roles as Controller and Processor/sub-processor, respectively (as these terms are defined and used in Data Protection Law).

3.       With respect to those activities of Cellebrite as a Processor, Cellebrite will Process the Personal Data only on Purchaser’s behalf, for as long as Purchaser instructs Cellebrite to do so, only as set forth in this Addendum, and shall not Process the Personal Data for any purpose other than the purpose set forth in the next section.

4.       The subject matter and purposes of the Processing activities are the provision of support services relating to unlocking of end-user digital devices (e.g., mobile phones), decoding data from digital devices, extracting data from digital devices, collecting end user data from cloud services, and performing analysis and analytics on such end user data – all as the case may be pursuant to the Agreement and Purchaser’s instructions. The Personal Data Processed may include, without limitation:

4.1.    Data and meta data from end-user digital devices; End user data and meta data from cloud services.

4.2.    Names, titles and contact information of Purchaser’s employees.

5.       The Data Subjects, as defined in the Data Protection Law, about whom Personal Data is Processed are:

5.1.    Data subjects with respect to which Purchaser uses Cellebrite’s Products and Services.

5.2.    Purchaser’s employees.

6.       With respect to those activities of Cellebrite as a Processor, Cellebrite will Process the Personal Data only on documented instructions from Purchaser, unless Cellebrite is otherwise required to do so by law to which it is subject (and in such a case, Cellebrite shall inform Purchaser of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest).

7.       Purchaser may only use the Services to process personal data pursuant to a recognized and applicable lawful basis under Data Protection Law. Purchaser is solely responsible for determining the lawfulness of the data processing instructions it provides to Cellebrite and shall provide Cellebrite only instructions that are lawful under Data Protection Law.

8.       Cellebrite will make available to Purchaser all information at its disposal directly relevant to Purchaser and the services performed and necessary to demonstrate compliance with the obligations under Data Protection Law, shall maintain all records required by Data Protection Law, and shall make them available to Purchaser upon request.

9.       Purchaser acknowledges and agrees that Cellebrite uses the following sub-processors to Process Personal Data: Microsoft Corporation, Amazon Web Services, Inc., Signiant Inc., Salesforce.com and Oracle.

10.   Purchaser authorizes Cellebrite to engage another sub-processor for carrying out specific processing activities of the Services, provided that Cellebrite informs Purchaser at least 21 days in advance of any new or substitute sub-processor, in which case Purchaser shall have the right to object, on reasoned grounds, to that new or replaced sub-processor. If Purchaser so objects, Cellebrite may not engage that new or substitute sub-processor for the purpose of Processing Personal Data in the provision of the Services and may terminate the Agreement with Purchaser for convenience, without liability to Purchaser for such premature termination.

11.   Purchaser instructs Cellebrite and its sub-processors to Process the Personal Data only in member states of the European Economic Area, in territories and territorial sectors recognized under an adequacy decision pursuant to Data Protection Law (e.g., Israel; U.S. companies certified to Privacy Shield), or in territories in which the recipient is bound by adequate safeguards recognized by the European Commission pursuant to Data Protection Law (e.g., Model Clauses).

12.   Cellebrite will procure that the sub-processors Process the Personal Data in a manner consistent with Cellebrite’s obligations under this Addendum and Data Protection Law, with such obligations imposed on that sub-processor by way of law or contract, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of Data Protection Law.

13.   In Processing Personal Data, Cellebrite will implement appropriate technical and organizational measures to protect the Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access in accordance with Article 32 of the GDPR and Cellebrite's IT Security Policy which Purchaser can request a copy of from Cellebrite. Cellebrite will ensure that its staff authorized to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

14.   Cellebrite shall allow for and contribute to audits, including carrying out inspections on Cellebrite's business premises conducted by Purchaser or another auditor mandated by Purchaser during normal business hours and subject to a prior notice to Cellebrite of at least 30 days as well as appropriate confidentiality undertakings by Purchaser covering such inspections in order to establish Cellebrite's compliance with this Addendum and the provisions of the applicable Data Protection Law as regards the Personal Data that Cellebrite processes on behalf of Purchaser. If such audits entail material costs or expenses to Cellebrite, the parties shall first come to agreement on Purchaser reimbursing Cellebrite for such costs and expenses.

15.   Cellebrite shall assist the Purchaser by any appropriate means available to it and applicable to its provision of the Services, to ensure compliance with the provisions of Data Protection Law on the data subject's rights.

16.   Subject to sections 17 and 18 below, Cellebrite will delete the Personal Data it has Processed on Purchaser's behalf under this Addendum from its own and its sub-processor’s systems in due course following the date of cessation of the provision of the Services involving the Processing of Personal Data. Upon Purchaser’s request, Cellebrite will furnish written confirmation that the Personal Data has been deleted pursuant to this section.

17.   Subject to section 18 below, Purchaser may, by written notice to Cellebrite, require Cellebrite to (a) return to Purchaser any Personal Data in Cellebrite's possession or control; or (b) delete the Personal Data it has Processed on Purchaser's behalf.

18.   Notwithstanding the foregoing, Cellebrite may retain the Personal Data to the extent required by applicable laws and only to the extent and for such period as required by applicable laws, provided that Cellebrite shall ensure the confidentiality of all such Personal Data and shall ensure that such Personal Data is only Processed as necessary for the purposes specified in the applicable laws requiring its storage and for no other purpose.

19.   Cellebrite shall without undue delay notify Purchaser of any ‘Personal Data Breach’ (as this term is defined and used in Data Protection Law) that it becomes aware of regarding Personal Data of Data Subjects that Cellebrite Processes. Cellebrite will use commercial efforts to mitigate the breach and prevent its recurrence. Purchaser and Cellebrite will cooperate in good faith on issuing any statements or notices regarding such breaches to authorities and Data Subjects.

20.   Cellebrite will assist Purchaser with the eventual preparation of data privacy impact assessments and prior consultation as appropriate, provided, however, that if such assistance entails material costs or expenses to Cellebrite, the parties shall first come to agreement on Purchaser reimbursing Cellebrite for such costs and expenses.

21.   Cellebrite will provide Purchaser prompt notice of any request it receives from authorities to produce or disclose Personal Data it has Processed on Purchaser’s behalf, so that Purchaser may contest or attempt to limit the scope of the production or disclosure request.

22.   All notices required or contemplated under this Addendum to be sent by Cellebrite will be sent either by electronic mail to Purchaser to the email address that Cellebrite has on file for Purchaser’s main contact person.