Common Data Protection Terms
Global Processor Layer Terms — Awide Labs Ltd.
Last revised: April 16, 2026
These Common Data Protection Terms (the “Common Terms”) form the shared processor-layer core that supports the regional Data Processing Addendum issued by Awide Labs Ltd. They are referenced in, and form part of, the Master Data Processing Addendum (EEA / UK / Switzerland / Israel) (“Master DPA”) and the US Data Processing Addendum (“US DPA”, together with the Master DPA, the “Regional DPAs”). These Common Terms apply only when Awide acts as a processor on behalf of the Customer in the processor layer described in Section 1.4 of the Awide Privacy Notice.
1. PARTIES, SCOPE AND ROLE ALLOCATION
1.1. These Common Terms apply between:
- Awide Labs Ltd., a company incorporated under the laws of the State of Israel, with registered offices in Tel Aviv, Israel (“Awide”, “Processor”); and
- the entity that has entered into the Agreement and the applicable Regional DPA with Awide (“Customer”, “Controller”, “Business”).
1.2. These Common Terms form part of, and are incorporated by reference into,
- (a) the End User License Agreement, master services agreement or other written or click-through agreement under which Awide makes the Software available to the Customer (the “Agreement”), and
- (b) each Regional DPA executed between the Parties.
The Common Terms do not stand alone. In the event of a conflict, the order of precedence is:
- (i) the Standard Contractual Clauses and the UK IDTA, where applicable;
- (ii) the relevant Regional DPA;
- (iii) these Common Terms;
- (iv) the Agreement.
1.3. Awide acts as Processor only when, and only to the extent that, it processes Personal Data on behalf of the Customer in connection with one or more of the following narrowly defined processing activities (the “Processor-Layer Activities”):
- (a) Support and Diagnostics: provision of product (license) support, diagnostics, incident response, or troubleshooting that requires Awide to access, receive, view, copy, or otherwise process Personal Data located inside the Customer environment, including support tickets, log files, database dumps, configuration files, query samples, performance traces, and similar diagnostic artefacts shared by the Customer or generated under Customer-authorised remote access; and
- (b) License Enforcement Telemetry: receipt and processing by Awide of technical signals generated inside the Customer environment by the Software for the purpose of verifying license validity and scope of use, but only to the extent such signals contain Personal Data.
1.4. Activities Outside Scope
For the avoidance of doubt, the following activities are not governed by these Common Terms or any Regional DPA, and Awide does not act as Processor in respect of them:
- (a) processing performed by the Software inside the Customer environment without transmission of Personal Data to Awide (the Customer is the sole Controller / Business; Awide has no role under the AWS Shared Responsibility Model and equivalent cloud shared-responsibility frameworks);
- (b) processing performed by Awide as Controller / Business in the Awide-controlled layer, including operation of the public website, pre-contract communications, negotiations, contract execution, marketplace transactions, License Administration (issuance of license keys, EULA acceptance records, billing, maintenance of licensing records), CRM, marketing where permitted, and business-record keeping, all of which are governed by the Awide Privacy Notice and not by the Regional DPAs; and
- (c) End User License Agreement workflows, including negotiation of contract terms, collection of signatory and representative data, and maintenance of licensing records (License Administration).
1.5. The Customer warrants and represents that, with respect to Personal Data made available to Awide under the Processor-Layer Activities:
- (a) the Customer is the Controller (or, where applicable, a Processor acting on behalf of a third-party Controller) and/or the Business / Third-Party / Service Provider customer, as those terms are defined under applicable Data Protection Laws;
- (b) the Customer has a valid legal basis under applicable Data Protection Laws for the processing it instructs Awide to perform and has obtained all consents, provided all notices, and undertaken all assessments (including, where required, data protection impact assessments and legitimate interests assessments) required for such processing;
- (c) the Customer has informed the relevant Data Subjects in accordance with Articles 13 and 14 GDPR, the equivalent provisions of the UK GDPR, the FADP and the Israel PPL, and applicable US state privacy laws, of the processing carried out under the Regional DPAs, including the involvement of Awide as Processor and its Sub-Processors; and
- (d) the Customer’s documented processing instructions, the use of the Software in accordance with the Documentation, and the support, diagnostic and License-Enforcement-Telemetry processes described in the Agreement constitute the Customer’s complete and final documented instructions to Awide. Any additional or modified instructions require mutual written agreement and may be subject to additional fees.
1.6. Nothing in these Common Terms, the Regional DPAs, or the Agreement shall be construed as creating a joint-controllership relationship within the meaning of Article 26 GDPR, Article 26 UK GDPR, Article 9 FADP, or any equivalent provision.
2. DEFINITIONS
Capitalized terms not defined herein have the meanings given to them in the EULA, the applicable Regional DPA, or applicable Data Protection Laws. In these Common Terms:
- “Agreement” has the meaning given in Section 1.2.
- “Awide-controlled layer” means processing activities performed by Awide for its own business purposes, as described in Section 1.1 of the Awide Privacy Notice.
- “Customer environment” means the Customer’s cloud account, on-premise infrastructure, or other infrastructure in which the Software is deployed, configured and operated by the Customer.
- “Data Protection Laws” means all laws, regulations, regulatory codes of practice, and binding guidance applicable to a Party in connection with its processing of Personal Data, including: Regulation (EU) 2016/679 (“GDPR”); the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 and the Data Protection Act 2018 (“UK GDPR”); the Swiss Federal Act on Data Protection of 25 September 2020 (“FADP”); the Israel Privacy Protection Law, 5741-1981, including the Privacy Protection (Data Security) Regulations, 5777-2017 and Amendment No. 13 (“Israel PPL”); and US state privacy laws including the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act (“CCPA”), the Virginia Consumer Data Protection Act (“VCDPA”), the Colorado Privacy Act (“CPA”), the Connecticut Data Privacy Act (“CTDPA”), the Utah Consumer Privacy Act (“UCPA”), the Texas Data Privacy and Security Act (“TDPSA”), the Oregon Consumer Privacy Act (“OCPA”), the Montana Consumer Data Privacy Act (“MCDPA”), the Tennessee Information Protection Act (“TIPA”) and the Florida Digital Bill of Rights (“FDBR”).
- “Documentation” means the technical and user documentation made generally available by Awide in connection with the Software.
- “Effective Date” means the date of acceptance of these Common Terms by the Customer.
- “License Administration” means the activities listed in Section 1.4(b).
- “License Enforcement Telemetry” has the meaning given in Section 1.3(b).
- “Personal Data” means any information relating to an identified or identifiable natural person, including “personal information” as defined under US state privacy laws, that is processed by Awide on behalf of the Customer in the Processor-Layer Activities.
- “Processor-Layer Activities” has the meaning given in Section 1.3.
- “Security Incident” means any confirmed accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed by Awide under the Processor-Layer Activities.
- “Software” means Awide PostgreSQL DBMS, the Awide PostgreSQL Operations Intelligence Suite (“PgSuite”), Awide Polar (Disaggregated Compute and Storage), and other Awide products licensed by Customer under the Agreement.
- “Standard Contractual Clauses” or “EU SCCs” means the standard contractual clauses adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as in force from time to time.
- “Sub-Processor” means any third party engaged by Awide to process Personal Data on behalf of the Customer in the course of Processor-Layer Activities. For the avoidance of doubt, service providers engaged by Awide for the Awide-controlled layer are not Sub-Processors under these Common Terms or any Regional DPA.
- “Support Data” means Personal Data shared with, transmitted to, or accessed by Awide in connection with Support and Diagnostics, including support tickets, log files, database dumps, configuration files, query samples, performance traces and any incidental Personal Data embedded therein.
- “TOMs” means the technical and organizational measures set out in Exhibit 1.
- “UK IDTA” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued under section 119A of the Data Protection Act 2018 and laid before Parliament on 2 February 2022, as in force from time to time.
3. PROCESSING INSTRUCTIONS
3.1. Awide shall process Personal Data in the Processor-Layer Activities only on documented instructions from the Customer, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by applicable law. Where such legal requirement applies, Awide shall inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
3.2. The Parties agree that the Agreement, these Common Terms, the applicable Regional DPA, the Documentation, the Customer’s configuration and use of the Software, and the support tickets raised by the Customer through Awide’s designated channels constitute the Customer’s complete and final documented processing instructions to Awide as of the Effective Date. Any additional or modified instruction must be agreed by the Parties in writing and may, at Awide’s reasonable discretion, be subject to additional fees commensurate with the additional work required.
3.3. Awide shall promptly notify the Customer if, in its reasonable opinion, an instruction infringes applicable Data Protection Laws. Awide shall not be obliged to perform an audit or legal analysis of Customer’s instructions, but shall not be required to comply with any instruction that would, in its reasonable opinion, expose it to liability under applicable Data Protection Laws.
3.4. Awide shall not:
- (a) sell or share Personal Data within the meaning of the CCPA or any equivalent US state privacy law;
- (b) retain, use or disclose Personal Data for any purpose other than for the specific business purposes of providing the Processor-Layer Activities to the Customer, including any commercial purpose other than the business purposes specified in the Agreement and the Regional DPAs, or as otherwise permitted by applicable Data Protection Laws;
- (c) retain, use or disclose Personal Data outside the direct business relationship between the Parties;
- (d) combine Personal Data received from, or on behalf of, the Customer with Personal Data that Awide receives from, or on behalf of, another person, or collects from its own interaction with a consumer, except as permitted under §7050(b) of the CCPA Regulations or equivalent provisions.
3.5. Awide certifies that it understands the restrictions in Section 3.4 and will comply with them.
4. CONFIDENTIALITY
Awide shall ensure that persons authorized to process Personal Data have:
- (a) committed themselves to confidentiality under a written agreement or are under an appropriate statutory obligation of confidentiality;
- (b) received training appropriate to the nature of the Personal Data processed and the role performed; and
- (c) been granted access to Personal Data on a need-to-know basis under role-based access controls, with access promptly revoked when no longer required.
5. TECHNICAL AND ORGANISATIONAL MEASURES
5.1. Awide shall implement and maintain the technical and organizational measures described in Exhibit 1 to ensure a level of security appropriate to the risk presented by the Processor-Layer Activities, having regard to the state of the art, the costs of implementation, the nature, scope, context and purposes of processing, and the risks of varying likelihood and severity for the rights and freedoms of natural persons.
5.2. Awide may update the TOMs from time to time, provided that the overall level of security afforded to Personal Data is not materially diminished. Where required by applicable Data Protection Laws, Awide shall make available, on Customer’s reasonable request, information sufficient to demonstrate that the updated measures continue to meet the standard set out in Section 5.1.
5.3. The TOMs apply to the Awide-operated support infrastructure used by Awide to perform the Processor-Layer Activities. Security of the Customer environment (including key management, encryption configuration, network architecture, identity and access management, monitoring and logging within the Customer environment) is the responsibility of the Customer in accordance with the cloud provider’s shared-responsibility model. Awide is not responsible for security configurations, controls or incidents within the Customer environment that are not attributable to acts or omissions of Awide.
5.4. Where the Israel PPL applies to Personal Data, Awide shall comply with the security level applicable to the relevant database classification under the Privacy Protection (Data Security) Regulations, 5777-2017 (basic, medium or high), as determined in good faith by Awide on the basis of the nature, volume and sensitivity of the Personal Data shared by the Customer for Processor-Layer Activities.
6. SUB-PROCESSORS
6.1. The Customer provides Awide with general written authorization to engage Sub-Processors for the performance of the Processor-Layer Activities. Awide remains responsible to the Customer for the performance of its Sub-Processors’ data-protection obligations.
6.2. The current Sub-Processors authorized to process Personal Data in connection with the Processor-Layer Activities are listed in Exhibit 2.
6.3. Awide shall notify the Customer of any intended addition or replacement of a Sub-Processor by updating Exhibit 2 and by providing notice through Awide’s designated change-notification channel (email to the Customer’s designated privacy contact, in-product banner, or a dedicated subscription-based notification page), giving the Customer at least thirty (30) days to object on reasonable data-protection grounds.
6.4. If the Customer objects in writing during the objection period on reasonable data-protection grounds, the Parties shall work together in good faith to identify a mutually acceptable resolution. If no resolution is reached within thirty (30) days of the Customer’s objection, the Customer’s exclusive remedy is to terminate, on written notice, the affected portion of the Processor-Layer Activities, without prejudice to fees already paid for the period prior to termination.
6.5. Awide shall impose, by way of a written contract with each Sub-Processor, data-protection obligations no less protective than those set out in these Common Terms and the applicable Regional DPA. Awide shall remain liable to the Customer for the performance of each Sub-Processor’s obligations to the extent set out in Section 11 and the Agreement.
6.6. Where the Customer purchases the Software through a cloud marketplace (including AWS Marketplace, Microsoft Azure Marketplace, or Google Cloud Marketplace), the cloud provider’s own data-processing terms shall additionally apply to processing performed by that provider, in accordance with the marketplace terms accepted by the Customer. Such conditions are obligatory and are applied automatically when the Customer uses the Software through a cloud marketplace.
7. SECURITY INCIDENT NOTIFICATION
7.1. Awide shall notify the Customer of a Security Incident affecting Personal Data processed under the Processor-Layer Activities without undue delay and, in any event, within seventy-two (72) hours after Awide has confirmed the occurrence of the Security Incident.
7.2. To the extent then known, the notification shall include:
- (a) a description of the nature of the Security Incident, including, where possible, the categories and approximate number of Data Subjects and Personal Data records concerned;
- (b) the name and contact details of Awide’s designated privacy contact (info@awide.io);
- (c) a description of the likely consequences of the Security Incident; and
- (d) a description of the measures taken or proposed to be taken by Awide to address the Security Incident, including, where appropriate, measures to mitigate its possible adverse effects.
7.3. Where, and to the extent that, the information required under Section 7.2 cannot be provided at the same time, Awide may provide it in phases without further undue delay.
7.4. A notification or response by Awide under this Section 7 shall not be construed as an acknowledgment by Awide of any fault, liability or responsibility for the Security Incident.
7.5. The Customer remains solely responsible for assessing whether the Security Incident triggers a notification obligation to a supervisory authority or to affected individuals under Articles 33 and 34 GDPR (and equivalent provisions of the UK GDPR, FADP, Israel PPL, and US state privacy laws), and for making any such notifications. Awide shall provide reasonable assistance to the Customer in accordance with Section 9.
8. DATA SUBJECT RIGHTS AND CONSUMER REQUESTS
8.1. Taking into account the nature of the Processor-Layer Activities and the information available to Awide, Awide shall assist the Customer by appropriate technical and organizational measures, insofar as possible, in fulfilling the Customer’s obligation to respond to verified requests from Data Subjects or consumers exercising their rights under applicable Data Protection Laws, including rights of access, rectification, erasure / deletion, restriction, objection, portability, opt-out of sale or sharing, opt-out of targeted advertising, limit use of sensitive personal information, opt-out of certain profiling, and appeal.
8.2. If Awide receives a Data Subject or consumer rights request directly in connection with the Processor-Layer Activities, Awide shall promptly redirect that request to the Customer, unless redirection is prohibited by applicable law.
8.3. Assistance that goes beyond the standard technical functionality of the Software and Awide’s standard support processes — for example, custom data extraction or bespoke deletion runs — may, at Awide’s reasonable discretion, be provided on a time-and-materials basis at Awide’s then-current professional-services rates, subject to advance written agreement on scope and cost.
9. DPIA, PRIOR CONSULTATION AND REGULATOR ASSISTANCE
Awide shall provide reasonable assistance to the Customer, at Customer’s reasonable request and at Customer’s cost (other than assistance that is part of Awide’s standard support offering), in connection with:
- (a) data protection impact assessments under Article 35 GDPR (and equivalent provisions);
- (b) prior consultations with supervisory authorities under Article 36 GDPR (and equivalent provisions); and
- (c) compliance with the Customer’s obligations regarding security of processing, Security Incident notification and Data Subject communication under Articles 32–36 GDPR (and equivalent provisions).
10. AUDIT
10.1. The Customer may, no more than once per twelve-month period and at Customer’s expense, conduct an on-site audit of Awide’s support infrastructure used for the Processor-Layer Activities only where:
- (a) a competent supervisory authority has issued a binding request for such audit; or
- (b) a Security Incident materially affecting the Customer’s Personal Data has been confirmed and the third-party reports referred to in Section 10.1 are insufficient to demonstrate compliance.
10.3. Any on-site audit shall:
- (a) be conducted by the Customer or a qualified independent auditor designated by the Customer that is not a competitor of Awide and is not engaged on a contingency-fee basis;
- (b) be subject to a written non-disclosure agreement substantially in the form requested by Awide;
- (c) be carried out during normal business hours on at least thirty (30) days’ prior written notice (except where shorter notice is required by a binding regulator request);
- (d) not unreasonably interfere with Awide’s operations;
- (e) not require Awide to disclose information that would breach its obligations of confidentiality to third parties, expose security-sensitive information beyond what is necessary to perform the audit, or breach applicable law; and
- (f) be limited in scope to verification of compliance with these Common Terms and the applicable Regional DPA.
11. LIABILITY
11.1. Each Party’s aggregate liability arising out of or in connection with these Common Terms, the applicable Regional DPA, and any Standard Contractual Clauses, UK IDTA or Swiss Addendum entered into between the Parties, whether in contract, tort (including negligence) or otherwise, is subject to the limitations and exclusions of liability set out in the Agreement, except where applicable Data Protection Laws prohibit such limitation.
11.2. To the extent permitted by applicable law, the aggregate liability of Awide for any and all claims arising out of or in connection with the processing of Personal Data under these Common Terms and the Regional DPAs in any twelve-month period shall not exceed two (2) times the fees paid or payable by the Customer to Awide under the Agreement during the twelve-month period preceding the event giving rise to the claim. This super-cap is part of, and not additional to, the general liability cap in the Agreement.
11.3. In no event shall either Party be liable to the other for any indirect, consequential, special, incidental, punitive or exemplary damages, including loss of profits, revenue, business opportunity, goodwill, anticipated savings or use of data, arising out of or in connection with these Common Terms or the Regional DPAs, even if advised of the possibility of such damages.
11.4. The Customer shall indemnify, defend and hold harmless Awide, its Affiliates and their respective directors, officers, employees and agents, from and against any and all third-party claims, losses, damages, liabilities, fines, penalties, costs and expenses (including reasonable legal fees) arising out of or in connection with:
- (a) the Customer’s breach of its warranties in Section 1.5;
- (b) the inclusion in any Personal Data shared with Awide of special-category data under Article 9 GDPR, sensitive personal information under US state privacy laws, criminal-offence data under Article 10 GDPR, or children’s data under COPPA, where such inclusion was not expressly agreed in writing by Awide;
- (c) the Customer’s failure to provide the notices, obtain the consents, or perform the assessments required by applicable Data Protection Laws; or
- (d) any instruction given by the Customer to Awide that infringes applicable Data Protection Laws.
11.5. Liability towards Data Subjects under Clause 12 of the EU SCCs, Clause 12 of the UK IDTA and the Swiss Addendum is not limited by this Section 11 to the extent prohibited by applicable law, but, as between the Parties, the cap and exclusions in Sections 11.1 to 11.3 apply.
12. RETURN AND DELETION OF PERSONAL DATA
12.1. Awide shall, at Customer’s choice expressed in writing, return to the Customer or delete all Support Data within thirty (30) days following the closure of the relevant support case or other Processor-Layer Activity to which it relates, unless retention is required by applicable law. Where Customer does not express a choice, Awide shall delete Support Data within thirty (30) days of closure as the default.
12.2. Awide may retain Personal Data in encrypted, access-controlled backups for so long as is reasonably necessary under Awide’s standard backup-rotation policy (and, in any event, no longer than ninety (90) days after the original deletion), subject to continued confidentiality and security obligations under these Common Terms. Backup copies shall not be used for any purpose other than disaster recovery and shall be overwritten in the ordinary course of backup rotation.
12.3. Awide may retain Personal Data to the extent and for as long as required by applicable law, in which case Awide shall continue to protect such Personal Data in accordance with these Common Terms until deletion is permitted.
12.4. Awide shall, on Customer’s reasonable written request, certify in writing that it has complied with this Section 12.
12.5. For the avoidance of doubt, Personal Data residing in the Customer environment remains under the Customer’s exclusive control and is not subject to Awide’s deletion obligations under this Section 12.
13. INTERNATIONAL TRANSFERS
13.1. Awide is established in Israel. Awide relies on the adequacy decision of the European Commission for Israel (Commission Decision 2011/61/EU, as maintained) and the equivalent recognition under the UK GDPR and the FADP for transfers of Personal Data from the EEA, the UK and Switzerland to Awide in Israel, subject to the scope and conditions of those decisions.
13.2. Where Awide engages a Sub-Processor that processes Personal Data outside the EEA, the UK or Switzerland and no adequacy decision applies, Awide shall ensure that the transfer is subject to an appropriate transfer mechanism, including the EU SCCs, the UK IDTA, the Swiss Addendum, or, where the importer is duly certified, the EU–US Data Privacy Framework, the UK Extension to the Data Privacy Framework, or the Swiss–US Data Privacy Framework.
13.3. Awide Labs Ltd., as an Israeli entity, does not itself participate in the EU–US, UK or Swiss–US Data Privacy Framework. Awide relies on the Israel adequacy decision and, where required, the SCCs / UK IDTA / Swiss Addendum executed under the applicable Regional DPA. Sub-Processors that are certified under the Data Privacy Framework (such as Amazon Web Services, Inc. and Google LLC) may rely on the DPF for onward transfers to the United States within the scope of their certifications.
13.4. Awide shall:
- (a) review the legality of any binding request for disclosure of Personal Data received from a public authority, in particular by considering whether the request is consistent with the safeguards required under applicable Data Protection Laws and the EU SCCs;
- (b) where legally permitted, promptly notify the Customer of the request and provide the Customer with reasonable assistance to challenge it;
- (c) where notification is prohibited, use reasonable efforts to obtain a waiver of the prohibition, and document its efforts; and
- (d) disclose only the minimum amount of Personal Data necessary to comply with the request and challenge the request where there are reasonable grounds to consider it unlawful.
14. NO AUTOMATED DECISION-MAKING IN PROCESSOR LAYER
Awide does not carry out, on behalf of the Customer in the Processor-Layer Activities, decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects on Data Subjects within the meaning of Article 22 GDPR. Where the Customer uses the Software to carry out such processing in the Customer environment, the allocation of developer / deployer obligations under applicable law (including the EU AI Act, the Colorado AI Act and US state privacy laws) is set out in the EULA and any applicable rider, and not in these Common Terms.
15. NO CHILDREN’S DATA
The Software and the Processor-Layer Activities are intended for business users. The Customer shall not knowingly cause or permit Awide to process Personal Data relating to children under the age of 16 (or under 13 as defined by COPPA) in the Processor-Layer Activities. If the Customer becomes aware that such Personal Data has been transmitted to Awide, the Customer shall promptly notify Awide and the Parties shall cooperate to delete such Personal Data without undue delay.
16. SPECIAL CATEGORIES AND SENSITIVE PERSONAL INFORMATION
The Customer acknowledges that the Software is not designed for, and the Processor-Layer Activities are not intended to involve, the processing of special-category data within the meaning of Article 9 GDPR, criminal-offence data under Article 10 GDPR, or sensitive personal information under US state privacy laws (including, where applicable, biometric data, health data, precise geolocation, government identifiers, and information about racial or ethnic origin, religion, sexual orientation, or political opinions). The Customer shall use reasonable measures to redact, mask, pseudonymise or otherwise exclude such categories of Personal Data from Support Data and License Enforcement Telemetry before transmission to Awide.
17. TERM AND TERMINATION
These Common Terms shall remain in effect for the duration of the Agreement and any Regional DPA executed thereunder, and shall automatically terminate upon termination or expiration of the Agreement, subject to the survival of provisions intended to survive termination, including Sections 4, 7, 11, 12, 13, 16 and 18.
18. GENERAL PROVISIONS
18.1. If any provision of these Common Terms is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect, and the invalid or unenforceable provision shall be replaced by a valid and enforceable provision that achieves, to the extent possible, the original commercial intent of the Parties.
18.2. These Common Terms, together with the Regional DPAs and any Standard Contractual Clauses, UK IDTA or Swiss Addendum incorporated by reference, constitute the entire agreement of the Parties on the subject matter described herein and supersede all prior agreements or understandings on that subject matter.
18.3. Except as expressly provided for Data Subjects under the EU SCCs, the UK IDTA, the Swiss Addendum and the US DPA, nothing in these Common Terms confers any rights or remedies on any person other than the Parties.
18.4. Notices to Awide under these Common Terms shall be sent to info@awide.io with a copy to the contact specified in the Agreement. Notices to the Customer shall be sent to the privacy contact specified by the Customer in the Regional DPA or, where none, the address for notices in the Agreement.
Awide Labs Ltd.
Derech Menachem Begin 150, We TLV Building
Tel Aviv, Israel
Email: info@awide.io
EXHIBIT 1 — TECHNICAL AND ORGANISATIONAL MEASURES
These technical and organizational measures (the “TOMs”) describe the security framework implemented by Awide in respect of its support infrastructure used to perform the Processor-Layer Activities. They apply to Personal Data while in Awide’s custody and control. The Customer is responsible for security in the Customer environment.
1. Governance and Policy
- Documented information-security policies covering acceptable use, access control, cryptography, secure development, incident response, business continuity, supplier management, and human-resources security, reviewed at least annually.
- Designated Privacy Contact (info@awide.io).
- Risk-assessment process to identify, assess and treat information-security and privacy risks.
2. Access Control
- Centralized identity provider with role-based access control (RBAC) and the principle of least privilege.
- Multi-factor authentication (MFA) enforced for all access to support infrastructure and administrative consoles.
- Access reviews performed at least quarterly.
- Prompt revocation of access upon personnel role change or termination (within one business day for routine changes; immediate for terminations).
- Separate administrative accounts for privileged operations; no shared accounts for production systems.
3. Encryption and Key Management
- Encryption of Personal Data in transit using TLS 1.2 or higher (TLS 1.3 preferred), with current industry-standard cipher suites.
- Encryption of Personal Data at rest using AES-256 or an equivalent algorithm.
- Cryptographic keys stored in hardware-backed key-management services (AWS KMS or equivalent) with rotation in accordance with industry best practice.
4. Network and Infrastructure Security
- AWS-based hosted support infrastructure with CIS-aligned hardening of operating system and application configurations.
- Network segmentation between production, staging and corporate environments.
- Web application firewall and DDoS protection at the perimeter.
- Centralized logging of administrative and security-relevant events, with retention sufficient for security investigations.
- Time-synchronized logs.
5. Endpoint and Workforce Security
- Managed endpoints with full-disk encryption, endpoint detection and response (EDR), and automatic patching.
- Mandatory security-awareness training for all personnel on hire and at least annually thereafter.
- Background screening, where permitted by applicable law, for personnel with access to Personal Data.
6. Secure Development
- Documented secure software-development life cycle (SDLC) including threat modelling, code review, dependency scanning and static analysis.
- Separation of development, testing and production environments.
- Restricted access to production data from non-production environments.
7. Vulnerability Management
- Regular vulnerability scanning of internet-facing assets and support infrastructure.
- Annual penetration testing by a qualified independent third party.
- Documented vulnerability-remediation timeframes prioritized by risk.
8. Incident Response and Business Continuity
- Documented incident-response plan covering identification, containment, eradication, recovery and post-incident review.
- Annual tabletop exercises for the incident-response team.
- Documented business-continuity and disaster-recovery plans for the support infrastructure, with defined recovery-time and recovery-point objectives.
- Encrypted backups with periodic restoration tests.
9. Physical Security
- Support infrastructure hosted in AWS data centres benefiting from physical-security controls described in the AWS shared-responsibility documentation (24x7 staffed perimeter, biometric access, CCTV).
- Awide’s corporate facilities operate under access controls appropriate to the sensitivity of activities performed on-site.
10. Sub-Processor Management
- Documented due-diligence process before onboarding Sub-Processors that may process Personal Data.
- Data-protection obligations imposed on Sub-Processors no less protective than those in these Common Terms.
- Periodic monitoring of Sub-Processor compliance.
11. Israel PPL Data-Security Regulations
Where Personal Data is subject to the Israel PPL, Awide implements controls aligned with the basic, medium or high security level as required by the Privacy Protection (Data Security) Regulations, 5777-2017, and notifies the Customer of material Security Incidents as required by Amendment No. 13.
12. Updates
Awide may update these TOMs from time to time in accordance with Section 5.2 of the Common Terms. The current version is available on request to info@awide.io.
EXHIBIT 2 — SUB-PROCESSORS
The following Sub-Processors are authorized as of the Effective Date to process Personal Data in connection with the Processor-Layer Activities. The current list is maintained by Awide and made available on request to info@awide.io.
| Sub-Processor | Purpose | Location of Processing | Transfer Mechanism (where applicable) |
|---|---|---|---|
| Amazon Web Services, Inc. / AWS EMEA SARL | Hosting of Awide’s support infrastructure, encrypted storage of Support Data, key management | Israel for EU Customers / USA for US Customers | Adequacy decision of the European Commission for Israel (Commission Decision 2011/61/EU, as maintained); EU SCCs / UK IDTA / Swiss Addendum via AWS DPA; EU–US DPF where applicable. |
| Customer-relationship and ticketing system provider | Receipt, triage and management of support tickets and related communications | Israel for EU Customers / USA for US Customers | Adequacy decision of the European Commission for Israel (Commission Decision 2011/61/EU, as maintained); EU SCCs / UK IDTA / Swiss Addendum under the provider’s data processing agreement; EU–US DPF where the provider is certified. |
| Communications and email provider (e.g., Google Workspace operated by Google LLC) | Business communications relating to support tickets | United States | EU–US DPF / EU SCCs. |
Each Sub-Processor is engaged under data-protection terms no less protective than those in these Common Terms, in accordance with Section 6.5.
EXHIBIT 3 — DETAILS OF PROCESSING
This Exhibit describes the processing performed by Awide as Processor in the Processor-Layer Activities for purposes of Article 28(3) GDPR (and equivalent provisions) and Annex I.B of the EU SCCs.
A. Subject Matter
Provision by Awide of support, diagnostic and licence-enforcement-telemetry services to the Customer in connection with the Software, where and only to the extent such services involve processing of Personal Data on behalf of the Customer.
B. Duration of Processing
For the term of the Agreement and the applicable Regional DPA, plus any period during which Awide retains Personal Data in accordance with Section 12 of the Common Terms.
C. Nature and Purpose of Processing
- Receipt, storage, viewing, copying, analysis and deletion of Support Data shared by the Customer (support tickets, log files, database dumps, configuration files, query samples, performance traces) for the purpose of resolving support requests, performing diagnostics and providing troubleshooting.
- Receipt, storage and analysis of License Enforcement Telemetry generated inside the Customer environment, to the extent it contains Personal Data, for the purpose of verifying licence validity and scope of use.
- No use of Personal Data for marketing, product development unrelated to the specific support request, or training of models made available to third parties.
D. Types of Personal Data
To the extent embedded in Support Data or License Enforcement Telemetry, and not redacted by the Customer prior to transmission:
- Identifiers: usernames, account names, employee IDs, customer IDs, IP addresses, email addresses appearing in SQL query text or log records.
- Technical and usage data: timestamps, requested URLs, user-agent strings, application traces.
- Communications data: content of support tickets and related correspondence.
- Authentication metadata: hashed credentials, session tokens, certificate fingerprints (which the Customer is required to redact or rotate prior to transmission).
The Customer shall not knowingly include special-category, criminal-offence or sensitive personal information in Support Data or License Enforcement Telemetry (see Sections 15 and 16 of the Common Terms).
E. Categories of Data Subjects
- The Customer’s employees, contractors, agents and authorized users.
- End users of the Customer’s systems whose Personal Data may be incidentally embedded in Support Data or License Enforcement Telemetry.
F. Frequency
Ad hoc, on a per-ticket / per-session basis for Support and Diagnostics, and continuous or periodic for License Enforcement Telemetry, in accordance with the Customer’s deployment of the Software.
G. Retention Period
Support Data: up to thirty (30) days following ticket closure, with backups overwritten within ninety (90) days, in accordance with Section 12 of the Common Terms. License Enforcement Telemetry: rolling thirteen (13)-month retention or as otherwise required by applicable law.
H. Identity of Sub-Processors and Their Location
As set out in Exhibit 2.