Data processing agreement
Last updated August 28, 2024
1. Scope
- This Data Processing Addendum (“Addendum”) forms an integral part of any agreement between Copilot.cx and its customers and/or governs any performance, supply or use of services or products supplied by Copilot.cx to its customers (including through any third party reseller or distributor).
- This Addendum is an addition to any Terms of Service, Customer License Agreement, purchase order and/or product order form governing the supply, performance or use of services and products of Co-Pilot CX Ltd. (“Copilot.cx” and the “Agreement” respectively) and applies to the extent that Copilot.cx processes Personal Data, or has access to Personal Data, in the course of supply of services or products to its customers.
- Copilot.cx shall qualify as the Data Processor and the recipient of services or products (hereinafter referred to as the “Company” or the “Customer”) shall qualify as the Data Controller.
2. Definitions
All capitalized terms not defined in this Addendum have the meanings set forth in the respective Agreement governing the supply of services or products by Copilot.cx to the Customer.
“Approved Jurisdiction” means a member state of the European Economic Area, or other jurisdiction as may be approved as having adequate legal protections for data by the European Commission.
“Breach Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed by Copilot.cx hereunder.
“Data Controller”, “Data Processor”, “data subject”, “process” and “processing” shall have the meanings ascribed to them in the Data Protection Laws.
“Data Protection Laws” means any and/or all applicable domestic and foreign laws, rules, directives and regulations, on any local, provincial, state or federal or national level, pertaining to data privacy, data security and/or the protection of Personal Data, including the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”), the Data Protection Act 2018 which is the UK's implementation of the General Data Protection Regulation (“UK GDPR”), the Israeli Protection of Privacy Law, 5741-1981 (and any regulation thereof), and the California Consumer Privacy Act of 2018 (“CCPA”) as amended by the California Privacy Rights Act of 2020 (“CPRA”), each to the extent applicable.
“Party” shall mean either Copilot.cx or Customer, and the “Parties” shall mean both Copilot.cx and Customer.
“Personal Data” means any information that is about, or can be related to, an identifiable individual. Personal Data includes any information that can be linked to an individual or used to directly or indirectly identify an individual. Personal Data shall be considered Confidential Information of the Customer.
“Security Measures” means commercially reasonable security-related policies, standards, and practices commensurate with the size and complexity of Copilot.cx's business, the level of sensitivity of the data collected, handled and stored, and the nature of Copilot.cx products and/or services offered by Copilot.cx.
“Standard Contractual Clauses” means the standard contractual clauses for the transfer of Personal Data to data processors established in third countries adopted by the European Commission Decision (EU) 2021/915 of 4 June 2021, as may be amended, superseded or replaced; in respect of transfers of Personal Data subject to the UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses of 21 March 2022 (“IDTA”).
“Sub-Processors” means any affiliate, agent or assignee of Copilot.cx that may process Personal Data on behalf of Copilot.cx as part of the supply or performance of services or products to the Customer.
3. Compliance with Laws
Each Party shall comply with its respective obligations under the Data Protection Laws.
Copilot.cx shall process Personal Data in accordance with the Agreement and provide reasonable cooperation and assistance to Company in order to allow Company to comply with its obligations as a Data Controller under Data Protection Laws.
Copilot.cx agrees to notify Company promptly if it becomes unable to comply with the terms of this Addendum and take reasonable and appropriate measures to remedy such non-compliance.
- Throughout the duration of the Agreement, Company agrees and warrants that:
a. Personal Data has been and will continue to be collected, processed and transferred by Company in accordance with the relevant provisions of the Data Protection Laws;
b. Any processing instruction to Copilot.cx in connection with the processing of the Personal Data (“Processing Instructions”), has been and will continue to be in accordance with the relevant provisions of the Data Protection Laws;
c. it has collected Personal Data and transferred such Personal Data to Copilot.cx for processing hereunder fairly and lawfully, pursuant to any applicable Data Protection Laws;
d. it has informed and obtained the consent of data subjects of the processing and transfer of Personal Data pursuant to this Addendum (including without limitation, any consent required in order to allow Copilot.cx to comply with the Processing Instructions and the performance under the Agreement) in advance. Company shall promptly inform Copilot.cx in connection with any change, amendment or request concerning the Personal Data of a data subject or the revocation of a data subject’s permission to use, process or disclose Personal Data.
e. Company shall promptly notify Copilot.cx of: (i) any changes or limitations to the notice of privacy practices that it provides to data subjects, to the extent that such changes or limitations may affect Copilot.cx’s use or disclosure of Personal Data; or (ii) any arrangements permitted by or required of Company, including, but not limited to, restrictions on use or disclosure of Personal Data agreed to by Company, that may impact the use or disclosure of Personal Data by Copilot.cx under the Agreement or this Addendum.
4. Processing: Purpose and Instructions
Copilot.cx shall process Personal Data only based on Company’s documented Processing Instructions and as necessary for the supply, performance and use of products and services of Copilot.cx under the Agreement.
Certain products and services of Copilot.cx require Company to provide the Processing Instructions through a Platform. In respect of some of Copilot.cx products or services, Company may define the necessary data scope to be processed by Copilot.cx, and Copilot.cx shall provide the services based on these definitions. Processing Instructions may also include approved communications scope with Company’s end users. Company shall remain liable with respect to any Processing Instruction it provides, provided that Copilot.cx acted in accordance therewith.
In addition to the processing of Company’s end user data and Personal Data, Copilot.cx may collect device and usage information, such as IP address, browser and device characteristics, operating system, language preferences, referring URLs, device name, country, location, information about how and when Company staff use Copilot.cx services and other technical information. This information is primarily needed to maintain the security and operation of the services, and for internal analytics and reporting purposes.
Copilot.cx shall process Personal Data only for the purpose of providing the services in accordance with the Agreement and the Data Protection Laws. Unless permitted under the Agreement, this Addendum, or applicable law, Copilot.cx shall not otherwise modify, amend, disclose or permit the disclosure of any Personal Data to any third party unless instructed to do so by Company or the relevant data subject.
Copilot.cx will not use Personal Data for any use other than as provided in the Agreement or this Addendum.
If Copilot.cx believes any Processing Instruction is not in compliance with applicable law, it will promptly inform the Company.
Notwithstanding the foregoing, Copilot.cx shall be entitled to use the Personal Data for internal, statistical and financial purposes provided however that any personal attributes shall be removed from such Personal Data or on an aggregated basis. Furthermore, Copilot.cx may use the Personal Data to de-identify the information.
The Personal Data processed by Copilot.cx will depend on the services that Company requires from Copilot.cx, the choices Company makes and the products and features Company uses, as shall be set forth in the applicable Copilot.cx Agreement, as well as, in respect of some products and services provided by Copilot.cx, the instructions and choices made by the product/service end user. The collected information may include Personal information of registered users of the Company, smart product use information of the registered users of the Company, purchase information, inquiry information, subscription information, connectivity information, metadata and analytics information, user data, account information (such as end user name, email address, phone number, location and other information that identifies an individual personally) and any other Personal Data collected by the Company or on its behalf.
The Personal Data processed will not include any Special Categories of Personal Data as they are defined under Article 9 of the GDPR.
The data subjects about whom Personal Data is processed are all end users of the Company and its products (including former end users), Company’s personnel and leads.
5. Security and Safeguards
Copilot.cx represents, warrants, and agrees to use appropriate Security Measures to (i) protect the availability, confidentiality, and integrity of any Personal Data processed by Copilot.cx in connection with the Agreement; and (ii) protect such data to minimize the possibility of Breach Incidents occurrence.
Copilot.cx may update or modify the Security Measures from time to time provided that such updates and modifications shall not result in the degradation of the overall Security Measures.
Copilot.cx shall take reasonable steps to implement appropriate technical and organizational measures and to ensure the reliability of its staff who have access to and process Personal Data. Copilot.cx shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
Breach Incidents
Upon becoming aware of a Breach Incident, Copilot.cx will notify Company as soon as reasonably practicable and without undue delay, and in any event no later than within 72 hours, and will provide information relating to the Breach Incident as reasonably requested by Company. Copilot.cx will use reasonable endeavors to assist Company in mitigating, where possible, the adverse effects of any Breach Incident.
6. Security Assessments and Audits
Copilot.cx audits its compliance against data protection and information security standards on a regular basis, as required by applicable law. Such audits are conducted by Copilot.cx’s internal audit team or by third party auditors engaged by Copilot.cx.
Copilot.cx shall, upon reasonable and written notice and subject to obligations of confidentiality, allow its data processing procedures and documentation to be inspected annually by Company in order to ascertain compliance with this Addendum. Copilot.cx shall cooperate in good faith with such audit requests by providing access to relevant knowledgeable personnel and documentation.
7. Cooperation and Assistance
If Copilot.cx receives any request from individuals relating to the processing of Personal Data under the Agreement, including requests from individuals seeking to exercise their rights under Data Protection Law (each a “Request”), Copilot.cx shall (unless legally compelled) promptly redirect the Request to Company and follow Company’s reasonable instructions and in the absence of such instructions respond directly to such Request. The Request may be received and communicated to the Company through an API, or any automatic means incorporated into Copilot.cx’s product.
A response by Copilot.cx to any request from an applicable data protection authority, supervisory authority, other government or regulatory entity or as required by law, relating to the processing of Personal Data under the Agreement and the disclosure of Personal Data as part thereof, shall not be considered to be a breach of this Agreement, provided, however, that Copilot.cx shall (to the extent legally permitted) notify Company upon receipt of such request thereof to enable Company to seek a protective order or otherwise prevent or contest such request.
Notwithstanding the foregoing, Copilot.cx will (to the extent legally permitted) cooperate with Company with respect to any action taken by it pursuant to such order, demand or request.
Upon reasonable notice, Copilot.cx shall provide reasonable assistance to Company in:
- allowing data subjects to exercise their rights under the Data Protection Law, including (without limitation) the right of access, right to rectification, restriction of processing, erasure (“right to be forgotten”), data portability, object to the processing, or the right not to be subject to an automated individual decision-making;
- ensuring compliance with any notification obligations of Breach Incidents to the supervisory authority and communication obligations to data subjects, as required under Data Protection Laws;
- ensuring Company’s compliance with its obligation to carry out Data Protection Impact Assessments (“DPIA”) or prior consultations with data protection authorities with respect to the processing of Personal Data.
Any such assistance to Company will be solely at Company’s expense and may include additional fees.
8. Use of Sub-Processors
Company acknowledges and agrees that Copilot.cx uses the services of Sub-processors listed in Annex A attached hereto, or otherwise specified in the list of Sub-processors on Copilot.cx’s website. The list shall be updated in accordance with this provision.
Company authorizes Copilot.cx to engage Sub-Processors for carrying out specific processing activities of Copilot.cx’s services listed in Annex A or on Copilot.cx’s website. To the extent that Copilot.cx wishes to update such list and engage other Sub-Processor(s), it shall provide Company with prior notice through automatic means (including through Copilot.cx’s website).
Copilot.cx will enter into an agreement with the Sub-Processor containing data protection obligations that are as restrictive as the obligations under this Addendum (to the extent applicable to the services provided by the applicable Sub-Processor) or as customary with such Sub-Processor.
9. International Data Transfers
Copilot.cx may transfer and process Personal Data to and in other locations around the world where Copilot.cx or its Sub-Processors maintain data processing operations as necessary to provide the services as set forth in the Agreement which transfer shall be deemed approved by the Company hereunder.
If Copilot.cx or its Sub-Processor processes Personal Data in a jurisdiction that is not an Approved Jurisdiction, Copilot.cx shall ensure that it has a legally approved mechanism, such as the Standard Contractual Clauses in place to allow for the international data transfer.
Subject to the foregoing, the Company hereby authorizes and approves the transfer of Personal Data pertaining to EU Data Subjects, to countries outside the EU.
10. Data Retention and Destruction
Copilot.cx will only retain Personal Data for as long as services are provided to Company in accordance with the Agreement. Notwithstanding the foregoing, Copilot.cx shall be entitled to maintain Personal Data following the termination of the Agreement for any purpose as and if required by law provided that Copilot.cx shall be further entitled to further maintain and use such Personal Data on an aggregate basis for internal research and development, statistical and financial purposes after having removed all personally identifiable attributes from such Personal Data, so that the Data is completely anonymized and no longer Personal Data.
11. Indemnification and Limitation of Liability
Each Party will indemnify and hold the other Party and each of its officers, employees and agents or Sub-Processors (subject to Section 9 above) (each an “Indemnified Party”) harmless from and against any losses, claims, actions, suits, proceedings, damages, liabilities or expenses including the aggregate amount paid in reasonable settlement of any actions, suits, proceedings, investigations or claims and the reasonable fees, disbursements and taxes of their counsel in connection with any action, suit, proceeding, investigation or claim that may be made or threatened against any Indemnified Party or in enforcing this indemnity (each a “Claim”) to which an Indemnified Party may become subject insofar as the Claim relates to, is caused by, results from, arises out of or is based upon, directly or indirectly, any failure by the Indemnifying Party to comply with the terms of this Addendum or any Data Protection Law and to reimburse each Indemnified Party forthwith, upon demand, for any cost, fine, damage, reasonable attorneys’ fee or other liability of any nature (whether direct, indirect or consequential) incurred by such Indemnified Party in connection with any Claim.
The rights accorded to the Indemnified Party hereunder shall be in addition to any rights an Indemnified Party may have at common law, under Data Protection Law or otherwise.
Any provision under the Agreement in which Copilot.cx’s liability is limited shall be incorporated herein by reference and shall be deemed Copilot.cx’s limitation of liability in connection with any Claim indemnified hereunder or mitigation efforts under Section 6 above.
12. General
In the event of a conflict between the Agreement (or any document referred to therein) and this Addendum, the provisions of this Addendum shall prevail.
Copilot.cx may modify the terms of this Addendum: (i) in circumstances such as (a) if required to do so by a supervisory authority or other government or regulatory entity, or (b) if necessary to comply with Data Protection Laws, and Copilot.cx will provide notice of such changes to Company in advance; and/or (ii) Copilot.cx may amend this Addendum from time to time without notice, provided that such changes do not adversely affect any material Company’s rights or Copilot.cx’s obligations. If Copilot.cx makes any material adverse change to Company’s rights or Copilot.cx’s obligations, Copilot.cx shall notify Company by posting an announcement on its site and/or by sending an email and in such event the modified Addendum will become effective from the effective date mentioned in the amended Addendum. Where changes to this Addendum will require the Company’s specific consent as set forth herein, the Company may terminate the Agreement for convenience by providing a notice to Copilot within ninety (90) days as of Copilot.cx’s notice of such changes without liability to either party for such premature termination. If Company’s approval is not provided within such ninety (90) days period, Copilot.cx shall be entitled to terminate the Agreement for convenience, without liability to either party for such premature termination.
If any of the Data Protection Laws are superseded by new or modified Data Protection Laws (including any decisions or interpretations by a relevant court or governmental authority relating thereto), the new or modified Data Protection Laws shall be deemed to be incorporated into this Data Protection Addendum, and parties will promptly begin complying with such Data Protection Laws.
ANNEX A
Sub Processors List
The below list indicates sub-processors used by Copilot.cx:
| Sub-Processor | Provided Service | Location |
| --- | --- | --- |
| Amazon Web Services | Virtual Private Cloud Services | USA |
| Google Cloud Platform | High-performance infrastructure for cloud computing, data analytics & machine learning | USA |
| Atlas (MongoDB) | Cloud Database Service | USA |
| CloudAmqp (RabbitMQ) | Open-source message-broker software | USA |