Data Processing Agreement
Last Updated: May 5, 2025
This Data Processing Agreement ("DPA") forms part of and is governed by the agreement entered between the parties ("Agreement") executed by and between Hadar Ashuach Ltd. and the User, as such terms are defined in the Agreement. All capitalized terms not defined herein shall have the meaning set forth in the Agreement.
This DPA shall be effective as of the updated date above, or the date both parties executed the Agreement, as applicable ("Effective Date"). The term of this DPA coincides with the term of the Agreement and terminates upon expiration or earlier termination of the Agreement or, if later, the date on which Powerads.ai ceases all Processing of User Data.
WHEREAS, Powerads.ai provides User with the Services as defined under the Agreement; and
WHEREAS, the Services require Powerads.ai to Process User Data, that includes Personal Data (as such terms are defined below) on User's behalf, subject to the terms and conditions of this DPA and applicable Data Protection Laws.
1. Definitions
1.1. "Adequate Country" is a country that received an adequacy decision from the European Commission or other applicable data protection authority.
1.2. The terms "Business", "Business Purpose", "Consumer", "Controller", "Data Subject", "Database Owner", "Personal Data", "Personal Data Breach", "Personal Information", "Processing" (and "Process"), "Processor", "Holder", "Service Provider", "Sale", "Sell" and "Share", "Special Categories of Personal Data", "Sensitive Data" and "Supervisory Authority", shall all have the same meanings as ascribed to them under the applicable Data Protection Laws. Further, under this DPA: "Data Subject" shall also mean and refer to a "Consumer", "Personal Data" shall also mean and refer to "Personal Information" and "Special Categories of Data" or "Highly Sensitive Data" shall also mean and refer to "Sensitive Data".
1.3. "User Data" means User Data, including the Input and Output (as defined in the Agreement) containing Personal Data (or the equivalent term) Processed by Powerads.ai to the extent it contains Personal Data, in the course of providing the Services, all as detailed in Annex I attached herein.
1.4. "Data Protection Law" means any and all applicable privacy and data protection laws and regulations (including, where applicable, EU Data Protection Law, UK Data Protection Laws, Swiss Data Protection Laws, Israeli Law, the U.S. Data Protection Laws and any other applicable laws as may be amended or superseded from time to time).
1.5. "Deidentified Data" means information that cannot reasonably identify, relate to, describe, be capable of being associated with, be linked directly or indirectly with, or reasonably be used to infer information about an identifiable natural person, all as defined under applicable US Data Protection Laws.
1.6. "Data Privacy Framework" or "DPF" means the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework and the Swiss-U.S. Data Privacy Framework self-certification programs (as applicable) operated by the U.S. Department of Commerce; as may be amended, superseded, or replaced.
1.7. "DPF Principles" means the Principles and Supplemental Principles available at: https://www.dataprivacyframework.gov/program-articles/Participation-Requirements-Data-Privacy-Framework-(DPF)-Principles; as may be amended, superseded or replaced.
1.8. "EEA" means the European Economic Area.
1.9. "European Data Protection Law" means, collectively, the laws and regulations of the European Union, the EEA, their member states, and the United Kingdom, applicable to the Processing of Personal Data, including (where applicable): (i) "EU Data Protection Laws" – EU General Data Protection Regulation (Regulation 2016/679) ("EU GDPR"); Regulation 2018/1725; and the e-Privacy Directive (Directive 2002/58/EC), as amended (e-Privacy Law); (ii) "UK Data Protection Laws" – the Data Protection Act 2018 (DPA 2018), as amended, and EU GDPR as incorporated into UK law as amended ("UK GDPR" and collectively with the EU GDPR shall be referred to herein as the "GDPR"); (iii) "Swiss Data Protection Laws" or "FADP" – the Swiss Federal Data Protection Act (dated June 19, 1992, as of March 1, 2019) ("FDPA") and the Ordinance on the Federal Act on Data Protection ("FODP"); (iv) any national data protection laws made under, pursuant to, replacing or succeeding the EU GDPR or the e-Privacy Law; (v) any amendment or legislation replacing or updating any of the foregoing; and (vi) any judicial or administrative interpretation of any of the above, including any binding judicial or administrative interpretation of any of the above, or approved certification mechanisms issued by any relevant Supervisory Authority.
1.10. "Instructions" means the written, documented instructions provided by the User to Powerads.ai directing Powerads.ai to perform a specific or general action with regard to User Data.
1.11. "Israeli Data Protection Laws" means, collectively, the: (i) Israeli Protection of Privacy Law, 5741-1981 (as amended under Amendment 13); (ii) the regulations promulgated pursuant thereto, including the Israeli Protection of Privacy (Data Security) Regulations, 5777-2017 and the Israeli Protection of Privacy (Transfer of Data to Databases Abroad) Regulations, 5761-2001; (iii) any amendments or legislation replacing or updating any of the foregoing; and (iv) any judicial or administrative interpretation of any of the above, including any binding guidance, guidelines, codes of practice, approved codes of conduct or certification mechanisms approved by the Israeli Privacy Protection Authority.
1.12. "Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to User Data. Any Personal Data Breach will comprise a Security Incident.
1.13. "Standard Contractual Clauses" or "SCCs" means: (i) the standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council adopted by the European Commission Decision 2021/914 of 4 June 2021, which may be found at: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN and incorporated herein by reference ("EU SCC"); (ii) the UK "International Data Transfer Addendum to the European Commission Standard Contractual Clauses" available at: https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf and incorporated herein by reference ("UK SCC"); or (iii) the applicable standard data protection clauses issued, approved or recognized by the Swiss Federal Data Protection and Information Commissioner ("Swiss SCC").
1.14. "U.S. Data Protection Laws" means any and all applicable federal and state privacy laws and regulations applicable to the Supplier's Processing activities of Powerads.ai Data under this DPA, and any implementing regulations and amendment thereto, including without limitation the: (i) California Consumer Privacy Act (Cal. Civ. Code §§ 1798.100 – 1798.199) of 2018 including as modified by the California Privacy Rights Act as well as all regulations promulgated thereunder from time to time ('CCPA'); (ii) the Colorado Privacy Act C.R.S.A. § 6-1-1301 et seq. (SB 21-190) ('CPA'); (iii) the Connecticut Data Privacy Act, S.B. 6 (Connecticut 2022) ('CTDPA'); (iv) the Florida Digital Bill of Rights S.B 262 ('FDBR'); (v) the Montana Consumer Data Privacy Act 68th Legislature 2023, S.B. 0384 ('MTCDPA'); (vi) the Oregon Consumer Data Privacy Act ORS 646A.570-646A.589 ('OCDPA'); (vii) the Texas Data Privacy and Security Act, Tex. Bus. & Com. Code Ann. § 541.001 et seq ('TDPSA'); (viii) the Utah Consumer Privacy Act, Utah Code Ann. § 13-61-101 et seq ('UCPA'); and (ix) the Virginia Consumer Data Protection Act, Va. Code Ann. § 59.1-575 et seq. (SB 1392). All as amended or superseded from time to time and including any implementing regulations and amendments thereto.
1.15. "Usage Data" means information about User's or its Authorized Users' use of the Platform and Services; such information may include, without limitation, access logs, session replays, clickstream, errors, and crashes, all as detailed in the Powerads.ai Privacy Policy.
2. Roles and Details of Processing
2.1. The parties agree and acknowledge that under the performance of their obligations set forth in the Agreement, and with respect to the Processing of User Data, Powerads.ai is acting as a Data Processor and User is acting as a Data Controller. Notwithstanding the above, Powerads.ai is the owner and Data Controller of the Usage and certain User Account information, such as contact information, transactions and other commercial information which is used to manage the User relationship, provide support, repair bugs, facilitate security, optimize the user experience, provide maintenance and carry out core business functions such as accounting, billing, and filing taxes.
2.2. For the purpose of the U.S. Data Protection Laws, Powerads.ai shall Process User Personal Data as the Service Provider on behalf of the User as the Business and shall not: (i) Sell or Share the User Personal Data; (ii) retain, use or disclose the User Personal Data for any purpose other than for a Business Purpose specified in the Agreement; or (iii) combine the User Personal Data with other Personal Data that it receives from, or on behalf of, another User.
2.3. The User shall be exclusively responsible to ensure its Instructions are compliant with applicable Data Protection Laws and enable a lawful Processing of User Data, including by obtaining any required consent and providing any required disclosures under applicable Data Protection Laws. Powerads.ai shall act on such Instructions as provided by the User.
2.4. The subject matter and duration of the Processing carried out by Powerads.ai on behalf of the User, the nature and purpose of the Processing, the type of Personal Data and categories of Data Subjects are described in Annex I attached hereto.
2.5. The User acknowledges and agrees that, as part of the Processing, the User Data will be processed using Artificial Intelligence features and technologies, as described in the Agreement and provided by Powerads.ai.
3. Processing of Personal Data
3.1. Powerads.ai represents and warrants that it shall Process User Data, on behalf of the User, solely for the purpose of providing the Services, all in accordance with User's Instructions. Notwithstanding the above, in the event Powerads.ai is required under applicable laws, including Data Protection Law, to Process User Data other than as instructed by User, it shall make its best efforts to inform the User of such requirement prior to Processing such User Data, unless prohibited under applicable law.
3.2. Powerads.ai shall inform User without undue delay in the event that, according to Powerads.ai's reasonable discretion, any of User's Instructions infringes applicable laws, and Powerads.ai shall have the right to immediately cease and suspend any such Processing activity related to the infringing Instruction.
3.3. Powerads.ai shall provide reasonable cooperation and assistance to the User in ensuring compliance with its obligation to carry out data protection impact assessments and prior consultations with Supervisory Authorities or other competent data privacy authorities to the extent required under applicable Data Protection Laws, provided that, Powerads.ai shall only be required to assist as for information which is reasonably available to Powerads.ai and User does not have reasonable access to such information.
3.4. Powerads.ai shall ensure: (i) the reliability of its staff and any other person acting under its supervision who may access or Process User Data; and (ii) that the staff or any other person authorized to Process the User Data has committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4. Data Subjects Rights and Requests
4.1. It is agreed that where Powerads.ai receives a data subject request or a request from a regulator or authority in respect to User Data, where applicable, Powerads.ai will notify the User of such request promptly and direct the Data Subject or the applicable authority to the User in order to enable the User to respond directly to the Data Subject's or the applicable authority's request, unless otherwise required under applicable laws or prohibited.
4.2. Powerads.ai will reasonably cooperate and assist User in responding to such request, provided that the User cannot reasonably fulfill such obligations independently with the help available in the documentation, the website or any other self-service feature provided by Powerads.ai.
5. Sub-Processing
5.1. The User acknowledges that Powerads.ai may transfer User Data to and otherwise interact with third party data processors ("Sub-Processor"). The User hereby authorizes Powerads.ai to engage and appoint such Sub-Processors to Process User Data, as well as permits each Sub-Processor to appoint a Sub-Processor on its behalf. Powerads.ai may continue to use those Sub-Processors already engaged by it. Powerads.ai may replace its existing Sub-Processors or add additional Sub-Processors provided it notifies the User before authorizing such Sub-Processor(s) to Process User Data in connection with the provision of the Services (email will suffice). User may reasonably object to the use of a new Sub-Processor by notifying Powerads.ai promptly in writing within 10 days after receipt of Powerads.ai's notice. User shall explain its reasonable grounds for objection. In the event User objects to a new Sub-Processor, Powerads.ai will use commercially reasonable efforts to make available to User a change in the Services or recommend a commercially reasonable change to User's configuration or use of the Services to avoid Processing of User Data by the objected-to new Sub-Processor without unreasonably burdening User. If Powerads.ai is unable to make available such change within a reasonable period of time, either party may terminate without penalty the Agreement with respect only to those Services which cannot be provided by Powerads.ai without the use of the objected-to new Sub-Processor by providing written notice to the other party.
5.2. Powerads.ai shall, where it engages any Sub-Processor, impose, through a legally binding contract between Powerads.ai and the Sub-Processor, data protection obligations that are no less onerous than, and provide at least the same level of protection as, those set out in this DPA. Powerads.ai shall ensure that such contract will require the Sub-Processor to provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of Data Protection Laws.
5.3. Powerads.ai shall remain responsible to the User for the performance of the Sub-Processor's obligations in accordance with this DPA.
6. Technical and Organizational Measures
Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, and without prejudice to any other security standards agreed upon by the parties, Powerads.ai hereby confirms that it has implemented and will maintain appropriate physical, technical and organizational measures to protect the User Data as required under Data Protection Laws to ensure lawful Processing of User Data and safeguard User Data from unauthorized, unlawful or accidental processing, access, disclosure, loss, alteration or destruction.
7. Security Incident
7.1. Powerads.ai will notify the User without undue delay (and no later than 48 hours) upon becoming aware of any Security Incident concerning User Data and will take necessary steps to remediate, minimize any effects of and investigate any Security Incident and to identify its cause. Upon User's request, Powerads.ai will reasonably co-operate with the User and provide the User with such assistance and information as it may reasonably require in connection with the containment, investigation, or mitigation of the Security Incident.
7.2. Powerads.ai will notify the User in writing and will keep the User informed of any material developments in connection with the Security Incident. Powerads.ai's notification or compliance with its obligations under this Section shall not be construed as an acknowledgment by Powerads.ai of any fault or liability with respect to the Security Incident.
8. Audit Rights
8.1. Powerads.ai shall maintain accurate written records of any and all the Processing activities carried out under this DPA and shall make such records available to the User upon 30-day prior written request, and not more than once per twelve (12) months during the Term of the Agreement. Such records provided shall be considered Powerads.ai's Confidential Information and shall be subject to confidentiality obligations.
8.2. Alternatively, in the event the records and documentation provided subject to Section 8.1 above are not sufficient for the purpose of demonstrating compliance, Powerads.ai shall make available, solely upon prior reasonable written notice and no more than once per calendar year, to a reputable auditor nominated by the User, information necessary to reasonably demonstrate compliance with this DPA and Data Protection Laws, and shall allow for audits, including inspections, by such reputable auditor solely in relation to the Processing of the User Data ("Audit") in accordance with the terms and conditions hereunder. The auditor shall be subject to standard confidentiality obligations (including third parties). Powerads.ai may object to an auditor appointed by the User in the event Powerads.ai reasonably believes the auditor is not suitably qualified or is a competitor of Powerads.ai. User shall bear all expenses related to the Audit and shall (and ensure that each of its auditors shall) over the course of such Audit, avoid causing any damage, injury, or disruption to Powerads.ai's premises, equipment, personnel and business while its personnel are on those premises in the course of such Audit.
8.3. Nothing in this DPA will require Powerads.ai to either disclose to User or its third-party auditor, or to allow User or its third-party auditor to access: (i) data related to other Users or partners; (ii) Powerads.ai's internal accounting or financial information; (iii) any trade secret of Powerads.ai or its Affiliates; (iv) any information that, in Powerads.ai's reasonable opinion, could compromise the security of any Powerads.ai's systems or cause any breach of its obligations under applicable law or its security or privacy obligations to any third party; or (v) any information that User or its third-party auditor seeks to access for any reason other than the good faith fulfillment of User's obligations under the Data Protection Laws.
8.4. Without derogating from the generality of the aforesaid, subject to User request, Powerads.ai will provide the User with a report on the fulfillment of its obligations under the Data Protection Laws and this DPA, and at least annually.
9. Cross Border Personal Data Transfers
9.1. Powerads.ai shall ensure any recipients of User Data, including recipients of onward transfers are recognized as Adequate Country or certified under the DPF. Further, where European Data Protection Laws apply Powerads.ai will not transfer User Data originating from the EEA, UK or Switzerland, unless it takes all such measures as are necessary to ensure the transfer is in compliance with European Data Protection Laws. Such measures may include (without limitation): (i) transferring such User Data to a recipient that is covered by a suitable framework or other legally adequate transfer mechanism recognized by the relevant authorities or courts as providing an adequate level of protection for Personal Data, including to an Adequate Country or data privacy and transfer frameworks; (ii) to a recipient that has achieved binding corporate rules authorization in accordance with applicable Data Protection Law; or (iii) to a recipient that has executed the Standard Contractual Clauses.
9.2. When User and Powerads.ai rely on the SCC to facilitate a transfer to a third country the following shall apply:
9.2.1. Transfer from the EEA. For Transfer of User Data from the EEA the EU SCC shall apply and be completed as follows: (1) Module II (Controller to Processors) will apply; (2) In Clause 7 the optional docking clause will not apply; (3) In Clause 9, option 2 (general written authorization) shall apply for the Sub-Processors listed in the Sub-Processors list and the method for appointing Sub-Processor shall be as set forth in the Sub-Processing Section of the DPA; (4) In Clause 11, the optional language will not apply, and Data Subjects shall not be able to lodge a complaint with an independent dispute resolution body; (5) In Clause 17, option 1 shall apply, and the EU SCC shall be governed by the law of the Republic of Ireland; (6) In Clause 18(b) the parties choose the competent courts of the Republic of Ireland, as their choice of forum and jurisdiction; (7) Annex I(A) of the EU SCC is completed as follows: User is the Data Exporter, Powerads.ai is the Data Importer, the parties' contact details Agreement Effective Date; Annex I(B) of the EU SCC is completed as set out in Annex I of this DPA; Annex I(C) of the EU SCC shall identify the competent supervisory authority/ies as the supervisory authority of the Republic of Ireland; (8) Annex II of the EU SCC is deemed completed with the information set out in Powerads.ai's trust center; (9) Annex III of the EU SCC shall be completed with the list of Sub-Processors.
9.2.2. Transfer from the UK. For transfer of User Data from the UK, the UK SCC shall apply and be completed as follows: (1) Table 1 shall be completed as set forth in section (a)(7) above; (2) Table 2 shall be completed as set forth in Section (a)(1) – (a)(4) above; (3) Table 3 shall be completed as follows: Annex 1A shall be completed with relevant information as set out in Section (a)(7) above; Annex 1B shall be completed with relevant information as set out in Annex I of this DPA; Annex II shall be completed with relevant information as set out in the trust center; Annex III shall be completed with the list of sub-processors; (4) Table 4 shall be completed with the "neither party" option; and (5) Any conflict between the terms of the EU SCC and the UK SCC will be resolved in accordance with Section 10 and Section 11 of the UK SCC.
9.2.3. Transfer from Switzerland. For transfer of User Data from Switzerland, the Swiss SCC shall apply with the following modifications: (i) references to "Regulation (EU) 2016/679" will be interpreted as references to the Swiss DPA; (ii) references to "EU", "Union" and "Member State law" will be interpreted as references to Swiss law; and (iii) references to the "competent supervisory authority" and "competent courts" will be replaced with "the Swiss Federal Data Protection and Information Commissioner" and the "relevant courts in Switzerland".
10. Term, Termination and Conflict
10.1. This DPA shall be effective as of the Effective Date and shall remain in force until the Agreement terminates or as long as Powerads.ai Processes User Data.
10.2. Following the termination or expiration of this DPA, Powerads.ai shall, upon User's written request, delete all User Data Processed on behalf of the User and certify to the User that it has done so, or, return all User Data to the User and delete existing copies, unless applicable law or regulatory requirements require that Powerads.ai continue to store User Data. Until the User Data is deleted or returned, the parties shall continue to ensure compliance with this DPA. User's choice shall be provided in writing to Powerads.ai, following effect of termination.
10.3. In the event of a conflict between the terms and conditions of this DPA and the Agreement, this DPA shall prevail. For the avoidance of doubt, in the event Standard Contractual Clauses have been executed between the parties, the terms of the Standard Contractual Clauses shall prevail over those of this DPA. Except as set forth herein, all of the terms and conditions of the Agreement shall remain in full force and effect as between User and Powerads.ai.
Annex I
Details of Processing
This Annex I includes certain details of the Processing of Personal Data as required under the Data Protection Laws.
Categories of Data Subjects
The User's End Users.
Categories of Personal Data or Special Categories of Personal Data
User's End Users/Leads information and Meta Platform Data (as defined in the privacy policy).
Nature of the Processing
Collection, storage, organization, communication, transfer, host and other types of Processing for the purpose of providing the Services as set out in the Agreement by Powerads.ai.
Purpose(s) of Processing
To provide the Services, improve and enhance the Service for User.
Retention Period
For as long as it is necessary to provide the Services, improve and enhance the Service for User, and upon termination or expiration of the Agreement Powerads.ai will delete or destroy any Personal Data as requested by the User unless otherwise required by law.
Process Frequency
Continuous basis.