Privacy and Information Security Agreement

1. Definitions

   1.1. “Company” – The entity providing the services and granted access to the Group's information pursuant to the terms and conditions of the duly executed services agreement by and between such entity and the Company.

   1.2. “Group” – Yad2 Group, which comprises, without limitation, Coral - Tel Ltd., Company Registration No. 512676289, the entity responsible for the operation of the Yad2 website, and Saknai Net Ltd., Company Registration No. 513775593, the entity responsible for the operation of the “Drushim” website and “The Worker” website, as well as any and all affiliated entities, subsidiaries and any associated or related companies and/or any entity that is, at any time, directly or indirectly, under the control of the Group.

   1.3. “Privacy Protection Laws” – The Privacy Protection Law 5741-1981, the regulations that have been and will be promogulated thereunder, including the Protection of Privacy Regulations (Information Security) 5777-2017, and the guidelines of the Privacy Protection Authority, as shall be in effect from time to time.

   1.4. “Information” – “Personal Information” and/or “Information of Special Sensitivity”.

   1.5. “Personal Information” – Any information relating to an identified or identifiable individual, including Information of Special Sensitivity. An “Identifiable Individual” is someone who can be identified with reasonable effort, directly or indirectly, including by means of an identifying detail, such as a name, identification number, biometric identifier, location data, online identifier, or one or more details relating to the individual’s physical, health, economic, social, or cultural status, all in accordance with the definition of such term in the Privacy Protection Laws.

   1.6 “Information of Special Sensitivity” – Information regarding an individual’s private family life, personal privacy, sexual orientation, health and mental condition, origin, criminal record, political opinions, religious beliefs, worldview, personality assessment conducted by a professional entity or by means intended for evaluating essential personality characteristics, location and traffic data, salary and financial activity data, genetic information, biometric identifiers, and information subject to confidentiality obligations under law, all in accordance with the definition of such term in the Privacy Protection Laws.

   1.7. “Data Subjects” – Individuals to whom the Information relates.

   1.8. “Processing” / “Use” – Any operation performed with respect to the Information, including its receipt, collection, storage, copying, review, disclosure, exposure, transfer, delivery, or granting access to it.

2. Confidentiality, Integrity and Availability of the Information

   2.1. Company hereby acknowledges and agrees that the Information disclosed to it, or to which it is granted access, in connection with the execution and performance of this Agreement, constitutes sensitive and confidential information. The Information will be provided to Company strictly in reliance upon Company's  representations, warranties, and covenants as set forth in this Undertaking.

   2.2. Company hereby undertakes to maintain the Information in the strictest confidence at all times and shall refrain from engaging in any Processing of the Information except to the extent strictly necessary for the performance of the Services as contemplated under the Agreement. Without limiting the generality of the foregoing, Company shall not, whether directly or indirectly, and whether for consideration or otherwise, copy, reproduce, publish, remove from its possession, transfer, or disclose the Information, or any part thereof (including the mere existence of such Information), to any third party, except to those employees, consultants, or subcontractors who are acting on its behalf and for its benefit, who have been expressly authorized in writing to receive such Information, and whose access to the Information is strictly necessary for the performance of the Services. Any such disclosure shall be made solely for the purpose of fulfilling Company's obligations under the Agreement and subject to and in accordance with this Undertaking.

   2.3. At all times during which the Information is in the possession, custody or control of Company, Company shall maintain and safeguard such Information with a degree of care, diligence, and security that is at least equivalent to, but in no event less stringent than, the measures employed by Company for the protection of its own sensitive and confidential information. In any event, Company shall implement and adhere to robust, industry-accepted security protocols and procedures, which shall not be less protective than those mandated by the Privacy Protection Laws and the terms and conditions set forth in this Undertaking, for the express purpose of preventing any unauthorized access, use, or disclosure of the Information. Furthermore, Company expressly covenants and agrees that any transfer or disclosure of the Information to any third party shall be subject to and in accordance with the provisions of this Undertaking, shall occur solely to the extent necessary for the performance of the Services, and shall be contingent upon the Group’s prior express written approval.

   2.4. Company hereby undertakes to maintain, safeguard, and ensure the ongoing integrity and availability of all Information that is or may hereafter be furnished to it, or to which it may be granted access, in connection with the performance of the Services.

3. Compliance with Privacy Protection Laws

   3.1. Company hereby undertakes to conduct itself, in all respects pertaining to the Information, in strict compliance with the terms and conditions set forth in the Agreement and this Undertaking, and in accordance with the provisions of the Privacy Protection Laws.

   3.2. Notwithstanding any provision to the contrary, Company shall not Process Information on behalf of the Group without first obtaining the Group’s prior written approval.

   3.2. Company shall provide all necessary assistance to facilitate the exercise by eligible Data Subjects of their rights pursuant to the Privacy Protection Laws in relation to the Information, including, without limitation, the right to access and review and the right to rectify the Information maintained concerning them. Company shall promptly notify the Group in writing upon receipt of any request from a Data Subject to access, review or rectify the Information stored about such Data Subject, and shall take no action in respect of such request except in accordance with the Group’s written instructions.

   3.3. Company undertakes to implement appropriate measures to ensure the logical segregation of the Group’s Information from any and all Information belonging to third parties. 

4. Restrictions and Limitations with respect to the Process of Information

   4.1. Company undertakes to Process the Information solely for the purpose of fulfilling its obligations in connection with the performance of the Services, and strictly within the scope and to the extent necessary to achieve such purpose.

   4.2. In the event that Company is required to disclose or transfer the Information to third parties in connection with the provision of the Services, Company undertakes that such transfer or disclosure shall be made solely to those employees, sub-contractors, representatives or other third parties acting on its behalf who have a demonstrable need to access the Information strictly for the purpose of fulfilling their obligations in direct relation to the performance of the Services, and to no other parties whatsoever (the “Information Recipients”).

   4.3. In the event that Company elects to transfer the Information to the Information Recipients pursuant to the provisions of this Undertaking, Company undertakes that such transfer of Information will be effected exclusively within the territorial boundaries of the State of Israel or to member states of the European Union, and in strict compliance with all applicable Privacy Protection Laws.

   4.4. Company shall procure that all Information Recipients strictly comply with all applicable laws, including the Privacy Protection Laws, and shall ensure that they maintain the confidentiality and security of information in accordance with the requirements set forth in this Undertaking. Company shall further require each Information Recipient to execute a written undertaking, the terms of which shall be substantially similar to those contained herein. Company shall assume full liability and responsibility for any act or omission of any Information Recipients, and any breach of any provision of this Undertaking or infringement of the rights of Data Subjects by any Information Recipients shall be deemed a direct breach of this Undertaking by Company for all intents and purposes.

5. Information Security

   5.1. Chief Information Security Officer (“CISO”)

To the extent required under the Privacy Protection Laws, Company hereby affirms that it has duly appointed a Chief Information Security Officer, who shall assume full responsibility for ensuring Company's compliance with all obligations imposed by the Privacy Protection Laws, as well as for the implementation and ongoing maintenance of the information security requirements set forth in the Agreement and this Undertaking.

5.2. Data Protection Officer

5.3. To the extent required under the Privacy Protection Laws, Company hereby affirms that it has duly designated a Data Protection Officer, who shall assume full responsibility for ensuring Company's compliance with all obligations imposed by the Privacy Protection Laws, including, without limitation, the implementation, supervision, and enforcement of all requirements and duties attendant to the DPO's position.

5.4. Policy and Procedure

Company confirms that it has duly adopted, implemented and maintain information security policies and procedures in full compliance with the Privacy Protection Laws.

5.5. Reporting and Auditing

5.5.1. Company shall, upon request by the Group, furnish ongoing written reports concerning the management, Processing, and safeguarding of the Information, including, without limitation, a description of all technical and organizational security measures implemented in connection therewith. Additionally, Company shall prepare and deliver to the Group, on an annual basis, a formal summary report detailing Company's performance under this Agreement and this Undertaking, as well as its adherence to the Privacy Protection Laws, as amended from time to time, specifically with respect to information security obligations.

5.5.2. Company shall permit the Group, upon the provision of reasonable prior notice (except in circumstances involving an Information Security Incident), to conduct comprehensive audits at Company’s premises and of its information systems, for the purpose of verifying Company’s compliance with the provisions of this Undertaking and the Privacy Protection Laws. Company undertakes to promptly and diligently remedy any deficiencies or non-compliance identified as a result of such audit.

5.6. Access Control; Authentication and Identification

5.6.1 Company shall implement and maintain robust procedures for the administration of access rights to the Information, ensuring that only duly authorized employees acting on its behalf are permitted to access Information strictly pertinent to their respective roles and responsibilities. Company shall maintain a current and accurate registry of all individuals authorized to access the Group’s Information and shall promptly revoke such access for any individual whose authorization is no longer required or has otherwise been terminated.

5.6.2. Company undertakes to maintain comprehensive records and logs of all actions undertaken by its employees with respect to the Information. Such documentation shall be diligently preserved and retained by Company for a minimum period of twenty-four (24) months.

5.6.3 Company shall ensure that access to the systems in which the Information is stored is granted exclusively to authorized users, and such access shall be permitted solely through the utilization of individual, personal, and unique usernames and passwords assigned to each authorized user. Each user password shall be comprised of a combination of letters, numbers, and special characters, shall be no less than eight 8 characters in length, and shall be subject to a maximum validity period of 90 days.

5.7. Personnel

5. 5.7.1. Access Adjustment – Company warrants that, prior to granting any access to the Group’s Information, it has conducted a thorough and diligent assessment of the suitability and reliability of its employees who are to be granted such access. Company further affirms that it has verified that such employees have not been convicted of, nor are they under investigation or suspicion for, any breach of trust, fiduciary duty, or any offenses relating to the unauthorized use, disclosure, or misuse of data derived from databases.

   5.7.2. Training and Employee Awareness – Company shall implement and conduct periodic training programs for all employees engaged in the performance of the Services, addressing information security requirements pursuant to the Privacy Protection Laws for the proper fulfillment of their respective duties. Such training programs shall be conducted no less frequently than once every two (2) years, and, with respect to newly hired employees, such training shall be provided as promptly as practicable following the commencement of their employment. Company shall maintain accurate records and  documentation of all training sessions, including a list of participants. Such documentation shall be made available for inspection by the Group or any third party acting on its behalf, upon request.

   5.8. Information Systems Security

Company undertakes to implement and maintain appropriate technical and organizational measures to safeguard and secure its information systems, in accordance with the provisions of the Privacy Protection Laws, industry standards, best practices and as follows:

5.8.1 Information Security Technologies – Company shall implement and maintain industry-standard information security measures designed to ensure the integrity, confidentiality and availability of its organizational network. Such measures shall be sufficient to prevent both accidental and intentional unauthorized access or intrusion to Company’s information systems. The aforementioned shall expressly include, but not be limited to, workstations, servers, network infrastructure, endpoint devices, and mobile equipment, all of which shall be safeguarded through the deployment of appropriate and recognized information security technologies in accordance with the Privacy Protection Laws, industry standards and best practices.

5.8.2. System and Security Updates – Company shall, on an ongoing basis, implement updates to all systems utilized under this Agreement, including, without limitation, updates prescribed by the respective manufacturers' specifications, definitions, and instructions. Such updates shall be performed in a timely manner to ensure the continued integrity, security and proper functioning of the systems in accordance with industry standards, best practices and the Privacy Protection Laws.

5.8.3. Encryption of Data in Networks – Company shall strictly prohibit any access to its information system infrastructures and databases via the internet, and shall not permit the transmission of Information through the internet or any other public network, unless such Information is encrypted utilizing a method of encryption that is commercially reasonable and accepted within the industry. Furthermore, access to such Information shall only be granted where the user is authenticated through physical means that remain under the exclusive control of said user.

5.8.4. Portable Devices – Company shall refrain from removing digital information storage devices containing the Group’s Information. Additionally, Company shall not store the Group’s Information on portable devices, unless such data is encrypted using methods that are reasonable and acceptable within the industry.

5.9. Physical Security

Company shall implement and maintain physical security measures as follows:

5.9.1. Access to Company’s premises shall be restricted solely to authorized personnel.

5.9.2. Company’s server rooms and central information systems shall be safeguarded through appropriate physical security measures. all access, and attempts to access, these areas shall be logged and retained for a minimum period of 24 months.

5.9.3. In the event that the Services are provided on the Group’s premises, Company shall ensure that its employees maintain the confidentiality of any authorization passwords provided, lock screens and workstations when unattended, and shut down all computers at the end of each workday.

6. Information Security Incident

   6.1. In the event of a breach, or a suspected breach, of any information security undertaking, or in any instance of suspected Information leakage, corruption, unavailability or unauthorized access or use of the Information, including a “Security Incident” and/or a “Severe Security Incident” as defined in the Privacy Protection Laws (collectively, an “Information Security Incident”), Company shall notify the Group without undue delay, and in any case no later than twelve (12) hours from the time Company becomes aware of such incident. Such notification shall be made to: privacy@yad2.co.il, confirmed by telephone, and shall be properly documented.

   6.2. Company shall document each Information Security Incident. In the event of such an incident, Company shall promptly conduct an initial investigation and, together with the aforementioned notification or shortly thereafter, provide the Group with a report describing the general technical details of the Information Security Incident, as well as the response measures and recovery actions undertaken by Company.

   6.3. Pursuant to the Group’s instructions, Company shall undertake all necessary actions for response, recovery, risk mitigation and restoration in connection with the Information Security Incident, and shall bear all costs and expenses arising from such actions.

   6.4. Company shall not disclose or publicize, in any form, any information regarding the Information Security Incident to any third party without the Group’s prior written consent, except where such disclosure is required by applicable laws or by a competent authority.

7. Retention Period; Destruction of Information

   7.1. Immediately upon the termination of the Agreement or upon the Group’s first request, whichever occurs earlier, Company shall, at the Group’s sole discretion, either return to the Group or securely destroy all Information provided to Company and/or otherwise in its possession, in any form or medium. This obligation includes all outputs, materials and derivatives prepared, processed or developed by Company in the course of providing the Services. Company shall also permanently delete such materials from all systems and storage under its control, ensuring that no copies remain in its or any Information Recipients possession. Company undertakes to provide the Group, upon request, with written certification verifying the execution of the deletion and destruction of the Information. In the event that Company is legally required to retain any portion of the Information, Company shall retain such Information in accordance with the terms of this Undertaking and solely for the duration of the applicable legal retention period.

8. General

   8.1. Company agrees that the Group may update the information security requirements set forth in this Undertaking as necessary, including to reflect any amendments or updates that may occur during the term of the engagement, including with respect to the Privacy Protection Laws. Company further undertakes to comply with and implement any such updates.

   8.2. Company acknowledge that the Privacy Protection Authority has the authority to oversee and supervise its activities under the Agreement. accordingly, Company undertakes to fully cooperate with the Authority and to provide ongoing written updates to the Group.

   8.3. Company agrees that, in the event of a breach by Company or any Information Recipient of any obligation set forth in this Undertaking, the Group shall be entitled to seek and obtain any and all remedies and/or relief available to it, including, without limitation, injunctive relief and enforcement orders, and Company shall not oppose or object to the granting of such remedies. The foregoing shall be without prejudice to, and in addition to, any other rights or remedies available to the Group under applicable laws.

   8.4. Company agrees that any delay or failure by the Group exercise a right granted to it under the Agreement or this Undertaking shall not constitute a waiver of such right, Furthermore, any partial or limited exercise of a right shall not preclude the Group from subsequently exercising that right in full or from exercising any other rights to which it is entitled.

   8.5. This Undertaking shall be governed exclusively by the laws of the State of Israel. The competent court in Tel Aviv shall have exclusive and sole jurisdiction over the disputes that arise with respect to this Undertaking.