Data Process Agreement

Last Updated: March, 2026

This Data Processing Agreement (“DPA”) is entered into by and between GlanceAI (hereinafter, the “Processor”), and the entity or individual accepting this DPA (hereinafter, the “Customer” or the “Controller”). This DPA supplements and forms an integral part of the agreement executed between the parties regarding the provision of services by the Processor (the “Main Agreement”).

By accepting this DPA, either by clicking to accept or by executing a document referencing this DPA, the Customer affirms and warrants that: (a) they have the full legal authority to bind the Customer to the terms of this DPA; (b) they have read and comprehended the terms contained herein; and (c) they agree, on behalf of the Customer, to be legally bound by this DPA.

1. DEFINITIONS

Applicable Data Protection Law

All applicable international, national, federal, and state-level privacy and data protection legislation relevant to the processing of Personal Data governed by this DPA, including, where applicable, the European General Data Protection Regulation (Regulation (EU) 2016/679), the Israeli Protection of Privacy Law, 1981, and its implementing regulations, including the Israeli Privacy Protection Regulations (Data Security), 2017, and official guidance issued by the Israeli Privacy Protection Authority.

Controller

The legal entity or individual that determines the purposes and means of the processing of Personal Data.

Personal Data

 Any information, including identifiers, that relates to an identified or identifiable natural person, including in accordance with the definition set forth in this matter in the Israeli Protection of Privacy Law, 1981.

Data Subject

The natural person to whom the Personal Data relates.

Services

The services and/or products provided by the Processor to the Controller under the Main Agreement.

2.1 Relationship of the Parties

The Customer is the Controller and GlanceAI is the Processor, acting on behalf of the Controller for the exclusive purpose of processing Personal Data, strictly in accordance with the documented instructions provided by the Controller and solely for the purposes specified in Annex 1 and in accordance with the conditions and obligations set out in Annex 1.

2.2 Purpose Limitation

The Processor shall process Personal Data exclusively for the purposes defined in this DPA and in accordance with the Controller’s documented instructions. Any use or processing beyond the scope of such instructions shall require prior written consent from the Controller.

2.3 International Transfers of Data

The Processor shall not process or transfer Personal Data originating from the European Economic Area (EEA) or from Israel to any jurisdiction that has not been recognized as ensuring an adequate level of data protection under applicable law and has been granted adequacy status in accordance with GDPR. Without derogating from the above, for Israeli Personal Data, any such transfer shall be subject to the requirements of the Israeli Protection of Privacy Law and any applicable regulatory guidance.

2.4 Confidentiality

The Processor shall ensure that any person authorized to process the Personal Data has committed to written confidentiality obligations or is under an appropriate statutory obligation of confidentiality and has agreed to a written obligation to comply with the data security requirements under this DPA. Access to Personal Data shall be strictly limited to those individuals who require such access to perform the Processor’s obligations under the Main Agreement.

2.5 Security

The Processor shall implement and maintain technical and organizational security measures to ensure a level of security appropriate to the risks inherent in the processing, as described in Annex 2. These security measures must meet at least the required level of security for “databases to which a high level of security applies” as specified in the Israeli Privacy Protection Regulations (Data Security), 2017.

2.6 Sub processors

The Controller grants the Processor authorization to appoint Sub-processors for the purposes of carrying out specific processing activities. The Processor shall engage with the Sub-processors in an agreement stipulating all the conditions to which the Processor is bound under this DPA.

All Sub-processors are specified in Annex 3. The Processor shall inform the Controller in writing of any intended changes concerning the addition or replacement of Sub-processors at least thirty (30) days in advance, and the Processor shall have the right to object to the change for reasonable reasons. Any change to the list of Sub-processors shall be noted by way of an amendment to Annex 3. The Processor remains fully liable for any acts or omissions of its Sub-processors.

At the request of the Controller, the Processor shall provide the Controller with details of the Processing to be undertaken by each Sub-processor.

The Processor shall carry out adequate due diligence on each Sub-processor to ensure that it is capable of providing the level of protection for the Controller Personal Data as is required by this DPA, including sufficient guarantees to implement appropriate technical and organisational measures.

Upon request, the Processor shall deliver a copy of its agreements with Sub-processor(s) to the Controller for its review; the Processor may redact all information that does not relate to data protection from such copy. Any agreement between the Processor and its Sub-processor(s) delivered to the Controller shall constitute Confidential Information of the Processor which the Controller shall not disclose to any other party.

2.7 Assistance to the Controller

The Processor shall provide reasonable assistance to the Controller, insofar as possible, to enable the Controller to respond to requests for exercising Data Subjects’ rights under Applicable Data Protection Law.

2.8 Data Protection Impact Assessments

The Processor shall assist the Controller in conducting data protection impact assessments (DPIAs) and prior consultations with supervisory authorities.

2.9 Security Incidents

In the event that the Processor becomes aware of a Personal Data breach or other security incident affecting Personal Data, the Processor shall notify the Controller without undue delay and, in any event, within twelve (12) hours of becoming aware of the incident. The Processor shall provide timely updates, cooperate with the Controller’s investigation, and take reasonable steps to mitigate the effects of the breach.

2.10 Return or Deletion of Data

Subject to the provisions of paragraph 9.4 of the Agreement, upon expiration or termination of the Main Agreement or this DPA, the Processor shall, at the Controller’s option, return or delete all Personal Data. The Processor shall report to the Controller regarding the deletion or return of the data, as applicable, after the Processor has carried out the Controller’s order. Backups containing Personal Data may be retained for a period not exceeding eighteen (18) months following termination, provided such retention is required by applicable law or justified under a legal obligation or necessity, and subject to continuing protection under the terms of this DPA.

2.11 Audit Rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or an independent auditor mandated by the Controller, provided that: (i) audits shall not occur more than once in any twelve-month period, unless required due to a security incident or regulatory mandate; (ii) the Controller provides reasonable prior notice; and (iii) such audits shall not unreasonably disrupt the Processor’s operations.
Without derogating from the foregoing, The Processor shall provide the Controller, at least once a year, a summary of The Processor’s compliance with the obligations applied to it under this DPA.

2.12 Indemnification

The Processor shall indemnify, defend and hold harmless the Controller against any and all damages, costs, claims, liabilities, and expenses (including reasonable attorney’s fees) incurred as a result of the Processor’s breach of this DPA, subject to the limitation of liability terms set forth in the Main Agreement.

2.13 Remediation of Unlawful Processing

In the event that continued processing of Personal Data under this DPA becomes unlawful or impermissible under Applicable Data Protection Law or as a result of regulatory determination, the parties shall cooperate in good faith to suspend, amend, or terminate the processing activities in order to ensure compliance.

This DPA shall commence on the date it is accepted by the Customer and shall remain in full force and effect for as long as the Processor is processing Personal Data on behalf of the Controller.

This DPA shall be governed by, construed, and enforced in accordance with the laws of the State of Israel, without regard to conflict of laws principles. The parties agree that the competent courts in Tel Aviv, Israel shall have exclusive jurisdiction over all disputes arising out of or in connection with this DPA.

Types of Customer Personal Data and Categories of Data Subjects:

Customer Personal Data:
Personal Data processed by the Processor may include, without limitation:

  • Audio recordings of customer interactions (calls, conversations)
  • Transcripts of conversations generated by the Services
  • Metadata related to interactions (date, time, duration, agent ID, channel)
  • Customer identifiers (name, phone number, email address, account ID)
  • Content of communications between Customer and its end-users
  • Internal employee identifiers (agent names, IDs, performance data)
  • Behavioral and analytical data derived from interactions (e.g., sentiment analysis, scoring, alerts)

Categories of Data Subjects:

  • Customers and end-users of the Customer
  • Individuals who interact with Customer’s sales, service, or support centers
  • Customer employees, agents, representatives, and contractors
  • Customer suppliers or business partners (to the extent included in communications)

The Customer Systems to which the Processor may be granted access:

  • Telephony and call center systems
  • CRM systems (including customer records and interaction logs)
  • Customer support platforms and ticketing systems
  • Communication platforms (voice, chat, messaging channels)
  • Internal knowledge bases and operational systems
  • Any other systems explicitly integrated by the Customer for the purpose of using the Services

Type of Processing the Processor is Authorized to Perform:
The Processor is authorized to perform the following processing activities:

  • Collection and ingestion of Customer Personal Data from integrated systems
  • Recording and storage of interactions
  • Transcription of audio into text
  • Analysis of interactions
  • AI models (including sentiment, compliance, and performance analysis)
  • Generation of insights, summaries, alerts, and recommendations
  • Aggregation and anonymization of data for analytical and product improvement purposes
  • Retrieval and querying of data through dashboards and AI interfaces
  • Storage, backup, and restoration of data in accordance with the Agreement

The Processor has implemented, and shall maintain throughout the term of this DPA, appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk, and at least the security measures required for “databases to which a high level of security applies” as specified in the Israeli Privacy Protection Regulations (Data Security), 2017, including, where applicable, the measures set out below:

  • Encryption of Personal Data in transit and at rest using industry-standard protocols (TLS/SSL)
  • Access controls based on role-based authorization and “just-in-time” provisioning
  • Physical and environmental security of data center facilities used to host data, with independent certification (e.g., ISO/IEC 27001, ISO/IEC 27799, SOC 2 Type II)
  • Regular internal and external vulnerability assessments and penetration testing
  • Intrusion detection systems and web application firewalls (WAF)
  • Detailed audit logging of user and administrator activities
  • High availability and disaster recovery strategies
  • Secure development practices, static code analysis, and version control protocols
  • Security awareness training and confidentiality agreements for personnel

These measures are implemented in alignment with the requirements of the Israeli Privacy Protection Regulations (Data Security), 2017, and are reviewed periodically to ensure continued adequacy.

Sub-Processor – Google Cloud Platform (GCP)|


Purpose of Processing – Cloud infrastructure, hosting, storage, processing, and backup of Customer Personal Data


Location – EU / Israel / USA

Ready to hear everything your customers are saying?

Let us show you how 100% of your interactions can fuel growth.

Join Waiting List