Data Processing Agreement

Last Updated: June, 2025

This Data Processing Agreement (“DPA”) is entered into by and between GlanceAI (hereinafter, the “Processor”), and the entity or individual accepting this DPA (hereinafter, the “Customer” or the “Controller”). This DPA supplements and forms an integral part of the agreement executed between the parties regarding the provision of services by the Processor (the “Main Agreement”).

By accepting this DPA, either by clicking to accept or by executing a document referencing this DPA, the Customer affirms and warrants that: (a) they have the full legal authority to bind the Customer to the terms of this DPA; (b) they have read and comprehended the terms contained herein; and (c) they agree, on behalf of the Customer, to be legally bound by this DPA.

1. Definitions

Applicable Data Protection Law

All applicable international, national, federal, and state-level privacy and data protection legislation relevant to the processing of Personal Data governed by this DPA, including, where applicable, the European General Data Protection Regulation (Regulation (EU) 2016/679), the Israeli Protection of Privacy Law, 1981, and its implementing regulations, including the Israeli Privacy Protection Regulations (Data Security), 2017, and official guidance issued by the Israeli Privacy Protection Authority.

Controller

The legal entity or individual that determines the purposes and means of the processing of Personal Data.

Customer

GlanceAI, acting on behalf of and under the documented instructions of the Controller, for the purpose of processing Personal Data pursuant to the Main Agreement and this DPA.

Personal Data

Any information, including identifiers, that relates to an identified or identifiable natural person.

Data Subject

The natural person to whom the Personal Data relates.

Services

The services and/or products provided by the Processor to the Controller under the Main Agreement.

Documentation

All documentation made available at https://support.GlanceAI.ai and any applicable policies, terms, and agreements issued by the Processor.

2.1 Relationship of the Parties

The Customer is the Controller and GlanceAI is the Processor, acting on behalf of the Controller for the exclusive purpose of processing Personal Data, strictly in accordance with the documented instructions provided by the Controller and solely for the purposes specified in Annex 1.

2.2 Purpose limitation

The Processor shall process Personal Data exclusively for the purposes defined in this DPA and in accordance with the Controller’s documented instructions. Any use or processing beyond the scope of such instructions shall require prior written consent from the Controller. The Processor may use aggregated, de-identified, and non-attributable data, which cannot reasonably be used to identify any Data Subject, for its legitimate business purposes including internal operations, analytics, service improvement, billing, support, and product development.

2.3 International Transfers of Data

The Processor shall not process or transfer Personal Data originating from the European Economic Area (EEA) or from Israel to any jurisdiction that has not been recognized as ensuring an adequate level of data protection under applicable law, unless (i) such transfer is subject to appropriate safeguards, or (ii) the Controller has provided prior written consent. For Israeli Personal Data, any such transfer shall be subject to the requirements of the Israeli Protection of Privacy Law and any applicable regulatory guidance.

2.4 Confidentiality

The Processor shall ensure that any person authorized to process the Personal Data has committed to confidentiality obligations or is under an appropriate statutory obligation of confidentiality. Access to Personal Data shall be strictly limited to those individuals who require such access to perform the Processor’s obligations under the Main Agreement.

2.5 Security

The Processor shall implement and maintain technical and organizational security measures to ensure a level of security appropriate to the risks inherent in the processing, as described in Annex 2. The Controller acknowledges and agrees that the Services are not designed for the processing of Sensitive Data as defined under applicable law, and undertakes not to submit such data.

2.6 Sub processors

The Controller grants the Processor general authorization to appoint Sub processors for the purposes of carrying out specific processing activities. The Processor shall inform the Controller in writing of any intended changes concerning the addition or replacement of Sub processors at least thirty (30) days in advance. The Processor remains fully liable for any acts or omissions of its Sub processors.

2.7 Assistance to the Controller

The Processor shall provide reasonable assistance to the Controller, insofar as possible and as required by law, to enable the Controller to respond to requests for exercising Data Subjects’ rights under Applicable Data Protection Law.

2.8 Data Protection Impact Assessments

The Processor shall assist the Controller in conducting data protection impact assessments (DPIAs) and prior consultations with supervisory authorities, where such assessments are required under applicable law.

2.9 Security Incidents

In the event that the Processor becomes aware of a Personal Data breach or other security incident affecting Personal Data, the Processor shall notify the Controller without undue delay and, in any event, within thirty-two (32) hours of becoming aware of the incident. The Processor shall provide timely updates, cooperate with the Controller’s investigation, and take reasonable steps to mitigate the effects of the breach.

2.10 Return or Deletion of Data

Upon expiration or termination of the Main Agreement or this DPA, the Processor shall, at the Controller’s option, return or delete all Personal Data. Backups containing Personal Data may be retained for a period not exceeding eighteen (18) months following termination, provided such retention is required by applicable law or justified under a legal obligation or necessity, and subject to continuing protection under the terms of this DPA.

2.11 Audit Rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or an independent auditor mandated by the Controller, provided that: (i) audits shall not occur more than once in any twelve-month period, unless required due to a security incident or regulatory mandate; (ii) the Controller provides reasonable prior notice; and (iii) such audits shall not unreasonably disrupt the Processor’s operations.

2.12 Indemnification

The Processor shall indemnify, defend and hold harmless the Controller against any and all damages, costs, claims, liabilities, and expenses (including reasonable attorney’s fees) incurred as a result of the Processor’s breach of this DPA, subject to the limitation of liability terms set forth in the Main Agreement.

2.13 Remediation of Unlawful Processing

In the event that continued processing of Personal Data under this DPA becomes unlawful or impermissible under Applicable Data Protection Law or as a result of regulatory determination, the parties shall cooperate in good faith to suspend, amend, or terminate the processing activities in order to ensure compliance.

This DPA shall commence on the date it is accepted by the Customer and shall remain in full force and effect for as long as the Processor is processing Personal Data on behalf of the Controller.

GlanceAI is the registered owner of a Personal Data Database in Israel, registered with the Israeli Registrar of Databases (Ministry of Justice) under Registration Number 700053060, in accordance with the Israeli Protection of Privacy Law, 1981 and its implementing regulations.

This DPA shall be governed by, construed, and enforced in accordance with the laws of the State of Israel, without regard to conflict of laws principles. The parties agree that the competent courts in Tel Aviv, Israel shall have exclusive jurisdiction over all disputes arising out of or in connection with this DPA.

SECURITY MEASURES

The Processor has implemented, and shall maintain throughout the term of this DPA, appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk, including, where applicable, the measures set out below:

  • Encryption of Personal Data in transit and at rest using industry-standard protocols (TLS/SSL);

  • Access controls based on role-based authorization and “just-in-time” provisioning;

  • Physical and environmental security of data center facilities used to host data, with independent certification (e.g., ISO/IEC 27001, SOC 2 Type II);

  • Regular internal and external vulnerability assessments and penetration testing;

  • Intrusion detection systems and web application firewalls (WAF);

  • Detailed audit logging of user and administrator activities;

  • High availability and disaster recovery strategies;

  • Secure development practices, static code analysis, and version control protocols;

  • Security awareness training and confidentiality agreements for personnel.

These measures are implemented in alignment with the requirements of the Israeli Privacy Protection Regulations (Data Security), 2017, and are reviewed periodically to ensure continued adequacy.
