Legal

Data Processing Addendum

Last updated: May 14, 2026

This addendum (the "Addendum") is entered into by and between the Customer and Ventos Agents Ltd., a company organized under the laws of Israel ("Ventos"), and together with Customer, "the Parties", or individually as a "Party".

WHEREAS, the Parties have previously entered into a service agreement for access and use of Ventos software-as-a-service AI Operations System for VCs ("the Service") (the "Agreement"), pursuant to which Ventos may process Personal Data regarding Data Subjects that it may receive from Customer or to which Customer provides it access ("Customers' Personal Data"); and

WHEREAS, the Parties wish to determine their rights and obligations regarding the processing of Customer's Personal Data by Ventos; and

WHEREAS, this Addendum forms an integral part of the Agreement and is incorporated therein by reference, and the Agreement and this Addendum shall be read together as one instrument;

THEREFORE, the Parties agree as follows:

Definitions

  • Applicable Data Protection Laws: Including the Israeli Protection of Privacy Law, 1981 (the "Protection of Privacy Law"), and any regulation and guideline issued by virtue of its power, including the Israeli Protection of Privacy (Information Security) Regulations, 2017 (the "Information Security Regulations"), the Israeli Protection of Privacy (Transfer of Data to Databases Abroad) Regulations, 2001 and the Protection of Privacy Authority 2/2011 Guidelines concerning the use of outsourcing to process personal data.
  • Data Subject: The identified or identifiable natural person to whom the Personal Data relates, excluding any individuals acting as a contact person, representative, or point of contact on behalf of the Customer.
  • Personal Data: Shall have the meaning ascribed to the terms "personal data", "personal information", under Applicable Data Protection Laws.
  • Controller, Processor, Process, Processing: Shall have the meaning ascribed to these terms under Applicable Data Protection Laws.

General

  1. 1.The Parties acknowledge and agree that with regard to the Processing of Customers' Personal Data by Ventos (i) Customer is the Controller of Personal Data, and (ii) Ventos is the Processor. The terms "Controller" and "Processor" below hereby signify Customer and Ventos, respectively.
  2. 2.Processor shall process Customers' Personal Data only on documented instructions from Customer, as set out in the Agreement, this Addendum, and any other written instructions agreed by the Parties, unless otherwise required by applicable laws.
  3. 3.Processor will process Customers' Personal Data on behalf of Customer, solely for the following purposes: (i) to provide, maintain, and support the Service, including providing technical support, troubleshooting, and performing testing and quality assurance activities (including in non-production, pre-production or staging environments), as necessary to provide, secure, and improve the Service; (ii) in accordance with the Agreement and this Addendum; and (iii) to comply with applicable laws.
  4. 4.Processor will only process Customers' Personal Data in compliance with the Applicable Data Protection Laws.
  5. 5.Processor will implement data security measures in accordance with the Information Security Regulations. In any event, Processor will implement appropriate technical and organizational data security measures.
  6. 6.Customer, in its use of the Services, and Customer's instructions to the Processor, shall comply with all Applicable Data Protection Laws. Customer shall establish and have any and all required legal basis in order to collect, Process and transfer to Processor Customer's Personal Data, and to authorize the above-mentioned Processing by Processor.

Collection of Personal Data Directly from Customer's Data Subject

  1. 7.If applicable, Processor undertakes not to collect Personal Data directly from Customer's data subjects without the prior, written consent of Customer. In case Customer approves the collection of Customers' Personal Data, Processor undertakes to comply with the provisions of Section 11 of the Protection of Privacy Law.

Confidentiality

  1. 8.Prior to accessing Customers' Personal Data, Processor will ensure that its personnel authorized to process Customers' Personal Data under the Agreement are legally bound to maintain the confidentiality of Customers' Personal Data, as well as act in accordance with this Addendum.

Sub-Processors

  1. 9.Processor may engage third parties to act on its behalf in connection with the provision of the Service ("Sub Processors"). Customer authorizes Processor to process Customer's Personal Data through its Sub Processors.
  2. 10.Processor shall enter into a written agreement with each Sub Processor imposing data protection obligations that are no less protective in any material respect than those applicable to Processor under this Addendum.

Data Subject Rights

  1. 11.Processor will notify Customer within a reasonable time, of any relevant Data Subject request received by Processor to exercise Data Subjects' rights under Applicable Data Protection Laws, such as a request to access, correct, or delete Personal Data concerning them ("Data Subjects Request").
  2. 12.Taking into account the nature of the processing, Processor will reasonably cooperate with Customer to assist Customer in responding to Data Subjects Requests, subject to Applicable Data Protection Laws.

Transfers of Personal Data

  1. 13.Customer authorizes Processor to transfer Customers' Personal Data, including through its affiliates and Sub Processors, to any country in which they operate, including outside Customer's country.
  2. 14.Customer shall be responsible for posting and obtaining all required notifications and consents from the data subjects involved in such transfer of Personal Data, if such notifications and consents are required under Applicable Data Protection Laws.

Reporting and Auditing

  1. 15.Subject to Customer's written request, and no more than once annually, Processor will make available to Customer information reasonably necessary to demonstrate the manner in which Processor implements its obligations under Applicable Data Protection Laws.
  2. 16.To the extent Customer cannot reasonably satisfy its audit rights under the Agreement or pursuant to documentation provided by Processor under Section 15, Customer may, no more than once annually and upon at least thirty (30) days' prior written notice, conduct a reasonable audit of Processor's compliance with this Addendum during normal business hours approved by Processor, either by Customer or by an independent third party auditor bound by confidentiality obligations and reasonably acceptable to Processor. Any such audit shall be limited in scope, shall not unreasonably interfere with Processor's business operations or compromise the confidentiality, security, or privacy of other customers, and shall be at Customer's expense unless a material breach by Processor is identified.
  3. 17.Processor shall notify Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Severe Data Security Incident (as defined under the Information Security Regulations) affecting Customers' Personal Data processed by Processor on behalf of Customer under this Addendum.

Term and Termination

  1. 18.This Addendum will remain in force for as long as Processor processes Customers' Personal Data on behalf of Customer under the Agreement.
  2. 19.Processor will retain Personal Data as long as required to perform its obligations in accordance with the Agreement. Processor will delete or return (at Customer's election and only to the extent feasible under the circumstances) Customers' Personal Data in its possession within ninety (90) days after the Agreement is no longer in force, or upon Customer's written request, except as provided in Section 20 below. Upon requirement by Customer, Processor will provide written certification regarding deletion or return of such data.
  3. 20.Notwithstanding the foregoing, Processor may retain Customers' Personal Data to the extent required by applicable law, to defend against lawsuits in connection with the Agreement, or when Processor has a legal basis to do so.

Miscellaneous

  1. 21.In any case of a contradiction between the provisions of this Addendum and the provisions of the Agreement, the provisions of this Addendum will apply.
  2. 22.Israeli law applies to this Addendum. Jurisdiction regarding this Addendum shall rest exclusively with the courts in Tel Aviv-Jaffa, Israel.