Data Processing Addendum

Effective Date: 16 June 2026  |  Version 1.0

0. About This DPA

This Data Processing Addendum (“DPA”) forms part of the AssistantLabs Terms & Conditions (the “Agreement”) between Ben Hadad, ID 300107661, trading as “AssistantLabs” (“Processor”, “we”), and the Customer (“Controller”, “you”). It governs the Processing of Personal Data carried out by AssistantLabs on the Customer’s behalf in providing the Service. Where this DPA conflicts with the Agreement on data-protection matters, this DPA prevails. Capitalised terms not defined here have the meaning given in the Agreement.

1. Definitions

“Data Protection Laws” means all laws applicable to the Processing under this DPA, including the EU General Data Protection Regulation 2016/679 (“GDPR”) where applicable and the Israeli Privacy Protection Law, 5741-1981 and its regulations. “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing” and “Personal Data Breach” have the meanings given in the GDPR. “Sub-processor” means any third party engaged by AssistantLabs to Process Personal Data. “SCCs” means the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914).

2. Roles & Scope

2.1 As between the Parties, the Customer is the Controller and AssistantLabs is the Processor of the Personal Data of the Customer’s end-users Processed through the Service. For account and billing data of the Customer’s own personnel, AssistantLabs acts as an independent Controller as described in the Privacy Policy.

2.2 AssistantLabs will Process Personal Data only as a Processor on behalf of the Customer, for the subject-matter, duration, nature and purposes, and in respect of the categories of Personal Data and Data Subjects, set out in Annex A.

2.3 Customer warranties & lawful basis. The Customer warrants that, as Controller, it has a valid lawful basis for the Personal Data it collects, uploads, or Processes through the Service, and that its instructions to AssistantLabs comply with applicable Data Protection Laws.

2.4 Marketing & outbound messaging. Where the Customer uses the Service to send marketing, promotional, or other advertising messages (including WhatsApp template broadcasts, segment sends, and follow-up sequences), the Customer warrants that it has obtained the prior consent or established the lawful basis required under applicable law — including section 30A of the Israeli Communications Law (Telecommunications and Broadcasting), 5742-1982 (the “Spam Law”) and the Meta/WhatsApp Business messaging policies — before instructing AssistantLabs to send such messages. AssistantLabs sends such messages solely as Processor on the Customer’s documented instruction. The Customer remains solely responsible for the lawful basis and content of those messages.

2.5 Opt-outs. The Service records and enforces recipient opt-outs: a recipient who withdraws consent (e.g., by replying “הסר” / “STOP”) is marked opted-out and is automatically suppressed from subsequent marketing sends. This suppression is a technical safeguard and does not relieve the Customer of its obligation to hold a lawful basis under clause 2.4; the Customer will not instruct sends to recipients it knows have withdrawn consent.

3. Processor Obligations

AssistantLabs will:

4. Sub-processors

4.1 General Authorisation – The Customer grants a general authorisation for AssistantLabs to engage the Sub-processors listed in Annex B and others added in accordance with this Section.

4.2 New Sub-processors – AssistantLabs will give the Customer reasonable prior notice of any intended addition or replacement of a Sub-processor. If the Customer reasonably objects on data-protection grounds, the Parties will work in good faith to find a resolution; if none is found, the Customer may terminate the affected part of the Service.

4.3 Flow-down – AssistantLabs will impose on each Sub-processor data-protection obligations no less protective than those in this DPA and remains liable to the Customer for each Sub-processor’s performance.

5. Personal Data Breach

AssistantLabs will notify the Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting the Customer’s Personal Data, and will provide the information reasonably available to enable the Customer to meet its own notification obligations, including the nature of the breach, likely consequences, and measures taken or proposed.

6. Audits

AssistantLabs will, on reasonable written request and no more than once per year (unless required by a supervisory authority or following a Personal Data Breach), make available the information reasonably necessary to demonstrate compliance with this DPA. Where an on-site audit is required by Data Protection Laws, it will be conducted on reasonable prior notice, during business hours, subject to confidentiality, and in a manner that does not disrupt the Service; the Customer bears its own audit costs.

7. Retention, Return & Deletion

On termination or expiry of the Agreement, AssistantLabs will, at the Customer’s election and within thirty (30) days of a written request, delete or return the Customer’s Personal Data and delete existing copies, except to the extent retention is required by law (e.g., billing records retained for 7 years under Israeli tax law) or as held in routine encrypted backups, which are purged on a rolling 30-day cycle.

8. International Transfers

8.1 The Customer acknowledges that AssistantLabs and its Sub-processors Process Personal Data in the United States and other locations as described in the Privacy Policy and Annex B.

8.2 Where the transfer of Personal Data from the EEA, UK or Switzerland to a country without an adequacy decision is required, the SCCs are incorporated into this DPA by reference and apply to that transfer, with AssistantLabs as “data importer” and the Customer as “data exporter”, completed with the details in the Annexes. For UK transfers, the UK International Data Transfer Addendum applies; for Swiss transfers, the SCCs apply with Swiss-law adaptations.

9. Liability

Each Party’s liability under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Agreement (as may be modified by any applicable Enterprise & Public-Sector Addendum).

Annex A – Details of Processing

ItemDetails
Subject matterProvision of the AssistantLabs AI assistant platform and related Service
DurationFor the term of the Agreement, plus the retention/deletion periods in Section 7
Nature & purposeHosting, storage, transmission, AI processing and analytics necessary to operate AI assistants across messaging and web channels and the CRM
Types of Personal DataContact identifiers (name, phone, email), conversation content and metadata, consent/opt-out status, custom fields, and any Personal Data the Customer or its end-users include in messages or configuration
Special categoriesNot intended; the Customer must not submit special-category data except as strictly necessary and lawful
Categories of Data SubjectsThe Customer’s end-users, contacts, leads and customers; the Customer’s personnel/users of the dashboard

Annex B – Sub-processors

Sub-processorPurposeLocation
Google Cloud Platform / FirebaseHosting, database, authentication, analytics, runtime, storageIowa, USA
OpenAIAI model processing for assistant responsesUSA
AnthropicAI model processing for the Logos configuration assistantUSA
Google (Gemini / Generative AI)AI model processingUSA
Meta Platforms Ireland LtdWhatsApp, Instagram, Messenger deliveryIreland / USA
ResendTransactional and notification email deliveryUSA
Google (Gmail API)Organisation notification email delivery, when the Customer connects a Gmail accountUSA
FlashyWhatsApp template / marketing-message delivery (when used)Israel
Tranzila (InterSpace Ltd)Payment processing and card tokenizationIsrael
Customer-enabled integrations (Wix, Monday.com, Shopify, WooCommerce, Fireberry, Calendly, Google)Contact, order, scheduling and CRM synchronization, only when connected by the CustomerVaries

Annex C – Technical & Organisational Measures

Acceptance

This DPA is entered into and incorporated into the Agreement as of its Effective Date. Where signature is required, it may be executed alongside the Order.

AssistantLabs (Processor)Customer (Controller)
Name: ____________________
Title: ____________________
Signature: ________________
Date: ____________________
Name: ____________________
Title: ____________________
Signature: ________________
Date: ____________________