This Data Processing Addendum ("DPA") forms an integral part of, and is subject to the Silverbee Terms of Service, entered into by and between you, the customer ("Customer") and Silverbee AI Inc. ("Silverbee" and the "Terms"). Capitalized terms not otherwise defined herein shall have the meaning given to them in the Terms.
1. Definitions
In addition to capitalized terms defined elsewhere in this DPA, the following terms shall have the meanings set forth opposite each one of them:
- "Applicable Law" means whichever of the following legal regimes is applicable to the processing of Personal Data under this DPA, including but not limited to:
  - EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR;
  - The California Consumer Privacy Act of 2018 (CCPA);
  - The Israel Protection of Privacy Law, 1981, and related regulations.
- "Customer Personal Data" means any Personal Data Processed by Silverbee on behalf of Customer pursuant to or in connection with the Terms;
- "Data Subject" shall mean the person whose Personal Data is Processed;
- "Personal Data" shall mean Personal Data as defined under the GDPR, 'Personal Information' as defined under the CCPA, and 'Personal Information' ('meda') as defined under Israeli Privacy Law;
- "Processing" shall be as defined in the GDPR, CCPA, and Israeli Privacy Law;
- "Sub-Processor" means any person appointed by or on behalf of Silverbee to Process Personal Data on behalf of the Customer in connection with the Terms.
2. Applicability and Roles of the Parties
2.1 For Processing subject to the GDPR
When Customer Personal Data is subject to the GDPR, Customer serves as a Controller of such Personal Data and Silverbee serves as a Processor on its behalf.
2.2 For Processing subject to the CCPA
When Customer Personal Data is subject to the CCPA, Customer serves as a Business with respect to such Personal Data and Silverbee serves as a Service Provider on its behalf. Silverbee shall not sell, retain, use, or disclose Customer Personal Data for any purpose other than for the specific purpose of performing the services specified in the Terms, or as otherwise permitted by the CCPA.
2.3 For Processing subject to Israeli Privacy Law
When Customer Personal Data is subject to Israeli Privacy Law, Customer serves as a Database Owner and Silverbee serves as a Holder on its behalf.
3. Details of Processing
The subject matter, nature, purpose, and duration of the Processing are as follows:
- Subject Matter: Personal Data provided by Customer in connection with Customer's use of Silverbee's SEO automation services.
- Nature and Purpose: Processing necessary to provide the services described in the Terms, including AI-powered SEO analysis, workflow automation, and related functionalities.
- Duration: For the term of the agreement between Customer and Silverbee, plus the period from the expiry of such term until deletion of all Customer Personal Data by Silverbee.
- Categories of Data Subjects: Customer's employees, contractors, clients, and end users whose data is submitted to the platform.
- Types of Personal Data: Contact information, professional information, usage data, content submitted to the platform, and data from connected third-party SEO tools.
4. Silverbee Obligations
Silverbee shall:
- Process Customer Personal Data only in accordance with Customer's documented instructions, unless Processing is required by Applicable Law to which Silverbee is subject;
- Ensure that persons authorized to Process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk;
- Not engage another Processor (Sub-Processor) without prior specific or general written authorization of Customer;
- Assist Customer by appropriate technical and organizational measures in fulfilling Customer's obligation to respond to requests for exercising Data Subject rights;
- Assist Customer in ensuring compliance with the obligations relating to security of processing, notification of personal data breaches, and data protection impact assessments;
- At Customer's choice, delete or return all Customer Personal Data after the end of the provision of services and delete existing copies unless Applicable Law requires storage;
- Make available to Customer all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits.
5. Security Measures
Silverbee implements and maintains appropriate technical and organizational security measures to protect Customer Personal Data, including:
- Encryption: Data encrypted in transit using TLS 1.3 and at rest using AES-256 encryption.
- Access Controls: Role-based access controls, multi-factor authentication, and principle of least privilege.
- Network Security: Firewalls, intrusion detection systems, and DDoS protection.
- Physical Security: Data centers with 24/7 security, biometric access controls, and environmental controls.
- Monitoring: Continuous security monitoring, logging, and alerting for suspicious activities.
- Incident Response: Documented incident response procedures and regular testing.
- Employee Training: Regular security awareness training for all personnel with access to Customer Personal Data.
- Vulnerability Management: Regular security assessments, penetration testing, and timely patching.
6. Sub-Processors
Customer provides general authorization for Silverbee to engage Sub-Processors. Silverbee maintains a list of current Sub-Processors and will notify Customer of any intended changes concerning the addition or replacement of Sub-Processors, giving Customer the opportunity to object to such changes.
Silverbee ensures that Sub-Processors are bound by written agreements that require them to provide at least the same level of data protection as required under this DPA. Silverbee remains fully liable for the performance of its Sub-Processors' obligations.
Current Sub-Processors include infrastructure providers for cloud hosting, database services, and communication services.
7. Data Subject Rights
Silverbee will assist Customer in responding to requests from Data Subjects exercising their rights under Applicable Law, including:
- Right of access to Personal Data
- Right to rectification of inaccurate data
- Right to erasure ("right to be forgotten")
- Right to restriction of processing
- Right to data portability
- Right to object to processing
- Rights related to automated decision-making and profiling
If Silverbee receives a request directly from a Data Subject, Silverbee will promptly inform Customer and will not respond to such request without Customer's prior authorization, unless required by Applicable Law.
8. International Transfers
Customer Personal Data may be transferred to and processed in countries outside the European Economic Area (EEA), Israel, or other jurisdictions with data protection laws. Where such transfers occur, Silverbee ensures appropriate safeguards are in place, including:
- Standard Contractual Clauses approved by the European Commission;
- Transfer to countries recognized as providing adequate data protection;
- EU-U.S. Data Privacy Framework certification where applicable;
- Other legally recognized transfer mechanisms under Applicable Law.
9. Audit Rights
Silverbee will make available to Customer all information reasonably necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by Customer or an auditor mandated by Customer.
Audits shall be conducted with reasonable prior notice (at least 30 days), during normal business hours, and in a manner that minimizes disruption to Silverbee's operations. Customer shall bear the costs of any audit unless the audit reveals material non-compliance by Silverbee.
10. Data Breach Notification
In the event of a Personal Data breach affecting Customer Personal Data, Silverbee will notify Customer without undue delay and no later than 48 hours after becoming aware of the breach. The notification will include:
- A description of the nature of the breach, including the categories of Data Subjects and records affected;
- The name and contact details of Silverbee's data protection contact;
- A description of the likely consequences of the breach;
- A description of the measures taken or proposed to address the breach and mitigate its effects.
Silverbee will cooperate with Customer and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.
11. Data Deletion
Upon termination of the services or upon Customer's written request, Silverbee will, at Customer's choice, delete or return all Customer Personal Data and delete existing copies, unless Applicable Law requires storage of the Customer Personal Data.
Deletion will be completed within 30 days of the request or termination. Silverbee will provide written certification of deletion upon Customer's request.
12. Liability
Each party's liability under this DPA is subject to the limitations of liability set forth in the Terms. Silverbee shall be liable for damages caused by Processing that violates this DPA or Applicable Law.
Where Silverbee has paid compensation for damages, it is entitled to claim back from Customer the portion of compensation corresponding to Customer's responsibility for the damage.
13. Term and Termination
This DPA shall remain in effect for as long as Silverbee Processes Customer Personal Data. Upon termination of the Terms, this DPA will automatically terminate, subject to the provisions that must survive termination, including data deletion obligations and confidentiality.
If you have questions about this DPA, please contact us at dpa@silverbee.ai.