Data Processing Agreement

Version 1.0-draft · Effective on countersignature · Last updated 2026-05-18

Working draft pending legal review. This DPA is presented as a transparent reference for procurement teams. For an executed copy on your company letterhead, including Annex I customized to your processing context, email trust@toranhq.com.

1. Parties & scope

This Data Processing Agreement ("DPA") is entered into between you (the "Customer", acting as Data Controller) and Erez Avital, an individual conducting business in Israel as a registered sole proprietor (עוסק מורשה) under the trade name 'Toran' (the "Processor"), notice address available on request at trust@toranhq.com, and governs the processing of Personal Data by Toran on behalf of Customer in connection with the Toran service ("Services").

This DPA supplements and forms part of the Toran Terms of Service and Privacy Policy. Where this DPA conflicts with those documents on a question of Personal Data processing, this DPA controls.

Toran intends to incorporate as an Israeli limited company (בע״מ) before onboarding the first Enterprise-tier customer; upon incorporation this DPA will be novated to the successor entity on 30 days' written notice to Customer.

2. Definitions

Terms used in this DPA have the meanings given to them in the EU General Data Protection Regulation (Regulation 2016/679, "GDPR"), including "Personal Data", "Processing", "Data Subject", "Controller", "Processor", and "Personal Data Breach". "Applicable Data Protection Law" means the GDPR, the UK GDPR & Data Protection Act 2018, the Indian Digital Personal Data Protection Act 2023 ("DPDP"), and applicable US state laws (CCPA / CPRA, VCDPA, TDPSA, etc.) to the extent each applies to the Customer's processing.

3. Subject matter & duration

Toran processes Personal Data on behalf of Customer solely as necessary to deliver the Services described in the Terms of Service: ingesting visitor / lead data via the embedded widget, applying AI lead scoring and enrichment, dispatching notifications to Customer's configured channels, and persisting leads for Customer's dashboard access. Processing duration matches the term of Customer's subscription, plus the limited retention windows described in §10.

4. Customer instructions

Customer's lawful and documented instructions are: (a) the configuration of the widget and notification channels in Customer's Toran dashboard; (b) Customer's use of the dashboard, APIs, and other Service surfaces; and (c) any written instructions that Customer provides to Toran by email or contract. Toran will process Personal Data only on Customer's instructions, except where applicable law requires Toran to process otherwise — in which case Toran will inform Customer of the legal requirement before processing, unless that law prohibits such notice.

Toran will inform Customer if, in its opinion, an instruction infringes Applicable Data Protection Law.

5. Confidentiality

Toran will ensure that persons authorised to process Personal Data are bound by appropriate confidentiality obligations and that access is limited to those persons who need access to deliver the Services or to operate the underlying infrastructure.

6. Security (TOMs)

Toran maintains the technical and organizational measures set out in Annex II and on the live Trust Center. These include, without limitation: TLS 1.2+ encryption in transit; AES-256 encryption at rest; Row-Level Security on all tables; multi-factor authentication for all administrative access; audit logging; isolated EU data residency; documented incident-response runbooks; and the sub-processor controls in §8.

Toran will review and update its TOMs as needed to maintain a level of security appropriate to the risk.

7. Personal Data Breach notification

Toran will notify Customer without undue delay and in any event within twenty-four (24) hours of confirmed detection of a Personal Data Breach affecting Customer's data, providing the information Customer reasonably requires to meet its own Art. 33 / 34 obligations: categories & approximate volume of records affected, likely consequences, measures taken or proposed, and a named Toran contact for follow-up.

8. Sub-processors

Customer hereby grants Toran general written authorisation to engage Sub-processors, subject to: (a) the current list of authorised Sub-processors published at /legal/subprocessors, which is incorporated by reference; (b) Toran imposing on each Sub-processor data protection obligations no less protective than those in this DPA; (c) Toran giving Customer at least 30 days' advance notice of any intended addition or replacement of a Sub-processor (notice via email to the Customer's account contact and/or publication on the Sub-processors page).

Customer may object on reasonable data-protection grounds within 14 days of notice. If the objection cannot be reasonably resolved, Customer may terminate the affected portion of the Services for breach.

9. Data Subject rights

Toran will, considering the nature of the processing, assist Customer by appropriate technical and organizational measures, insofar as possible, to respond to requests from Data Subjects exercising rights under Applicable Data Protection Law. Customer may use the dashboard's data export & delete tools to action most Data Subject requests directly. For more complex requests Toran will assist at privacy@toranhq.com, ordinarily within 30 days.

10. Deletion or return of Personal Data

On termination of the Services, Toran will, at Customer's election, return or delete all Customer's Personal Data, except to the extent retention is required by applicable law. Toran retains the right to keep backup snapshots that age out per the normal rotation (point-in-time backups expire ~14 days after deletion); those snapshots are not used to restore deleted records.

11. Audit

Toran will make available to Customer all information necessary to demonstrate compliance with Art. 28 and will allow for and contribute to audits by Customer or another auditor mandated by Customer, on reasonable advance notice, at Customer's cost. In lieu of an in-person audit, Toran may satisfy this obligation by providing its then-current Trust Center documentation, security questionnaire responses, and any independent third-party attestations.

12. International transfers (SCCs incorporated)

Toran's primary processing infrastructure is hosted in the European Union (Supabase eu-west region). Where any transfer of Personal Data to a Sub-processor outside the EEA / UK is necessary for the Services, the parties hereby incorporate by reference the EU Commission Implementing Decision (EU) 2021/914 of 4 June 2021 Standard Contractual Clauses, Module 2 (Controller-to-Processor), with the following selections: Clause 7 (docking) not in use; Clause 9(a) Option 2 (general written authorisation, 30 days' notice) applied; Clause 11(a) optional language not included; Clause 17 (governing law) — Ireland; Clause 18 (forum) — Ireland.

Note on transfers from the EEA to Toran: Toran is established in Israel, which the European Commission has formally recognized as providing an adequate level of personal-data protection (Commission Decision 2011/61/EU of 31 January 2011). Accordingly, transfers of Personal Data from EEA Customers to Toran do not require additional safeguards under GDPR Article 46 to legitimise the transfer itself. The SCCs incorporated above continue to apply to onward transfers from Toran to any Sub-processor outside the EEA, UK, or another adequate jurisdiction. (Subject to periodic Commission review under GDPR Article 45(3); Toran will update this DPA if the adequacy decision status changes.)

UK transfers are governed by the UK International Data Transfer Addendum to the EU SCCs (Version B1.0). Swiss transfers are governed by the SCCs with the modifications required by the FDPIC.

Annex I — Processing details

For an executed agreement, Annex I will be customized to your specific processing context. The values below are the default template.

A. Data Subjects

  • Customer's website visitors who interact with the Toran widget
  • Customer's leads and prospects (data captured via the widget)
  • Customer's own employees / team members who hold a Toran login (when configured)

B. Categories of Personal Data

  • Identifiers — name, email, phone number, IP address
  • Location data — country, city, region (derived from IP)
  • Conversation content — chat messages exchanged with the widget
  • AI-derived enrichment — lead score, AI-generated conversation summary, company-name guesses
  • Behavioral data — page-view URLs, scroll depth on conversion pages

C. Special categories of Personal Data

None expected. Toran is not configured to collect protected health information, biometric data, payment-card numbers, government identifiers, or other special categories. Customer agrees not to configure the widget to elicit such data.

D. Frequency & nature of processing

Continuous, automated. Lead capture and notification dispatch occur in near-real time. AI scoring is computed on each lead arrival.

E. Purpose

To provide the Services: lead capture, AI scoring, multi-channel notification dispatch (push / email / Slack / Telegram / WhatsApp Forwarder), and dashboard access.

F. Duration

See §10 above and the retention schedule on the Trust Center.

Annex II — Technical & organizational measures

Live TOMs are maintained at /trust#security. The following is a non-exhaustive summary at the time of signing:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • Row-Level Security policies on every Personal Data table
  • Multi-factor authentication required for all administrative access
  • Principle of least privilege — production database access restricted, logged, and reviewed
  • Documented incident-response runbook with annual tabletop exercise
  • EU data residency (Supabase eu-west region)
  • Daily encrypted backups with documented retention
  • Audit logging of authentication events and sensitive administrative actions
  • Vulnerability management: dependency monitoring (Dependabot), automated security advisories, periodic penetration testing for major surface changes

Annex III — Authorised Sub-processors

The current list of authorised Sub-processors, including legal entity name, processing purpose, region of operation, and data categories accessed, is maintained at /legal/subprocessors and incorporated into this DPA by reference. Updates are notified per §8.

13. Miscellaneous

In case of conflict, the SCCs (where applicable) prevail. This DPA is governed by the law specified in the Terms of Service (or, where the SCCs apply to a transfer, the law specified in Clause 17 of the SCCs as selected in §12 above). Each party will bear its own costs in performance.