top of page

Data Processing Agreement - Users
Last Updated: April 20, 2020

In order to provide the Services to its Users, LeverIT processes data from customers or visitors of the Users' site or services (hereinafter: "User Customers"). The processing of such data by WIX shall hereinafter be referred to as "Processing." The following Data Processing Agreement ("DPA") sets forth the terms of such processing by LeverIT.

​

This Agreement supplements the LeverIT Terms of Use, Privacy Policy, and any other applicable LeverIT terms (hereinafter, the "Terms of Use," the "Privacy Policy," and collectively, the "LeverIT Policies"). The terms of the LeverIT Policies shall apply to this Agreement as appropriate. In the event of a conflict between this DPA and any of the LeverIT Policies, the provisions of this DPA shall prevail. Any term capitalized but not defined herein shall have the meaning ascribed to such term in the LeverIT Policies.

​

Insofar as the User's Customer Data processed by LeverIT on behalf of the User, Users acknowledge and agree that LeverIT will process personal data as necessary to provide the Services under the DPA. By using LeverIT's Services, the User has instructed WIX to process such Personal Data on their behalf in accordance with this DPA.


Definitions

​

For the purposes of this DPA, the following terms have the following meanings: The terms 'Controller', 'Data Subject', 'Personal Data', 'Personal Data Breach', 'Processing', and 'Processor', as used in this DPA, have the meanings given to them in the GDPR and as specified in other regulations established in Annex 2.

​

User Customer Data refers to the personal data of User Customers processed by WIX on behalf of Users.

Terms of processing of personal data by LeverIT:


1. LeverIT International shall:

 

1.1 Process the Customer Data for the provision of Services to LeverIT Users and in accordance with LeverIT Policies.


1.2 Ensure that any person acting on its behalf shall process the Customer Data in accordance with the provisions of the Privacy Policy and applicable data protection regulations.


1.3 Implement appropriate technical, organizational, and security measures to protect the privacy and security of the Customer Data.

 

2. Users shall:

 

2.1 Collect, use, and process personal data in accordance with the GDPR and all and any data protection laws and regulations set forth in Annex 2.

 

2.2 Be solely responsible for the accuracy, quality, and legality of the user's customer data and the means by which it was obtained.


2.3 Ensure the appropriate level of security when using LeverIT Services, taking into account any risk regarding the Customer Data.


2.4 Any storage and/or transfer of Customer Data by the User to any third party or platform other than LeverIT shall be at the sole risk and responsibility of the User.

 

3) Hereby, each User grants LeverIT a general authorization to engage subprocessors without obtaining any further specific written authorization from the User. If the User objects to any subprocessing by LeverIT, such User must immediately suspend their use of the Services. LeverIT will enter into an agreement with each subprocessor to ensure compliance by such subprocessor with terms that guarantee at least the same level of protection and security as those set forth in this DPA.

 

4) By using any of LeverIT's Services, the User agrees to the adequacy of the organizational, technical, and security measures implemented by LeverIT to protect Personal Data. Some of these measures can be seen here.

 

5) If LeverIT becomes aware of any personal data breach, LeverIT will, without undue delay, notify the affected users in accordance with applicable regulations. LeverIT will make all reasonable efforts to include the following information in such notifications: details of the nature of such breach and the number of records affected, the category and estimated number of affected data subjects, anticipated consequences, and any actual or proposed measures that LeverIT takes (or on its behalf) to mitigate the potential negative effects of such breach.

​

LeverIT's notification of a personal data breach shall not be deemed as an acknowledgment by LeverIT of any failure or liability regarding such incident.

​

In the event of a personal data breach, the user shall be required to take the measures required by applicable laws regarding their user's customer data.

 

6) Upon reasonable written request, LeverIT:

 

6.1 Make available to the User certifications demonstrating WIX's compliance with its obligations under this DPA and applicable law; and/or

 

6.2 Make available to the user the necessary information to demonstrate compliance with its obligations under this DPA and applicable law.

 

7) LeverIT will assist its Users, within reasonable timeframes, with appropriate measures and, to the extent reasonably possible (considering the nature of the Processing), in fulfilling the rights of data subjects and all other relevant obligations under data privacy regulations, including the GDPR and other applicable regulations set forth in Annex 2 below.

 

8) The processing of user's customer data shall take place within the territory of the European Union, Israel, or a third country, territory, or one or more specific sectors within that third country from which the European Commission has decided that it ensures an adequate level of protection, including, among others, the US under the EU-US Privacy Shield (transfer based on an adequacy decision pursuant to Article 45(3) of EU Regulation 2016/679 and decisions adopted on the basis of Article 25(6) of Directive 95/46/EC). Any transfer and processing in a third country outside the European Union that does not ensure an adequate level of protection according to the European Commission.


9) This DPA shall remain in effect in relation to each User for as long as such User uses any of LeverIT's Services, provided that, in the event LeverIT is required, pursuant to the terms of this DPA or LeverIT's Policies, to maintain a Client Customer's Personal Data after the termination of the Services, this DPA shall continue in effect as long as WIX holds such Personal Data.


10) Upon the termination of the User's use of the Services, and unless LeverIT is required to retain such Customer Data under LeverIT's Policies, any agreement or applicable legislation, LeverIT, including upon written request from the User, shall delete the User's Personal Data as soon as reasonably possible and in accordance with LeverIT's Policies and applicable laws.

 

11) LeverIT shall have the right to amend and/or adjust any of the terms of this DPA as necessary from time to time, to comply with applicable laws or regulations.

 

12) Any inquiries related to this DPA or requests from Users to exercise Data Subject Rights as described in this document, in the GDPR, or other applicable regulation, should be directed to LeverIT's Data Protection Officer at solutions@leverit.com. LeverIT will attempt to resolve any complaints related to the use of its user's customer data in accordance with this DPA and LeverIT's Policies.

 

Annex 1 - Standard Contractual Clauses (PROCESSORS)


For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries that do not ensure an adequate level of data protection.

​

The entity identified as the "User" in the DPA (the "data exporter") and Wix.com Ltd 40 Namal Tel Aviv St., Tel Aviv 6350671, Israel (the "data importer") are each party, together 'the parties'.

​

HAVE AGREED to the following contractual Clauses (the Clauses) in order to provide adequate guarantees with respect to the protection of privacy and the fundamental rights and freedoms of persons for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.

 

Clause 1 - Definitions


A. 'personal data', 'special categories of data', 'processing', 'controller', 'processor', 'data subject', and 'supervisory authority' shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.


B. 'data exporter': the controller transferring the personal data.


C. 'data importer' means the processor who agrees to receive from the data exporter personal data intended for processing on its behalf after the transfer in accordance with its instructions and the terms of the Clauses and who is not subject to a third country's system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC.

 

D. 'subprocessor' means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with its instructions, the terms of the Clauses, and the terms of the written subcontract.

 

E. 'applicable data protection law' means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established.

 

F. 'technical and organizational security measures' means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

 

Clause 2 - Transfer details

​

The transfer details, and in particular, the special categories of personal data, where applicable, are specified in Appendix 1, which forms an integral part of the Clauses.

 

Clause 3: Third Party Beneficiary Clause


1) The data subject may enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e) and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as a third-party beneficiary.

 

2) The data subject may enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or ceased to exist in law unless any successor entity has assumed all legal obligations of the data exporter by contract or by operation of law, as a result of which it has assumed the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.

 

3) The data subject may enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed all legal obligations of the data exporter by contract or by operation of law as a result of which it has assumed the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such liability of the subprocessor shall be limited to its own processing operations under the Clauses.

 

4) The parties do not object to a data subject being represented by an association or other body if the data subject expressly wishes and if permitted by national law.

 

Clause 4 - Data Exporter's Obligations

​

The data exporter agrees and warrants:

 

A. that the processing, including the transfer itself, of personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State.

 

B. that it has instructed and will continue to instruct the data importer throughout the duration of the data processing services to process the transferred personal data only on behalf of the data exporter and in accordance with the applicable data protection law and the Clauses.

 

C. that the data importer will provide sufficient guarantees with regard to the technical and organizational security measures specified in Appendix 2 of this contract.

 

D. that, after assessing the requirements of the applicable data protection law, the security measures are appropriate to protect the personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected, taking into account the state of the art and the cost of their implementation.

 

E. that it will ensure compliance with the security measures.

 

F. that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that his/her data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC.

 

G. to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or lift the suspension.

 

H. to make available to data subjects, upon request, a copy of the Clauses, with the exception of Appendix 2, and a summarized description of the security measures, as well as a copy of any subprocessing services agreement that must be entered into in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case such commercial information may be removed.

 

I. that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of the data subject as the data importer under the Clauses.

 

J. to ensure compliance with Clause 4(a) to (i).

 

Clause 5 - Data Importer's Obligations

​

The data importer agrees and warrants:

 

A. to process the personal data solely on behalf of the data exporter and in accordance with its instructions and the Clauses; if it cannot provide such compliance for any reason, it agrees to immediately inform the data exporter of its inability to comply, in which case the data exporter has the right to suspend the transfer of data and/or terminate the contract.

 

B. that it has no reason to believe that the applicable law prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that, in the event of a change in this law likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will notify the data exporter immediately of the change as soon as it becomes aware of it, in which case the data exporter has the right to suspend the transfer of data and/or terminate the contract;

​

C. that it has implemented the technical and organizational security measures specified in Appendix 2 before processing the transferred personal data.

 

D. that it will notify the data exporter promptly about.

 

E. any legally binding request for disclosure of the personal data by a law enforcement authority, unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation.


ii) any accidental or unauthorized access.


iii) any request received directly from the data subjects without responding to that request, unless otherwise authorized to do so.

 

E. to promptly and properly address all inquiries from the data exporter related to the processing of the transferred personal data and comply with the advice of the supervisory authority regarding the processing of the transferred data.

 

F. upon request by the data exporter, to submit its data processing facilities for audit of the processing activities covered by the Clauses to be carried out by the data exporter or an inspection body composed of independent members and possessing the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority; mandatory requirements of the national legislation applicable to the data importer which do not go beyond what is necessary in a democratic society on the basis of one of the interests listed in Article 13(1) of Directive 95/46/EC, i.e., if they constitute a necessary measure to safeguard national security, defense, public security, the prevention, investigation, detection, and prosecution of criminal offenses or breaches of professional ethics, an important economic or financial interest of the State or the protection of the data subject or the rights and freedoms of others, are not in contradiction with the standard contractual clauses. Some examples of such mandatory requirements that do not go beyond what is necessary in a democratic society include, among others, internationally recognized sanctions.

 

G. to make available to the data subject, upon request, a copy of the Clauses, or any existing subcontracting agreement, unless the Clauses or the contract contain commercial information, in which case such commercial information may be removed, with the exception of Appendix 2, which shall be replaced by a summarized description of the security measures in cases where the data subject cannot obtain a copy from the data exporter;

​

H. that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;


I. that the processing services by the subprocessor will be carried out in accordance with Clause 11;

​

J. to promptly provide a copy of any subprocessor agreement concluded under the Clauses to the data exporter.

 

Clause 6 - Liability


1) The parties agree that any data subject who has suffered damage as a result of any breach of the obligations mentioned in Clause 3 or Clause 11 by any party or subprocessor has the right to receive compensation from the data exporter for the damage suffered.

 

2) If a data subject is unable to bring a claim for compensation pursuant to paragraph 1 against the data exporter due to a breach by the data importer or its subprocessor of any of their obligations mentioned in Clause 3 or Clause 11, because the data exporter has disappeared or ceased to exist legally or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entirety of the legal obligations of the data exporter by contract or by operation of law, in which case the data subject may enforce its rights against such entity. The data importer cannot rely on a breach by a subprocessor of its obligations to avoid its own responsibilities.

​

3) If a data subject is unable to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, as a result of a breach by the subprocessor of any of its obligations mentioned in Clause 3 or Clause 11 because both the data exporter and the data importer have disappeared or ceased to exist legally or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the subprocessor with respect to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed all of the legal obligations of the data exporter or data importer by contract or by law, in which case the data subject may enforce its rights against such entity. The subprocessor's liability shall be limited to its own processing operations under the Clauses.

 

Clause 7 - Mediation and jurisdiction


1) The data importer agrees that if the data subject invokes against it rights of third-party beneficiaries and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject.

 

A. to refer the dispute to mediation, by an independent person or, where appropriate, by the supervisory authority.

 

B. to refer the dispute to the courts of the Member State in which the data exporter is established.

 

2) The parties agree that the choice made by the data subject shall not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

 

Clause 8 - Cooperation with Supervisory Authorities


1) The data exporter agrees to deposit a copy of this contract with the supervisory authority if requested or if such deposit is required by applicable data protection law.

 

2) The parties agree that the supervisory authority has the right to conduct an audit of the data importer and any subprocessor, which shall have the same scope and be subject to the same conditions as would apply to an audit of the data exporter under applicable data protection law.

 

3) The data importer shall promptly inform the data exporter of the existence of any applicable legislation preventing the conduct of an audit of the data importer, or any subprocessor, in accordance with paragraph 2. In such a case, the data exporter shall have the right to take the measures provided for in Clause 5 (b).

 

Clause 9 - Applicable Law

​

The clauses shall be governed by the law of the Member State in which the data exporter is established.

 

Clause 10 - Variation of the Contract

​

The parties undertake not to vary or modify the Clauses. This does not prevent the parties from adding clauses on matters related to the business when necessary, provided they do not contradict the Clause.

 

Clause 11 - Subprocessing


1) The data importer shall not subcontract any of its processing operations carried out on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. When the data importer subcontracts its obligations under the Clauses, with the data exporter's consent, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under Clause 3. Where the subprocessor fails to fulfill its data protection obligations under such written agreement, the data importer shall remain fully liable to the data exporter for the fulfillment of the subprocessor's obligations under such agreement.

 

2) The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is unable to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.

 

3) The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.

 

4) The data exporter shall keep a list of subprocessing agreements entered into pursuant to the Clauses and notified by the data importer pursuant to Clause 5(j), which shall be updated at least once a year. The list shall be available to the data exporter's data protection supervisory authority.

 

Clause 12 - Obligation after termination of personal data processing services


1) The parties agree that upon termination of the provision of data processing services, the data importer and the subprocessor, at the choice of the data exporter, shall return all the transferred personal data and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the transferred personal data. In that case, the data importer warrants that it will guarantee the confidentiality of the transferred personal data and will no longer actively process the transferred personal data.

 

2) The data importer and the subprocessor warrant that, upon request of the data exporter and/or the supervisory authority, they will submit their data processing facilities for an audit of the measures mentioned in paragraph 1.

 

Appendix 1 of the Standard Contractual Clauses

​

This appendix is part of the clauses and must be completed and signed by the parties. Member States may complete or specify, in accordance with their national procedures, any additional information required to be included in this Appendix.

 

Data exporter

The data exporter is the entity identified as the "User" in the DPA.

 

Data importer

The data importer is Wix.com Ltd., the provider of the services.

 

Data Subjects

The data subjects are defined as User Customers in the DPA.

 

Categories of Data

Personal data are those defined in the DPA.

 

Processing Operations

The personal data transferred shall be subject to the following basic processing activities:

 

The purpose of processing personal data by the data importer is the performance of the Services in accordance with the Agreement.

 

Appendix 2 of the Standard Contractual Clauses

​

This Appendix is part of the Clauses and must be completed and signed by the parties.

​

Description of technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c):

​

The technical and organizational security measures implemented by the data importer are described at: security- https://support.wix.com/en/about-wix/security

 

Appendix 2 - Applicable Regulations


1. California:

 

1.1 The "Applicable Regulation" definition includes the California Consumer Privacy Act ("CCPA").

 

1.2 The definition of (i) "Personal Data" includes "Personal Information", (ii) "Data Subject" includes "Consumer", (iii) "Controller" includes "Company", (iv) "Processor" includes "Service Provider", as defined in CCPA.

 

1.3 WIX will process, retain, use, and disclose personal data only as necessary to provide its Services, which constitutes a business purpose.

 

1.4 WIX agrees not to: (i) sell (as defined by the CCPA) the User's Customer Data; (ii) retain, use, or disclose the User's Customer Data for any business purpose (as defined by the CCPA) other than to provide the Services; or (iii) retain, use, or disclose User Customer Data outside the scope of WIX Policies.

 

1.5 WIX certifies that its subprocessors, as described in Section 3 of the Annex, are Service Providers under CCPA, with whom WIX has signed a written contract that includes terms that guarantee at least the same level of protection and security as those established in this DPA.

Argentina

Arroyo 932 of 6A

Federal capital

Tel. (54) 11 4393 4884

Colombia

Av. El Dorado # 68C61 Torre Central building, office 831.

Bogota DC

Email: colombia@leverit.com

Cell: 300 216 4000 | 317 438 0705 | 317 428 3995

U.S

​

Skype: +1 682 285 2300

Mexico

LeverIT Soluciones SA de CV Movil1: 55 4264 2733

Mobile2: 5542 93 8089 mexico@leverit.com

Blvd. Miguel de Cervantes Saavedra 169 P 11-108, Granada, CP 11520, Mexico, CDMX

Peru

Calle las Camelias 891 2nd Floor Urb. Santa Cruz Lima - Lima - San Isidro

Phone: +51 442 30 63

Página_leverit_pie_de_pagina_final-07.pn
bottom of page