Data Processing Agreement (DPA)

"Data Processor" — LeadHub Systems Ltd. ("the Company"), providing the platform service.

"Data Controller" — The Customer (you), who determines the purposes and means of processing personal data.

"Personal Data" — Any information relating to an identified or identifiable natural person, including name, phone, email, and any other data entered into the system.

"Processing" — Any operation performed on personal data, including collection, storage, use, transfer and deletion.

"Data Subject" — The individual to whom the personal data relates (leads, customers, contacts).

The Company processes personal data solely for the purpose of providing the platform services, as detailed in the Terms of Service:

• Storage and management of leads and customer data entered by you
• Sending SMS, WhatsApp and email messages on your behalf
• Performing integrations with external services (Facebook, Google, etc.) per your configurations
• Generating reports and statistical analyses
• Data backup and recovery

The Company will not use personal data for its own purposes or for third-party purposes unrelated to the service.

The Company undertakes to:

• Process personal data only according to Controller instructions and for defined purposes
• Ensure employees with data access are bound by confidentiality
• Implement appropriate technical and organizational security measures
• Notify the Controller without undue delay of any data breach
• Assist the Controller in responding to data subject requests (access, rectification, deletion)
• Delete or return personal data upon termination, at your choice
• Allow and support reasonable audits by the Controller

The Customer undertakes to:

• Ensure personal data is collected lawfully and with data subjects' consent
• Use the system only for lawful purposes
• Not upload data whose collection or use is prohibited by law
• Comply with all applicable data protection laws

The Company implements the following security measures:

• Encryption: TLS/SSL encrypted communication, encryption of sensitive data at rest
• Access Control: Multi-layered permission system, two-factor authentication
• Monitoring: Activity logging and tracking, anomaly detection
• Backup: Automated daily backups with fast recovery
• Infrastructure: Secured servers in certified data centers
• Personnel: Staff training, need-to-know access only

The Company may engage sub-processors (third-party service providers) to deliver the service, such as:

• Cloud hosting and infrastructure providers
• SMS and WhatsApp service providers
• Email service providers (SMTP)
• Payment service providers

The Company ensures sub-processors are bound by equivalent data protection obligations. An up-to-date list of sub-processors is available upon request.

The Company will notify of material changes to sub-processors with 30 days advance notice. The Customer may object within 14 days.

Data is primarily stored on servers located in Israel and/or Europe.

Where transfer to countries without adequate protection is required, the Company will ensure appropriate safeguards in accordance with applicable law.

In the event of a data breach, the Company will:

• Notify the Controller within 72 hours of becoming aware of the breach
• Provide detailed information: type, scope, impact, and corrective actions
• Take all necessary steps to minimize damage
• Cooperate with the Controller and relevant authorities

Personal data is retained while the account is active and per the retention periods detailed in the Privacy Policy.

Upon termination:

• The Customer may export all data in a standard format
• The Company will delete data within 90 days of account closure
• Backups will be deleted per backup policy (up to 180 days)
• Data required by law will be retained for the mandated period

The Company will assist the Customer in fulfilling data subject requests under Israel's Privacy Protection Law and Amendment 13:

• Right of access — viewing personal data
• Right of rectification — correcting inaccurate data
• Right of erasure — removing data
• Right to restrict processing
• Right to object to processing
• Right to data portability — receiving data in a structured format

The Company will respond to requests within 30 days.

This agreement is effective as long as the Customer uses the Service. Confidentiality and data protection obligations survive termination.

This agreement is governed by the laws of the State of Israel, including the Privacy Protection Law, 5741-1981, and its regulations.

Any disputes shall be adjudicated in the competent courts of Tel Aviv-Jaffa.

For questions regarding data processing and privacy:

• Email: info@leadhub.systems
• Support: support@leadhub.systems
• Telegram: @leadhubil