Data Processing Agreement
עודכן לאחרונה:
1. Roles
The Customer is the “Controller” and EntryBit is the “Processor” of personal data processed under the Main Agreement.
2. Subject Matter and Duration
EntryBit processes personal data only to deliver the EntryBit Service, for the term of the Main Agreement plus any required retention period.
3. Nature and Purpose of Processing
Identity and access management, event logging, notifications, reporting, integrations, and customer support.
4. Categories of Data Subjects
Customer’s employees, contractors, visitors, and other individuals whose access is managed via the Service.
5. Categories of Personal Data
Identification data, contact data, authentication credentials, access events, device identifiers, and — only when enabled by Customer — biometric templates, license plate numbers, and photographs.
6. Sub-processors
EntryBit maintains a current list of sub-processors. Customer is notified at least 30 days before adding or replacing any sub-processor and may object in writing. Current sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| DigitalOcean | Infrastructure hosting | EU (AMS) / US |
| SendGrid (Twilio) | Transactional email delivery | US |
| Tranzila | Payment processing | Israel |
| Google LLC | Marketing site analytics (Google Analytics 4) | EU/EEA |
Google processes only anonymized, cookie-consented analytics data from the marketing site (entrybit.net). No personal data from the application platform is shared with Google. Analytics cookies are blocked by default and only activated after explicit visitor consent — see our Cookie Policy.
7. Security Measures
Encryption in transit (TLS 1.2+), encryption at rest (AES-GCM + ChaCha20-Poly1305), Argon2id password hashing, hardware-backed key storage, RBAC, audit logging, and vulnerability management.
8. Data Subject Rights
EntryBit assists the Customer in responding to data subject requests (access, rectification, erasure, portability) within the timelines required by applicable law.
9. Personal Data Breach
EntryBit notifies the Customer without undue delay, and in any case within 72 hours, after becoming aware of a personal data breach affecting Customer data.
10. International Transfers
Transfers outside the EEA are governed by Standard Contractual Clauses (SCCs, 2021/914) and supplementary technical and organizational measures.
11. Audit
Customer may audit EntryBit’s compliance with this DPA once per year, upon reasonable notice, subject to confidentiality. Independent security audit reports are accepted in lieu of on-site audits.
12. Deletion or Return of Data
Upon termination, EntryBit returns or deletes all Customer personal data within 30 days, except where retention is required by law.