Back to Home
Legal

Data Processing Addendum

Last revised: April 16, 2026

1. INTRODUCTION

This Data Processing Addendum ("DPA") forms part of and supplements the Terms & Conditions (the "Agreement") between Awide Labs Ltd., a company incorporated under the laws of Israel, with registered offices at Tel Aviv, Israel ("Awide Labs," "Processor"), and the entity or individual accepting the Agreement ("Customer," "Controller").

This DPA applies where and only to the extent that Awide Labs processes Personal Data on behalf of the Customer as a data processor in the course of providing the Services under the Agreement, specifically for SaaS deployments of:

  • Awide PostgreSQL DBMS ("AwideDB"); and/or
  • Awide PostgreSQL Operations Intelligence Suite ("PgSuite").

For On-Premise deployments, Awide Labs does not process Personal Data on behalf of the Customer, and this DPA does not apply, unless Customer explicitly shares data with Awide Labs for support purposes.

2. DEFINITIONS

In this DPA, unless the context otherwise requires:

  • "Data Protection Laws" means all applicable laws relating to the processing of Personal Data, including the EU General Data Protection Regulation (Regulation 2016/679) ("GDPR"), the UK GDPR, the Swiss Federal Act on Data Protection, and the Israel Privacy Protection Law, 5741-1981, as applicable.
  • "Personal Data" means any information relating to an identified or identifiable natural person that is processed by Awide Labs on behalf of Customer in connection with the Services.
  • "Processing" means any operation or set of operations performed on Personal Data, as defined in the GDPR.
  • "Sub-Processor" means any third party engaged by Awide Labs to process Personal Data on behalf of the Customer.
  • "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
  • "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to processors established in third countries, as adopted by the European Commission.
  • "Operational Data" means metrics, query telemetry, performance logs, and configuration data collected by PgSuite from Customer's database instances, as defined in the PgSuite EULA.

3. SCOPE AND ROLES

3.1 Roles

With respect to the processing of Personal Data under this DPA:

  • Customer is the data controller and determines the purposes and means of processing;
  • Awide Labs is the data processor and processes Personal Data solely on behalf of and under the documented instructions of the Customer.

3.2 Categories of Data Subjects

Personal Data processed under this DPA may relate to:

  • Customer's employees, contractors, and agents who use the Services ("Customer End-Users");
  • Individuals whose Personal Data may be included in Customer Data or Operational Data processed through the Services.

3.3 Types of Personal Data

  • AwideDB (SaaS): Account data, database connection metadata, and any Personal Data contained in Customer Data processed through the hosted database service.
  • PgSuite (SaaS): Account data, Operational Data (which may include Personal Data embedded in SQL query text, such as user identifiers, email addresses, or IP addresses), and performance metrics.

3.4 Purpose and Duration

Awide Labs processes Personal Data solely to provide the Services as described in the Agreement and the applicable EULA. Processing continues for the duration of the Agreement, unless otherwise specified herein.

4. PROCESSOR OBLIGATIONS

Awide Labs shall:

  • Process Personal Data only on documented instructions from the Customer, unless required by applicable law (in which case Awide Labs shall inform the Customer of such legal requirement before processing, unless prohibited by law);
  • Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including encryption of Personal Data in transit (TLS) and at rest (AES-256 or equivalent), access controls, and regular security assessments;
  • Not engage another processor (Sub-Processor) without prior specific or general written authorization of the Customer, as further described in Section 7;
  • Assist the Customer in responding to requests from Data Subjects exercising their rights under Data Protection Laws;
  • Assist the Customer in ensuring compliance with obligations regarding data security, breach notification, data protection impact assessments, and prior consultations with supervisory authorities;
  • At the choice of the Customer, delete or return all Personal Data to the Customer after the end of the provision of Services, and delete existing copies unless applicable law requires storage;
  • Make available to the Customer all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Customer or a mandated auditor.

5. CONTROLLER OBLIGATIONS

Customer shall:

  • Comply with its obligations under Data Protection Laws regarding the processing of Personal Data and the use of the Services;
  • Ensure it has a lawful basis for processing Personal Data and that all necessary consents have been obtained from Data Subjects;
  • Provide documented processing instructions to Awide Labs;
  • Be responsible for the accuracy, quality, and legality of the Personal Data provided to Awide Labs;
  • Be responsible for ensuring that individuals whose Personal Data may be included in Operational Data (e.g., in SQL query text) are adequately informed.

6. DATA SECURITY

Awide Labs maintains appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures include, but are not limited to:

  • Encryption of data in transit using TLS 1.2 or higher;
  • Encryption of data at rest using AES-256 or equivalent;
  • Logical access controls and role-based access management;
  • Network segmentation and firewall protections;
  • Regular security testing and vulnerability assessments;
  • Employee security awareness training;
  • Physical security of data center facilities (managed by AWS).

7. SUB-PROCESSORS

7.1 Authorization

Customer provides general written authorization for Awide Labs to engage Sub-Processors to process Personal Data on behalf of Customer. Awide Labs shall inform the Customer of any intended changes concerning the addition or replacement of Sub-Processors, giving the Customer the opportunity to object to such changes within thirty (30) days.

7.2 Current Sub-Processors

The following Sub-Processors are authorized as of the date of this DPA:

Sub-Processor Purpose Location
Amazon Web Services EMEA SARL Cloud infrastructure hosting for SaaS deployments Luxembourg (data centers in customer-selected AWS Region)
Amazon Web Services, Inc. Cloud infrastructure hosting for SaaS deployments (US customers) United States (data centers in customer-selected AWS Region)

7.3 Sub-Processor Obligations

Where Awide Labs engages a Sub-Processor, Awide Labs shall impose data protection obligations on the Sub-Processor that are no less protective than those set out in this DPA, by way of a written contract. Awide Labs shall remain fully liable for the performance of the Sub-Processor's obligations.

8. DATA BREACH NOTIFICATION

Awide Labs shall notify the Customer without undue delay after becoming aware of a personal data breach affecting Personal Data processed under this DPA. The notification shall include:

  • A description of the nature of the breach, including where possible the categories and approximate number of Data Subjects and records concerned;
  • The name and contact details of Awide Labs's point of contact;
  • A description of the likely consequences of the breach;
  • A description of the measures taken or proposed to be taken to address the breach, including measures to mitigate its possible adverse effects.

Awide Labs shall cooperate with the Customer and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of each such breach.

9. INTERNATIONAL DATA TRANSFERS

Personal Data may be transferred outside of the European Economic Area (EEA), the United Kingdom, or Switzerland only where appropriate safeguards are in place:

  • Adequacy decisions: Transfers to countries deemed adequate by the European Commission (including Israel, as recognized by Commission Decision 2011/61/EU);
  • Standard Contractual Clauses (SCCs): Where no adequacy decision applies, Awide Labs and the Customer shall enter into the SCCs as adopted by the European Commission;
  • Data Privacy Framework: Awide Labs's participation in the EU-U.S., UK, and Swiss-U.S. Data Privacy Framework programs;
  • Other mechanisms: Any other transfer mechanism permitted under applicable Data Protection Laws.

For transfers involving AWS as a Sub-Processor, the AWS Data Processing Addendum provides additional safeguards, including SCCs.

10. DATA SUBJECT RIGHTS

Awide Labs shall, taking into account the nature of the processing, assist the Customer by appropriate technical and organizational measures, insofar as possible, for the fulfilment of the Customer's obligation to respond to requests for exercising Data Subject rights under Data Protection Laws, including rights of access, rectification, erasure, restriction, portability, and objection.

If Awide Labs receives a request directly from a Data Subject, Awide Labs shall promptly redirect such request to the Customer, unless otherwise required by applicable law.

11. DATA RETENTION AND DELETION

Upon termination or expiration of the Agreement, Awide Labs shall, at Customer's choice:

  • Return all Personal Data to the Customer in a commonly used, machine-readable format; or
  • Delete all Personal Data and confirm such deletion in writing.

Customer Data shall be available for export for thirty (30) days following termination of SaaS Services. After this period, Awide Labs may delete all remaining Personal Data, except where retention is required by applicable law.

12. AUDIT RIGHTS

Upon Customer's written request and subject to reasonable confidentiality obligations, Awide Labs shall make available information necessary to demonstrate compliance with this DPA. Customer may conduct an audit (or appoint a qualified third-party auditor) no more than once per year, with at least thirty (30) days' prior written notice. Audits shall be conducted during normal business hours and shall not unreasonably interfere with Awide Labs's operations.

Awide Labs shall also make available relevant third-party audit reports and certifications (including SOC 2, ISO 27001, or equivalent) upon request, to the extent available.

13. LIABILITY

Each party's liability under this DPA is subject to the limitations of liability set forth in the Agreement. Nothing in this DPA limits either party's liability for breaches of Data Protection Laws to the extent such limitation is not permitted by applicable law.

14. TERM AND TERMINATION

This DPA shall remain in effect for the duration of the Agreement. The DPA shall automatically terminate upon termination or expiration of the Agreement, subject to Awide Labs's obligations regarding data deletion or return as set forth in Section 11.

15. GOVERNING LAW

This DPA shall be governed by and construed in accordance with the governing law of the Agreement, unless required otherwise by applicable Data Protection Laws. For matters related to GDPR, the laws of the EU Member State in which the Customer is established may apply to the extent mandated by the GDPR.

16. CONFLICT

In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing of Personal Data. In the event of any conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.

17. CONTACT

For questions about this DPA or to exercise any rights under it, please contact:

Awide Labs Ltd.
Tel Aviv, Israel
Email: info@awide.io