Data Processing Addendum (DPA)

Last Updated: May 28, 2026

This Data Processing Addendum ("DPA") forms part of the agreement governing the Customer's use of the ZeKol Services (the "Agreement") between Merhav Technologies (מרחב טכנולוגיות), an Israeli sole proprietorship (Business ID / עוסק 323836130), of Tel Aviv, Israel — operator of the ZeKol platform ("ZeKol," "Processor") — and the entity that accepts the Agreement ("Customer," "Controller"). Capitalized terms not defined here have the meaning given in the Agreement.

By using the Services or accepting the Agreement, the Customer agrees to this DPA on its own behalf and, where applicable, on behalf of its Affiliates.

1. Definitions

• "Affiliate" means an entity that controls, is controlled by, or is under common control with a party, where "control" means ownership of more than 50% of the voting interests.
• "Data Protection Laws" means all laws applicable to the processing of Personal Data under this DPA, including the EU GDPR and UK GDPR, Israel's Protection of Privacy Law (PPL) and its data-security regulations, the California Consumer Privacy Act as amended by the CPRA (together, "CCPA/CPRA"), and other comparable laws, each as amended.
• "Personal Data," "Controller," "Processor," "processing," "Data Subject," and "Personal Data Breach" carry the meanings given in the GDPR. Where processing is governed by Israeli law, these roles map to the equivalent concepts under the PPL — the Controller corresponds to the database owner (בעל מאגר), and the Processor to a holder / processor (מחזיק / גורם מעבד) — and ZeKol acts as the Processor (holder) accordingly.
• "Customer Personal Data" means the Personal Data that ZeKol processes on the Customer's behalf in providing the Services — principally the text transcripts of, and technical metadata about, conversations between End Users and the Customer's voice agent.
• "End User" means a visitor to the Customer's website or property who interacts with a ZeKol voice agent the Customer has deployed there.
• "Sub-processor" means a third party engaged by ZeKol to process Customer Personal Data in connection with the Services.

2. Roles, Scope, and Instructions

2.1 Controller and Processor. For End-User interactions with voice agents the Customer deploys on its properties, and for the related conversation records and analytics shown to the Customer, the Customer is the Controller and ZeKol is the Processor.

2.2 Subject matter and purpose. ZeKol processes Customer Personal Data only to provide and support the Services — namely hosting; transcribing End-User speech; retrieving relevant knowledge and generating responses; synthesizing speech; storing and displaying conversation transcripts to the Customer; analytics for the Customer; and operating, securing, maintaining, and improving the Services and preventing abuse — and for no other purpose, except as required by law.

2.3 Instructions. ZeKol processes Customer Personal Data only on the Customer's documented instructions, which include this DPA, the Agreement, and the Customer's configuration choices in the product. ZeKol will inform the Customer if, in its reasonable opinion, an instruction infringes Data Protection Laws (without obligation to provide legal advice).

2.4 Duration. Processing continues for the term of the Agreement and for any period afterward reasonably needed to return or delete Customer Personal Data, or as required by law.

3. Customer Responsibilities

3.1 Lawful basis; notices and consents. The Customer is responsible for establishing a lawful basis for the processing, and for giving End Users the notices and obtaining any consents required by Data Protection Laws — including informing End Users that the voice agent records and transcribes the conversation, and requesting microphone access. The Customer is responsible for its configuration choices.

3.2 Accuracy and legality. The Customer is responsible for the accuracy and legality of the content it supplies to build the agent's knowledge base, and warrants that it has the right to have ZeKol scan and process that content.

3.3 Prohibited data. The Customer will not configure its agent to solicit, and will use reasonable measures to avoid submitting, special categories of Personal Data (Article 9 GDPR), children's data, payment-card numbers, government identifiers, or health, genetic, or biometric data — and any category treated as "especially sensitive information" under Israel's PPL (which also covers, among others, data about a person's location and movements, financial circumstances, political or religious beliefs and opinions, and intimate family matters) — unless ZeKol has agreed to such processing in writing in advance. ZeKol does not store raw audio and does not generate voiceprints, so it does not use voice as a biometric identifier.

4. ZeKol's Obligations

4.1 Confidentiality. ZeKol ensures that personnel authorized to process Customer Personal Data are bound by appropriate confidentiality obligations.

4.2 Security. Taking into account the state of the art, the nature and risks of the processing, ZeKol implements and maintains appropriate technical and organizational measures to protect Customer Personal Data, as described in Exhibit C.

4.3 Sub-processors. The Customer gives ZeKol general authorization to engage Sub-processors. ZeKol imposes data-protection obligations on each Sub-processor that are materially equivalent to those in this DPA, and remains responsible for its Sub-processors' performance. The current Sub-processors are listed in Exhibit B. Where required by law, ZeKol will give the Customer notice of any intended addition or replacement of a Sub-processor and a reasonable opportunity to object on reasonable data-protection grounds; if the parties cannot resolve the objection and no reasonable alternative is available, the Customer may discontinue the affected Service.

4.4 Assistance. Taking into account the nature of the processing and the information available to it, ZeKol will provide reasonable assistance to the Customer (using standard product features at no additional charge; reasonable documented costs may apply to out-of-scope effort) with: (a) responding to Data Subject requests; (b) maintaining the security of the processing; (c) notifying and addressing Personal Data Breaches; and (d) data protection impact assessments and prior consultations with supervisory authorities.

4.5 Breach notification. ZeKol will notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and will provide the information reasonably available to it to help the Customer meet its own notification obligations. Where Israeli law applies, ZeKol will give this notice promptly enough to allow the Customer, as controller, to meet any severe-security-incident reporting obligation to the Israeli Privacy Protection Authority (PPA).

4.6 Deletion and return. On termination or expiry of the Services, or on the Customer's written request, ZeKol will delete or return Customer Personal Data, unless retention is required by law (see Section 8).

5. Data Subject Requests

If ZeKol receives a request directly from a Data Subject (for example, an End User seeking access to or deletion of conversation data), ZeKol will, where lawful, direct the requester to the Customer and will not respond substantively except as legally required. ZeKol will assist the Customer in responding as described in Section 4.4.

6. International Transfers

6.1 Locations. Customer Personal Data may be processed in Israel (the primary database region), the European Union, the United States, and other locations where ZeKol or its Sub-processors operate. The real-time voice infrastructure operates in the EU, and some AI processing may take place in the United States.

6.2 Transfer mechanisms. Where Data Protection Laws require safeguards for a transfer, the parties incorporate by reference:

• EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), with Module Two (Controller-to-Processor) for transfers from the Customer to ZeKol and Module Three (Processor-to-Sub-processor) for transfers from ZeKol to its Sub-processors, completed as set out in Exhibit D; and
• the UK International Data Transfer Addendum for transfers subject to the UK GDPR, completed as set out in Exhibit D.

Israel benefits from a European Commission adequacy decision for many transfers from the EEA. For transfers of personal data out of Israel to its sub-processors, ZeKol relies on the transfer conditions permitted under Israeli law (for example, the recipient being subject to adequate data-protection standards or bound by appropriate contractual safeguards).

6.3 Supplementary measures and government access. ZeKol maintains appropriate supplementary technical, organizational, and contractual measures. ZeKol will not voluntarily disclose Customer Personal Data to a government authority. If legally compelled to disclose, ZeKol will, where lawful, notify the Customer and seek to redirect the request to the Customer.

7. Audits and Records

7.1 Records. ZeKol maintains records of its processing activities and security measures sufficient to demonstrate compliance with this DPA.

7.2 Audits. No more than once in any twelve (12) months, and on reasonable written notice, ZeKol will make available the information necessary to demonstrate compliance with this DPA, in the form of security documentation or summaries of any third-party assessments. Where such materials are not reasonably sufficient under Data Protection Laws, the Customer (or an independent auditor it appoints, who must not be a competitor of ZeKol) may conduct a focused audit of the relevant systems, subject to reasonable notice, confidentiality, normal business hours, and minimal disruption. The Customer bears its own costs and ZeKol's reasonable costs of supporting the audit. More frequent audits may occur where a supervisory authority requires them.

8. Retention and Deletion

8.1 Retention. ZeKol retains Customer Personal Data for as long as the Customer's account and the relevant site are active, and for as long as needed for the purposes described in Section 2 and this DPA. ZeKol does not store raw audio after a conversation is processed into a transcript and response.

8.2 No fixed-timer default; deletion on request. ZeKol does not apply an automatic time-based deletion schedule by default. On the Customer's written request, on closure of the account, or on termination of the Services, ZeKol will delete or de-identify the relevant Customer Personal Data, unless retention is required by law. ZeKol may introduce self-serve retention and deletion controls in the future and will document them when available.

8.3 Backups. Deletions are applied to active systems promptly and propagate from backups within a reasonable period.

8.4 De-identified data. Data that ZeKol has de-identified and/or aggregated so that it can no longer reasonably be linked to an identified or identifiable person is no longer Customer Personal Data, and ZeKol may retain and use it without time limit (see Section 9.2).

9. Use Restrictions and Service Data

9.1 Processor-only use. ZeKol will not sell Customer Personal Data, will not use it to train foundation or general-purpose AI models, and will not share it for cross-context behavioral advertising. Customer Personal Data is processed only to provide the Services and as otherwise permitted by this DPA or required by law.

9.2 Aggregated and de-identified metrics. ZeKol may create and use de-identified, aggregated metrics — which cannot reasonably be linked to an identified or identifiable person — to operate, secure, maintain, and improve the platform, to measure and demonstrate service performance, and in confidential business communications (including with prospective investors). ZeKol will not disclose the Customer's raw conversation transcripts for these purposes.

9.3 ZeKol as independent controller for account data. ZeKol acts as an independent Controller — outside the scope of this DPA — for its own account, billing, security-log, and platform-telemetry data, as described in the ZeKol Privacy Policy.

10. CCPA/CPRA (Service Provider)

With respect to Personal Data subject to the CCPA/CPRA, ZeKol acts as a "service provider." ZeKol will not "sell" or "share" such personal information; will not retain, use, or disclose it except to provide the Services or as otherwise permitted by the CCPA/CPRA; and will not combine it with personal information from other sources except as permitted. ZeKol will comply with applicable service-provider obligations and certifies that it understands and will abide by these restrictions.

11. Liability and Order of Precedence

This DPA is subject to the limitations and exclusions of liability set out in the Agreement. In the event of a conflict, the following order of precedence applies: (1) the SCCs and UK Addendum; (2) this DPA; (3) the Agreement; (4) the ZeKol Privacy Policy.

12. Acceptance and Updates

12.1 Acceptance. This DPA is incorporated into the Agreement and takes effect when the Customer accepts the Agreement or uses the Services. No separate signature is required, though ZeKol will execute a countersigned copy on reasonable request.

12.2 Governing law. Except where the SCCs or the UK Addendum require otherwise (see Exhibit D), this DPA and the Agreement are governed by the laws of the State of Israel, and the competent courts of Tel Aviv-Yafo have exclusive jurisdiction.

12.3 Updates. ZeKol may update this DPA to reflect changes in Data Protection Laws, Sub-processors, or transfer mechanisms, giving notice where legally required.

Exhibit A — Details of Processing (SCCs Annex I.A / I.B)

• Subject matter. Processing of End-User voice-conversation transcripts and related metadata through the Services.
• Nature of processing. Speech-to-text transcription, retrieval and generation of responses, text-to-speech synthesis, real-time transmission, storage, organization, display to the Customer, limited analysis for the Customer's analytics, security and abuse prevention, and deletion or return.
• Purpose. To provide and support the Services for the Customer — including voice-agent responses, conversation history, analytics, and service operations and security.
• Categories of Data Subjects. End Users who interact with the Customer's voice agent; the Customer's personnel who administer the Service.
• Categories of Personal Data. Conversation transcript content; technical metadata needed to operate the Service (e.g., masked IP address, approximate location derived from it, browser/device and OS information, timestamps, session and request identifiers); and Customer administrator data (e.g., name, email).
• Special categories. Not intended or permitted without ZeKol's prior written agreement (see Section 3.3).
• Frequency. Continuous, for the duration of the Customer's use of the Services.
• Duration. For the term of the Agreement, or until deletion or return as directed by the Customer or required by law.
• Roles. Customer = data exporter / Controller; ZeKol = data importer / Processor; Sub-processors per Exhibit B.
• Competent supervisory authority. For the EU SCCs, the authority determined under Clause 13 (typically that of the Customer's EU place of establishment, or its EU representative). For the UK Addendum, the UK Information Commissioner's Office (ICO).

Exhibit B — Sub-processors (SCCs Annex I.B / III)

ZeKol engages the following Sub-processors to process Customer Personal Data:

Where ZeKol enables an alternative speech provider for quality or availability — currently Microsoft Azure (speech-to-text) or Deepdub (text-to-speech) — that provider acts as a Sub-processor under the terms of Section 4.3. ZeKol maintains a current list and will notify Customers of material changes where legally required.

Exhibit C — Security Measures (SCCs Annex II)

• Encryption. TLS for data in transit; encryption at rest for stored data.
• Access control. Role-based access on a least-privilege basis; strong authentication for production access; credential management; periodic access reviews.
• Tenant isolation. Each Customer's data is logically segregated; client applications cannot write directly to the database — all writes go through ZeKol's server-side application using administrative credentials, governed by database security rules.
• Network and infrastructure. Secure managed cloud environment; logging and monitoring; rate limiting; origin/domain allow-listing for embedded widgets; short-lived, scoped access tokens for voice sessions.
• Data management. Retention governed by Section 8; deletion of Customer Personal Data on request, with propagation to backups within a reasonable period.
• Secure development and change control. Version control; code review; controlled releases; dependency management.
• Incident response. Documented procedures and breach notification to the Customer without undue delay upon confirmation (Section 4.5).
• Personnel. Confidentiality obligations and security/privacy awareness for personnel with access to Customer Personal Data.
• Vendor management. Sub-processor due diligence and contractual data-protection terms (including SCCs/UK Addendum where applicable), with periodic review.

Exhibit D — Cross-Border Transfers (SCCs / UK Addendum)

EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) apply to transfers of Customer Personal Data from the EEA, as follows:

• Module Two (Controller-to-Processor) for transfers from the Customer to ZeKol; Module Three (Processor-to-Sub-processor) for transfers from ZeKol to its Sub-processors.
• Clause 7 (Docking): not used.
• Clause 9 (Sub-processors): Option 2 (general written authorization); notice as provided in Section 4.3.
• Clause 11 (Optional independent dispute resolution): not used.
• Clause 17 (Governing law): the law of Ireland.
• Clause 18(b) (Forum): the courts of Ireland.
• Annexes: Annex I, II, and III are completed by Exhibits A, C, and B of this DPA, respectively.

UK International Data Transfer Addendum. For transfers subject to the UK GDPR, the UK Addendum is incorporated, with its tables completed by reference to Exhibits A–C of this DPA. Governing law and forum: England and Wales. The competent authority is the UK Information Commissioner's Office (ICO).

Conflict. If there is any conflict between the SCCs or UK Addendum and this DPA, the SCCs or UK Addendum prevail with respect to the relevant transfer.

Contact

Merhav Technologies (operator of ZeKol) Israeli sole proprietorship · Business ID (עוסק) 323836130 Tel Aviv, Israel Privacy and legal: zekol.agents@gmail.com