Introduction
This Data Processing Agreement (the "DPA" or "Agreement") is supplementary to the SaaS Platform Terms of Service and applies to every Customer using the Platform to process personal data of natural persons ("End Users" / "Data Subjects").
The DPA constitutes the parties' agreement under GDPR Article 28 and in accordance with the Israeli Privacy Protection Regulations (Data Security) 2017.
1. The Parties
- Controller (Customer) — You, the entity managing End User data through the Platform.
- Processor (SoulBe) — Service provider, acting on your instructions.
- Sub-processors — Service providers SoulBe uses (detailed in Annex A).
2. Subject Matter of Processing
Purpose of processing: Providing CRM services, marketing automation, communication and lead management to the Customer.
Duration of processing: For the period of the Customer's subscription to the Platform + 90 days post-termination (for export and backup).
Types of personal data that may be processed:
- Identification details: Name, email, phone, address.
- Communication details: Email/SMS/WhatsApp history.
- Profile data: Role, company, interests.
- Interaction data: Clicks, opens, visits.
- (Any additional type the Customer inputs into the Platform.)
Categories of End Users:
- Leads, contacts, and potential customers of the Customer.
- Existing customers of the Customer.
- Visitors to the Customer's landing pages.
- (Any additional group the Customer manages in the Platform.)
3. Customer Obligations (Controller)
The Customer undertakes to:
- Be responsible for establishing the legal basis for processing (consent, contract, legitimate interest, etc.).
- Obtain all required consents from End Users.
- Provide End Users with its own privacy policy and respond to their requests.
- Ensure data uploaded to the Platform is accurate and legitimate.
- Not upload sensitive data (Special Category Data per GDPR Art. 9) without explicit legal basis.
4. SoulBe Obligations (Processor)
SoulBe undertakes to:
- Process personal data solely per documented Customer instructions, as expressed in the Terms of Service and the Customer's actions in the Platform.
- Process only for service provision, security, and maintenance.
- Not use personal data for its own purposes (e.g. self-marketing, profile building).
- Ensure authorized personnel are bound by confidentiality.
- Implement appropriate security measures (section 6).
- Assist the Customer in fulfilling its obligations (section 7).
- Report a breach within 72 hours (section 8).
- Delete or return data upon termination (section 9).
- Allow audits subject to conditions (section 10).
5. Sub-processors
5.1 General Consent
The Customer explicitly approves the use of sub-processors listed in Annex A.
5.2 Cascading Obligations
SoulBe will ensure that every sub-processor is bound by obligations substantively equivalent to those in this DPA.
5.3 Adding a New Sub-processor
- 30 days' advance notice by email and on a notice board in the Platform.
- The Customer may object on reasonable grounds and terminate the service if the objection is not resolved.
5.4 Liability
SoulBe bears full liability for the acts of its sub-processors.
6. Security Measures (Article 32)
SoulBe implements at minimum:
- Encryption — TLS 1.2+ in transit, AES-256 at rest for sensitive data.
- Access controls — Strong authentication, role-based, principle of least privilege.
- Resilience & DR — Daily backups, disaster recovery plan.
- Security testing — Periodic pen-testing, security code review.
- Logs — Secure storage, anomaly tracking.
- Response processes — Incident response procedure, defined team.
- Training — Employee training on data protection.
Security measures may be updated in response to technological developments and threats, subject to maintaining equivalent or stronger standards.
7. Assistance to Customer
SoulBe will assist the Customer (primarily through Platform functionality) with:
- End User request fulfillment — Access, rectification, erasure, portability, objection.
- DPIA (Data Protection Impact Assessment) — Upon request, to a reasonable extent.
- Cooperation with authorities in case of regulatory investigation.
End Users contacting SoulBe directly — If we receive direct contact from a Customer's End User, we will refer them to the Customer and notify the Customer within 5 business days.
8. Breach Notification
- Initial notice — Within 72 hours from the time SoulBe becomes aware of a security incident likely to affect the Customer's personal data (consistent with GDPR Art. 33).
- Notice contents: Nature of breach, estimated categories and volume of affected data, expected impact, steps taken.
- Cooperation with the Customer for notice to authorities and End Users as required by law.
9. Termination
- Upon Customer subscription termination:
  - 30 days for data export in CSV/JSON format.
  - After 90 days — full deletion from Production.
  - Backups deleted within an additional 30 days.
- Legal retention — Certain data will be retained per legal obligations (accounting, tax) or authority order.
10. Audit Rights
- The Customer may request periodic security reports (once a year).
- On-site audit by the Customer or qualified third party — subject to:
  - 30 days' advance notice.
  - Scheduling that does not disrupt operations.
  - NDA signature.
  - Funding at the Customer's expense (unless the audit revealed a material breach).
- Alternative: SoulBe will provide SOC 2 / ISO 27001 reports of major sub-processors if available.
11. International Transfers
- Transfers from EEA are made with safeguards:
  - Standard Contractual Clauses (SCCs) of the Commission.
  - Data Privacy Framework (for certified U.S. providers).
- Transfers from Israel in accordance with the Privacy Protection Regulations (Transfer of Data Abroad) 2001.
12. Liability
- SoulBe liability — Subject to the limits in the SaaS Terms (section 11).
- Customer liability — Indemnify SoulBe against claims arising from the Customer's failure to fulfill its obligations under this DPA.
13. Conflicts
In case of conflict between this DPA and the SaaS Terms — the DPA prevails with respect to personal data processing. With respect to all other matters — the SaaS Terms prevail.
14. Changes
SoulBe may update the DPA to meet evolving regulatory requirements. Material changes will be announced by email and in the Platform 30 days in advance.
15. Governing Law
Laws of the State of Israel and GDPR (insofar as it applies to EU End Users). Exclusive jurisdiction — the competent courts in the Tel Aviv-Jaffa District.
---
Annex A — Sub-processor List
| Provider | Role | Location | Transfer Basis |
|---|---|---|---|
| GoHighLevel / LeadConnector | CRM infrastructure, storage | U.S. | SCCs + DPF |
| Cloudflare / Ludicrous Cloud | CDN, security | Global | SCCs |
| AWS | Adjacent storage | U.S. / EU | SCCs + DPF |
| Vercel | Landing page hosting | U.S. / EU | SCCs + DPF |
| Stripe | Payment processing | U.S. | SCCs + DPF |
| Mailgun / SendGrid | Email delivery | U.S. | SCCs + DPF |
| Twilio | SMS delivery | U.S. / EU | SCCs + DPF |
| Meta WhatsApp Business | WhatsApp delivery | U.S. / EU | SCCs + DPF |
(This list may be updated per section 5.3)
---
Annex B — Data Protection Contact
- DPO/SoulBe contact: hello@soulbe.io
- Breach reporting: hello@soulbe.io (mark "DATA BREACH" in subject)
- Israeli Privacy Protection Authority: privacyprotection.gov.il
---
Signature (Optional)
This contract does not require a separate physical signature — acceptance of the Terms of Service and joining the Platform constitute acceptance of this DPA. Customers requiring a separate signature (for internal compliance purposes) may contact hello@soulbe.io.