Sign in Get started
Legal

Data Processing Addendum

Last updated: 6 June 2026

This Data Processing Addendum (“DPA”) forms part of the Terms of Service between Kaligon Ltd, a company incorporated in the State of Israel (company no. 515713865), Yaakov St 26, Rehovot, 7626237, Israel (“Kaligon”, “Processor”), and the customer (“Customer”, “Controller”). It applies whenever Kaligon processes personal data on the Customer’s behalf in connection with the Services, and reflects Article 28 of the EU and UK General Data Protection Regulation (“GDPR”) and Israel’s Protection of Privacy Law, 5741-1981 and the Protection of Privacy (Data Security) Regulations, 5777-2017.

1. Roles and scope

For Customer Content that contains personal data, the Customer is the controller (or processor acting for a third-party controller) and Kaligon is the processor (or sub-processor). Each party will comply with the data-protection laws applicable to it. Kaligon’s separate handling of account, billing, and website personal data — where it acts as a controller — is described in the Privacy Policy, not this DPA.

2. Processing on documented instructions

Kaligon will process personal data only on the Customer’s documented instructions — including the Terms, this DPA, and the Customer’s configuration and use of the Services — and as required by law, in which case Kaligon will (where legally permitted) inform the Customer first. Kaligon will tell the Customer if it believes an instruction infringes applicable data-protection law.

3. Confidentiality

Kaligon ensures that personnel authorized to process personal data are bound by appropriate confidentiality obligations and are trained on their responsibilities.

4. Security

Kaligon implements and maintains appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk, taking account of Article 32 GDPR and the Data Security Regulations, 5777-2017. These measures are summarized in Annex 2 and may be updated provided protection is not materially reduced.

5. Sub-processors

The Customer grants Kaligon general authorization to engage sub-processors to provide the Services. A current list of sub-processors is available on request at hello@kaligon.cloud (and summarized in Annex 3). Kaligon will impose data-protection obligations on each sub-processor that are no less protective than those in this DPA, and remains responsible for its sub-processors’ performance. Kaligon will give the Customer reasonable prior notice of any intended addition or replacement of a sub-processor, during which the Customer may object on reasonable data-protection grounds.

6. Data-subject requests

Taking into account the nature of the processing, Kaligon will assist the Customer by appropriate technical and organizational measures, insofar as possible, to respond to requests from data subjects exercising their rights. If Kaligon receives such a request directly, it will, where lawful, refer the data subject to the Customer.

7. Assistance

Kaligon will provide reasonable assistance to the Customer with security, breach notification, data protection impact assessments, and prior consultation with supervisory authorities, taking into account the nature of the processing and the information available to Kaligon.

8. Personal-data breaches

Kaligon will notify the Customer without undue delay after becoming aware of a personal-data breach affecting Customer personal data, and will provide information reasonably available to it to help the Customer meet its own notification obligations to authorities and data subjects.

9. International transfers

Where processing involves a transfer of personal data out of the EEA, the UK, or Switzerland to a country without an adequacy decision, the parties will rely on an appropriate transfer mechanism — including the European Commission’s Standard Contractual Clauses and the UK International Data Transfer Addendum, which are incorporated by reference — together with supplementary measures as needed.

10. Audits and information

Kaligon will make available information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by the Customer or an auditor it mandates, on reasonable prior notice, subject to confidentiality and to limits that protect other customers’ security and data. Where available, third-party reports and certifications may be provided to satisfy audit requests.

11. Deletion or return

On termination of the Services, and at the Customer’s choice, Kaligon will delete or return Customer personal data and delete existing copies within a reasonable period (and in any case within the deletion window stated in the Terms), unless retention is required by applicable law.

12. Liability

Each party’s liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service.

13. Order of precedence and governing law

If there is a conflict between this DPA and the Terms regarding the processing of personal data, this DPA prevails. Except where mandatory data-protection law (including the GDPR or the SCCs) provides otherwise, this DPA is governed by the law and jurisdiction stated in the Terms.

Annex 1 — Details of processing

  • Subject matter and duration — provision of the Services for the term of the Terms.
  • Nature and purpose — hosting, storage, transmission, and computation of Customer Content as configured by the Customer.
  • Types of personal data — any personal data the Customer chooses to include in Customer Content; Kaligon does not require or control its contents.
  • Categories of data subjects — as determined by the Customer (e.g., the Customer’s users, customers, or staff).

Annex 2 — Security measures

Encryption in transit and at rest; access controls and least-privilege; network segmentation and project-scoped isolation; logging, monitoring, and a 90-day audit log; secure development and change management; and incident response. Full details are available on request.

Annex 3 — Sub-processors

Stripe (payment processing); infrastructure and datacenter partners in the regions Kaligon operates (Texas and New York, United States; London, United Kingdom; Amsterdam, Netherlands); and a transactional email provider. A current, itemized list is available at hello@kaligon.cloud.

Contact

Questions about this DPA or to request the sub-processor list, the SCCs, or security documentation: hello@kaligon.cloud.