Legal draft — this document is a draft prepared by the product team and does not constitute legal advice. It will be replaced with a professionally-reviewed version by a qualified attorney before we exit Beta. Questions: hello@alma-ads.co.il.
Data Processing Agreement
Last updated: 2026-04-21
This document is a Data Processing Agreement under Article 28 of the General Data Protection Regulation (GDPR). It applies when you, as a business owner, use My Special Offer to process personal data of your clients (for example, names, phones and emails of your customers). In this scenario, you are the Controller and My Special Offer is the Processor.
§1 Parties
• Controller — you, the registered business owner in the system, or your company
• Processor — My Special Offer, operated by Niv Einy
• Sub-processors — the sub-processors listed in §4
This agreement applies to the processing of personal data of your clients (not your own data as a business owner — that is covered by the main Privacy Policy).
§2 Definitions
• "Personal Data" — as defined in GDPR Art. 4(1)
• "Processing" — as defined in GDPR Art. 4(2)
• "Data Subject" — your clients whose data appears in proposals you create
• "Personal Data Breach" — as defined in GDPR Art. 4(12)
• "Supervisory Authority" — the relevant data-protection authority
§3 Scope, duration, nature and purpose of processing
• Scope — personal data of your clients included in proposals: name, phone, email, business details, payment details
• Duration — the period during which you use the Service
• Nature — storage, creation, modification, sharing via public link, digital signing
• Purpose — delivering the Service you ordered (creating proposals, sending them to clients, managing the account)
§4 Sub-processors
The current list of sub-processors we rely on. By entering into this DPA you authorize their use. Addition or change of a sub-processor will be announced 30 days in advance, and you have the right to object (an objection may result in termination of the Service).
| Provider | Role | Location | DPA |
|---|---|---|---|
| Supabase | Data storage, database, authentication | EU-West (Ireland) | DPA |
| Vercel | Site hosting, CDN, middleware | Global CDN | DPA |
| Google Gemini | Transcription and AI extraction | Global (US-central) | DPA |
| Resend | Transactional emails | USA | DPA |
| PostHog | Analytics (consent-gated) | EU-West (Frankfurt) | DPA |
| Paddle.com Market Limited | Payment and tax processing (Merchant of Record). Data transferred: billing email, billing address (country + region + postal code), amount, currency, and internal tenant UUID. Required for VAT calculation and invoicing under GDPR Art. 6(1)(b,c) and Art. 13(1)(e). | Dublin, Ireland (EU) | DPA |
§5 Assistance in data-subject rights
We will assist you, the Controller, in responding to requests by your Data Subjects (your clients) under GDPR Art. 15-22.
Timeline:
• Access, correction or portability requests — 30 days from receipt
• Deletion requests — 30 days, subject to legal retention duties for signed proposals
• Cost — free for reasonable requests. Repeat / bulk requests may cost up to €10
§6 Security measures
We implement technical and organizational security measures:
• Row-Level Security (RLS) at the database layer
• Transport-layer encryption (HTTPS / TLS 1.3)
• Encryption at rest (Supabase AES-256)
• Controlled access — fewer than 3 people with service-role access
• Daily backups
• Anomaly monitoring
• Periodic vulnerability scanning
We do not guarantee the system is impenetrable. In case of an incident, see §8.
§7 International transfers
Some sub-processors operate outside the European Union. These transfers are performed under the European Commission's Standard Contractual Clauses (SCCs) — Commission Decision 2021/914, module 2 (Controller-to-Processor).
No data is transferred to countries without an Adequacy Decision or appropriate SCCs.
§8 Breach notification
In case of a personal-data breach affecting data of your clients, we will notify you without undue delay — and in any case no later than 24 hours from becoming aware — so you can meet your own notification duty under GDPR Art. 33 (72 hours to the supervisory authority).
The notification will include: description of the incident, types and approximate volume of data exposed, likely consequences, containment measures taken.
§9 Audits
You may request an annual audit of processing activities, with 30 days' advance notice. The audit must be conducted during business hours and may not interfere with the Service.
For extensive on-site audits we may charge a fee at cost. Questionnaire / documentary audits are free.
You may rely on third-party certifications (SOC 2, ISO 27001) in lieu of an independent audit where available.
§10 Return or deletion of data
Upon termination of the Agreement (cancellation of the plan or account closure), we will, at your option:
• Return the data — export in JSON format + HTML files of published proposals
• Delete the data — within 30 days, except for signed proposals subject to the 7-year retention duty
Default — deletion if no instruction is received within 30 days.
§11 Liability
Our liability as Processor is limited in accordance with the main Terms of Service. We are responsible only for our own actions — not for your mistakes as Controller.
Each party bears responsibility under GDPR Art. 82 for its share of the breach.
§12 Governing law
This agreement is governed by the laws of the State of Israel. Jurisdiction — the competent court in Tel-Aviv.
§13 Signature
This agreement takes effect automatically when you use the Service as a business. No manual signature is required.
If your organization requires a physically-signed DPA, contact hello@alma-ads.co.il and we will provide a signed PDF version by email within 5 business days.