Data Processing Addendum

Last updated: 2 June 2026

This Data Processing Addendum (“DPA”) forms part of the Terms of Service between you (the “Customer”) and Asas Labs Ltd (company no. 517341970), 27 Al-Wurud, Tamra 3081100, Israel (“Asas Labs”), and applies where Asas Labs processes personal data on the Customer’s behalf in providing the QalamSign service (the “Service”).

In this DPA the Customer is the controller (“owner” of the database, in the language of Israeli law) and Asas Labs is the processor (“holder”/processor). Terms not defined here have the meaning given in the Terms of Service and in the Protection of Privacy Law, 5741-1981 and the GDPR where applicable.

1. Scope and roles

The Customer determines the purposes and means of processing the personal data it uploads or generates through the Service (including data about recipients and signers). Asas Labs processes that personal data only as a processor, to provide the Service and on the Customer’s documented instructions, which include the Terms of Service, this DPA and the Customer’s use of the Service’s features.

2. Details of the processing

Element | Description
Subject matter | Provision of the QalamSign electronic-signature Service
Duration | For the term of the Customer’s account, plus applicable retention periods
Nature and purpose | Hosting, storing, transmitting, displaying and processing documents for preparation, sending, signing and record-keeping
Categories of data subjects | The Customer’s users, recipients and signers, and other individuals named in documents
Categories of personal data | Identity and contact data, signatures, document contents, technical data (IP, device, log and audit metadata)
Special-category / sensitive data | Only if the Customer chooses to upload it within documents; the Customer is responsible for any such data

3. Customer obligations

  • The Customer warrants that it has a lawful basis to collect and process the personal data it uploads and to instruct Asas Labs to process it, including a lawful basis to contact recipients for signature.
  • The Customer is responsible for the accuracy, quality and legality of the personal data and for providing any required notices and obtaining any required consents from data subjects.
  • The Customer must not instruct Asas Labs to process personal data in a manner that breaches applicable data-protection law.

4. Asas Labs’ obligations as processor

  • Process personal data only on the Customer’s documented instructions, unless required otherwise by law (in which case Asas Labs will inform the Customer where legally permitted).
  • Ensure that personnel authorised to process the personal data are bound by confidentiality.
  • Implement appropriate technical and organisational security measures (see “Security measures” below).
  • Assist the Customer, taking into account the nature of the processing, in responding to data-subject requests and in meeting its security, breach-notification and impact-assessment obligations.
  • On termination, delete or return personal data as described below.

5. Sub-processors

The Customer authorises Asas Labs to engage the sub-processors listed below to process personal data in connection with the Service. Each sub-processor is bound by data-protection obligations consistent with this DPA.

Sub-processor | Purpose | Processing location
Neon | Cloud PostgreSQL database (application data) | Outside Israel [confirm region]
Cloudflare R2 | Object storage for documents and files | Outside Israel
Vercel | Application hosting and delivery | Outside Israel
Resend | Transactional and notification email delivery | Outside Israel
019 (019sms.co.il) | SMS / OTP delivery | Israel
Cloudflare Turnstile | Bot protection during sign-up and sign-in | Outside Israel

Asas Labs will give the Customer reasonable notice of any intended addition or replacement of a sub-processor, and the Customer may object on reasonable data-protection grounds. To request the current list or to register an objection, contact admin@asaslabs.com.

6. International transfers

Where a sub-processor processes personal data outside Israel, Asas Labs ensures an appropriate transfer mechanism is in place under the Privacy Protection (Transfer of Data to Databases Abroad) Regulations, 5761-2001 — typically a data transfer agreement imposing protections equivalent to Israeli law, and equivalent safeguards under the GDPR where applicable.

7. Security measures

  • Encryption of personal data in transit (TLS).
  • Hashing of account passwords.
  • Role-based access controls and least-privilege access for personnel.
  • Logging and monitoring of access to systems and audit trails for document events.
  • Regular backups and measures to support availability and recovery.
  • Measures appropriate to the security level applicable under the Protection of Privacy (Data Security) Regulations, 5777-2017.

8. Assistance with data-subject requests

If Asas Labs receives a request from a data subject relating to personal data it processes on the Customer’s behalf, it will, where lawful, refer the request to the Customer and assist the Customer in responding within the statutory time frame (30 days under Israeli law).

9. Personal-data breach notification

Asas Labs will notify the Customer without undue delay after becoming aware of a personal-data breach affecting personal data processed on the Customer’s behalf, and will provide the information reasonably available to enable the Customer to meet its own notification obligations to the Israeli Privacy Protection Authority (within 72 hours) and to affected data subjects.

10. Audit and compliance

On reasonable written request, and subject to confidentiality, Asas Labs will make available information necessary to demonstrate compliance with this DPA, and will contribute to audits conducted by the Customer or an independent auditor mandated by it, in a manner that does not compromise the security or confidentiality of other customers’ data.

11. Return and deletion of data

On termination of the account, Asas Labs will, at the Customer’s choice, delete or return the personal data it processes on the Customer’s behalf, except to the extent retention is required by law or for evidentiary records as described in the Terms and Privacy Policy. Default deletion timelines are described on our Account Deletion page.

12. Liability and governing law

The liability provisions of the Terms of Service apply to this DPA. This DPA is governed by the laws of the State of Israel, and the competent courts of the Tel Aviv-Yafo district have exclusive jurisdiction. If there is a conflict between this DPA and the Terms of Service regarding the processing of personal data, this DPA prevails.

13. Contact

For matters relating to this DPA, contact Asas Labs Ltd at admin@asaslabs.com.