Data Processing Agreement (DPA)
Last updated: July 9, 2026
A standard data processing addendum offered to business customers of build it up (formerly ProPage) under the Israeli Privacy Protection Law, 5741–1981—including Amendment No. 13, effective August 2025—and the Israeli Privacy Protection Regulations (Data Security), 5777–2017.
This Addendum forms an integral part of the Terms of Use of the build it up Platform, operated by Otef Digital Agency (“build it up” or the “Processor”), and applies whenever the Customer (the “Controller”) uploads, stores, or processes third parties’ Personal Data—including end Users, Leads, and Visitors—through the System.
The Controller represents that it is responsible for determining the purposes of processing, providing privacy notices to its Visitors, obtaining required consents, responding to Data Subject requests, and ensuring that its use of the System is appropriate for its activities and complies with applicable law.
1. Definitions
- “Personal Data” means personal information as defined by the Israeli Privacy Protection Law, 5741–1981, as amended, including by Amendment No. 13, and any personally identifiable information uploaded to the System by the Controller, such as Leads, inquiries, and customer details.
- “Controller” means a build it up business customer that determines the purposes and means of processing its Personal Data.
- “Processor” means build it up, which processes Personal Data on the Controller’s behalf under its instructions and this Addendum.
- “Sub-Processor” means an external service provider to which build it up transfers Personal Data to provide the Service, as listed in Section 5.
- “Data Security Incident” has the meaning assigned to it under the Israeli Privacy Protection Regulations (Data Security), 5777–2017.
2. Scope and Purpose of Processing
Subject matter: hosting landing pages, managing content, and receiving Leads and contact forms for the Controller.
Types of Personal Data: name, email address, phone number, message content, IP address, and any other field configured by the Controller in a form.
Categories of Data Subjects: end Users of the Controller’s websites, including prospective customers and Visitors.
Duration: for as long as the engagement remains in effect and for a reasonable retention period afterward, as described in Section 8.
build it up will process Personal Data solely in accordance with the Controller’s documented instructions and subject to applicable law.
3. Processor Obligations (build it up)
build it up undertakes to:
- Process Personal Data solely to provide the Service to the Controller and in accordance with the Controller’s instructions.
- Implement reasonable technical and organizational security measures, including HTTPS/TLS encryption in transit, password encryption, role-based access controls (RBAC), backups, and log retention.
- Impose confidentiality obligations on employees, contractors, and stakeholders who access Personal Data, and limit access to personnel with a need to know.
- Assist the Controller, to the extent reasonably possible, in fulfilling its legal obligations, including responding to Data Subject requests under Section 6.
- Not transfer Personal Data to a third party without the Controller’s consent or instruction, except to the Sub-Processors listed in Section 5.
4. Information Security Measures
According to the security level required under the Israeli Privacy Protection Regulations (Data Security), 5777–2017—basic or intermediate, depending on the type of database—build it up implements measures including:
- TLS 1.2+ encryption in transit and HTTPS-only access.
- Encryption at rest for the Neon Postgres database and backups.
- Strong authentication, including encrypted passwords and OAuth, and role-based permission management.
- Separation of development and production environments and access controls.
- Logical logging of access and material changes to Personal Data.
- Periodic security reviews and vulnerability testing.
5. Sub-Processors
The Controller authorizes the transfer of Personal Data to the following Sub-Processors, which are subject to corresponding data-security and privacy obligations:
| Provider | Purpose | Location |
|---|---|---|
| Vercel Inc. | Application hosting and CDN | United States / global |
| Neon, Inc. | PostgreSQL database | United States / European Union |
| Cloudinary Ltd. | Image storage and CDN | United States / Israel |
| Resend Inc. | Transactional email delivery | United States / European Union |
build it up will notify the Controller of the replacement or addition of a material Sub-Processor, and the Controller may object on reasonable grounds.
6. Data Subject Rights
build it up will assist the Controller, through reasonable measures and subject to the System’s technological capabilities, in responding to Data Subject requests to exercise rights under applicable law, including access, correction, deletion, and objection.
The Controller is responsible for receiving and documenting requests from its Data Subjects and submitting them in writing to support@builditup.io.
Privacy inquiries (Amendment 13): inquiries concerning privacy and processing under this Addendum may be submitted through the official support address above. Whether build it up is required to appoint a Privacy Protection Officer under Amendment No. 13 to the Israeli Privacy Protection Law is currently under legal review. If an officer is appointed, their contact details will be added to this document.
7. Data Security Incidents and Notification
In the event of a material Data Security Incident affecting the Controller’s Personal Data, build it up will notify the Controller without undue delay and no later than 72 hours after becoming aware of the Incident. The notice will include the reasonably available information, including:
- The nature and time of the Incident.
- The types of Personal Data that may be affected.
- Measures taken or proposed to mitigate harm.
- A contact person for further inquiries.
8. Return and Deletion upon Termination
Upon termination of the engagement, and at the Controller’s choice, build it up will return Personal Data to the Controller in a commonly used format, such as a CSV or JSON export of Leads, and/or delete it from its systems within a reasonable period, except for information that must be retained by law.
9. International Transfers
The Controller acknowledges that the Sub-Processors listed in Section 5 may store or process Personal Data in countries outside Israel, including the United States and the European Union. build it up will ensure that such transfers are subject to reasonable safeguards under applicable Israeli law, including the Israeli Privacy Protection Regulations (Transfer of Data to Databases Outside the State Borders), 5761–2001.
10. Liability and Its Limitation
build it up’s liability under this Addendum is subject to the limitations of liability in the System’s Terms of Use. The Controller bears full responsibility for the lawfulness of its collection of Personal Data from end Users, including obtaining required consents and complying with the Israeli Privacy Protection Law and its regulations.
build it up is not responsible for the content of forms created by the Controller, the wording of consents presented by it, marketing messages sent by it, the Controller website’s privacy policy, or any use the Controller makes of Leads after they are provided to it.
11. Governing Law and Jurisdiction
This Addendum is governed by the laws of the State of Israel. The competent courts in the Southern District (Beer Sheva) shall have exclusive jurisdiction over any dispute relating to this Addendum.
12. DPA Effectiveness and Contact
This Addendum automatically applies to every build it up business customer that processes Personal Data through the System. Customers requiring a physically signed copy or customized commercial terms may contact us:
build it up (formerly ProPage) — operated by Otef Digital Agency
Email: support@builditup.io
Phone: 055-996-6472
Business hours: Sunday–Thursday, 9:00 AM–6:00 PM
Location: Kerem Shalom, Israel
Other legal documents: Terms of Use | Privacy Policy | Cookie Policy | Accessibility Statement
