Noviq Data Processing Addendum
This Data Processing Addendum (the “DPA”) is part of the Terms of Service between Rallyve (“Noviq”, “we”) and each Customer, and governs our processing of personal data contained in Customer Data (capitalized terms are defined in the Terms).
This DPA is published in Hebrew and in English. The Hebrew version is the binding version; this English text is provided for convenience.
1. Roles
For personal data in Customer Data, the Customer is the controller (the “owner of the database” under the Israeli Protection of Privacy Law, 1981) and we are its processor (“holder”). Where the GDPR applies to a Customer, the terms “controller” and “processor” have their GDPR Article 4 meanings, and this DPA is intended to satisfy Article 28(3).
2. Details of processing
| Item | Description |
|---|---|
| Subject matter | Operation of the Noviq shift-scheduling platform for the Customer’s Workspace. |
| Duration | The term of the Customer’s use of the Service, plus the wind-down period in section 10. |
| Nature and purpose | Hosting, storage, display, computation (schedules, hours, pay-relevant summaries), notification delivery, backup, and support — solely to provide the Service. |
| Categories of data subjects | The Customer’s Authorized Users — employees, managers, finance staff, and administrators. |
| Categories of personal data | Identification and contact details (name, email, phone), employment details (role, teams, employment dates, weekly hours, employee number), scheduling and availability data, leave requests (a leave type may indicate health-related information), attendance and hours, and in-app notifications. |
3. Instructions
We process Customer Data only on the Customer’s documented instructions: the Terms, this DPA, and the configuration choices the Customer makes in the Service. We will inform the Customer if, in our view, an instruction violates applicable data-protection law. We may process Customer Data where required by law; in that case we will notify the Customer unless the law forbids it.
4. Confidentiality
Access to Customer Data on our side is limited to persons who need it to provide and secure the Service, and who are bound by confidentiality obligations.
5. Security measures
We implement technical and organizational measures appropriate to the risk, in line with the Israeli Privacy Protection (Data Security) Regulations, 2017, including:
- Access control — role-based permissions enforced server-side on every read and write; per-Workspace data isolation in a multi-tenant architecture; direct client writes blocked by database security rules.
- Encryption — TLS in transit; encryption at rest via Google Cloud.
- Authentication — managed by Google Identity Platform (passwords are never stored by us); sessions expire after 14 days.
- Auditability — every data-changing action is recorded in the Workspace’s audit log with the acting user.
- Monitoring — error and security monitoring with incident triage.
6. Subprocessors
The Customer authorizes the subprocessors listed at /legal/subprocessors, each bound by data-protection terms no less protective than this DPA. We will update that page before adding or replacing a subprocessor that processes Customer Data and notify Workspace administrators of material changes at least 14 days in advance; a Customer that objects on reasonable data-protection grounds may terminate and export under section 10.
7. International transfers
Customer Data is hosted on Google Cloud / Firebase in the United States. The transfer relies on our contractual data-protection commitments with Google (including its data-processing terms) and on the safeguards in section 5, in accordance with the Israeli Privacy Protection (Transfer of Data Abroad) Regulations, 2001. We will not transfer Customer Data to a country or provider lacking equivalent safeguards.
8. Assistance
Taking into account the nature of the processing, we assist the Customer in fulfilling its data-protection obligations: the Service provides self-service inspection, export, correction, and deletion tools; for requests not covered by those tools, we respond to the Customer’s reasonable written requests at support@rallyve.com within 10 business days.
9. Security incidents
We notify affected Customers’ administrators without undue delay, and no later than 48 hours, after becoming aware of a security incident affecting their Customer Data — with the information reasonably available to us about its nature, scope, and mitigation, supplemented as our investigation progresses. Where the incident is a “severe security incident” under the Data Security Regulations, we also report it to the Israeli Privacy Protection Authority as required.
10. Deletion and return on termination
Following termination of a Workspace, the Customer has a 30-day wind-down period to export Customer Data using the Service’s export tools (or to request an export from us). After that period we delete Customer Data from production systems, with residual copies removed from backups on their rotation cycle. The Customer is responsible for exporting, before deletion, any records it must retain under statutory record-keeping duties (for example, wage and attendance records under Israeli labor law).
11. The Customer’s duty to inform employees
The Customer confirms it has a lawful basis for the personal data it enters into the Workspace and that it informs its employees about the processing — including data entered about them by managers — as required by the Protection of Privacy Law. Our Privacy Policy and the employee-notice template we make available can support that duty, but the duty itself is the Customer’s.
12. Individual user deletion
When an individual user deletes their account through the Service, we delete the personal data we control (account, preferences, availability, pending requests) and minimize their employee profile in each Workspace — removing contact details and free-text notes while retaining the identified employment records the Customer must keep under statutory retention duties (timesheets, decided leave, published schedules). Workspace administrators are notified.
13. Compliance information
On the Customer’s reasonable written request (no more than once a year, unless following a security incident), we will provide the information reasonably necessary to demonstrate compliance with this DPA — including a description of our security measures and our subprocessor agreements’ data-protection commitments.
14. Precedence and law
If this DPA conflicts with the Terms regarding the processing of personal data, this DPA prevails. Liability under this DPA is subject to the limitations in the Terms. Governing law and jurisdiction follow the Terms (Israel; Tel Aviv–Jaffa courts).