Data Processing Agreement (DPA)

This Data Processing Agreement ("DPA") forms part of the Terms of Service between:

It governs the Provider's processing of personal data on the Customer's behalf through the TSD Service. It is designed to meet Article 28 of the GDPR and the Israeli Protection of Privacy Law, 5741‑1981 (as amended, including Amendment 13) and the Privacy Protection (Data Security) Regulations, 5777‑2017 (the "Security Regulations"). Capitalised terms not defined here have the meaning in the Terms.

Effective date: 2026-06-27


1. Definitions

2. Roles and scope

2.1 The Customer is the Controller and the Provider is the Processor of Customer Personal Data. Where the Customer is itself a processor for a third party, the Provider acts as sub-processor and the Customer warrants it has the authority to engage it.

2.2 The Provider processes Customer Personal Data only to provide and support the Service and only on the Customer's documented instructions, including those in the Terms, this DPA, the Order Form, and the configuration choices the Customer makes in the Service. The Provider will inform the Customer if, in its opinion, an instruction infringes Data Protection Law (without obligation to give legal advice).

2.3 Details of the processing (subject matter, duration, nature, purpose, categories of data and data subjects) are set out in Annex I.

3. Provider (Processor) obligations

The Provider will:

(a) Instructions — process Customer Personal Data only as in §2.2; if law requires processing beyond the Customer's instructions, notify the Customer first unless that notice is legally prohibited.

(b) Confidentiality — ensure personnel authorised to process Customer Personal Data are bound by confidentiality and access it on a need-to-know basis.

(c) Security — implement and maintain the technical and organisational measures in Annex II, appropriate to the risk and to the security level required by the Security Regulations and GDPR Art. 32.

(d) Sub-processors — engage Sub-processors only under §5.

(e) Data-subject requests — taking into account the nature of the processing, assist the Customer by appropriate technical and organisational measures, insofar as possible, to respond to Data-Subject requests to exercise their rights (access, correction, deletion, objection, portability, etc.). If a Data Subject contacts the Provider directly, the Provider will refer them to the Customer and not respond substantively except on the Customer's instruction or as required by law.

(f) Assistance — assist the Customer, taking into account the information available to the Provider, with: security of processing; personal-data breach notification; data-protection impact assessments; and prior consultation with a Supervisory Authority (GDPR Arts. 32–36).

(g) Breach notification — notify the Customer without undue delay (and, where feasible, within 72 hours) after becoming aware of a personal-data breach affecting Customer Personal Data, with the information the Customer reasonably needs to meet its own notification duties (including, under Israeli law, to the Privacy Protection Authority where applicable).

(h) Deletion/return — at the Customer's choice, delete or return Customer Personal Data at the end of the services, and delete existing copies unless law requires retention (see §7).

(i) Audits & records — make available the information necessary to demonstrate compliance with this DPA and allow for and contribute to audits as set out in §6; maintain records of processing as required by law.

4. Customer (Controller) obligations

The Customer will:

(a) comply with its own obligations as Controller under Data Protection Law, including providing all required notices and having a valid legal basis (and any required consents) for the Provider's processing;

(b) ensure its instructions for processing are lawful and that Customer Personal Data was collected lawfully;

(c) be responsible for the accuracy, quality, and legality of Customer Personal Data and the means by which it was acquired (it originates in the Customer's data within ERPNext and in the Customer's operations);

(d) configure and use the Service in accordance with Data Protection Law, including managing Operator access and off-boarding.

5. Sub-processors

5.1 The Customer provides general authorisation for the Provider to engage the Sub-processors listed in Annex III (and the sub-processor register).

5.2 The Provider will impose on each Sub-processor data-protection obligations no less protective than those in this DPA (including security and international-transfer terms), and remains liable to the Customer for its Sub-processors' acts and omissions.

5.3 The Provider will give the Customer prior notice of any intended addition or replacement of a Sub-processor (by email or via https://kadimasoft.com/legal), giving the Customer a reasonable opportunity (at least 14 days) to object on reasonable data-protection grounds. If the Customer reasonably objects and the parties cannot resolve it, the Customer may terminate the affected Service as its exclusive remedy.

6. Audits

6.1 The Provider will make available to the Customer information reasonably necessary to demonstrate compliance, such as security documentation and summaries of controls.

6.2 Where required by Data Protection Law, the Customer (or an independent auditor it mandates, bound by confidentiality) may audit the Provider's compliance once per 12 months (or after a breach), on at least 30 days' notice, during business hours, without unreasonably disrupting the Provider's operations, and at the Customer's cost. The parties will agree scope in advance.

7. Return and deletion

On termination or expiry of the Service, or on the Customer's earlier request, the Provider will, at the Customer's choice, return or delete Customer Personal Data within 30 days, including from Sub-processors, except copies required to be retained by law (which remain protected by this DPA for as long as retained). The Customer can also delete data itself through Service functions where available. On full account closure the Provider's tenant-deletion process removes the Customer's tenant-scoped records. Where the Provider hosts the Customer's ERPNext, return/deletion covers the hosted ERPNext instance and its data (a data export is available on request before deletion), and deletion extends to backups in line with the Provider's backup-rotation cycle.

8. International transfers

8.1 The Provider hosts Customer Personal Data — including the hosted ERPNext instance in which the Customer's business data is stored, the license_server database, and backups — primarily in Germany (EU), with netcup GmbH.

8.2 Some Sub-processors (notably Google, for push and crash reporting) may process limited data outside Israel and the EEA, including in the United States. For any transfer to a country without an adequacy decision, the parties rely on appropriate safeguards under GDPR Chapter V (e.g. the EU Standard Contractual Clauses, which are incorporated by reference and, where required, completed in Annex IV) and on the lawful-transfer mechanisms under Israeli law. Israel benefits from an EU adequacy decision for transfers from the EEA to Israel.

8.3 To the extent the EU SCCs apply, in case of conflict the SCCs prevail over this DPA for the relevant transfer.

9. Liability

The parties' liability under this DPA is subject to the limitations and exclusions in the Terms (clause 12), to the extent permitted by Data Protection Law. Nothing in this DPA limits a Data Subject's rights under Data Protection Law, or either party's liability that cannot be limited under that law.

10. Term, conflict, governing law

10.1 This DPA runs for as long as the Provider processes Customer Personal Data.

10.2 In conflict between this DPA and the Terms on data-protection matters, this DPA prevails; the SCCs prevail for the transfers they cover.

10.3 This DPA is governed by the law and jurisdiction stated in the Terms, without prejudice to mandatory Data Protection Law (including the rights of Data Subjects and Supervisory Authorities).


Annex I — Details of processing

Item Detail
Subject matter Provision of the TSD warehouse/sales terminal, the license_server sync/proxy backend, and — unless the Customer uses its own ERPNext — the hosting and operation of a dedicated ERPNext instance for the Customer
Duration For the term of the Terms / until deletion under §7
Nature & purpose Hosting and operating the Customer's ERPNext instance, in which the Customer's business and personal data is stored; mirroring, caching, proxying, and synchronising that data to/from authorised devices; enabling warehouse and sales workflows (picking, delivery, orders); identity binding for the manager-helper bot where enabled
Categories of Data Subjects The Customer's Operators (pickers, sales reps, drivers, admins); the Customer's customers and their contact persons (as held in ERPNext)
Categories of Personal Data Operators: username, full name, roles/permissions, device id, IP, device metadata, telemetry tied to a device, audit records, optional Telegram chat id/username. Customers/contacts: name, customer/contact identifiers, billing/shipping addresses, email, phone/mobile (incl. normalised forms), company name, territory/group; and the commercial records stored in the hosted ERPNext — sales orders, delivery notes, pick lists, invoices, prices/amounts, and related transaction history
Special categories None intended. The Customer must not submit special-category data (health, biometrics, etc.) through the Service unless agreed in writing with appropriate safeguards
Frequency Continuous / on-demand during use; daily telemetry

Annex II — Technical and organisational security measures

The Provider maintains measures appropriate to the risk, including:

  1. Encryption — TLS in transit; device-side AES‑256‑GCM for credentials/tokens and SQLCipher for the local mirror; Fernet (authenticated) encryption of server-side secrets (ERP credentials, channel tokens).
  2. Access control — role-based access enforced at the server boundary; bearer tokens; refresh tokens stored only as hashes, rotated, with device-family revocation on suspected theft; least-privilege staff access.
  3. Tenant isolation — per-tenant row-level security in the database so one Customer's data is not accessible to another. (Provider to ensure RLS is enforced in production — see README checklist.)
  4. Network & abuse controls — rate limiting; trusted-proxy IP handling; input validation.
  5. Logging & monitoring — audit logs of significant write actions; security logging; incident detection and response.
  6. Resilience — backups of the databases and of the hosted ERPNext instance, encrypted at rest where supported; documented restore procedures; log rotation.
  7. Hosting & data residency — the hosted ERPNext instances, the license_server database, and backups are hosted with netcup GmbH in Germany (EU); access to the hosting environment is restricted, authenticated, and logged.
  8. Organisational — confidentiality undertakings; need-to-know access; change control via version-controlled deployments; sub-processor due diligence.
  9. Data Security Regulations 2017 — controls aligned to the database's assessed security level (basic/medium/high), including access logging and periodic review at medium/high levels.

(These measures evolve with the Service; the Provider may update them provided the level of protection is not reduced.)

Annex III — Approved Sub-processors

Sub-processor Purpose Location
netcup GmbH Hosting of backend, database, backups Germany (EU)
Google (Firebase Cloud Messaging) Push / sync-trigger delivery USA / global
Google (Firebase Crashlytics) Crash reporting USA / global
Telegram (Bot API) Manager-helper bot binding (opt-in) Global
GitHub App update distribution (no personal data) USA

(Kept in sync with the register. ERPNext is open-source software the Provider operates for the Customer; it runs on the hosting sub-processor above and is not a separate third-party sub-processor. Where the Customer instead uses its own ERPNext instance, that instance is the Customer's own system.)

Annex IV — Standard Contractual Clauses (if applicable)

Where Customer Personal Data of EEA data subjects is transferred to a third country without adequacy, the EU Commission Standard Contractual Clauses (Decision 2021/914), Module Two (Controller→Processor) — or Module Three where the Provider acts as sub-processor — are incorporated by reference, with:

(Complete with counsel if/when EEA-origin transfers occur.)


Signatures. Acceptance of the Terms constitutes acceptance of this DPA. Where a signed copy is required:

Controller (Customer) Processor (Provider)
Name: ______ Name: Peter Gimpeliovsky
Title: _____ Title: Owner (עוסק מורשה)
Date: ______ Date: ______