Data Processing Agreement
Version 1.0 · 22 June 2026
⚠️ Draft. To be completed by an attorney before first signature.
This Data Processing Agreement ("DPA") is incorporated into the Master Services Agreement between ganesh AI Ltd. ("Processor") and the customer ("Controller").
1. Scope & Purpose
ganesh processes personal data of Controller's patients/customers ("Data Subjects") solely to provide the Services as defined in the MSA.
2. Roles
- Controller — the clinic / business — determines means and purposes.
- Processor — ganesh — processes on Controller's instructions.
3. Categories of Data
- Identifiers: name, phone, email.
- Communication: message bodies, voice transcripts.
- Health-adjacent: appointment service types, consent flags. (Not full medical records.)
4. Sub-processors
Current sub-processors with signed DPAs:
- Supabase Inc. (DB hosting) — EU/US region
- Vercel Inc. (web hosting)
- Anthropic PBC (LLM)
- OpenAI Inc. (LLM fallback)
- Voyage AI (embeddings)
- Meshulam Ltd. (payments, IL)
Adding a new sub-processor → 30-day notice to Controller.
5. Cross-border Transfers
Where data leaves Israel, ganesh ensures Standard Contractual Clauses (SCCs) are in place. Israel adequacy decisions apply.
6. Security Measures
- Encryption at rest (AES-256) and in transit (TLS 1.3).
- Row-Level Security per-clinic in Postgres.
- Audit logs retained 90 days.
- Annual penetration test (planned 2026 Q4).
7. Breach Notification
ganesh notifies Controller within 72 hours of discovering any breach affecting Controller's data.
8. Data Subject Rights
ganesh assists Controller in fulfilling rights of access, rectification, erasure, and portability under Israeli Privacy Protection Law Amendment 13 and GDPR (where applicable).
9. Audit Rights
Controller may request a SOC 2 Type II report annually (planned 2027). Until then, a written compliance attestation is provided on request.
10. Termination
On termination, ganesh deletes all Controller data within 30 days, unless retention is required by law. Backups are deleted within 90 days.
11. Signatures
This DPA becomes effective on the date the Controller signs the MSA digitally via Adobe Sign / DocuSign.