
Vendor Privacy and DPAs that work.

Your vendor chain is the most common privacy-breach surface. Professional vendor privacy: tailored questionnaires, DPA addenda (Hebrew/English), Vendor Privacy Assessments, Transfer Impact Assessment for cross-border, and contract lifecycle tracking — from day-one engagement to closure and deletion.

What's included

Six services in one pack

01

Vendor privacy questionnaire

A 30-80 question questionnaire (risk-based), in Hebrew and English. Covers data handling, security, certifications, incident history and data-subject rights.

02

DPA addendum

Data Processing Agreement covering Amendment 13 + GDPR Article 28 requirements. Hebrew and English templates, adjusted for vendor role.

03

Transfer Impact Assessment

For transfer to vendors processing outside Israel — assessment of destination country protection level, supplementary safeguards.

04

Vendor Risk Tiering

Vendor classification into tiers: sensitive-data handlers, basic-data handlers, infrastructure. Each tier gets a calibrated review level.

05

Engagement approval flow

Structured process for new vendor approval before signature — DPA check, classification, questionnaire, joint signature. Stops problem contracts pre-engagement.

06

Contract lifecycle tracking

Renewal reminders for questionnaires, review of post-M&A vendors, DPA relevance check, closure of inactive engagements.

What's in the DPA

12 essential clauses in every DPA

| Clause | Detail |
| --- | --- |
| Vendor role definition | Processor / Sub-processor / Joint controller / Controller — per Amendment 13 and GDPR |
| Processing purpose | Exact purpose the vendor is allowed to process for — nothing further |
| Data types and subjects | Which personal data, of whom, how much |
| Processing duration | Defined period, with deletion/return obligation at end |
| Security (2017 Regs / Article 32) | Security level, audits, required certifications (ISO 27001/27701) |
| Incident notification | Vendor duty to notify customer of a security incident within a defined window (24-72 hours) |
| Sub-processors | Prior approval / dynamic list, customer’s right to object |
| Data subject rights | Vendor duty to forward every access / correction / deletion request to customer |
| Cross-border transfer | Allowed mechanisms — Standard Contractual Clauses, BCRs, adequacy decision |
| Audits | Customer right to audit vendor or receive SOC 2 / ISO report |
| Termination and data deletion | How return/deletion occurs at end of engagement, with documentation |
| Liability and insurance | Liability cap, cyber / privacy liability policy, breach compensation |

Tiering

Not every vendor is the same — Tier model

Tier 1 — Critical

Vendor processing special-sensitive data or massive scale. Examples: main CRM, medical record system, payment processor.

Requirements: Full DPA + extended questionnaire (80q) + ISO 27001/27701 or SOC 2 + annual audit

Tier 2 — Medium

Vendor with access to personal but non-sensitive data. Examples: mail platform, HR system, logistics provider.

Requirements: Short DPA + 30-50q questionnaire + basic security documentation

Tier 3 — Low

Vendor with minimal personal-data touch. Examples: cloud infra without content access, open-source tools with support.

Requirements: Short standard DPA + declaration

Frequent questions about vendor privacy

Why is DPA important?

Amendment 13 places responsibility on the data controller, even when processing happens at a vendor. Without a DPA, if a vendor breaches privacy obligations — the liability falls on you. The DPA is the legal instrument defining vendor obligations and customer rights. Israel’s 2017 Security Regulations also require documented vendor agreements.

How many vendors does an average org have?

A mid-size organization (50-300 employees) usually has 60-150 software and service vendors. Of those, 15-40 handle personal data. So even if only 15 need DPAs, it’s serious work.

Is there a standard privacy questionnaire?

There are frameworks (SIG, CSA CAIQ), but no one-size-fits-all. We use questionnaires tailored to vendor type and data type — not "one for all".

Difference between DPA and master contract?

The master contract defines the service. The DPA is an addendum defining privacy obligations. They are complementary, not substitutes. Without a DPA, the master contract isn’t enough under Amendment 13.

What if vendor refuses to sign our DPA?

Classic. Most large vendors (Microsoft, Google, AWS, Salesforce) have their own DPA — usually good enough with adjustments. Smaller vendors often don’t want to engage. We help manage the negotiation — sign vendor DPA (after review), push our DPA, or find an alternative vendor.

Do you have a management platform?

We don’t sell a SaaS platform. But we have Excel templates and structured playbooks, plus expertise in configuring an existing CRM / Notion / Airtable for vendor management. DPO as a Service includes ongoing monitoring.

What about GDPR and Cross-border transfers?

If the organization operates in Europe or the US, or uses American/Asian vendors — Transfer Impact Assessment is part of the service. We handle SCCs, Data Privacy Framework (EU-US), and BCRs for large organizations.

How many vendors do you have without a DPA?

30-minute call, initial mapping, written proposal within 48 hours.

Discuss vendors