# Vendor Privacy & DPA Israel | Data Processing Agreements + Transfer Impact

> Vendor privacy management for Israeli organizations: vendor privacy questionnaires, Data Processing Agreements (DPA) in Hebrew and English, Vendor Privacy Assessments, Transfer Impact Assessment for cross-border, new engagement review, and contract lifecycle tracking.

**Canonical:** https://dpoisrael.com/en/services/vendor-privacy/  
**Locale:** en-IL

---
and DPAs that work.

Your **vendor chain** is one of the most common ways personal data leaks out of an organization: a breach at a processor is still your breach as controller. Professional **vendor privacy** management covers tailored questionnaires, **DPA** addenda (Hebrew/English), Vendor Privacy Assessments, a **Transfer Impact Assessment** for cross-border processing, and contract lifecycle tracking, from day-one engagement through closure and deletion of the data.

## Vendor Privacy — what to know

- **Average org:** 60-150 software and service vendors
- **Personal-data vendors:** 15-40 of those in a mid-size organization
- **Amendment 13 requirement:** a DPA for every vendor that processes personal data on your behalf
- **2017 Regulations requirement:** the Protection of Privacy Regulations (Data Security), 2017 require documented vendor agreements and security checks of the vendor
- **GDPR Art. 28 requirement:** a detailed DPA for every Processor
- **SCCs / DPF requirement:** for personal data leaving the EU/EEA (Israel has an EU adequacy decision; data leaving Israel is governed by the Israeli Transfer of Data Abroad Regulations, 2001)
- **Pricing model:** 3,500-9,000 ILS per pack/round
- **Retainer option:** included in DPO + GRC

## Six services in one pack

### 1. Vendor privacy questionnaire

A risk-based questionnaire of 30 to 80 questions, in Hebrew and English. It reviews data handling, security controls, certifications, incident history, and how the vendor supports data-subject rights.

### 2. DPA addendum

A Data Processing Agreement covering the requirements of Amendment 13 and GDPR Article 28. Hebrew and English templates, adjusted to the vendor's role (processor, sub-processor, joint controller).

### 3. Transfer Impact Assessment

For transfers to vendors that process data outside Israel: an assessment of the destination country's level of protection and of the supplementary safeguards needed to close any gap.

### 4. Vendor Risk Tiering

Classification of vendors into tiers: sensitive-data handlers, basic-data handlers, infrastructure. Each tier gets a review level calibrated to its risk.

### 5. Engagement approval flow

A structured process for approving a new vendor before signature: DPA check, classification, questionnaire, and signature by both parties. It stops problem contracts before the engagement starts.

### 6. Contract lifecycle tracking

Renewal reminders for questionnaires, review of vendors inherited through M&A, periodic checks that each DPA is still relevant, and closure of inactive engagements (including confirmed deletion of data).

## 12 essential clauses in every DPA

| Clause | Detail |
| --- | --- |
| Vendor role definition | Processor / Sub-processor / Joint controller / Controller — per Amendment 13 and GDPR |
| Processing purpose | Exact purpose the vendor is allowed to process — no further |
| Data types and subjects | Which personal data, of whom, how much |
| Processing duration | Defined period, with deletion/return obligation at end |
| Security (2017 Regs / Article 32) | Security level, audits, required certifications (ISO 27001/27701) |
| Incident notification | Vendor duty to notify the customer of a security incident within a defined window (typically 24-72 hours), so the customer can meet its own notification deadlines to the Privacy Protection Authority and data subjects |
| Sub-processors | Prior approval / dynamic list, customer’s right to object |
| Data subject rights | Vendor duty to forward every access / correction / deletion request to customer |
| Cross-border transfer | Allowed mechanisms — Standard Contractual Clauses, BCRs, adequacy decision |
| Audits | Customer right to audit vendor or receive SOC 2 / ISO report |
| Termination and data deletion | How return/deletion occurs at end of engagement, with documentation |
| Liability and insurance | Liability cap, cyber / privacy liability policy, breach compensation |

## Not every vendor is the same — Tier model

### Tier 1 — Critical

Vendor processing data of special sensitivity, or personal data at large scale. Examples: main CRM, medical record system, payment processor.

Requirements: full DPA + extended questionnaire (80 questions) + ISO 27001/27701 or SOC 2 + annual audit

### Tier 2 — Medium

Vendor with access to personal but non-sensitive data. Examples: mail platform, HR system, logistics provider.

Requirements: short DPA + 30-50 question questionnaire + basic security documentation

### Tier 3 — Low

Vendor with minimal contact with personal data. Examples: cloud infrastructure provider with no access to content, open-source tools with a support contract.

Requirements: short standard DPA + vendor declaration

## Frequent questions about vendor privacy

### Why is DPA important?

Amendment 13 places responsibility on the **data controller**, even when the processing is done by a vendor. Without a DPA, if a vendor breaches its privacy obligations, the liability falls on you, and you have no contractual basis to demand notification, cooperation or deletion. The DPA is the legal instrument that defines the vendor's obligations and the customer's rights. Israel's 2017 Data Security Regulations also require documented vendor agreements.

### How many vendors does an average org have?

A mid-size organization (50-300 employees) usually has 60-150 software and service vendors. Of those, 15-40 handle personal data. So even if only 15 need a DPA, it is serious work.

### Is there a standard privacy questionnaire?

There are industry frameworks (Shared Assessments SIG, CSA CAIQ), but no one-size-fits-all questionnaire. We use questionnaires tailored to the vendor type and the data type, not "one for all".

### Difference between DPA and master contract?

The master contract defines the **service**. The DPA is an addendum that defines the **privacy obligations**. They are complementary, not substitutes: without a DPA, the master contract alone is not enough under Amendment 13.

### What if vendor refuses to sign our DPA?

Classic. Most large vendors (Microsoft, Google, AWS, Salesforce) have their own DPA, which is usually good enough after review and some adjustments. Smaller vendors often don't want to engage at all. We help manage the negotiation: sign the vendor's DPA (after review), push our DPA, or find an alternative vendor.

### Do you have a management platform?

We don’t sell a SaaS platform. But we have Excel templates and structured plays, plus expertise on configuring an existing CRM / Notion / Airtable for vendor management. [DPO as a Service](/en/services/dpo) includes ongoing monitoring.

### What about GDPR and Cross-border transfers?

If the organization operates in Europe or the US, or uses American or Asian vendors, a Transfer Impact Assessment is part of the service. We handle Standard Contractual Clauses, the EU-US Data Privacy Framework, and Binding Corporate Rules for large organizations.

## How many vendors do you have without a DPA?

30-minute call, initial mapping, written proposal within 48 hours.

[Discuss vendors](/en/contact)
