Data Processing Addendum

Last updated: May 2026

This document is an addendum to Tamit's Terms of Service and Privacy Policy. It applies automatically to every customer that processes personal data of third parties (customers, employees, suppliers) through the system — in accordance with GDPR (Art. 28) and the Privacy Protection Law 5741-1981 (Israel).

1. The Parties

Data Controller: the customer (the business) using Tamit.
Data Processor: Tamit — which provides the infrastructure and tools that enable the customer to process the data.
Data Subjects: the customer's end customers, its employees, and its suppliers.

2. Types of Data

Tamit may process the following types of personal data on behalf of the customer:

Category	Examples
Contact details	Name, phone, email, address
Financial documents	Invoices, quotes, receipts (including amounts)
Appointments and services	Visit dates, services provided
Employee attendance	Clock-in/out times, vacation days
Digital signatures	Signature image, IP, handwritten signature, ID number
Communications	WhatsApp message history (Tami), chatbot conversations

We do not process credit card numbers — these are passed directly to the payment provider (ZCredit/Tranzila) and are not stored by us.

3. Purpose of Processing

Tamit processes personal data only to provide the service to the customer — according to its instructions. We do not use end-customer data for marketing, cross-tenant statistics, or model training — unless the customer has explicitly authorized it.

4. Security

Tamit implements reasonable technical and organizational security measures, described in detail in our Security document. These include:

Encryption in transit (TLS 1.3) and at rest (AES-256)
Full isolation between customers (schema-level multi-tenancy)
Daily backups, off-site retention
Role-based access control + 2FA
24/7 monitoring and centralized logging

5. Sub-processors

Tamit relies on external service providers to support its operations. These providers act as sub-processors:

Provider	Service	Location
Hostinger	Application server (VPS)	Netherlands (EU)
Resend	Email delivery	EU/US
Anthropic	AI services (Claude)	US
Replicate	AI image generation	US
Meta (WAHA)	WhatsApp Business API	US
Cloudflare	CDN + Email Routing	Global
Google Cloud	OAuth (Google sign-in, Calendar)	US

Any change to this list will be published here 30 days in advance. The customer may object to the appointment of a new sub-processor.

6. International Transfers

Data may be transferred outside the EEA/Israel for use of the services listed above. Each provider has signed Standard Contractual Clauses (SCCs) or equivalent, or operates within the EEA / under an Adequacy Decision.

7. Data Subject Rights

The customer is responsible for honoring data subject rights (access, rectification, erasure, portability). Tamit will assist as required:

Access: full export of end-customer data from the dashboard (JSON/CSV)
Rectification: editing records directly from the dashboard
Erasure: via the dashboard or by request to [email protected]
Portability: export to standard formats

8. Security Incident Notification

In the event of a security incident that may affect personal data, Tamit will notify the customer within 72 hours of discovery, with a description of the incident, the expected impact, and the mitigation steps taken.

9. Service Termination and Data Return/Deletion

Upon termination, the customer can export all data from the dashboard (full JSON + media files).
Data is retained for an additional 30 days in a closed state, to allow restoration.
After 30 days, the data is permanently deleted, including from backups.
A Certificate of Erasure will be provided on request.

10. Audit

The customer may verify Tamit's compliance with this agreement through:

Annual audit questionnaire (we will respond within 30 days)
Written review of security controls (conducted once a year)
In the event of an incident — an unscheduled audit, by arrangement

11. DPO Contact

For any questions regarding the DPA and personal data processing, contact our DPO: [email protected].

12. Source Language

The source version of this document is in Hebrew. In the event of any conflict with a translation, the Hebrew version prevails.