If you run a software company in Israel and your legal team hasn’t mentioned the Privacy Protection Law (PPL) amendments yet, they will soon.
The new requirements are quiet but expensive: they affect where your logs live, how long you keep them, who can access them, and what happens when you get breached. And almost no one in Israel is ready.
What Changed
The Israeli Privacy Protection Law was updated in 2023–2024 to align with GDPR-style protections while accommodating local business needs. The key changes for log management:
1. Data Residency Requirements
Personal data must be stored within Israel or in approved jurisdictions. This means:
- Your logs (which contain IP addresses, user IDs, session tokens, API keys tied to individuals) are considered personal data
- Logs must be stored in Israeli data centers or in AWS `il-central-1` (Israel Central region)
- Logs stored in US regions (`us-east-1`, `us-west-2`) or EU regions (`eu-west-1`) violate the law unless you’ve anonymized them
What this breaks: Most Israeli companies use AWS US regions because they’re cheaper and have more mature services. Migrating to il-central-1 adds cost and complexity.
2. Encryption Requirements
Personal data must be encrypted at rest and in transit. The law specifies:
- AES-256 or equivalent for data at rest
- TLS 1.2 or higher for data in transit
- You must hold the encryption keys (third-party key management is allowed but you must control access)
What this breaks: Default AWS setups (unencrypted S3, unencrypted CloudTrail) no longer comply. You need to enable KMS encryption on all log storage.
3. Retention Limits
Personal data must not be retained longer than necessary for its purpose. The law doesn’t specify a fixed retention period, but it requires:
- A documented retention policy per data category
- Automatic deletion after the retention period
- Justification for why you need to keep each type of log
What this means: You can’t just keep 7 years of logs “just in case.” You need to prove why you need 30 days vs. 6 months vs. 2 years.
4. Breach Notification
If personal data is breached, you must notify affected individuals within 30 days (not 72 hours like GDPR). You also must notify the Israeli Privacy Commissioner.
What this requires: A documented incident response process, audit logs proving when the breach was detected, and communication logs to individuals.
5. Data Processing Agreements
Any service provider handling your logs (cloud provider, log aggregator, SIEM vendor) must sign a Data Processing Agreement (DPA) that specifies:
- What data they process and why
- How long they retain it
- Where it’s stored
- Who can access it
- How they handle breaches
What this breaks: Informal vendor relationships. You need signed agreements with your cloud provider, your log shipper, and your monitoring tools.
The Specific Impact on Log Management
Here’s how this plays out in practice:
Scenario 1: CloudTrail Logs
You ship your AWS CloudTrail logs to S3 for audit and compliance purposes. Under the new law:
- S3 bucket must be in `il-central-1` (or you must anonymize the logs)
- Logs must be encrypted with KMS
- You must set a deletion policy (typically 1–2 years for compliance, not indefinite)
- Your DPA with AWS must specify that they’re a data processor
Most companies do none of this.
Scenario 2: Application Logs
Your app logs include user IDs, session tokens, and API request paths. These are personal data.
- Logs must be stored in Israel, or encrypted and stored in an approved jurisdiction
- You can’t log user authentication tokens in plaintext (encrypt them or hash them)
- You need to document why you keep 30 days of logs vs. 90 days
- If you use a third-party logging service (Datadog, Splunk, CloudWatch), they need a signed DPA
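As an added example (not code from the article or from Xpernix), a Python log scrubber for the personal-data fields this scenario and Step 2 below list: authentication tokens are replaced by a keyed hash instead of being logged in plaintext, e-mail addresses and `/user/<id>` path segments get a stable pseudonym, and IP addresses are truncated to their /24. The log line format, the field patterns and the key are assumptions.

```python
import hashlib
import hmac
import ipaddress
import re

# Assumed: the pseudonymisation key lives in your key store (e.g. KMS); this is
# a constructed placeholder so the example runs stand-alone.
PSEUDONYM_KEY = b"replace-with-a-secret-from-your-key-store"

# Field shapes are assumptions about an example app's log format.
TOKEN_RE = re.compile(r"(Bearer\s+|session=|api_key=)([A-Za-z0-9._-]{16,})")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
USER_PATH_RE = re.compile(r"(/user/)([^/\s]+)")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def pseudonym(value: str, label: str) -> str:
    """Keyed hash: stable across lines (so you can still correlate a session or
    user) but not reversible without the key, so the log no longer holds the secret."""
    digest = hmac.new(PSEUDONYM_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{label}:{digest[:16]}"


def truncate_ip(ip: str) -> str:
    """Drop the host octet, keep the /24 for abuse and geo analysis."""
    try:
        return str(ipaddress.ip_network(f"{ip}/24", strict=False))
    except ValueError:  # not a valid IPv4 address (e.g. a version string like 1.2.3.999)
        return ip


def scrub(line: str) -> str:
    """Rewrite one log line so it carries no plaintext token, e-mail, user ID or full IP."""
    line = TOKEN_RE.sub(lambda m: m.group(1) + pseudonym(m.group(2), "tok"), line)
    line = EMAIL_RE.sub(lambda m: pseudonym(m.group(0), "usr"), line)
    line = USER_PATH_RE.sub(lambda m: m.group(1) + pseudonym(m.group(2), "usr"), line)
    return IPV4_RE.sub(lambda m: truncate_ip(m.group(0)), line)


# Constructed sample line (not real traffic).
SAMPLE = ("203.0.113.42 GET /user/john-smith/documents user=john@example.co.il "
          "session=8f3a9c2b1d4e5f60718293a4b5c6d7e8 200")

if __name__ == "__main__":
    print(scrub(SAMPLE))
```

Run this in the log shipper before lines leave the host, so the copy that lands in a US or EU region never contained the identifiers in the first place.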
Scenario 3: Third-Party Integrations
You use Okta for identity, Stripe for payments, and Segment for analytics. Each one generates logs with personal data:
- These providers must have signed DPAs
- If they store data outside Israel, you need a legal basis for the transfer
- You’re liable if they breach and don’t notify you within contractually agreed timeframes
The GDPR Comparison
Israeli companies building for European customers are familiar with GDPR. Here’s how PPL differs:
| Aspect | GDPR | Israeli PPL |
|---|---|---|
| Scope | Any EU resident’s data | Any individual’s data in Israel |
| Notification deadline | 72 hours | 30 days |
| Fines | Up to €20M or 4% revenue | Up to ₪350k (~$95k) per violation (lower) |
| Data residency | EU-only (with exceptions) | Israel + approved jurisdictions |
| Key requirement | Lawful basis for processing | Purpose limitation + proportionality |
Key difference: GDPR fines are punitive and massive. PPL fines are lower, but the operational requirements are similar. Both require documented compliance.
What Most Israeli Companies Are Missing
We talk to companies in Tel Aviv, Ramat Gan, and beyond. Here’s what we hear:
- “Our legal team said we’re fine” ← Usually means they haven’t been asked to verify
- “We use AWS, so they handle compliance” ← AWS handles their compliance, not yours
- “Our logs are anonymized” ← Nine times out of ten, they’re not (an IP address + user ID = identifiable)
- “We’ll deal with it during our SOC 2 audit” ← By then, you’ve been non-compliant for 18 months
The problem: There’s no active enforcement yet. The Privacy Commissioner’s office is under-resourced. Companies assume they’ll get a warning before penalties hit.
But as enforcement increases, the cost of retrofitting compliance is 5–10x higher than building it in from the start.
What You Need to Do
If you’re an Israeli software company:
Step 1: Audit your current logs
Document what logs you’re keeping, where they’re stored, and why.
- CloudTrail logs → Where? S3 in which region?
- Application logs → What data? Where stored?
- Third-party logs (Okta, Stripe, etc.) → Who has access?
Step 2: Identify personal data
Personal data includes:
- IP addresses
- User IDs / email addresses
- Session tokens or API keys tied to individuals
- Request paths that reveal behavior (e.g., `/user/john-smith/documents`)
Anything tied to a living individual, even indirectly, is personal data.
Step 3: Implement technical controls
- Move logs to `il-central-1` (or encrypt them and document the legal basis for other regions)
- Enable KMS encryption on all storage
- Set retention policies (don’t keep more than you need)
- Configure automatic deletion
Step 4: Get agreements in place
- DPA with AWS / cloud provider
- DPA with any SIEM / log aggregator / monitoring vendor
- Document your data processing activities (data flow diagram)
Step 5: Document your process
- Incident response plan (breach notification in 30 days)
- Data retention policy (by log type)
- Access controls (who can access production logs?)
- Audit trail (who accessed what, when?)
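To make Steps 1 and 3 checkable rather than a one-off review, here is an added Python example (not from the article or Xpernix) that scores one S3 log bucket against the three technical controls above: region, SSE-KMS with a key you control, and a bounded lifecycle expiration. It works on the response dicts of boto3's `get_bucket_location`, `get_bucket_encryption` and `get_bucket_lifecycle_configuration`; the approved-region set, the 730-day limit and the sample responses are assumptions.

```python
APPROVED_REGIONS = {"il-central-1"}  # add jurisdictions your legal team approves
MAX_RETENTION_DAYS = 730             # the article's "typically 1-2 years"

def check_bucket(location, encryption, lifecycle):
    """Return findings (empty list = compliant) for one S3 log bucket.
    Args are the boto3 response dicts of get_bucket_location, get_bucket_encryption
    and get_bucket_lifecycle_configuration; None when the call raised because the
    configuration does not exist."""
    findings = []
    # Residency: the API returns LocationConstraint=None for us-east-1.
    region = (location or {}).get("LocationConstraint") or "us-east-1"
    if region not in APPROVED_REGIONS:
        findings.append(f"residency: bucket is in {region}, not an approved region")
    # Encryption: SSE-KMS with a key you manage (no key ID means the AWS-managed aws/s3 key).
    rules = (encryption or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    kms = [r.get("ApplyServerSideEncryptionByDefault", {}) for r in rules]
    kms = [k for k in kms if k.get("SSEAlgorithm") == "aws:kms"]
    if not kms:
        findings.append("encryption: no default SSE-KMS rule on the bucket")
    elif not any(k.get("KMSMasterKeyID") for k in kms):
        findings.append("encryption: no customer-managed KMS key; defaults to the aws/s3 key")
    # Retention: an enabled expiration rule within the documented limit.
    days = [r.get("Expiration", {}).get("Days") for r in (lifecycle or {}).get("Rules", [])
            if r.get("Status") == "Enabled"]
    days = [d for d in days if d]
    if not days:
        findings.append("retention: no enabled lifecycle expiration; logs are kept indefinitely")
    elif max(days) > MAX_RETENTION_DAYS:
        findings.append(f"retention: {max(days)} days exceeds the documented {MAX_RETENTION_DAYS}")
    return findings

def audit_live(bucket):
    """Fetch the three configurations with boto3 (assumed installed) and check them."""
    import boto3
    from botocore.exceptions import ClientError
    s3 = boto3.client("s3")
    def get(call):
        try:
            return call(Bucket=bucket)
        except ClientError:  # absent config raises, e.g. NoSuchLifecycleConfiguration
            return None
    return check_bucket(get(s3.get_bucket_location), get(s3.get_bucket_encryption),
                        get(s3.get_bucket_lifecycle_configuration))

# Constructed sample responses for a compliant bucket (not real account data).
COMPLIANT = ({"LocationConstraint": "il-central-1"},
             {"ServerSideEncryptionConfiguration": {"Rules": [{"ApplyServerSideEncryptionByDefault": {
                 "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "arn:aws:kms:il-central-1:111122223333:key/EXAMPLE"}}]}},
             {"Rules": [{"ID": "expire-logs", "Status": "Enabled", "Filter": {}, "Expiration": {"Days": 365}}]})
```

Run `audit_live` across every bucket that receives CloudTrail or application logs and keep the output with your Step 5 documentation; a non-empty list is the gap you need to close or justify.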
The Xpernix Advantage
If this sounds complex, it’s because it is. Most SIEM vendors in the US and Europe don’t understand Israeli PPL requirements. They can’t help you.
Xpernix is built for the Israeli market. We:
- Store logs in `il-central-1` by default
- Encrypt all data with customer-controlled KMS keys
- Implement role-based access control and audit logging
- Provide signed DPA and Data Processing Addendums
- Help you document retention policies per log type
- Provide audit reports for Privacy Commissioner inquiries
You get compliance out of the box, not as an afterthought.
The Cost of Not Doing This
If you get breached and your logs were stored non-compliantly:
- The Privacy Commissioner can fine you up to ₪350k per violation
- You lose the ability to prove what happened (no audit logs)
- Affected customers can sue you under PPL (liability is higher if you were non-compliant)
- Your insurance may not cover the breach if you weren’t following reasonable security practices
The cost of compliance now (a few thousand shekels in tooling) is far cheaper than the cost of a breach in a non-compliant environment.
Ready to get your logs compliant? Israeli PPL requirements aren’t optional anymore. Book a call and we’ll walk you through what you need and how to get there.