Keypup
Data Processing Agreement
Version 1.0 Issued 21st June 2023
This Data Processing Agreement (“DPA”) forms an integral part of, and is subject to the Keypup Services Terms of Service (the “Services Agreement”) entered into by and between you, the customer (the “Controller”) and Keypup SAS (the “Processor”). Capitalized terms not otherwise defined herein shall have the meaning given to them in the Services Agreement.
1. Definitions.
In addition to capitalized terms defined elsewhere in this DPA, the following terms shall have the meanings set forth below:
1.1. “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control” for purposes of this definition means direct or indirect ownership or control of more than 50% of the voting interest in the subject entity.
1.2. “Applicable Law” means whichever legal regime is applicable to the Processing of Personal Data under this DPA, including, but not limited to, the following:
1.2.1. Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (“GDPR”) and laws implementing or supplementing the GDPR;
1.2.2. The GDPR as amended and adopted into UK law in accordance with the European Union (Withdrawal) Act 2018 and the UK’s Data Protection Act, 2018 (collectively, “UK GDPR”); and/or
1.2.3. The Israel Protection of Privacy Law, 1981, all related regulations enacted thereunder and the Israel Privacy Protection Authority’s Guidelines and the Israeli Protection of Privacy Regulations (Information Security) – 2017 (collectively, “Israeli Privacy Law”).
1.3. “Controller Personal Data” means any Personal Data Processed by Processor on behalf of Controller pursuant to or in connection with the Services Agreement.
1.4. “Data Subject” shall mean the person whose Personal Data is Processed and is a ‘Data Subject’.
1.5. “Personal Data” shall mean Personal Data as defined under the GDPR and ‘Information’ (‘media’) as defined under Israeli Privacy Law, in each case as applicable.
1.6. “Processing” shall be as defined in the GDPR and Israeli Privacy Law, in each case as applicable.
1.7. “Standard Contractual Clauses” means the standard contractual clauses for the transfer of Personal Data to data importers established in third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as set out in Commission Implementing Decision (EU) 2021/914 and available at:
https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2021:199:FULL;
1.8. “Sub Processor” means any person (excluding an employee of Processor or any Processor Affiliate) appointed by or on behalf of Processor or any Processor Affiliate to Process Controller Personal Data on behalf of the Controller in connection with the Services Agreement.
1.9. The terms “Controller”, “Data Subject”, “Member State”, “Personal Data Breach”, “Processor”, and “Supervisory Authority” shall have the meanings ascribed to them in the GDPR.
2. Applicability and Roles of the Parties.
2.1. For Processing subject to the GDPR or the UK GDPR: When Controller Personal Data is subject to the GDPR and/or UK GDPR, Controller serves as a Controller of such Personal Data and Processor serves as a Processor on its behalf. In such case, the Applicable Law shall be as described in Section 1.2.1 and 1.2.2, each as applicable, and this DPA shall be interpreted accordingly.
2.2. For Processing subject to Israeli Privacy Law: When Controller Personal Data is subject to Israeli Law, Controller shall be considered the party controlling the database of Controller Personal Data and Processor serves as an outsourced service provider on its behalf. In such case, the Applicable Law shall be as described in Section 1.2.3 and this DPA shall be interpreted accordingly.
3. Processing of Controller Personal Data.
3.1. For the avoidance of doubt “Processor” in this DPA shall be deemed to designate Keypup SAS. Processor shall Process Controller Personal Data on Controller’s behalf and at Controller’s instructions as specified in the Services Agreement and in this DPA, including without limitation with regard to transfers of Controller Personal Data to a third country or international organization. For the avoidance of doubt, Processor may use aggregated and/or anonymized data (“Aggregate Data”) for purpose of providing benchmarks and for improving the Services, as defined below, including the algorithms and models used by the Services. Any other Processing shall be permitted only in the event that such Processing is required by any Applicable Law to which the Processor is subject. In such event, Processor shall, unless prohibited by such Applicable Law on important grounds of public interest, inform Controller of that requirement before engaging in such Processing.
3.1.1. Controller instructs Processor (and authorizes Processor to instruct each Sub Processor) (i) to Process Controller Personal Data for the provision of the services, as detailed in the Services Agreement (“Services”) and as otherwise set forth in the Services Agreement and in this DPA, and/or as otherwise directed by Controller; and (ii) to transfer Controller Personal Data to any country or territory as reasonably necessary for the provision of the Services and in accordance with Applicable Law.
3.2. The details of the Processing of Controller Personal Data, as required by Article 28(3) of the GDPR, are set forth in Schedule 1 (Details of Processing of Controller Personal Data), attached hereto.
3.2.1. Processor will not solicit Personal Data from Controller’s Data Subjects except as expressly directed by Controller in writing. Processor is expressly prohibited from collecting and/or using Personal Data obtained from any source not specifically detailed in the Services Agreement and/or this DPA, and/or as otherwise instructed by Controller, including illegal sources. Processor will not disclose any Controller Personal Data to any person or entity without the prior written approval of Controller.
3.2.2. Processor shall document its activities and decision-making processes regarding the implementation of this DPA. In addition, Processor shall disclose unusual events promptly following occurrence.
3.3. To the extent that the Processor Processes Controller Personal Data and such Processing is subject to GDPR in countries outside of the European Economic Area that do not provide an adequate level of data protection, as determined by the European Commission or other adequate authority as determined by the EU, the Standard Contractual Clauses shall apply and shall be incorporated herein upon execution of this DPA by the parties. Annexes 1, 2 and 3 attached hereto shall apply as Annexes 1, 2 and 3 of the Standard Contractual Clauses.
3.4. To the extent that the Processor Processes Controller Personal Data that is protected by and subject to the UK GDPR and the Processor Processes such data in a country other than the United Kingdom whose data protection laws were deemed inadequate by the United Kingdom, the UK Addendum attached hereto as Schedule C shall apply and shall be incorporated herein upon entering into this DPA by the parties.
4. Controller.
Controller represents and warrants that it has and shall maintain throughout the term of the Services Agreement and this DPA, all necessary rights to provide the Controller Personal Data to Processor for the Processing to be performed in relation to the Services and in accordance with the Services Agreement and this DPA. To the extent required by Applicable Law, Controller is responsible for obtaining any necessary Data Subject consents to the Processing, and for ensuring that a record of such consents is maintained throughout the term of the Services Agreement and this DPA and/or as otherwise required under Applicable Law.
5. Processor Employees.
Processor shall take reasonable steps to ensure that access to the Controller Personal Data is limited on a need to know and/or access basis and that all Processor employees receiving such access are subject to confidentiality undertakings or professional or statutory obligations of confidentiality in connection with their access to and use of Controller Personal Data.
6. Security.
Processor shall implement appropriate technical and organizational measures to ensure an appropriate level of security of the Controller Personal Data as set forth in the Binding Security Document attached hereto as Schedule 2. In assessing the appropriate level of security, Processor shall take into account the risks that are presented by the nature of the Processing and the information available to the Processor.
7. Personal Data Breach.
7.1. Processor shall notify Controller without undue delay and, where feasible, not later than within 48 (forty eight) hours upon Processor becoming aware of a Personal Data Breach affecting Controller Personal Data. In such event, Processor shall provide Controller with reasonable and available information to assist Controller in meeting any obligations to inform Data Subjects or Supervisory Authorities of the Personal Data Breach as required under Applicable Law.
7.2. At the written request of the Controller, Processor shall reasonably cooperate with Controller and take such commercially reasonable steps as are agreed by the parties or required under Applicable Law to assist in the investigation, mitigation and remediation of any Personal Data Breach.
8. Sub Processing.
8.1. Controller authorizes Processor to appoint (and permits each Sub Processor appointed in accordance with this Section 8 to appoint) Sub Processors in accordance with this Section 8.
8.2. Processor may continue to use those Sub Processors already engaged by Processor as identified to Controller as of the date of this DPA.
8.3. Processor may appoint new Sub Processors and shall give notice of any such appointment to Controller. If, within seven (7) days of such notice, Controller notifies Processor in writing of any reasonable objections to the proposed appointment, Processor shall not appoint the proposed Sub Processor for the Processing of Controller Personal Data until reasonable steps have been taken to address the objections raised by Controller and Controller has been provided with a reasonable written explanation of the steps taken. Where such steps are not sufficient to relieve Controller’s reasonable objections, each of Controller or Processor may, by written notice to the other party and with immediate effect, terminate the Services Agreement to the extent that it relates to the Services requiring the use of the proposed Sub Processor. In such event, the terminating party shall not bear any liability for such termination.
8.4. With respect to each new Sub Processor, Processor shall:
8.4.1. Prior to the Processing of Controller Personal Data by Sub Processor, take reasonable steps (for instance by way of reviewing privacy policies as appropriate) to ensure that Sub Processor is committed and able to provide the level of protection for Controller Personal Data required by this DPA; and
8.4.2. ensure that the arrangement between the Processor and the Sub Processor is governed by a written contract, including terms that offer a materially similar level of protection for Controller Personal Data as those set out in this DPA and meet the requirements of Applicable Law.
8.5. Processor shall remain fully liable to the Controller for the performance of any Sub Processor’s obligations.
9. Data Subject Rights.
9.1. Controller shall be solely responsible for compliance with any statutory obligations concerning requests to exercise Data Subject rights under Applicable Law (e.g., for access, rectification, deletion of Controller Personal Data, etc.). Processor shall, at Controller’s sole expense, use commercially reasonable efforts to assist Controller in fulfilling Controller’s obligations with respect to such Data Subject requests, as required under Applicable Law.
9.2. Upon receipt of a request from a Data Subject under any Applicable Law in respect to Controller Personal Data, Processor shall promptly notify Controller of such request and shall not respond to such request except on the documented instructions of Controller or as required by Applicable Law to which the Processor is subject, in which case Processor shall, to the extent permitted by Applicable Law, inform Controller of such legal requirement prior to responding to the request.
10. Data Protection Impact Assessment and Prior Consultation.
At Controller’s written request and expense, the Processor and each Sub Processor shall provide reasonable assistance to Controller with respect to any Controller Personal Data Processed by Processor and/or a Sub Processor, with any data protection impact assessments or prior consultations with Supervisory Authorities or other competent data privacy authorities, as required under any Applicable Law.
11. Deletion or Return of Controller Personal Data.
Processor shall promptly and in any event within 60 (sixty) days of the date of cessation of provision of the Services to Controller involving the Processing of Controller Personal Data, delete, return, or anonymize all copies of such Controller Personal Data, provided however that Processor may retain Controller Personal Data, as permitted by Applicable Law and further provided that Processor will not be required to delete or return Aggregate Data.
12. Audit Rights.
12.1. Subject to Sections 11.2 and 11.3, Processor shall make available to an auditor mandated by Controller in coordination with Processor, upon prior written request, such information reasonably necessary to demonstrate compliance with this DPA and shall allow for audits, including inspections, by such reputable auditor mandated by the Controller in relation to the Processing of the Controller Personal Data by the Processor, provided that such third-party auditor shall be subject to confidentiality obligations.
12.2. Any audit or inspection shall be at Controller’s sole expense, and subject to Processor’s reasonable security policies and obligations to third parties, including with respect to confidentiality. The results of any audit or inspection shall be considered the confidential information of the Processor and subject to the confidentiality provisions under the Services Agreement.
12.3. Controller and any auditor on its behalf shall use best efforts to minimize or avoid causing any damage, injury or disruption to the Processor’s premises, equipment, employees and business and shall not interfere with the Processor’s day-to-day business. Controller and Processor shall mutually agree upon the scope, timing and duration of the audit or inspection and the reimbursement rate, for which Controller shall be responsible. Processor need not give access to its premises for the purposes of such an audit or inspection:
12.3.1. to any individual unless he or she produces reasonable evidence of identity and authority;
12.3.2. if Processor was not given a prior written notice of such audit or inspection;
12.3.3. outside of normal business hours at those premises, unless the audit or inspection needs to be conducted on an emergency basis; or
12.3.4. for the purposes of more than one (1) audit or inspection in any calendar year, except for any additional audits or inspections which:
12.3.4.1. Controller reasonably considers necessary because of genuine concern as to Processor’s compliance with this DPA; or
12.3.4.2. Controller is required to carry out by Applicable Law, a Supervisory Authority or any similar regulatory authority responsible for the enforcement of Applicable Law in any country or territory, where Controller has identified its concerns or the relevant requirement or request in its prior written notice to Processor of the audit or inspection.
12.3.5. Processor shall immediately inform Controller if, in its opinion, an instruction received under this DPA infringes the GDPR or other Applicable Law.
13. Indemnity and Limitation of Liability.
Controller shall indemnify and hold Processor harmless against all claims, actions, third party claims, losses, damages and expenses incurred by the Processor and arising directly or indirectly out of or in connection with a breach of this DPA and/or the Applicable Law by Controller. Each party’s liability toward the other party shall be subject to the limitations on liability under the Services Agreement.
14. General Terms.
14.1. Governing Law and Jurisdiction.
14.1.1. The parties to this DPA hereby agree that the competent courts of France shall have exclusive jurisdiction regarding all disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity, and the parties expressly consent to such jurisdiction.
14.1.2. This DPA and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of France. To the extent that the Standard Contractual Clauses apply, the above mentioned jurisdiction shall be deemed the jurisdiction specified in Clause 17 of the Standard Contractual Clauses, provided that such law allows for third-party beneficiary rights.
14.2. Order of Precedence.
14.2.1. Nothing in this DPA reduces Processor’s obligations under the Services Agreement in relation to the protection of Controller Personal Data or permits Processor to Process (or permit the Processing of) Controller Personal Data in a manner that is prohibited by the Services Agreement.
14.2.2. This DPA is not intended to, and does not in any way limit or derogate from Controller’s obligations and liabilities towards the Processor under the Services Agreement and/or pursuant to Applicable Law or any law applicable to Controller in connection with the collection, handling and use of Controller Personal Data by Controller or other processors or their sub processors, including with respect to the transfer or provision of Controller Personal Data to Processor and/or providing Processor with access thereto.
14.2.3. Subject to this Section 14.2, with regard to the subject matter of this DPA, in the event of inconsistencies between the provisions of this DPA and any other agreements between the parties, including the Services Agreement and including (except where explicitly agreed otherwise in writing, signed on behalf of the parties) agreements entered into or purported to be entered into after the date of this DPA, the provisions of this DPA shall prevail. In the event of inconsistencies between the provisions of this DPA and the Standard Contractual Clauses or UK Addendum (to the extent they apply), the Standard Contractual Clauses or UK Addendum, as applicable, shall prevail.
14.3. Changes in Applicable Law.
14.3.1. Controller may, by at least 45 (forty five) calendar days’ prior written notice to Processor, request in writing any variations to this DPA if they are required as a result of any change in, or decision of a competent authority under any Applicable Law in order to allow Controller Personal Data to be Processed (or continue to be Processed) without breach of that Applicable Law.
14.3.2. If Controller gives notice with respect to its request to modify this DPA under Section 13.3.1, (i) Processor shall make commercially reasonable efforts to accommodate such modification request and (ii) Controller shall not unreasonably withhold or delay agreement to any consequential variations to this DPA proposed by Processor to protect the Processor against additional risks, or to indemnify and compensate Processor for any further steps and costs associated with the variations made herein.
14.3.3. Severance. Should any provision of this DPA be held invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall either be (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
Schedule 1 - Details of Processing of Controller Personal Data
This Schedule 1 includes certain details of the Processing of Controller Personal Data as required by Article 28(3) GDPR.
Subject matter and duration of the Processing of Controller Personal Data.
The subject matter and duration of the Processing of the Controller Personal Data are set out in the Services Agreement and this DPA.
The nature and purpose of the Processing of Controller Personal Data:
Rendering Services in the nature of the Keypup solution that provides software development productivity analytics, as detailed in the Services Agreement.
The types of Controller Personal Data to be Processed are as follows:
Data regarding how the Controller’s systems and code are used, planned, accessed and developed by employees and service providers of Customer. Additionally, names, emails and git profiles may be processed.
The categories of Data Subject to whom the Controller Personal Data relates are as follows:
Data Subjects who are Controller’s employees or service providers who access the Controller’s systems and code.
The obligations and rights of Controller.
The obligations and rights of Controller are set out in the Services Agreement and this DPA.
Schedule 2 - Binding Security Document
Processor uses firewalls to protect our internet connection
This will be your first line of defense against an intrusion from the internet.
Supplementary details of firewalls used: Processor leverages Firewalls with IDS/IPS capabilities with an extra layer of WAF. Access is monitored and reviewed on a regular basis.
Processor will maintain measures meant to identify, manage, mitigate and/or remediate vulnerabilities within the Processor computing environments.
Security measures include: patch management; threat notification advisories; vulnerability scanning and periodic penetration testing (Internet-facing systems) with remediation of identified vulnerabilities.
Processor uses the most appropriate secure settings for its devices and software.
Most hardware and software will need some level of set-up and configuration in order to provide effective protection.
Supplementary details of security settings used: Before using any new software the Processor’s team checks that the product meets the necessary security and compliance requirements in addition to applying latest updates. Processor’s team adopted the OWASP top 10 framework as a starting point combined with various scans, Encryption Procedures and multiple monitoring systems.
Processor controls who has access to your data and services
Restrict access to your system to users and sources you trust.
Processor will maintain proper controls for governing user access to systems and applications containing Personal Data. All access requests will be approved based on individual role-based access and reviewed on a regular basis for continued business need. Processor will limit privileged access to individuals for a limited period and usage will be monitored and logged.
Supplementary details of how access to your system is controlled: Access is granted based on role hierarchy and least-privilege access, along with audit logs covering all systems. The system is fully monitored, with manual reviews by the AppSec and Dev teams.
Processor protects itself from viruses and other malware.
Supplementary details of antivirus and malware protection used: Processor utilizes antivirus on all workstations.
Processor keeps its software and devices up-to-date.
Hardware and software needs regular updates to fix bugs and security vulnerabilities.
Supplementary details of how software and devices are kept up to date: Processor’s systems are fully managed and updated automatically every month; some services are automatically managed and updated by GCP.
Processor regularly backs up its data.
Regular backups of your most important data will ensure it can be quickly restored in the event of disaster or ransomware infection.
Supplementary details of how data is backed up: Processor has full backup availability procedures and process plans, with full redundancy across different zone locations.
Document Management
Processor will validate that necessary documentation is in place between Processor and the Controller where Processor processes Personal Data covered by GDPR. In case of a change to the defined scope, any change to the processing of Personal Data will be reviewed to determine any impact on required TOMs and other contract exhibits.
Security Incidents
Processor will maintain an incident response plan and follow documented incident response policies including data breach notification to Data Controller without undue delay where a breach is known or reasonably suspected to affect Controller Personal Data.
Risk Management
Processor will assess risks related to processing of Personal Data and create an action plan to mitigate identified risks.
Security Policies
Processor will maintain and follow IT security policies and practices that are integral to Processor’s business and mandatory for all Processor employees, including supplemental personnel. IT security policies will be reviewed periodically and amended as Processor deems reasonable to maintain protection of services and Content processed therein.
Processor employees will complete security and privacy education annually. Additional policy and process training will be provided to persons granted administrative access to security components that is specific to their role within Processor’s operation and support of the service, and as required to maintain compliance and certifications.
System and Network Security
Processor will employ encrypted and authenticated remote connectivity to Processor computing environments.
Controls and Validation
Processor will maintain policies and procedures designed to manage risks associated with the application of changes to Processor’s systems.
Workstation Protection
Processor will implement protections on end-user devices and monitor those devices to be in compliance with the security standard.
Privacy by Design
Processor will incorporate Privacy by Design principles for systems and enhancements at the earliest stage of development as well as educate all employees on security and privacy annually.
Annexure 1 - Authorized sub-processors
In accordance with clause 8, the Controller has authorized the use of the following sub-processors:
Platform operations
1. Google Cloud Platform (GCP): for the infrastructure of the Keypup platform (Cloud Run, SQL, Memorystore, Logging, Alerting, IAM)
2. Cloudflare: for external-level security (firewall & web routing)
3. New Relic: for application performance monitoring
Customer operations
4. Intercom: for users support (chat, emails, surveys)
5. Forest Admin: for users support (backend & operations)
Security operations
6. GitHub Dependabot: for dependency scanning
7. Snyk: for dependency scanning and Keypup’s internal dynamic code analysis
8. Detectify / OWASP ZAP: for dynamic application scanning
9. Red Sentry Agency: for independent penetration testing