Data Processing Agreement



In connection with its use of the Software, Recipient may make certain Personal Data (as defined herein) available to the Company for the purposes of the authentication service related to the use of the Software (the "Service"). This Data Processing Agreement (the "DPA") describes the parties' commitments concerning the processing of such Personal Data and shall govern the processing of Personal Data of which the Recipient is the controller under the Data Protection Laws. It sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the Recipient, in accordance with the Data Protection Laws. The terms of this DPA are not intended to limit any data protection obligations of either party as provided in the Agreement. Any capitalised term not defined in this DPA will have the meaning given to it in the main body of the Agreement.


    The terms used in this DPA have the meaning given to them under Data Protection Laws and shall be interpreted accordingly. In particular:

    1. "Data Protection Laws" means, to the extent applicable to the Personal Data in question, the EU General Data Protection Regulation 2016/679 ("GDPR") and any other national legislation or act having force of law regarding data protection, including decisions of the Supervisory Authority;
    2. "Personal Data" means any information relating to the end user for which the Recipient acts as data controller ("Data Subject");
    3. "Personal Data Breach" means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed;
    4. "Sub-processor" means any third party engaged by the Company pursuant to Article 28(2) GDPR;
    5. "Supervisory Authority" means the authority provided for under Article 51 GDPR, which performs the tasks set forth in Article 57 GDPR;
    6. "Security Measures" means the minimum security measures provided for by Article 32 GDPR and by the relevant Supervisory Authority's measures/decisions.

    Recipient is the controller of the Personal Data described in Section 3 of this DPA and the Company shall process the Personal Data solely (a) as a processor on Recipient’s behalf and (b) in accordance with the provisions set out in this DPA and with the Recipient’s documented processing instructions.

    Recipient agrees that the provisions set out in the Agreement and in this DPA constitute Recipient's complete processing instructions regarding the processing of Personal Data by the Company, and that any additional or alternative processing instructions must be provided in writing. The Company shall inform the Recipient if it becomes aware that Recipient's processing instructions infringe Data Protection Laws, but without any obligation to actively monitor Recipient's compliance with Data Protection Laws.


    The details of the Personal Data processed by the Company under this DPA are as follows:

    1. subject matter: collection and processing of Personal Data relating to Data Subjects in connection with the Service;
    2. categories of data subjects: end users for whom a subscription to the authentication services provided by the Company has been procured by the Recipient, including Recipient’s employees, consultants, contractors or end-customers depending on the Recipient’s use case;
    3. types of personal data: Data Subject profile information (username or email address) that the Data Subject uses to log in, and device data from the Data Subject's device (IP address);
    4. purpose and nature of the processing: providing, maintaining, and improving the services related to the use of the Software, as described in the Agreement;
    5. duration of processing: as long as the Recipient uses the Software in accordance with the licence granted by the Company under the Agreement.

    The Recipient shall be responsible for complying with its obligations as a controller under Data Protection Laws and agrees that it shall be responsible for (a) determining whether the Service is appropriate for processing Personal Data in a manner consistent with Recipient's legal and regulatory obligations; (b) complying with Data Protection Laws with respect to its use of the Service; and (c) obtaining the necessary rights and consents, if applicable, and providing any required notices under Data Protection Laws.


    The Company shall ensure that any persons it authorises to process Personal Data (including the Company's employees) are subject to a duty of confidentiality (whether contractual or statutory) and shall process the Personal Data only as necessary to perform the Service.


    The Company will maintain security measures pursuant to the Data Protection Laws (including Article 32 of the GDPR) to ensure an appropriate level of security of the processing activities. Such measures shall include, at a minimum, all those technical/IT and organisational measures aimed at ensuring, on a permanent basis, the confidentiality, integrity, availability and resilience of the processing systems and services, the ability to restore timely availability of and access to personal data in the event of a physical or technical incident, and a procedure to regularly test, verify and evaluate the effectiveness of the technical and organisational measures for ensuring the security of processing. The complete list of security measures adopted by the Company is available upon request by writing to gianluigi.strazzo@keyless.io.


    Upon Recipient's request, the Company shall make available to the Recipient all information necessary to demonstrate compliance with the obligations laid down in this DPA and shall allow for and contribute to audits, including inspections, conducted by the Recipient (as controller) or another auditor mandated by the Recipient. The Recipient shall provide reasonable prior notice of any such audit or inspection, and any such audit or inspection shall take place at a mutually agreeable date and time and shall not be unreasonably disruptive to the Company's business. The Recipient shall be responsible for the costs of any such audit or inspection, including reimbursing Keyless for any time expended dealing with the audit or inspection.


    In the event of a Personal Data Breach, the Company shall inform the Recipient without undue delay and shall provide the Recipient with reasonable assistance to comply with its obligations under Data Protection Laws with respect to notifying the relevant supervisory authority and/or data subjects affected by the Personal Data Breach.


    The Recipient provides a general authorisation for the Company to appoint Sub-processors, including the Sub-processors listed on the webpage available at https://keyless.io/sub-processors, provided that: (a) the Company imposes the same data protection obligations as set out in this DPA by way of a contract or other legal act under the Data Protection Laws, and the Sub-processors provide sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the Data Protection Laws; (b) the Company remains liable for any breach of this DPA caused by a Sub-processor; and (c) the Recipient may raise reasonable objections, on grounds of data protection, to any intended addition or replacement of Sub-processors by notifying the Company in writing. If the Recipient raises such objections, the parties shall discuss Recipient's objections in good faith with a view to achieving a resolution.


    The Company does not transfer any Personal Data of the Data Subjects outside the European Union. In any case, where such a transfer should be required, it will be governed, depending on the recipient of the data, by standard contractual clauses adopted by the European Commission or, alternatively, on the basis of a European Commission adequacy decision and/or any other appropriate safeguards provided for by the Data Protection Laws.


    The Company shall provide the Recipient with reasonable assistance to enable the Recipient to comply with its obligations under Data Protection Laws. In particular, the Company shall promptly notify the Recipient of any request, inquiry or complaint from a Data Subject, Supervisory Authority or other competent authority that it receives concerning its processing of Personal Data on the Recipient’s behalf and reasonably assist the Recipient to respond to such correspondence to the extent that the Recipient is itself unable to do so without further assistance or information. The Recipient shall be responsible for any costs and expenses arising from any such assistance by the Company.


    The Company shall provide the Recipient with reasonable cooperation and assistance as required under Data Protection Laws for the Recipient to conduct a data protection impact assessment and/or to consult with Supervisory Authorities with respect to the Company's processing of Personal Data, provided that the Recipient does not otherwise have access to the relevant information.


    Upon termination or expiry of the Agreement, the Company shall (at the Recipient’s election) delete or return to the Recipient all Personal Data in its possession or control. This requirement shall not apply to the extent that the Company is required to retain Personal Data by applicable law, in which event the Company shall isolate and protect the Personal Data from any further processing until deletion is legally permissible.


    In the event of a change in Data Protection Laws or a determination by a Supervisory Authority or competent court affecting the data processing undertaken under this DPA, the parties shall work together in good faith to make any amendments to this DPA or changes to the Service as are reasonably necessary to ensure continued compliance with Data Protection Laws.