Thank you for reviewing the Keyless Master Subscription Agreement ("Agreement") and order form (collectively, "Documents"). We recognize that sometimes attorneys and contract professionals are asked to redline an agreement without a complete understanding of how the service works. We hope that this Guide will be useful as you review the Documents. This Guide is for informational purposes only and should not be construed as legal advice. It does not form part of the contract and will be deleted in the next version of the Documents you receive.What is your company purchasing?
Keyless is a passwordless, multi-factor authentication (MFA) solution that provides strong authentication for users using biometric authentication technology that includes liveness detection. It does not rely on passwords, PIN codes or time codes but instead provides secure authentication without processing any biometric data. Keyless offers two products, and the specific one will be identified on the applicable order form.
We acknowledge that our service is complex, and therefore have provided an outline below.Enrollment flow
In the first phase, the end user enrolls their device with your company software that has been integrated with the Keyless software (e.g., software development kit or mobile or Windows app for desktop).
In the second phase, the end user authenticates their identity in order to log into your website/app or confirm a transaction. The initial steps are the same seen in the Enrollment:
Customers integrate through Keyless application programming interface (API) and integration of the Keyless SDK into your mobile application, if applicable.Does Keyless process biometric data, and what data is processed within the service?
Our privacy-preserving service does not process biometric data. All biometric data stays on the end user device. Instead, Keyless may receive from your end users:
Keyless will generate a unique Keyless identifier (cryptographic key) within its systems.What data privacy and security commitments does Keyless provide?
This Master Subscription Agreement (this "Agreement"), effective as of the date of the Order Form (the "Effective Date"), is between You and KEYLESS TECHNOLOGIES SRL (if You are based in the European Union) or KEYLESS TECHNOLOGIES LIMITED (if You are based outside the European Union) (in both cases "Keyless" or "Us" or "We").
KEYLESS TECHNOLOGIES SRL is a private limited company incorporated in Italy with company number ID and VAT No. 14880901005, whose registered office is at Viale Luca Gaurico 9-11, 00144 Rome, Italy wholly owned by KEYLESS TECHNOLOGIES LIMITED incorporated and registered in England and Wales with company number 11362854 whose registered office is at Milton Gate 60 Chiswell Street London United Kingdom EC1Y 4AG.
By installing our SDK You accept to be bound by the terms and conditions set out in this Agreement.
We provide the Services (as defined herein) to which You intend to subscribe, and this Agreement establishes the business relationship and allocation of responsibilities regarding the Services; now, therefore, the parties agree as follows:
"Affiliates" means, in respect to a party to this Agreement, any company or entity controlled by, controlling or under common control with such party. For this purpose, a party is deemed to "control" a company or entity if it (a) owns, directly or indirectly, at least 50 percent of the capital of the other company, or (b) in the absence of such ownership interest, substantially has the power to direct or cause the direction of the management and set the policies of such company or entity, whether through the ownership of voting securities or other ownership interests, by contract or otherwise.
"Applicable Laws" means all laws, rules, and regulations applicable to the Services, including but not limited to those relating to privacy, data protection, and data security.
"Authorized User" means an individual (such as Your employees, consultants, contractors or agents) who is authorized by You to implement and manage the use of the Services.
"Documentation" means Keyless documentation, guides and policies, including those available at https://docs.keyless.io as updated from time to time, provided by Keyless to You or End Users in connection with the Services.
"End User" means individuals for whom a subscription to the Services has been procured by You in accordance with Section 5.4, and may include, for example, Your employees, consultants, contractors, or end-customers, depending on the use case.
"End User Subscriptions" means the End User subscriptions to the Services purchased by You pursuant to this Agreement and the applicable Order Form.
"Keyless Privacy Notice" means Keyless publicly-facing service privacy notice located at https://keyless.io/privacy or such successor site, which Keyless may update from time to time.
"Location and Purpose Exhibit": The preliminary questionnaire by which You undertake to not use the Software for illegal purposes and that You must fill out in order to obtain a copy of the Software as per Exhibit D.
"Order Form" means an ordering document (including any online order form), specifying the Services to be provided by Keyless, that is entered into between You and Keyless and incorporates the terms of this Agreement by reference.
"Output" means the output generated by Keyless in connection with Your or End Users’ use of the Services and includes the outcome of an End User authentication (e.g., successful authentication or error report, such as failed authentication, timeout, no match, connection error).
"Sensitive Personal Information" means for the purposes of this Agreement (a) full credit or debit card numbers or financial account information; Social Security numbers or local equivalents; passport numbers; driver’s license numbers or similar identifiers; passwords; physical or mental health condition or information; any information subject to the Health Insurance Portability and Accountability Act, the Payment Card Industry Data Security Standards, as well as other applicable regulations, laws or industry standards designed to protect similar sensitive information; (b) information related to children under the age of 13 (or in the EEA, UK or Switzerland under 16); (c) any information defined under the EU General Data Protection Regulation 2016/679 as a "special category" of personal data and (d) any other information We reasonably determine is sensitive, provided that We communicate such determination to You.
"Services" means the passwordless authentication services provided by Us to You under this Agreement, and any Support Services, if applicable as per Exhibit E. The specific Services are identified on the applicable Order Form.
"Software" means the software applications and platform provided by Us as part of the Services which may include the Keyless application programming interface, software development kit, Keyless Authenticator and Keyless Workforce Authentication application, as applicable.
"Support Services" means the support services to be provided by Us in connection with the Services according to Exhibit E, as identified on an Order Form, if applicable.
"Your Data" means any data that You or End Users send, submit or upload to the Services, including data received or collected about the End User through their device.
"Your Properties" means Your services and digital applications or properties (e.g., webpages, apps, endpoints, platforms) that You integrate with the Services.
"Your Provider" means a third party application, platform or service utilized by You in connection with Your business.
End User Subscriptions. You acknowledge and agree that:
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW:
THE PROVISIONS OF THIS SECTION ALLOCATE THE RISKS UNDER THIS AGREEMENT BETWEEN THE PARTIES, AND THE PARTIES HAVE RELIED ON THE LIMITATIONS SET FORTH HEREIN IN DETERMINING WHETHER TO ENTER INTO THIS AGREEMENT.
Suspension of Services. We shall use commercially reasonable endeavors to make the Services available 24 hours a day, seven days a week, except for:
Intending to be legally bound, the parties have had this Agreement signed by their duly authorized representatives as of the Effective Date.
With this policy notice - provided pursuant to Regulation (EU) 2016/679 ("Regulation" or "GDPR"), as well as Swiss Data Protection Act of 19 June 1992 ("Swiss DPA") and United Kingdom Data Protection Act 2018, as amended ("UK DPA") (GDPR, Swiss DPA and UK DPA, together, "Data Protection Laws") - We aim to provide You with the purposes of collecting and processing Your Data, which categories of data are processed, what are your rights granted by the data protection legislation and how can be exercised.
Keyless Technologies S.r.l., with registered office in Viale Luca Gaurico 9-11, 00144 - Rome, VAT no. 14880901005 - with a sole shareholder -
Keyless Technologies Limited incorporated and registered in England and Wales with company number 11362854 whose registered office is at Milton Gate 60 Chiswell Street London United Kingdom EC1Y 4AG.
(one of the above depending on whether you are located is the controller of Your personal data and both are referred to as "Keyless", the "Data Controller" or the "Company")
The Data Controller can be contacted by e-mail at firstname.lastname@example.org it or by regular mail at Keyless Technologies S.r.l., at Viale Luca Gaurico 9-11, 00144 – Rome or Keyless Technologies Limited at Milton Gate 60 Chiswell Street London United Kingdom EC1Y 4AG
Keyless has appointed a Data Protection Officer ("DPO") who can be contacted by email at email@example.com
The Data Controller shall process only the common personal data related to You (for example, first and last name) necessary for the establishment and the management of the contractual relationship, in order to achieve the following purposes.
The Data Controller will process your personal data for the establishment and subsequent management of the contractual relationship with You and for all activities connected therewith, including, but not limited to, the ordinary administrative management of the agreement and the performance of services under the agreement. This processing is necessary for the performance of a contract to which you are a party or in order to take steps at Your request.
Your personal data will be processed by the Data Controller for the fulfillment of legal obligations that may be imposed in connection with pre-contractual checks, establishment and management of the contractual relationship. This processing is necessary for compliance with a legal obligation to which the Data Controller is subject.
Your personal data may be processed for purposes related to policy compliance and/or the development of synergies with Keyless sole shareholder. This processing is necessary for the purposes of the legitimate interests pursued by the Data Controller.
The provision of data is optional, but without it Keyless will not be able to establish the contractual relationship with You.
Keyless may disclose some of your personal data to third parties that it uses for the performance of activities and/or services that are necessary, functional or otherwise related to the purposes specified in paragraph 2 above.
In particular, the personal data may be communicated - as an integral part of the processing activities - to third parties located within the European Union that offer outsourced services to the Data Controller (e.g., administrative services) as well as to external advisors. These parties will carry out the processing as data processors in accordance with Data Protection Laws (including Article 28 of the GDPR). The updated list of data processors is available upon request.
In addition, the Data Controller may communicate - as appropriate - Your personal data to third parties to whom the communication is due by virtue of legal obligations, to Public Administrations and to credit institutions with which Keyless operates for payment purposes. These parties process the data referring to You as autonomous data controllers.
Keyless may transfer Your personal data to its sole shareholder, whose registered office is in the USA, for the purposes set out in paragraph 2(c) above. This transfer will take place in accordance with the conditions set forth in the Data Protection Laws and is governed by standard contractual clauses adopted by the European Commission.
Any further transfers outside the EU will be governed, depending on the recipients, through the use of standard contractual clauses adopted by the European Commission or, alternatively, on the basis of a Commission adequacy decision and/or any other appropriate safeguards provided by the Data Protection Laws.
You will be able to obtain more information about where the personal data has been, if any, transferred by writing to the Data Controller or the DPO at the addresses in paragraphs 1 and 2.
More information about where the data has been transferred may be obtained by writing to the Data Controller or the DPO.
Keyless will process Your personal data for the purposes of establishment, management and execution of the contract for the entire duration of the contractual relationship. Thereafter, the data will be stored for 11 years, exclusively for purposes related to the fulfillment of legal obligations or the defense of rights of Keyless.
Please note that You - as a data subject - have the rights provided by Data Protection Laws and, in particular:
To exercise Your rights, please contact the Data Controller or the DPO at the addresses indicated in paragraph 1 above. Finally, please note that, pursuant to the applicable regulations, you may lodge any complaints regarding the processing of your personal data with the Italian Data Protection Authority or the Information Commissioner’s Officer.
In connection with its use of the Services, You may make certain Personal Data (as defined herein) available to Keyless in connection with Your use of the Services. This EEA, UK and Swiss Data Processing Addendum (this "Addendum") describes commitments concerning the processing of such Personal Data and shall govern the processing of Personal Data (as defined below) of which You are the controller under the Data Protection Laws (as defined below), providing the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and Your obligations and rights, in accordance with the Data Protection Laws. The terms of this Addendum are not intended to limit any data protection obligations of either party as provided in the Agreement. Any capitalized term not defined in this Addendum will have the meaning given it in the main body of the Agreement.
"Data Protection Laws" means to the extent applicable to the Personal Data in question: (i) the EU General Data Protection Regulation 2016/679 ("GDPR"); (ii) the EU e-Privacy Directive (Directive 2002/58/EC) ("e-Privacy Directive"); (iii) any national implementations of (i) and (ii); (iv) the Swiss Federal Data Protection Act of 19 June 1992 and its corresponding ordinances ("Swiss DPA"); and (v) in respect of the United Kingdom ("UK"), the GDPR as it forms part of United Kingdom law by virtue of section 3 of the European Union (Withdrawal) Act 2018 ("UK GDPR") and any other privacy and data protection laws applicable in the UK (in each case as may be amended, extended or re-enacted from time to time).
"Personal Data" means any End User Data for which You act as a data controller under the Data Protection Laws.
"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data processed by Keyless. The term "Personal Data Breach" does not include an unsuccessful attempt to access Personal Data, including without limitation unsuccessful pings and other broadcast attacks of firewalls or edge servers, port scans, log-on attempts, denial of service attacks, packet sniffing or similar incidents.
"Sub-processor" means any third party processor (including Keyless Affiliates) used by Keyless to process Personal Data.
The terms "controller", "personal data", "data subject" "supervisory authority", "processor" and "processing", "process", "processes" and "processed" shall have the meaning given to them under Data Protection Laws and shall be interpreted accordingly.
Details of Processing. The details of the Personal Data processed by Keyless under this DPA are as follows:
The following is a description of the technical and organizational security measures implemented by Keyless pursuant to Data Protection Laws (including Article 32 of the GDPR) in its provision of the Services to You. Measures apply to all products within the Services except where noted otherwise or unapplicable for feasibility reasons.ORGANIZATIONAL MEASURE
Keyless has adopted an organizational model aimed at ensuring the correctness of the processing activities carried out in accordance with privacy by design principle, including inter alia:
Policies. Keyless maintains a comprehensive set of information security and risk management policies, including as they relate to business continuity, access management, vulnerability management, operational security, incident response management, asset management and vendor management, as well as procedure and/or policies aimed inter alia at:
Encryption. Keyless encrypts personal data as follows:
We certify that we are the end-user of the Software which is to be supplied by Keyless. We further certify that we shall use the Software solely for the purposes described above; that the Software will not be used for any purpose connected with chemical, biological or nuclear weapons, or missiles capable of delivering such weapons; that it will not be re-exported or otherwise re-sold or transferred if it is known or suspected that they are intended or likely to be used for such purposes; that the end user is not the armed forces or internal security forces of any country; that the Software will not be re-exported or otherwise re-sold or transferred to a destination subject to UN, EU, UK, OSCE embargo where that act would be in breach of the ; and that the Software will not be used in any nuclear explosive activityi or unsafeguarded nuclear fuel cycleii.Notes
For the purposes of this Exhibit E, the following terms have the meanings set forth below.
"Contact List" means a current list of Your contacts and telephone numbers You provided to Us from time to time to enable Us to escalate Your Support Requests, including:
"Your Cause" means any of the following causes of an Error, except, in each case, any such causes resulting from any action or inaction that is authorised by this Exhibit E or the Agreement, specified in the then-current Documentation, or otherwise authorised in writing by Us:
"Your Systems" means Your information technology infrastructure, including Your computers, software, databases, electronic systems (including database management systems), and networks.
"Error" means any failure of the Software to operate in all material respects in accordance with the Documentation, including any problem, failure or error referred to in the Service Level Table.
"Out-of-Scope Services" means any of the following:
"Resolve" and the correlative terms, "Resolved," "Resolving," and "Resolution" each have the meaning set forth in paragraph 1.2.
"Service Levels" means the defined Error severity levels and corresponding required service level responses, response times, Resolutions, and Resolution times referred to in the Service Level Table.
"Service Level Table" means the table set out in paragraph 1.2.
"Severity Level 1 Error" has the meaning set forth in the Service Level Table.
"Severity Level 2 Error" has the meaning set forth in the Service Level Table.
"Severity Level 3 Error" has the meaning set forth in the Service Level Table.
"Support Hours" means  hours a day,  days a week (Monday to Friday, regular working hours in Italy), excluding public holidays in Italy or in the UK depending on whether You are contracting with Keyless Technologies S.r.l. or Keyless Technologies Limited.
"Support Period" means the subscription term identified in the Order Form.
"Support Request" has the meaning set forth in paragraph 2.1.
"Technical Contact" has the meaning set forth in paragraph 2.2.
"Third-Party Products" means all third-party software (including all Open Source Components), computer hardware, network hardware, electrical, telephone, wiring, and all related accessories, components, parts, and devices.
We shall perform Third Line Support, and other Support Services during the Support Hours throughout the Support Period in accordance with the terms and conditions of this Exhibit E and the Agreement, including the Service Levels and other our obligations set forth in this paragraph 1.
Response and Resolution times will be measured from the time We receive a Support Request until the respective times We have (a) responded to that Support Request, in the case of response time and (b) Resolved that Support Request, in the case of Resolution time. "Resolve," "Resolved," "Resolution," and correlative capitalized terms mean, with respect to any particular Support Request, that We have corrected the Error that prompted that Support Request and that You have confirmed such correction and Your acceptance of it in writing. We shall respond to and Resolve all Support Requests within the following times based on Your designation of the severity of the associated Error, subject to the parties' written agreement to revise such designation after Our investigation of the reported Error and consultation with You:
|Severity Level of Error||Definition||Required Service Level Response and Response Time||Required Service Level Resolution Time|
Business Critical Failures: An Error that:
|Level 1 Response:|
We shall acknowledge receipt of a Support Request within 180 minutes.Level 2 Response:
We shall work on the problem continuously and:
We shall Resolve the Support Request as soon as practicable and no later than 24 hours after Our receipt of the Support Request.
If We Resolve the Support Request by way of a work-around You have accepted in writing, the severity level assessment will be reduced to a Severity Level of Error 2.
|2||System Defect with Work-around:||Level 1 Response:|
We shall acknowledge receipt of a Support Request or, where applicable, Your written acceptance of a Severity Level 1 Error work-around, within 12 hours.Level 2 Response:
We shall, within 2 Business Days after the Level 1 Response time has elapsed, provide:
We shall Resolve the Support Request as soon as practicable and no later than 2 Business Days after the Our receipt of the Support Request or, where applicable, Your written acceptance of a Severity Level 1 Error work-around.
An isolated or minor Error in the Software and/or Services that meets each of the following requirements:
|Level 1 Response:|
We shall acknowledge receipt of the Support Request within 24 hours.
We shall Resolve the Support Request as soon as practicable and no later than 5 Business Days after the Our receipt of the Support Request.
If We do not respond to a Support Request within the relevant Service Level response time, You may escalate the Support Request to the parties' respective relationship managers identified below and then to their respective senior management identified below:
KEYLESS Tech Lead - firstname.lastname@example.org
You shall, by and through its Technical Contact(s), provide Us with:
each of the following to the extent reasonably necessary to assist Us in reproducing operating conditions similar to those present when You detected the relevant Error and to respond to and Resolve the relevant Support Request: