This Data Processing Agreement (“DPA”) is entered into by and between Keep Aware, Inc. (“Keep Aware”) and the customer that is a party to the Keep Aware Service Agreement (the “Customer”). This DPA is incorporated by reference into the Keep Aware Service Agreement (the “Agreement”). Capitalized terms not defined herein have the meanings given in the Agreement. Any terms not defined by this DPA or the Agreement shall have the meaning given by GDPR.
1. DEFINITIONS.
- “Agreement” means the Keep Aware Service Agreement (including any Order Form, Quotation, or Purchase Order) under which Products are provided to Customer.
- “Data Protection Laws” means all privacy and data‑protection laws and regulations that govern the processing of Personal Data under the Agreement, including, as applicable, U.S. Cyber Incident Reporting Laws, Regulation (EU) 2016/679 (“GDPR”), the UK GDPR, and the Swiss Federal Act on Data Protection, each as amended or replaced from time to time.
- “Controller”, “Processor”, “process” (and cognate terms), “Personal Data”, “Personal Data Breach”, and “Supervisory Authority” shall have the meanings assigned to such terms in the Data Protection Laws.
- “Customer” means the legal entity identified as “Customer” in the Agreement and any of its Affiliates that access or use the Products.
- “Data Retention Schedule” means Keep Aware’s published log-retention policy at https://keepaware.com/compliance/security.
- “Personal Data” means any information submitted to the Products by or on behalf of Customer that is defined as “personal data,” “personal information,” or a similar term under the Data Protection Laws and is processed by Keep Aware on Customer’s behalf.
- “Products” means the Keep Aware software, cloud services, support, and related offerings provided to Customer pursuant to the Agreement.
- “Security Measures” means the administrative, technical, and organizational safeguards Keep Aware applies to protect Personal Data, as described at https://keepaware.com/compliance/security.
- “Subprocessor” means any third‑party service provider engaged by Keep Aware to process Personal Data on Keep Aware’s behalf in connection with the Products.
- “Subprocessor List” means the current list of authorized Subprocessors published at https://keepaware.com/compliance/subprocessors.
2. DATA PROCESSING.
- Roles of the Parties. The parties acknowledge and agree that this DPA applies to the processing of Personal Data for the provision of the Products, Customer is the Controller, and Keep Aware is the Processor.
- Customer Instructions. Keep Aware will process Personal Data only in accordance with (a) the Agreement and this DPA, (b) Customer’s documented instructions (including configuration of the Products), and (c) Data Protection Laws. Keep Aware will promptly inform Customer if, in its opinion, an instruction violates Data Protection Laws.
- Customer Responsibilities. Customer is responsible for the legality of Personal Data it supplies, the accuracy of such data, and ensuring it has obtained all consents or authorisations required under Data Protection Laws.
- Assistance and Cooperation. Taking into account the nature of the processing, Keep Aware will provide reasonable assistance to Customer to (a) respond to Data Subject requests, and (b) meet the obligations in Articles 32 to 36 of the GDPR.
- Return, Deletion, and Retention. (a) At Customer’s written election upon termination of the Agreement, Keep Aware will delete or return all Personal Data and remove any remaining copies, unless retention is required by law. (b) During the Term, Personal Data (including logs) will be retained in accordance with the Data Retention Schedule published at https://keepaware.com/compliance/security.
3. TYPES OF PERSONAL DATA.
- Categories of Data Subjects
  - Employees including volunteers, agents, temporary workers, and independent contractors
  - Contractors
  - Customer clients and prospective clients
  - Suppliers and vendors
  - Advisors and consultants
  - Customer officers and directors
- Types of Personal Data
  - IP addresses
  - Email addresses
  - User names
  - Host names
  - User agents
  - File names
  - And any other types of Personal Data that may be contained in Controller’s web traffic.
4. INTERNATIONAL TRANSFERS.
- General. Customer authorizes Keep Aware to transfer and process Personal Data globally, provided Keep Aware complies with Data Protection Laws.
- Transfer Mechanisms. Where legally required, the Parties will rely on an approved data‑transfer mechanism (for example the EU Standard Contractual Clauses, the UK International Data Transfer Addendum, or the EU‑US Data Privacy Framework). On Customer’s written request, Keep Aware will execute the then‑current form of such mechanism.
5. SUBPROCESSORS.
- General. Customer grants Keep Aware a general authorisation to engage Subprocessors listed on the Subprocessor List to support the Products.
- Subprocessor Obligations. Keep Aware will enter into a written contract with each Subprocessor requiring protections no less protective of Personal Data than this DPA and remains liable for each Subprocessor’s acts and omissions.
- Changes to Subprocessor List. Keep Aware will provide advance notice of any addition or replacement of a Subprocessor. Customer may object on reasonable data‑protection grounds within thirty (30) business days; the Parties will in good faith seek a commercially reasonable resolution. If no resolution is reached, Customer may suspend or terminate the affected Product and Keep Aware will refund any prepaid Fees for the unused Term of that Product.
6. RIGHTS AND OBLIGATIONS OF THE CONTROLLER.
The Controller instructs the Processor to take such steps in the processing of the Personal Data only in accordance with any documented instructions from the Controller with respect to the processing of such Personal Data and in a manner necessary for the provision of the Products, which will include processing in accordance with this DPA and the Agreement.
7. RIGHTS AND OBLIGATIONS OF THE PROCESSOR.
- The Processor will only process Personal Data in accordance with any documented instructions from the Controller and will not use Personal Data except in a manner necessary for the provision of the Products as instructed by this DPA and the Agreement.
- The Processor shall promptly notify the Controller if it receives a request from a Data Subject under Data Protection Laws in respect of Controller Personal Data.
- The Processor shall ensure that it does not respond to that request except on the documented instructions of the Controller or as required by Applicable Laws to which the Processor is subject, in which case Processor shall, to the extent permitted by Applicable Laws, inform Controller of that legal requirement before the Processor responds to the request.
8. SECURITY MEASURES AND ACCESS.
- Implementation. Keep Aware will maintain the Security Measures and will not materially diminish them during the Term.
- Confidentiality. Keep Aware will ensure that persons authorized to process Personal Data are bound by confidentiality obligations and process Personal Data only as necessary to perform their duties.
9. SECURITY INCIDENTS.
Keep Aware will notify Customer without undue delay, and in any event within seventy‑two (72) hours, after confirming a Personal Data Breach. The notice will describe the nature of the breach, steps taken, and measures to mitigate its possible adverse effects.
10. DATA PROTECTION IMPACT ASSESSMENT.
Processor shall provide reasonable assistance to the Controller with any data protection impact assessments, and prior consultations with competent data privacy authorities, which the Controller reasonably considers to be required by the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Controller Personal Data by, and considering the nature of the Processing and information available to, the Contracted Processors.
11. AUDIT AND DOCUMENTATION.
- Records. Keep Aware will maintain records of Processing activities and, on written request, provide summaries of third‑party audit reports (e.g., SOC 2 Type II).
- Customer Audit Right. Customer may audit Keep Aware’s compliance with this DPA once per twelve‑month period, subject to thirty (30) days’ notice, during normal business hours, and subject to reasonable confidentiality and cost‑recovery conditions.