Data Processing Agreement

1. Parties Lawyer Review Required

This Data Processing Agreement ("DPA") is entered into between:

This DPA supplements and forms part of the main service agreement between the parties. In the event of any conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to data protection matters.

2. Definitions Lawyer Review Required

3. Scope of Processing Lawyer Review Required

4. Processor Obligations Lawyer Review Required

Keygent, as the Data Processor, agrees to:

4.1 Processing Instructions

• Process personal data only on documented instructions from the Controller, including with regard to transfers to third countries
• Immediately inform the Controller if, in Keygent's opinion, an instruction infringes applicable data protection law
• Not process personal data for any purpose other than as necessary to provide the services

4.2 Personnel Confidentiality

• Ensure that all personnel authorized to process personal data are bound by confidentiality obligations
• Limit access to personal data to personnel who require such access to perform the services
• Ensure personnel receive appropriate data protection training

4.3 Security Measures

• Implement and maintain appropriate technical and organizational measures to protect personal data
• Regularly test, assess, and evaluate the effectiveness of security measures
• Measures shall be detailed in Section 6 (Security Measures) of this DPA

4.4 Data Subject Rights

• Assist the Controller in responding to requests from data subjects exercising their rights under applicable law
• Promptly notify the Controller of any data subject request received directly
• Not respond directly to data subjects unless authorized by the Controller

4.5 Data Deletion

• Upon termination of the service agreement, delete or return all personal data as instructed by the Controller
• Deletion shall occur within 30 days of termination unless retention is required by applicable law
• Provide written certification of deletion upon request

5. Sub-Processors Lawyer Review Required

The Controller authorizes Keygent to engage the following Sub-processors:

5.1 New Sub-Processors

• Keygent shall provide the Controller with 30 days' advance notice before engaging any new Sub-processor
• Notice shall be provided via email to the Controller's designated contact and posted on the Keygent website
• The notice shall include the Sub-processor's name, processing activities, and location

5.2 Right to Object

• The Controller may object to a new Sub-processor within 14 days of receiving notice
• Objections must be based on reasonable data protection grounds and submitted in writing
• If the parties cannot resolve the objection, the Controller may terminate the affected services without penalty

5.3 Sub-Processor Agreements

• Keygent shall impose data protection obligations on each Sub-processor no less protective than those in this DPA
• Keygent remains fully liable to the Controller for the performance of Sub-processors

6. Security Measures Lawyer Review Required

Keygent implements the following technical and organizational measures to protect personal data:

6.1 Encryption at Rest

• All credentials are encrypted using AES-256-GCM with tenant-bound Additional Authenticated Data (AAD)
• Encryption keys are managed using industry-standard key management practices
• Keys are rotated according to a defined schedule

6.2 Token Security

• API tokens and access keys are hashed using SHA-256 before storage
• Original token values cannot be recovered from stored hashes
• Token validation occurs through secure comparison methods

6.3 Encryption in Transit

• All data transmitted between systems uses TLS 1.3 encryption
• Strong cipher suites are enforced; weak protocols are disabled
• Certificate validation is strictly enforced

6.4 Access Control

• Row-level security (RLS) ensures data isolation between tenants
• Role-based access controls (RBAC) limit personnel access based on job function
• Multi-factor authentication is required for administrative access

6.5 Audit Logging

• All access to personal data is logged with timestamp, user identity, and action performed
• Logs are retained for 90 days and protected against tampering
• Logs are available for review upon request

7. Data Breach Notification Lawyer Review Required

7.1 Notification Contents

Data Breach notifications shall include, to the extent known:

• A description of the nature of the Data Breach, including the categories and approximate number of data subjects and records concerned
• The name and contact details of Keygent's data protection contact
• A description of the likely consequences of the Data Breach
• A description of the measures taken or proposed to address the Data Breach, including measures to mitigate possible adverse effects

7.2 Cooperation

• Keygent shall cooperate with the Controller in investigating and remedying the Data Breach
• Keygent shall assist the Controller in meeting its obligations to notify supervisory authorities and data subjects
• Keygent shall not communicate directly with data subjects about a breach without the Controller's prior written consent, unless required by law

8. Audit Rights Lawyer Review Required

The Controller has the right to verify Keygent's compliance with this DPA:

8.1 Audit Requests

• The Controller may request an audit once per calendar year with at least 30 days' advance written notice
• Additional audits may be conducted following a Data Breach or upon reasonable suspicion of non-compliance
• Audits shall be conducted during regular business hours and shall not unreasonably disrupt Keygent's operations

8.2 Audit Process

• Keygent shall provide reasonable access to relevant documentation, systems, and personnel
• The Controller may engage a qualified third-party auditor, subject to confidentiality obligations acceptable to Keygent
• Audit reports and findings shall be treated as confidential information

8.3 Certifications

In lieu of an on-site audit, Keygent may provide:

• Current SOC 2 Type II audit reports
• Security certifications and third-party assessment results
• Completed security questionnaires or assessments

9. International Data Transfers Lawyer Review Required

Where personal data is transferred to countries outside the European Economic Area (EEA) that have not received an adequacy decision:

9.1 Transfer Mechanisms

• Keygent relies on the European Commission's Standard Contractual Clauses (SCCs) for international data transfers
• The Controller and Keygent agree to be bound by the SCCs as incorporated by reference into this DPA
• Where required, supplementary measures are implemented to ensure adequate protection

9.2 Transfer Impact Assessments

• Keygent conducts transfer impact assessments for transfers to countries without adequacy decisions
• Assessments evaluate the legal framework and practices of the destination country
• Supplementary measures are implemented where assessments identify risks

10. Term and Termination Lawyer Review Required

10.1 Term

This DPA shall remain in effect for the duration of Keygent's processing of personal data on behalf of the Controller under the service agreement.

10.2 Effects of Termination

• Upon termination or expiration of the service agreement, Keygent shall cease all processing of personal data
• At the Controller's election, Keygent shall either return all personal data or securely delete it within 30 days
• Keygent shall provide written confirmation of deletion upon request
• This DPA shall survive termination to the extent necessary to address ongoing data protection obligations

10.3 Survival

Sections relating to confidentiality, data breach notification, and audit rights shall survive termination of this DPA.

Contact Information