This Data Processing Agreement (this "DPA") is by and between KeyStrike Inc., a software company whose address is at 8 The Green, Suite #1128, Dover, DE 19901, Kent County, Delaware USA (the "Data Processor"), and the corporation, limited liability company, partnership, sole proprietorship, other business entity or individual executing this DPA (the "Company"). The Data Processor and the Company are sometimes referred to herein collectively as the "Parties" and individually as a "Party".
The Parties have agreed to enter into this DPA in consideration of their mutual obligations and commitments hereunder.
1.1. This DPA reflects the Parties' agreement with respect to the processing of personal data by the Data Processor on behalf of the Company in connection with the Data Processor's services under the Hybrid Cloud Subscription Terms of Service and License Agreement ("the ToS and LA") between the Company and the Data Processor.
1.2. By signing this DPA by electronic means, such as an acceptance box, the Company agrees to be bound by this DPA as of the date of signature (the "Effective Date").
2.1. On behalf of the Company, the Data Processor is permitted to process the personal data necessary to provide the services described under the ToS and LA and otherwise for the processing activities described below.
2.2. The processing of personal data is for the purposes of the following Processing Activities:
2.2.1. Provide, maintain, develop and improve the services of the Data Processor described in the ToS and LA as well as for security purposes, fraud prevention, marketing and promotional purposes;
2.2.2. Disclosure in accordance with the ToS and LA and this DPA and/or as compelled by applicable laws.
2.3. The Data Processor is permitted to process the following types of Personal Data, as further described in the Data Processor's Privacy Policy:
2.4. The Data Processor is permitted to process the following categories of Data Subjects:
3.1. The Data Processor shall:
3.1.1. Comply with all applicable data protection law in the processing of Company Personal Data;
3.1.2. Only process Company Personal Data in accordance with this DPA;
3.1.3. Only process Company Personal Data in accordance with the Company's documented instructions, which are identified in this DPA. In cases where the Data Processor believes that the Company's instructions are not compatible with the GDPR or other relevant legal provisions concerning the processing of personal data, the Data Processor must notify the Company without delay;
3.1.4. Ensure that the employees who have access to personal data in connection with the execution of the contract have signed a confidentiality statement or are bound by the law to confidentiality and that they receive appropriate training in the protection of personal data;
3.1.5. Make sure that devices, products, programmes and services are designed with built-in and default personal protection as a guiding principle.
4.1. As a general authorisation of the Company, the Data Processor is entitled to engage another processor (hereinafter referred to as "Sub-Processor").
4.2. The Data Processor's use of Sub-Processors is based on written agreements that ensure the continuation of at least the same level of protection as the level specified in this DPA.
4.3. At the acceptance of this DPA, the Company simultaneously authorises the Data Processor's use of the following Sub-Processors:
4.4. As a consequence of the general authorisation, the Data Processor shall inform the Company of any intended changes concerning the addition or replacement of Sub-Processors with a notice of 14 days, thereby giving the Company the opportunity to object to such changes within 10 days. In case of an objection from the Company that the Data Processor cannot accommodate, the services of the Data Processor, as described in the ToS and LA, will be considered terminated by the Company.
4.5. When using a Sub-Processor, the Data Processor shall ensure that the Sub-Processor is subject to the same data protection obligations as those set out in this DPA.
The Data Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including as appropriate:
Taking into account the nature of the processing, the Data Processor shall assist the Company by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Company's obligation to respond to requests for exercising the Data Subject's rights as laid down in Chapter III of the GDPR.
The Data Processor shall notify the Company without undue delay after becoming aware of a personal data breach. Such notification shall include, to the extent possible, a description of the nature of the personal data breach, the categories and approximate number of data subjects and personal data records concerned, the likely consequences of the breach, and the measures taken or proposed to address the breach.
The Data Processor shall provide reasonable assistance to the Company with any data protection impact assessments and prior consultations with supervisory authorities that the Company reasonably considers to be required pursuant to Articles 35 and 36 of the GDPR.
Upon termination of the ToS and LA, the Data Processor shall, at the choice of the Company, delete or return all personal data to the Company and delete existing copies unless applicable law requires storage of the personal data.
The Data Processor shall make available to the Company all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by the Company or an auditor mandated by the Company.
Any transfer of personal data to a third country or an international organisation by the Data Processor shall only take place in accordance with the applicable provisions of the GDPR and this DPA. Where such transfers occur, the Data Processor shall ensure that appropriate safeguards are in place.
This DPA shall be governed by and construed in accordance with the laws of the State of Delaware, USA. Any disputes arising under this DPA shall be subject to the exclusive jurisdiction of the courts located in Kent County, Delaware.
For questions regarding this DPA, please contact KeyStrike Inc. at [email protected] or by mail at 8 The Green, Suite #1128, Dover, DE 19901, USA.