Data Processing Agreement

Last update: 19.06.24

1. Introduction

This Data Processing Addendum (DPA) forms part of the Terms and Conditions and Agreement between Customer and Keelvar Systems Limited (Keelvar). Customer and Keelvar are referred to, collectively, as the Parties.

The purpose of this DPA is to ensure an accurate, secure and lawful processing of personal data, to ensure adequate protection for the personal data processed within the scope of the Agreement. In the event of any contradiction between this DPA and the provisions of related agreements between the Parties existing at the time when these Clauses are agreed or entered into thereafter, this DPA shall prevail.

2. Definitions

  • A. Applicable Data Protection Laws means all national and state data protection, privacy and data security laws applicable to the processing of personal data, including but not limited to:
    a. GDPR;
    b. the United Kingdom Data Protection Act 2018 (UK GDPR);
    c. the Swiss Federal Act on Data Protection (SFADP);
    d. the California Consumer Privacy Act of 2018 (CCPA) and the regulations promulgated pursuant thereto (CPRA)
  • B. Controller, Data Subject, Member State, Personal Data Breach, Processor, Processing and Supervisory Authority shall have the same meaning as in the GDPR.
  • C. EEA means the European Economic Area.
  • D. GDPR means the General Data Protection Regulation (EU) 2016/679 together with any national implementing laws in any member state of the EEA.
  • E. Personal Data means any information that identifies, describes, relates to, is capable of being associated with, or could reasonably be linked, directly or indirectly, to or with an identified or identifiable natural person, which is processed by Keelvar on Customer’s behalf, under this DPA and the Agreement between Customer and Processor.
  • F. Personal Data Breach means the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
  • G. Sub-processor means a third party that Keelvar engages to process any Personal Data under this DPA, as a Processor on Customer’s behalf.
  • H. Standard Contractual Clauses/SCC means the Appendix to the European Commission implementing Decision ((EU) 2021/914 of 4 June 2021) on Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en
  • I. Keelvar Security Measures means the security standards attached to this DPA as Annex III.
  • J. UK Addendum means the Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.
  • K. For clarity, this DPA covers any Processing that takes place pursuant to the CCPA and the CPRA. Therefore, the following references in the CCPA and the CPRA have the following meanings in this DPA:
    a. Business means Controller
    b. Service Provider means Processor
    c. Third Party means Sub-processor
    d. Personal Information means Personal Data
    e. Consumer means Data Subject

3. Roles and Processing of Personal Data

  • 3.1. With regard to the processing of Personal Data, the Parties agree that Customer is the Controller of Personal Data and Keelvar is the Processor of Personal Data.
  • 3.2. Annex I describes the scope of service; duration; nature and purpose of the processing; types of Personal Data; and categories of Data Subject types in respect of which Keelvar may process the Personal Data to provide the service.

4. Obligations of the Controller

  • The Controller shall remain responsible for complying with the provisions of the Applicable Data Protection Laws with regard to the processing of Personal Data, and stays responsible for the integrity, accuracy, content, reliability and legality of the Personal Data provided to Keelvar.

5. Obligations of the Processor

  • 5.1. Keelvar shall process the personal data only for the specific purpose(s) of the processing, as set out in Annex I, unless it receives further instructions from the Controller or additional processing is required by Applicable Data Protection Laws, in which case Keelvar shall process Controller Personal Data to the extent permitted by the Applicable Data Protection Laws.
  • 5.2. Keelvar shall grant access to the personal data undergoing processing to members of its personnel only to the extent strictly necessary for implementing, managing and monitoring of the contract. Keelvar shall ensure that persons authorized to process the personal data received have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • 5.3. Keelvar shall at least implement the technical and organizational measures specified in Annex III to ensure the security of the personal data. This includes protecting the data against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to the data (Personal Data Breach). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purposes of processing and the risks involved for the Data Subjects.
  • 5.4. Keelvar shall promptly notify the Controller of any request it has received from the Data Subject. It shall not respond to the request itself, unless authorized to do so by the Controller. The Processor shall assist the Controller in fulfilling its obligations to respond to Data Subjects’ requests to exercise their rights, taking into account the nature of the processing.
  • 5.5. To the extent the Controller Personal Data is subject to the CCPA:
    5.5.1. Keelvar will not sell or share Personal Data owned by the Controller, as defined.
    5.5.2. Keelvar will not use, retain or disclose the Controller Personal Data for any purpose other than those described under this Agreement.
  • 5.6. Upon reasonable written request, Keelvar will reasonably cooperate with and provide reasonable assistance to the Controller as it relates to Controller’s undertaking any Data Protection Impact Assessments (DPIAs) and/or prior consultations with any appropriate authority under Applicable Data Protection Laws.

6. Audit

  • 6.1. Keelvar shall deal promptly and adequately with inquiries from the Controller about the processing of data in accordance with this DPA.
  • 6.2. Keelvar shall make available to the Controller all information necessary to demonstrate compliance with the obligations that are set out in this DPA. At the Controller’s request, Keelvar shall also permit and contribute to audits of the processing activities covered by this DPA, at reasonable intervals or if there are indications of non-compliance.
  • 6.3. In deciding on a review or an audit, the Controller may take into account relevant certifications held by Keelvar, and recognize that the obligations under this clause may be satisfied in whole or part by the provision to the Controller of appropriate information, certifications and/or audit reports issued by reputable independent third parties, as long as there were no material changes to the controls used by Keelvar since the certification or audit report was issued.
  • 6.4. The Controller may choose to conduct the audit by itself or mandate an independent auditor. Audits may also include inspections at the premises or physical facilities of Keelvar and shall, where appropriate, be carried out with reasonable notice.

7. Sub-processors

  • 7.1. Keelvar has the Controller’s general authorisation for the engagement of Sub-processors from the agreed list under ANNEX IV.
  • 7.2. For the duration of the Agreement, or if the Customer subscribes to automatically receive updates by following the relevant instructions on the Sub-processor online page, Keelvar shall inform the Controller at least 30 days in advance, via email, of any changes to the list of Sub-processors, thereby giving the Controller sufficient time to be able to object to such changes prior to the engagement of the concerned Sub-processor(s).
  • 7.3. Where Keelvar engages a Sub-processor for carrying out specific processing activities (on behalf of the Controller), it shall do so by way of a contract which imposes on the Sub-processor, in substance, the same data protection obligations as the ones imposed on the data Processor in accordance with this DPA.
  • 7.4. At the Controller’s request, Keelvar shall provide a copy of such a Sub-processor agreement and any subsequent amendments to the Controller. To the extent necessary to protect business secrets or other confidential information, including personal data, Keelvar may redact the text of the agreement prior to sharing the copy.
  • 7.5. Keelvar shall remain fully responsible to the Controller for the performance of the Sub-processor’s obligations in accordance with its contract with the Processor. Keelvar shall notify the Controller of any failure by the Sub-processor to fulfill its contractual obligations.
  • 7.6. Keelvar shall agree a third party beneficiary clause with the Sub-processor whereby - in the event the Processor has factually disappeared, ceased to exist in law or has become insolvent - the Controller shall have the right to terminate the Sub-processor contract and to instruct the Sub-processor to erase or return the personal data.

8. International transfers

  • 8.1. The Controller authorizes Keelvar and its Sub-processors to make international transfers of the Personal Data in accordance with this DPA, as long as Applicable Data Protection Laws and respective measures for such transfers are respected.
  • 8.2. Such measures may include but are not limited to:
    8.2.1. transferring the Controller’s data to a recipient in a country subjected to a recognized framework, or deemed as adequate by the European Commission as providing an adequate level of protection for personal data;
    8.2.2. or, where applicable and as listed under Annex II, to a recipient that has executed Standard Contractual Clauses together with any supplementary measures that may be necessary.

9. Notification of a Personal Data Breach

  • 9.1. In the event Keelvar becomes aware of a Personal Data Breach, Keelvar shall cooperate with the Controller in order to comply with its obligations under Applicable Data Protection Laws, as well as, without undue delay, take reasonable steps to notify the Controller.
  • 9.2. Such notification shall contain, at least:
    9.2.1. a description of the nature of the breach (including, where possible, the categories and approximate number of Data Subjects and data records concerned);
    9.2.2. the details of a contact point where more information concerning the Personal Data Breach can be obtained;
    9.2.3. its likely consequences and the measures taken or proposed to be taken to address the breach, including to mitigate its possible adverse effects.
    9.2.4. Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.

10. Duration and Termination

  • 10.1. This DPA shall remain in force for the duration of the Agreement.
  • 10.2. Following termination of the contract, Keelvar shall, at the choice of the Controller, delete all personal data processed on behalf of the Controller within 60 days and certify to the Controller that it has done so, or return all the personal data and delete existing copies unless Applicable Data Protection Laws require storage of the personal data. Until the data is deleted or returned, Keelvar shall continue to ensure compliance with this DPA.
    10.2.1 In the absence of a specific request within sixty (60) days after termination, Keelvar shall have the right to delete all Controller’s personal data.

11. Miscellaneous

  • 11.1. Liability. The Parties’ liability stipulated in the Agreement shall apply to this DPA, unless otherwise stated by Applicable Data Protection Laws.
  • 11.2. Governing law and dispute resolution. This DPA is governed by the laws governing the Agreement. Any dispute arising in connection with this Agreement, which the Parties will not be able to resolve amicably, will be submitted to the exclusive jurisdiction of the courts referenced in the Agreement.


ANNEX I - DATA PROCESSING DESCRIPTION

LIST OF PARTIES

  • Controller(s):
    Name:
    Address:
    Contact person’s name:
    Contact person’s position:
    Contact person’s email:
    Signature:
    Date:
  • Processor(s):
    Name: Keelvar Systems Ltd.
    Address: 2B, 6 Lapps Quay, Cork, Ireland
    Contact person’s name: 
    Contact person’s position: 
    Contact person’s email: privacy@keelvar.com
    Signature: 
    Date:

DESCRIPTION OF PROCESSING

1. Scope of Service

  • Keelvar SaaS solution offers advanced eSourcing and automation capabilities including RFI, RFQ, and eAuctions between purchasing and bidder organizations, as described in service terms and on the Keelvar Support Portal.

2. Frequency of the transfer

  • Personal data will be transferred on a continuous basis, for the duration of the Agreement.

3. Nature and purpose of the processing

  • Keelvar will process personal data as the Customer's Processor in order to enable the use of the SaaS Services as defined under the Terms & Conditions according to documented instructions (in accordance with the service functionality) of the Customer and/or its users. This essentially covers the processing of the transmitted content as well as the organization of the contents of the user account. When using Keelvar platform, Keelvar will carry out the following processing of personal data on behalf of the Customer:
    • Processing of data in the context of user registration and session management
    • Processing in the context of data analysis for service.
    • Processing user generated content such as messages between bidders and purchasers as well as file uploads
    • Processing user details when matching bidders and purchaser preferences
    • Processing in the context of supporting the customer to resolve service issues
    • Processing customer details to provide product training (optional service for customers).

The further specification of Keelvar SaaS is provided under the Keelvar Support Portal.

4. Types of personal data

In connection with Keelvar SaaS, the following types of personal data are processed by Keelvar as a Processor:

  • A. User account information, e.g. name, email, user UUID, optional phone number, IP address, password.
  • B. Personal data processed in connection with password reset (e.g., email with reset link, assignment of the new password to the account) as well as trusted device management (e.g., email notifications to prevent misuse of a device for login).
  • C. User generated content data that is exchanged between Keelvar SaaS users during the use of this service such as file uploads and message content.
  • D. Personal data in connection with the optional user training including Email Address, Name, training logs (how many times a user attempts training, questions responses).
  • E. Personal data recording the session and connection interactions such as log files.
  • F. Personal data processed within the customer support tools to resolve issues including name, email, and messages notifying, updating, and reporting on raised tickets.

5. Categories of Data Subjects

The following categories of Data Subjects are affected by the data processing:

  • A. The Customers (to the extent that the Customer's personal data is processed in accordance with section 4) and, if applicable, the Customer's users.
  • B. Other Counterparties whose personal data is passed on by the Customer/the Customer users in a communication connection. 


ANNEX II - SCCs ADDENDUM (IF APPLICABLE)

  • 1. For transfer of personal data from the EEA to other countries with a non-adequate data protection level, the parties agree that the terms of the Standard Contractual Clauses (SCCs), as set out in the European Commission's Decision 2021/914 of 4 June 2021, are hereby incorporated by reference, and shall apply as follows:
    1.1. Module 2 (Controller to Processor) of the SCCs - shall apply when the Customer is the Controller and Keelvar is the Processor;

    1.2. Clause 7 - Docking Clause shall apply;

    1.3. Clause 9 - Option 2 (General Written Authorization) shall apply, and the time period to be set is described under clause ANNEX IV of this DPA;
    1.4. Clause 11 - optional text shall not apply;
    1.5. Clause 17 - Option 1 shall apply, and the EU SCCs will be governed by Irish law;
    1.6. Clause 18(b) - disputes shall be resolved before the courts of Ireland;
    1.7. Annex I of the EU SCCs - shall be deemed completed with the information set out in Annex I of this DPA;
    1.8. Annex II of the EU SCCs - shall be deemed completed with the information set out in Annex II of this DPA;
    1.9. Annex III of the EU SCCs - shall be deemed completed with the information set out in Annex IV of this DPA. Any Sub-processor name and contact can be provided by Keelvar upon request.

  • 2. For transfer of personal data from the UK to other countries with a non-adequate data protection level, the Parties agree that the terms of the UK Addendum, Version B1.0, in force 21 March 2022, are hereby incorporated by reference into this DPA and should be completed per below:

    2.1. Table 1: Start date - shall be deemed completed per the effective date of this Agreement;

    2.2. Table 1: Parties’ details - shall be deemed completed per Annex II of this DPA;
    2.3. Addendum EU SCCs - shall be deemed completed per clause 7.8(c) of this DPA;
    2.4. Table 3: Appendix Information (Annex 1A) - shall be deemed completed per Annex I of this DPA;
    2.5. Table 3: Appendix Information (Annex 1B) - shall be deemed completed per Annex II of this DPA;
    2.6. Table 3: Appendix Information (Annex II) - shall be deemed completed per Annex III of this DPA;
    2.7. Table 3: Appendix Information (Annex III) (Module 2) - shall be deemed completed per Annex IV (List of Sub-processors) of this DPA;
    2.8. Table 4: Ending this Addendum when the Approved Addendum Changes - Importer and Exporter options shall be deemed selected.

  • 3. For transfer of personal data from Switzerland to other countries with a non-adequate data protection level, the Parties agree that the terms of the Swiss Federal Data Protection Act are hereby incorporated by reference into this DPA and should be completed per below:

    3.1. References to Regulation (EU) 2016/679 shall be interpreted as references to the Swiss Federal Data Protection Act. References to articles under the same Regulation shall be replaced with the equivalent one under the Swiss Federal Data Protection Act;
    3.2. References to EU, Union, and Member State shall be replaced with Swiss Law and/or Switzerland;
    3.3. Member State shall not be interpreted in a way that would prevent Data Subjects in Switzerland from redressing their rights at their place of habitual residence (Switzerland);
    3.4. References to the competent supervisory authority and competent courts shall be interpreted as references to the Swiss Federal Data Protection Information Commissioner and the applicable Swiss courts;
    3.5. The SCCs shall be governed by the laws of Switzerland and disputes shall be resolved before the applicable Swiss courts.


ANNEX III: TECHNICAL AND ORG MEASURES

Please view a comprehensive list of our technical and organizational measures at https://www.keelvar.com/security.


ANNEX IV: LIST OF SUB-PROCESSORS

Please view the list of our Sub-processors at www.keelvar.com/legal/subprocessors

Please email privacy@keelvar.com for a signed copy of this agreement.
