7.3. Duration of the processing of personal data
7.4. Security of processing
7.5. Sensitive data
7.6 Documentation and compliance
7.7. Use of sub-processors
7.8. International transfers
9.1 Data breach concerning data processed by the controller
9.2 Data breach concerning data processed by the processor
Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
The Parties shall set out in Annex III all other elements to be provided by the processor when assisting the controller in the compliance with the controller’s obligations under Articles 33 and 34 of Regulation (EU) 2016/679.
Keelvar SaaS solution offers advanced eSourcing and automation capabilities including RFI, RFQ, and eAuctions between purchasing and bidder organizations, as described in service terms and on the Keelvar Support Portal.
Except as otherwise specified in your service upon termination of services or at your request, Keelvar will delete your data including its back-ups held in our data stores within 60 days or by our sub-processors unless there is a legal obligation imposed on Keelvar preventing it from deleting all or part of the data.
Keelvar will process personal data as the Customer's Processor in order to enable the use of the SaaS Services as defined under the Terms & Conditions according to documented instructions (in accordance with the service functionality) of the Customer and/or its users. This essentially covers the processing of the transmitted content as well as the organization of the contents of the user account. When using Keelvar platform, Keelvar will carry out the following processing of personal data on behalf of the Customer:
The further specification of Keelvar SaaS is provided under the Keelvar Support Portal.
In connection with Keelvar SaaS, the following types of personal data are processed by Keelvar as a Processor:
The following categories of data subjects are affected by the data processing:
Keelvar aligns our organizational and technical security and privacy measures in line with best practice, security standard ISO/IEC 27001:2013, privacy management standard ISO/IEC 27701:2019, and the GDPR. This Annex is structured based on the controls in ISO/IEC 27001:2013. Keelvar may update or modify security measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services. Keelvar maintains a security page at https://keelvar.com/securityThese Security Measures are in effect on the DPA Effective Date.
Keelvar monitors the internal and external factors relevant for appropriate security and privacy management, including understanding the needs of our customers. Keelvar has a defined information security and privacy management system in place, scoped to ensure appropriate security measures for Services. Keelvar is the data processor in the context of the Services.
Keelvar’s management is committed to a strong information security and privacy management system with appropriate resources, objectives, and continual improvement as key components. Keelvar has developed a Policy framework appropriate to the organization with key leadership roles and responsibilities defined in relation to information security, including a dedicated Chief Information Security Officer.
Keelvar ensures information security objectives and planning is in line with and responsive to external changes including new threats or regulatory changes. Risk assessments are reviewed at regular intervals based on Keelvar’s Risk Assessment Methodology. Risk treatments are actioned based on risk analysis. Keelvar maintains a Statement Of Applicability in line with ISO/IEC 27001:2013 and ISO/IEC 27701:2019 controls.
Keelvar ensures the information security and privacy systems have appropriate support and resources to fulfill information security objectives and continual improvement. Keelvar employees are hired through a structured recruitment process to ensure competence in their role, and with additional training and awareness support provided during their employment. All employees are trained on Keelvar policies importance of information security and privacy. Keelvar Service status and uptime is accessible at https://status.keelvar.com for communication on Service uptime.
Keelvar's Security Steering Group is made up of senior leadership and management. This group meets on a quarterly basis to review the continuing suitability, adequacy, and effectiveness of our information security and privacy management system. Key inputs to these reviews are results from internal audits, security KPIs, penetration test results, and risk assessments. Keelvar has contracted an external security consultancy to perform internal audits on our behalf. External audits are completed yearly as part of our ISO/IEC 27001:2013 certification programme.
Keelvar manages nonconformities identified in the implementation or auditing of our security and privacy system. Nonconformities, incident actions, and other findings are logged and corrective actions planned and implemented. Keelvar has committed to continued improvement in line with our information security objectives and planning.
Keelvar has a comprehensive set of information security policies in line with ISO/IEC 27001:2013 and ISO/IEC 27701:2019 requirements. Policies are reviewed on a yearly basis. Policy changes are approved by management and communicated to all employees.
Keelvar’s Information Security Policy outlines roles and responsibilities for employees and contractors. Keelvar applies segregation of duties to all employees and contractors based on the principle of least privilege. Access is granted to systems and data based on role and responsibility. Systems have a defined information owner who administers the system and implements the joiner, mover, leaver procedures to ensure access has management approval and permission is revoked as soon as no longer required. Keelvar maintains contact with relevant authorities and special interest groups to ensure we remain up to date in the areas of information security and privacy.
Mobile device management software is installed on employee laptops facilitating auditing and compliance in line with mobile computing and teleworking policy. Employee laptops are encrypted, have controls in place against malware, and are patched to a secure OS version.
Keelvar employs a multistage interview process to ensure a candidate's competence for the role and fit to Keelvar ethics and culture. Background checks such as references, identity, and academic records are verified in line with jurisdiction. Employee contracts have clauses for confidentiality, protection of intellectual property, and disciplinary procedure.
Keelvar uses a security awareness and training platform to streamline employee security training both for new hires and existing employees. Policy training, data protection/privacy, security best practices along with department or role specific training is included. Regular employee phishing tests are performed and results reported on.
Keelvar maintains an asset register tracking physical and information assets from acquisition through to asset destruction and disposal. Assets are assigned an owner, classified, and acceptable usage and handling documented.
Keelvar operates an access control policy with the principle of least privilege where access to data and systems is granted to employees whose role and responsibility requires access. Keelvar implements joiner/mover/leaver procedures in conjunction with security audits to ensure access is approved. Access is removed as soon as it is no longer required. Keelvar uses SSO including multi-factor authentication on systems and mandates the use of strong and unique passwords per service. Access to production data is restricted to approved employees whose role and responsibilities require it.
All data in transit and at rest is encrypted in our infrastructure. Traffic from the public internet is encrypted using TLS 1.2 and decrypted at our load balancer before being re-encrypted for communication to application servers. Application server and database volumes are encrypted with AES-256, with keys stored in FIPS 140-2 compliant hardware security modules. Communication between application servers and databases is encrypted with a certificate signed by AWS CA.
Keelvar uses Amazon AWS IaaS for hosting of the Service based on a shared responsibility model. AWS has responsibility for “Security of the Cloud” involving protecting the infrastructure that runs all of the services offered in the AWS Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services. AWS has comprehensive security certifications including ISO/IEC 27001:2013. Further details are provided here: https://aws.amazon.com/compliance/programs/
Keelvar works on a quarterly cadence of goal setting allowing for structured planning and change management. Keelvar has a change management system where policies and procedures ensure stringent analysis, design, implementation, review, test, and release phases. Product, Development, QA, and DevOps teams collaborate in the change management process. Code changes undergo full review and quality assurance via automated and manual testing before being approved for release. Hotfix releases follow the same process but are actioned and deployed outside of the standard release cycle where a serious issue has been identified. Keelvar maintains a separation of development, test, and production environments within our AWS infrastructure.
The Service scans all uploaded files with antivirus software and will quarantine any detected malicious files. The Service uses Amazon GuardDuty for threat detection and notification within our infrastructure. Suspicious behavior is automatically alerted to our DevOps team for investigation. Employee laptops have controls against malware in place.
Machine images, databases, and files are securely backed up in Amazon AWS. The underlying backup storage is via the high availability S3 data storage service. Point in time recovery is enabled on the database with 30 days of database daily backups maintained. A nightly snapshot is synchronized to a separate AWS data center for failover purposes.
Keelvar has detailed logging, monitoring, and alerting for our application health and infrastructure. Our application API exposes a health check endpoint that is called frequently to monitor application health and uptime. AWS Cloudwatch monitors server CPU, memory, disk space, and will alarm when specified thresholds are reached. Logs from application usage are securely stored for audit purposes.
Keelvar uses GitHub as the repository for our application source code, dependencies, and infrastructure code including strong inbuilt auditing controls. Keelvar receives security alerts from multiple sources for triage and actioning, including GitHub Dependabot alerts for when one of our dependencies has a vulnerability.
Keelvar uses a combination of AWS Virtual Private Clouds (VPCs), VPC subnets, Network Access Control Lists (Network ACLs), AWS Security Groups, and AWS DB Subnet Groups to provide logical network level isolation between production and lower environments, and between the public internet and non-public infrastructure components. This follows a defense in depth design. Keelvar uses AWS Security Hub and Inspector to support the auditing of security controls and configuration. All data is encrypted in transit and at rest in our infrastructure.
Keelvar has a software development life cycle and secure coding policy that considers security during the change management process. Third party dependencies are security assessed and packages are retrieved from secure package managers. Code development occurs on a feature code branch and follows OWASP secure coding principles. A suite of automated security tests is run using GitHub Actions on each request to merge code. Additional workflow steps are automated including static code analysis (e.g. flake8, shell-linter, bandit). All code is manually reviewed before being approved for merging. Keelvar incorporates front end and back end web frameworks as core security building blocks. A formal QA process is initiated in a segregated QA environment for each release candidate, involving manual and automated functional, regression, performance, and security testing. Releases to production are typically zero downtime and follow strict change management procedures. Where production data is required for test or analysis purposes, appropriate technical and organizational controls are in place including minimisation of data, pseudonymisation of PII data, and limitation on data retention.
Keelvar assesses suppliers from an information security perspective including compliance with data protection regulations before approving suppliers. Keelvar monitors suppliers on an ongoing basis.
Keelvar has documented incident management procedures to ensure Keelvar appropriately responds to any suspected or actual incident. Responsibilities and steps for incident reporting, response, customer reporting, resolution, and actioning improvements are documented.
Keelvar maintains business continuity and disaster recovery plans focusing both on preventing outage through redundancy of telecommunications, systems and business operations, and on rapid recovery strategies in the event of unavailability. Keelvar has disaster recovery infrastructure in Frankfurt, Germany (eu-central-1) to allow failover should our primary datacenter in Dublin, Ireland (eu-west-1) encounter availability issues. Keelvar performs regular testing to verify an RTO and RPO of 24 hours.
Keelvar monitors compliance with legal and contractual requirements and has committed to an internal and external auditing program in compliance with ISO/IEC 27001:2013. Yearly independent penetration tests are completed.
The following processors will be used by Keelvar SaaS as part of the core functionality.
IaaS / Core System functionality / data storage / Back-Up
Sends operational email messages including during user registration procedure and service usage such as alerts and event invitations.
Customer and user support.
Business operation tools including email/calendar for customer communication. User emails sent email@example.com processed by Google.
Analysing service usage to improve service performance for customers.
Wildbit, LLC, 225 Chestnut St., Philadelphia, PA, 19106, USA.
LearnUpon Limited, First Floor Ocean House, Arran Quay, Dublin 7, D07 DHT3, Ireland.
InnoCraft Ltd,7 Waterloo Quay,PO Box 625,6140 Wellington,New Zealand
Zendesk, Inc., 1019 Market St, San Francisco, CA 94103.
Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland
Product analytics to improve user and product experience.
To provide users training on product functionality.
Planhat AB, c/o PE Accounting, BOX 90255, 12024, Stockholm, Sweden.
Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855, Luxembourg.
Please email firstname.lastname@example.org for a signed copy of this agreement.