Keygraph Data Processing Addendum
Scope and Application
These Standard Data Processing Terms form the Keygraph Data Processing Addendum (the "DPA") and apply to Customer's use of the Keygraph Cloud Service to the extent Keygraph Processes Customer Personal Data on Customer's behalf under the Keygraph Cloud Service Agreement (the "Agreement"). These Standard Data Processing Terms are referred to in this DPA as the "Standard DPA Terms".
If Customer and Keygraph have executed a separately signed data processing agreement or addendum, that signed agreement or addendum controls in all respects and these Standard DPA Terms do not apply. These Standard DPA Terms apply only to Customers who have not executed a separately signed data processing agreement or addendum with Keygraph.
Updates to These Terms
Keygraph may update these Standard DPA Terms from time to time. Material changes will be notified by email to Customer's designated administrator and by updating the "Last Updated" date above, in each case at least thirty (30) days before the change takes effect. Continued use of the Cloud Service after the effective date constitutes acceptance.
Keygraph will not update these Standard DPA Terms in a manner that materially reduces the level of protection for Customer Personal Data during the then-current subscription term, unless required by Applicable Data Protection Laws or agreed by Customer. The EEA SCCs and the UK Addendum cannot be modified except as permitted by those instruments.
1. Definitions
Capitalized terms used but not defined here have the meanings given in the Agreement.
"Applicable Data Protection Laws" means all laws and regulations applicable to the Processing of Personal Data under the Agreement, including, where applicable, the GDPR, the UK GDPR, the Swiss Federal Data Protection Act, the CCPA, and any other applicable U.S. state privacy laws.
"CCPA" means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, and binding regulations promulgated thereunder.
"Controller" has the meaning given in Applicable Data Protection Laws.
"Customer Personal Data" means Personal Data that Customer uploads or provides to Keygraph (or that Keygraph collects from systems Customer has authorized) as part of the Cloud Service.
"EEA" means the European Economic Area.
"EEA SCCs" means the standard contractual clauses annexed to European Commission Implementing Decision 2021/914 of 4 June 2021.
"GDPR" means European Union Regulation 2016/679.
"Personal Data" has the meaning given in Applicable Data Protection Laws.
"Processing" or "Process" has the meaning given in Applicable Data Protection Laws.
"Processor" has the meaning given in Applicable Data Protection Laws.
"Restricted Transfer" means (a) where the GDPR applies, a transfer of Personal Data from the EEA to a country outside of the EEA which is not subject to an adequacy determination by the European Commission; and (b) where the UK GDPR applies, a transfer of Personal Data from the United Kingdom to any other country which is not subject to adequacy regulations adopted pursuant to Section 17A of the UK Data Protection Act 2018.
"Security Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data within Keygraph's control or within the control of Keygraph's Subprocessors, excluding Customer AI Providers and Customer-selected Third-Party Services; provided that unsuccessful attempts that do not result in actual unauthorized access to or loss of Customer Personal Data are not Security Incidents.
"Special Category Data" has the meaning given in Article 9 of the GDPR.
"Subprocessor" has the meaning given in Applicable Data Protection Laws.
"UK GDPR" means European Union Regulation 2016/679 as implemented by section 3 of the UK European Union (Withdrawal) Act of 2018 in the United Kingdom.
"UK Addendum" means the international data transfer addendum to the EEA SCCs issued by the UK Information Commissioner's Office.
2. Roles and Processing
2.1 Roles of the Parties
With respect to Customer Personal Data, Customer is the Controller (or, where Customer is itself a Processor, Customer's customer is the Controller and Customer is the Processor) and Keygraph is the Processor (or Subprocessor, as applicable).
2.2 Processing Instructions
Customer instructs Keygraph to Process Customer Personal Data: (a) to provide and maintain the Cloud Service; (b) as further specified through Customer's use of the Cloud Service (including Customer's configuration choices, integrations, and administrative actions); (c) as documented in the Agreement; and (d) as documented in any other written instructions given by Customer and acknowledged by Keygraph. Keygraph will abide by these instructions unless prohibited by Applicable Laws and will inform Customer if it cannot follow them.
2.3 Processing by Keygraph
Keygraph will only Process Customer Personal Data in accordance with these Standard DPA Terms. If Keygraph updates the Cloud Service to add or modify products, features, or functionality, Keygraph may update the categories of Personal Data Processed, the nature and purpose of Processing, and related Processing details by updating these Standard DPA Terms in accordance with the "Updates to These Terms" section above.
2.4 Customer Obligations
Customer represents and warrants that it has complied with and will continue to comply with all Applicable Data Protection Laws concerning its provision of Customer Personal Data to Keygraph, including making all required disclosures, obtaining all required consents, and implementing relevant safeguards. Customer is responsible for the lawfulness of any data it elects to submit to the Cloud Service.
2.5 No Model Training; Restricted Use
For purposes of this Section, "Protected AI Data" means Customer Personal Data, Customer Content, customer-specific embeddings, model inputs, model outputs, retrieved context, content-bearing agent traces, and Usage Data attributable to an identified or identifiable Customer. Keygraph will not use Protected AI Data to train or fine-tune any generalized or shared AI or machine learning model, including any third-party model. Keygraph will not itself opt in to, configure, or authorize any third-party model provider to use Customer Content transmitted by Keygraph for such training or fine-tuning, except as Customer expressly instructs. Keygraph may process Protected AI Data solely to deliver the Cloud Service to Customer in accordance with Customer's configuration and instructions, and will not use customer-specific embeddings, runtime context, or content-bearing agent traces for other customers or third parties. Keygraph will not use raw Customer Content, prompts, model outputs, retrieved context, customer-specific embeddings, or content-bearing agent traces to create shared evaluation datasets or benchmarks except with Customer's express written opt-in. This Section does not limit Keygraph's ability to use aggregated, de-identified, or otherwise non-identifying Usage Data and operational telemetry as permitted by the Agreement.
3. Subprocessors
3.1 General Authorization
Customer provides a general authorization for Keygraph to engage Subprocessors to Process Customer Personal Data. The current list of Keygraph's Subprocessors is published at keygraph.io/subprocessors and is updated from time to time.
3.2 Notice of Changes
The list of Keygraph's Subprocessors is published at keygraph.io/subprocessors, which is the authoritative source for the current list. Keygraph will provide notice at least ten (10) business days before authorizing any new or replacement Subprocessor to Process Customer Personal Data. Notice is provided by updating the Subprocessor page and, where Customer has subscribed to updates or where required by Applicable Data Protection Laws or the SCCs, by email or other written notice. Customer is responsible for monitoring the published list. Customer may also email legal@keygraph.io to confirm the current list at any time. Changes that do not involve the Processing of Customer Personal Data do not require notice.
3.3 Objection Right
If Customer objects in writing to a new Subprocessor within ten (10) business days of notice, the objection must (i) be made by Customer's designated administrator, (ii) identify specific, reasonable, documented data-protection deficiencies of the proposed Subprocessor under Applicable Data Protection Laws, and (iii) not be based on commercial, competitive, or non–data-protection considerations. If the parties cannot agree on a resolution within forty-five (45) days of a properly noticed objection, Keygraph may elect to either (x) refrain from using the proposed Subprocessor with respect to Customer's tenant (if technically feasible without material impact on the Cloud Service), or (y) allow Customer to terminate the affected portion of the Cloud Service (limited to the portion that requires the new Subprocessor), with a refund of pre-paid, unused fees for the terminated portion only. Termination under this Section is Customer's sole and exclusive remedy.
3.4 Subprocessor Obligations
When engaging a Subprocessor that will Process Customer Personal Data, Keygraph will impose data-protection obligations on the Subprocessor that are substantially equivalent to the obligations applicable to Keygraph under these Standard DPA Terms, taking into account the nature of the Subprocessor's services.
3.5 Subprocessor Information on Request
Upon Customer's reasonable written request, Keygraph will make available a summary or description of the material data-protection terms applicable to its Subprocessors. Keygraph will provide such information on a confidential basis and no more than once in any twelve (12) month period, absent (a) a Security Incident materially affecting Customer or (b) a documented regulatory requirement. To the extent Applicable Data Protection Laws (including Article 28(9) of the GDPR) require Keygraph to make available a copy of its data-protection terms with a particular Subprocessor, Keygraph may redact commercial terms and other non–data-protection content prior to providing such copy.
3.6 Keygraph Responsibility
As required by Article 28(4) of the GDPR, Keygraph remains responsible for its Subprocessors' performance of the data-protection obligations subcontracted to them under these Standard DPA Terms, subject to the limitations of liability in the Agreement. Keygraph will notify Customer without undue delay upon becoming aware of any material failure by a Subprocessor to fulfill its data-protection obligations with respect to Customer Personal Data.
4. International Data Transfers
4.1 Authorization
Customer agrees that Keygraph may transfer Customer Personal Data outside the EEA, the United Kingdom, or other relevant geographic territory as necessary to provide the Cloud Service. If Keygraph transfers Customer Personal Data to a territory for which the European Commission or other relevant supervisory authority has not issued an adequacy decision, Keygraph will implement appropriate safeguards consistent with Applicable Data Protection Laws.
4.2 EEA Transfers (Standard Contractual Clauses)
If the GDPR protects the transfer of Customer Personal Data, the transfer is from Customer within the EEA to Keygraph outside the EEA, and the transfer is not governed by an adequacy decision, then by accepting the Agreement and these Standard DPA Terms, Customer and Keygraph are deemed to have signed the EEA SCCs and their Annexes, which are incorporated by reference. The EEA SCCs are completed as follows:
- Module Two (Controller to Processor) applies when Customer is a Controller and Keygraph is Processing Customer Personal Data for Customer as a Processor.
- Module Three (Processor to Subprocessor) applies when Customer is a Processor and Keygraph is Processing Customer Personal Data on behalf of Customer as a Subprocessor.
- For each module:
  - The optional docking clause in Clause 7 does not apply.
  - In Clause 9, Option 2 (general written authorization) applies; the minimum time period for prior notice of Subprocessor changes is ten (10) business days (consistent with Section 3.2 above).
  - In Clause 11, the optional language does not apply.
  - All square brackets in Clause 13 are removed.
  - In Clause 17 (Option 1), the EEA SCCs are governed by the laws of Ireland.
  - In Clause 18(b), disputes will be resolved in the courts of Ireland.
- The Annexes to the EEA SCCs are completed using the information in Section 8 of these Standard DPA Terms.
4.3 UK Transfers (UK Addendum)
If the UK GDPR protects the transfer of Customer Personal Data, the transfer is from Customer within the UK to Keygraph outside the UK, and the transfer is not governed by an adequacy decision, then by accepting the Agreement and these Standard DPA Terms, Customer and Keygraph are deemed to have signed the UK Addendum and its Annexes, which are incorporated by reference. The UK Addendum is governed by the laws of England and Wales. Section 8 of these Standard DPA Terms provides the information required by Tables 1, 2, and 4 of the UK Addendum. Neither party may end the UK Addendum as set out in Section 19 of the UK Addendum.
4.4 Swiss Transfers
For Personal Data transfers where Swiss law applies, references to the GDPR in Clause 4 of the EEA SCCs are amended to refer to the Swiss Federal Data Protection Act, and the concept of supervisory authority includes the Swiss Federal Data Protection and Information Commissioner.
5. Security Incident Response
Upon becoming aware of any Security Incident, Keygraph will: (a) notify Customer without undue delay, and in any event no later than seventy-two (72) hours after Keygraph becomes aware of the Security Incident; (b) provide timely information about the Security Incident as it becomes known or as is reasonably requested by Customer, to the extent then known and to the extent providing such information does not compromise the integrity of the investigation or violate Applicable Laws; and (c) promptly take reasonable steps to contain, investigate, and mitigate the Security Incident. Keygraph may provide information in phases as it becomes available, and any initial notice will not constitute an acknowledgment of fault, liability, or final determination. Keygraph's notification of or response to a Security Incident will not be construed as an acknowledgment of fault or liability. Keygraph's notification obligations under this Section do not apply to unsuccessful attempts to interfere with the Cloud Service or its operation (including unsuccessful log-on attempts, pings, port scans, denial-of-service attacks, and other network attacks on firewalls or networked systems) that do not result in actual unauthorized access to, or loss of, Customer Personal Data.
6. Audit and Reports
6.1 Audit Rights
Keygraph will give Customer information reasonably necessary to demonstrate its compliance with these Standard DPA Terms, subject to this Section. Keygraph may restrict access to data or information if Customer's access would negatively impact Keygraph's intellectual property rights, Keygraph's confidentiality obligations to third parties, the security of Keygraph's systems or other customers' data, or other obligations under Applicable Laws. Customer will exercise its audit rights under these Standard DPA Terms and any audit rights granted by Applicable Data Protection Laws by instructing Keygraph to comply with the reporting and due-diligence requirements in this Section. Keygraph will maintain records of its compliance with these Standard DPA Terms for three (3) years.
6.2 Security Reports
Keygraph maintains a SOC 2 Type II audit conducted annually by an independent third-party auditor. Upon written request, Keygraph will make available to Customer, on a confidential basis under appropriate non-disclosure terms, a copy of its then-current SOC 2 Type II report or, where available, an executive summary thereof.
6.3 Security Due Diligence
Keygraph will respond to reasonable requests for information made by Customer to confirm Keygraph's compliance with these Standard DPA Terms, including responses to information security questionnaires. All such requests must be made in writing to security@keygraph.io and, absent (a) a Security Incident materially affecting Customer or (b) a documented regulatory or material customer-policy requirement, may be made no more than once in any 12-month period. Keygraph will use reasonable efforts to respond within thirty (30) days. Any on-site audit will be subject to a separate written agreement, may not occur more than once in any 24-month period absent a Security Incident or regulator order, must be conducted by qualified personnel under reasonable confidentiality and security protections, may not unreasonably interfere with Keygraph's operations or other customers' data, and will be at Customer's sole expense.
7. Cooperation, Data Subject Rights, and Deletion
7.1 Cooperation
If Keygraph receives any inquiry or request from anyone other than Customer about the Processing of Customer Personal Data (including a judicial, administrative, or regulatory order, or a request from a data subject), Keygraph will notify Customer where legally permitted. Where Keygraph is legally compelled to respond, Keygraph will disclose only the Customer Personal Data it is legally required to disclose and will, where legally permitted, use reasonable efforts to limit the scope of any such disclosure. If a data subject makes a valid request under Applicable Data Protection Laws to delete, or to opt out of, Customer's provision of that data subject's Customer Personal Data to Keygraph, Keygraph will assist Customer in fulfilling the request. Keygraph will cooperate with and provide reasonable assistance to Customer, at Customer's expense for non-routine assistance, in any legal response or procedural action.
7.2 DPIAs and DTIAs
If required by Applicable Data Protection Laws, Keygraph will reasonably assist Customer in conducting any mandated data protection impact assessments or data transfer impact assessments and consultations with relevant data protection authorities, taking into consideration the nature of the Processing and the information reasonably available to Keygraph.
7.3 Deletion
Keygraph will enable Customer to delete Customer Personal Data in a manner consistent with the functionality of the Cloud Service. After termination or expiration of the Agreement, Keygraph will make Customer Personal Data available for export in a commercially reasonable format upon Customer's written request made within thirty (30) days of termination, to the extent such Customer Personal Data is then available in Customer's tenant and supported by Keygraph's then-current export functionality or another commercially reasonable method. Following the export period (or, if no export is requested, following the date of termination), Keygraph will delete or render inaccessible Customer Personal Data from active production systems within sixty (60) days, unless retention is required by Applicable Law, legal hold, dispute-resolution obligations, or retention in routine backups subject to documented retention schedules and overwrite cycles.
8. Description of Processing (SCC Annex I and Annex II)
8.1 List of Parties (Annex I.A)
Data Exporter: Customer (Controller, or Processor where applicable). Contact details as provided by Customer in its Cloud Service account.
Data Importer: Keygraph, Inc., a Delaware corporation. Notice/Mailing Address: 2261 Market Street STE 22013, San Francisco, CA 94114, USA. Contact: Keygraph Legal — legal@keygraph.io. Role: Processor (or Subprocessor where applicable).
8.2 Description of Transfer and Processing (Annex I.B)
Service: Keygraph's AI-native, agentic application security platform (the "Cloud Service"), which consolidates application security tooling into a single integrated solution for finding, triaging, fixing, and verifying remediation of vulnerabilities. The Cloud Service unifies penetration testing workflows, static application security testing (SAST), software composition analysis (SCA), secrets scanning, container scanning, CI/CD integration, findings management, ticketing integration, and assistive code patching on a single deduplicated data model. The Cloud Service includes related support and professional services.
Data Storage Location: At account setup, Customer may elect the EU Data Residency option, in which case Customer Content stored at rest in the production tenant database and object storage of the Cloud Service is stored in Amazon Web Services regions located within the EEA. The election is permanent for the life of the account. This storage commitment does not apply to account metadata, billing data, support communications, security telemetry, Usage Data, Operational Telemetry, operational logs, personnel access, edge/CDN/security processing, transactional email, Customer-selected Third-Party Services, or Customer AI Providers. Those activities are governed by these Standard DPA Terms generally, including applicable transfer safeguards. Keygraph is incorporated in the United States, and Keygraph personnel may access Customer Personal Data from the United States and other jurisdictions outside the EEA to provide, support, secure, monitor, troubleshoot, and improve the Cloud Service for Customer. Such access is subject to the EEA SCCs and UK Addendum (Section 4 above) and the technical and organizational measures in Section 8.5 below.
AI Features: AI features of the Cloud Service operate on a Bring-Your-Own-Key ("BYOK") basis against Customer AI Providers designated by Customer using Customer's own credentials. Customer's BYOK configuration controls the Customer AI Provider, credentials, account, and provider-side settings, but not each individual prompt, request, context item, tool output, or data element transmitted by the Cloud Service during ordinary operation. When Customer enables or uses AI features, Customer instructs Keygraph to transmit Customer Content, prompts, model outputs, retrieved context, and related operational metadata to the Customer AI Provider as reasonably necessary to provide those features, subject to the Agreement, these Standard DPA Terms, Documentation, and Customer's available configuration settings. Customer AI Providers are Customer's vendors, not Keygraph Subprocessors, and Keygraph does not maintain agreements with them for Processing Customer Content. Keygraph-operated routing, logging, observability, security, and support infrastructure that transmits, processes, or stores Customer Content remains part of the Cloud Service and is governed by the Agreement and these Standard DPA Terms. Keygraph does not use Customer Content (including AI prompts and responses) to train or fine-tune any generalized or shared AI or machine learning model, consistent with Section 2.5.
Categories of Data Subjects:
- Customer's developers, security personnel, and other employees and contractors who use or are referenced in the Cloud Service
- Customer's administrators and designated representatives
- Other individuals whose Personal Data may be incidentally present in source code, code artifacts, container images, vulnerability findings, ticketing data, or other Customer Content that Customer elects to submit to the Cloud Service (Customer is strongly advised not to submit Personal Data of end users or other individuals that is not necessary for application security testing)
Categories of Personal Data:
- Identity and contact data: name, business email address, and (where applicable) username of administrators, developers, and other authorized users
- Authentication data via Customer-controlled identity provider (Google SSO or SAML): identity-provider claims (email, name, group/role assertions) and session metadata
- System and usage data: IP address, browser and operating system, activity and audit logs, and feature usage associated with authorized users
- Source code and code artifacts (Customer-authorized): source code repositories, files, diffs, commits, branches, pull request metadata, and related artifacts that Customer expressly authorizes the Cloud Service to access (e.g., for SAST, SCA, secrets scanning, and assistive code patching), which may incidentally contain Personal Data of authors (commit metadata) or other individuals embedded in code, comments, or test fixtures
- Container images and image artifacts (Customer-authorized): container images, image manifests, layers, and software bill-of-materials information that Customer expressly authorizes the Cloud Service to scan
- CI/CD and pipeline metadata: build, pipeline, and deployment event metadata, commit and pull request metadata, and associated actor identifiers
- Code-hosting and ticketing integration metadata (Customer-authorized): repository, organization, and project metadata, access tokens for integration purposes, issue/ticket metadata, and related workflow configuration from systems such as GitHub, GitLab, Bitbucket, Jira, and Linear
- Vulnerability findings and pentest workflow data: detected vulnerabilities, deduplicated finding records, severity and triage metadata, suggested or applied code patches, remediation status, evidence artifacts, and remediation tracking data
- AI request and response data: prompts and responses exchanged with Customer AI Providers in connection with AI features of the Cloud Service
- Support and communication data: support tickets, chat, email, and error/troubleshooting data
Special Category Data: Keygraph does not intentionally collect Special Category Data and the Cloud Service is not designed or intended to Process Special Category Data. Keygraph strongly advises Customer not to submit Personal Data (including Special Category Data) to the Cloud Service that is not necessary for application security testing. Any Special Category Data that may be incidentally present in Customer Content is the responsibility of Customer to identify, lawfully process, and where appropriate exclude or redact before submission. To the extent the Agreement (including any restriction on Prohibited Data or similar category) prohibits Customer from submitting Special Category Data or other Personal Data, that prohibition applies only to intentional submission by or on behalf of Customer; the incidental presence of such data in Customer Content is not a breach of any such prohibition and is governed by these Standard DPA Terms.
Frequency of Transfer: Continuous and on-demand, throughout the term of the Agreement.
Nature and Purpose of Processing: Vulnerability discovery (SAST, SCA, secrets scanning, container scanning, in each case against Customer-authorized assets); penetration testing workflow orchestration; findings management (deduplication, triage, prioritization, remediation tracking); assistive code patching against Customer AI Providers (BYOK); remediation verification; CI/CD integration; ticketing integration; metrics and reporting; authentication and access management via Customer-controlled identity providers; audit and security logging; customer support; operating, securing, monitoring, troubleshooting, and improving the Cloud Service for Customer; and using Usage Data and operational telemetry as permitted by the Agreement.
Duration of Processing: Keygraph will Process Customer Personal Data for as long as required to provide the Cloud Service (generally aligning with the subscription period under the Agreement and any wind-down period) or as required by Applicable Laws.
8.3 Competent Supervisory Authority (Annex I.C)
For Customers established in the EU: the supervisory authority of the EU Member State where Customer is established. For Customers not established in the EU but to whom the GDPR otherwise applies: the Irish Data Protection Commission. For UK transfers: the UK Information Commissioner's Office (ICO).
8.4 CCPA Service Provider Relationship
To the extent the CCPA applies, the parties acknowledge that Keygraph is a Service Provider receiving Personal Data from Customer to provide the Cloud Service as set forth in the Agreement and these Standard DPA Terms, which constitutes a limited and specified business purpose. Keygraph will not: (a) sell or share any Personal Data; (b) retain, use, or disclose any Personal Data outside the direct business relationship between Keygraph and Customer; (c) retain, use, or disclose any Personal Data for any purpose other than for the business purposes specified in the Agreement (or as otherwise permitted by the CCPA); or (d) combine the Personal Data with personal information that Keygraph receives from or on behalf of another person or persons (or that Keygraph collects from its own interactions with consumers), except as permitted by the CCPA. Keygraph will notify Customer if it can no longer meet its obligations under the CCPA. Keygraph certifies that it understands the restrictions in this Section and will comply with them. Customer has the right to take reasonable and appropriate steps to ensure that Keygraph uses Personal Data in a manner consistent with Customer's obligations under the CCPA, and to stop and remediate unauthorized use of Personal Data.
8.5 Technical and Organizational Security Measures (Annex II)
Keygraph implements and maintains the following technical and organizational measures to protect Customer Personal Data:
- Access Control: Role-based access control (RBAC), multi-factor authentication (MFA), least-privilege access, and periodic access reviews for personnel with access to Customer Personal Data.
- Encryption: Encryption in transit using current industry-standard protocols (TLS 1.2 or higher) and at rest using AES-256 or equivalent.
- Tenant Isolation: Logical isolation of Customer Content between Customer tenants; access scoping by integration token and Customer-authorized scope.
- Infrastructure Security: The Cloud Service is hosted on Amazon Web Services (AWS) with physical, network, and operational security controls maintained by AWS.
- EU Data Residency Option: At account setup, Customer may elect the EU Data Residency option. If elected, Customer Content stored at rest in the production tenant database and object storage of the Cloud Service is stored in Amazon Web Services regions located within the EEA. This storage commitment does not apply to account metadata, billing data, support communications, security telemetry, Usage Data, Operational Telemetry, operational logs, personnel access, edge/CDN/security processing, transactional email, Customer-selected Third-Party Services, or Customer AI Providers. Those activities are governed by these Standard DPA Terms generally, including applicable transfer safeguards. The election is permanent for the life of the account.
- Personnel Access Locations: Keygraph is incorporated in the United States, and Keygraph personnel may access Customer Personal Data from the United States and other jurisdictions outside the EEA to provide, support, debug, secure, monitor, troubleshoot, and improve the Cloud Service for Customer, subject to the access controls in this Section and, where applicable, the EEA SCCs and UK Addendum.
- AI Features: AI features operate on a BYOK basis against Customer AI Providers designated by Customer using Customer's own credentials. Customer AI Providers are Customer's vendors, not Keygraph Subprocessors. Customer's BYOK configuration controls the provider, credentials, account, and provider-side settings, but not each individual prompt, request, context item, tool output, or data element transmitted during ordinary operation. Keygraph does not use AI prompts or responses to train or fine-tune any generalized or shared model, consistent with Section 2.5.
- Source Code and Container Scope Controls: Source code and container images are accessed only with Customer's express authorization, scoped per repository, registry, or integration.
- Secrets and Integration Credentials: Customer integration credentials, access tokens, and secrets used by the Cloud Service to access Customer-authorized integrations (such as source-code hosting, CI/CD, and ticketing systems) are stored using encrypted secret-management systems, are access-controlled on a least-privilege basis, are used only to provide Customer-authorized integrations and Cloud Service functionality, and are revocable by Customer. Access to such credentials is logged and restricted to authorized personnel and systems.
- Source Code and Container Image Handling: Source code and container images accessed pursuant to Customer-authorized integrations are processed by ephemeral, isolated scanning environments. Source code and container images are not retained beyond what is necessary to complete the requested scan and produce findings; full code and image artifacts are deleted from the scanning environment upon completion of the scan. Persistent storage by the Cloud Service is limited to derived findings, metadata, and remediation artifacts as further described in this Annex II.
- Patch Generation and Workflow Integration: Where the Cloud Service generates suggested code patches or initiates pull requests, branches, or tickets in Customer-authorized systems, such actions are performed only with Customer's express integration authorization and within the scope of permissions granted by Customer in the relevant integration. Customer retains ultimate authority to accept, reject, or modify any suggested change.
- AI Request and Response Handling: AI prompts and responses generated in connection with the Cloud Service's AI features are processed through the following layers, each with distinct retention characteristics:
(a) LLM Routing and Observability: The Cloud Service uses a self-hosted LLM routing and observability layer (operated by Keygraph on Keygraph's infrastructure) to direct AI requests to Customer AI Providers, record routing telemetry, and enable Keygraph personnel to troubleshoot Customer-reported issues with AI features. Prompts and responses processed by this layer are retained on a rolling seven (7) day window and then deleted.
(b) Agent Memory and Cached Context: The Cloud Service operates agentic AI workflows that retain prior prompts, responses, and intermediate reasoning artifacts as cached context to improve the performance, cost, and quality of subsequent scans for the same Customer. This cached context is tenant-scoped, is not shared across Customer tenants, and is retained for the duration necessary to provide that performance and cost benefit, consistent with the deletion capabilities of the Cloud Service and Section 7.3.
(c) Findings and Scan Output: Vulnerability findings, suggested patches, remediation status, and related scan output derived from AI processing are retained as persistent Customer Content consistent with Section 7.3 and the deletion capabilities of the Cloud Service.
Consistent with Section 2.5, prompts and responses are not used to train or fine-tune generalized or shared AI or machine learning models, and raw Customer Content, prompts, model outputs, retrieved context, customer-specific embeddings, or content-bearing agent traces are not used to create shared evaluation datasets or benchmarks except with Customer's express written opt-in. Customer-initiated deletion is available through the Cloud Service and the termination procedures described in Section 7.3.
- Production Access Controls: Keygraph personnel access to production systems requires multi-factor authentication, is governed by approval workflows for elevated privileges, is logged for audit purposes, and is granted on a time-bounded, least-privilege basis.
- Resilience and Availability: Backup, replication, and disaster recovery processes designed to support the availability and resilience of the Cloud Service consistent with the Agreement.
- Vulnerability Management: Regular vulnerability scanning, secure software development lifecycle, and continuous internal penetration testing and red-team exercises of the Cloud Service using Keygraph's own platform and security personnel. Keygraph maintains an annual SOC 2 Type II audit conducted by an independent third-party auditor.
- Logging and Monitoring: Centralized logging of security-relevant events, anomaly detection, and incident response monitoring.
- Personnel Security: Background checks (where legally permitted), confidentiality obligations, and mandatory security and privacy training for personnel with access to Customer Personal Data.
- Incident Response: A documented incident response program covering detection, investigation, containment, notification, and post-incident review.
- Configuration and Governance: Secure configuration baselines, change management, and an information security governance program reviewed at least annually.
- Data Minimization and Erasure: Documented retention schedules and overwrite cycles; export and deletion capabilities consistent with Section 7.3 above.
9. Limitation of Liability
Each party's total cumulative liability arising out of or related to these Standard DPA Terms is subject to the waivers, exclusions, and limitations of liability set forth in the Agreement.
Any claims against Keygraph or its affiliates arising out of or related to these Standard DPA Terms may only be brought by the Customer entity that is a party to the Agreement.
These Standard DPA Terms do not limit any liability to an individual regarding the individual's data protection rights under Applicable Data Protection Laws, and do not limit any liability between the parties for violations of the EEA SCCs or UK Addendum.
10. Conflicts
These Standard DPA Terms form part of and supplement the Agreement. If there is any inconsistency between these Standard DPA Terms and the Agreement, the EEA SCCs or UK Addendum will control over these Standard DPA Terms, which will control over the Agreement, in each case to the extent of the inconsistency.
If Customer and Keygraph have executed a separately signed data processing agreement or addendum, that signed agreement or addendum controls in all respects and these Standard DPA Terms do not apply.
11. Term
These Standard DPA Terms apply for as long as Keygraph Processes Customer Personal Data on Customer's behalf under the Agreement and continue until the Agreement expires or is terminated. The obligations relating to data subject to the EEA SCCs and UK Addendum continue until Customer stops transferring Customer Personal Data to Keygraph and Keygraph stops Processing Customer Personal Data.
12. Governing Law
These Standard DPA Terms are governed by the laws of the State of California, without regard to its conflict of laws principles. The parties consent to the exclusive jurisdiction of the state and federal courts located in San Francisco County, California for any legal suit, action, or proceeding arising out of or relating to these Standard DPA Terms. Governing law and forum for (a) the EEA SCCs and (b) the UK Addendum are as set forth in Section 4 above.
13. Contact
Questions about these Standard DPA Terms, Subprocessors, or general data-protection matters may be directed to legal@keygraph.io. Security-related questions, including incident reports and security questionnaire responses, may be directed to security@keygraph.io.
These Standard Data Processing Terms are derived from the Common Paper Data Processing Agreement Standard Terms Version 1.1 (https://commonpaper.com/standards/data-processing-agreement/1.1/), with modifications by Keygraph, Inc., under the Creative Commons Attribution 4.0 International License (CC BY 4.0).
Keygraph, Inc. | © 2026 All rights reserved.