
Data Processing Addendum

Last Updated: September 2, 2025

This Data Processing Addendum ("DPA") forms a part of the master agreement between Keygraph Inc. ("Keygraph") and the customer entity ("Customer") that has executed an agreement for the use of Keygraph's Services (the "Agreement").

This DPA applies to the extent Keygraph processes Customer Personal Data on behalf of the Customer in the course of providing the Services.

1. Definitions

"Applicable Data Protection Law" means all laws and regulations applicable to the processing of Personal Data under the Agreement, including but not limited to the GDPR and the CCPA.

"CCPA" means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, and any binding regulations promulgated thereunder.

"Controller" means the entity that determines the purposes and means of the processing of Personal Data. For the purposes of this DPA, Customer is the Controller.

"Customer Personal Data" means any Personal Data that Keygraph processes on behalf of the Customer as a Processor in connection with providing the Services.

"Data Subject" means the identified or identifiable natural person to whom Personal Data relates.

"GDPR" means the General Data Protection Regulation (EU) 2016/679.

"Personal Data" means any information relating to a Data Subject that is subject to protection under Applicable Data Protection Law.

"Processor" means the entity that processes Personal Data on behalf of the Controller. For the purposes of this DPA, Keygraph is the Processor.

"Security Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data transmitted, stored, or otherwise processed.

"Services" means the services provided by Keygraph to the Customer under the Agreement.

"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as adopted by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.

"Sub-processor" means any third-party processor engaged by Keygraph to process Customer Personal Data.

"UK Addendum" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, issued by the UK Information Commissioner's Office.

2. Roles and Scope of Processing

2.1. Roles of the Parties

The parties acknowledge and agree that with regard to the processing of Customer Personal Data, Customer is the Controller and Keygraph is the Processor.

2.2. Customer's Obligations

Customer represents and warrants that it has a valid legal basis for the processing of Customer Personal Data and for Keygraph's processing of the same on its behalf as contemplated by the Agreement.

2.3. Keygraph's Processing

Keygraph will process Customer Personal Data only in accordance with the Customer's documented instructions. The Agreement (including this DPA) constitutes the Customer's complete and final instructions to Keygraph for the processing of Customer Personal Data. Any additional instructions require a written agreement between the parties.

2.4. Details of Processing

The details of the data processing are described in Appendix 1 to this DPA.

3. Sub-processing

3.1. Authorization

Customer provides a general authorization for Keygraph to engage Sub-processors to process Customer Personal Data. Keygraph will maintain an up-to-date list of its Sub-processors, which is available in Appendix 3.

3.2. New Sub-processors

Keygraph will provide Customer with at least thirty (30) days' prior written notice of any intended new Sub-processor. Notice may be provided via email or through the Services.

3.3. Objection Rights

Customer may object to the appointment of a new Sub-processor within fourteen (14) days of receiving notice by providing a written explanation of the reasonable grounds for the objection. If the parties cannot resolve the objection, either party may terminate the applicable Order Form with respect to the Services that cannot be provided without the new Sub-processor.

3.4. Sub-processor Obligations

Keygraph will enter into a written agreement with each Sub-processor containing data protection obligations no less protective than those in this DPA. Keygraph shall remain fully liable to the Customer for the performance of the Sub-processor's obligations.

4. Security Measures

4.1. Technical and Organizational Measures

Keygraph will implement and maintain appropriate technical and organizational measures designed to protect the security, confidentiality, and integrity of Customer Personal Data. These measures are described in Appendix 2.

4.2. Confidentiality

Keygraph will ensure that its personnel authorized to process Customer Personal Data are subject to a duty of confidentiality.

5. International Data Transfers

5.1. Transfer Mechanisms

To the extent that the processing of Customer Personal Data involves a transfer of data subject to transfer restrictions under the GDPR or UK GDPR, the parties agree that the Standard Contractual Clauses (SCCs) and/or the UK Addendum will apply as follows:

  • For GDPR: The SCCs will be deemed incorporated by reference. Module Two (Controller to Processor) will apply. The parties' details will be those of the signatories to the Agreement, and the details of the processing will be as set forth in Appendix 1.
  • For UK GDPR: The UK Addendum will be deemed incorporated by reference and will be completed with the information set forth in the Appendices.

6. Data Subject Rights and Audits

6.1. Assistance with Data Subject Rights

Keygraph will, to the extent legally permitted, provide reasonable assistance to the Customer to respond to requests from Data Subjects to exercise their rights under Applicable Data Protection Law.

6.2. Audits

Upon reasonable request, Keygraph will make available to the Customer information necessary to demonstrate compliance with this DPA. Customer may conduct an audit, no more than once annually, upon thirty (30) days' prior written notice, to verify Keygraph's compliance. Such audits shall be limited to reviewing Keygraph's existing third-party audit reports (e.g., SOC 2) and/or responding to a written security questionnaire. Any on-site audit shall be subject to a separate written agreement and will be at the Customer's expense.

7. Security Incident Management

7.1. Notification

If Keygraph becomes aware of a Security Incident, Keygraph will notify the Customer without undue delay, and in any event within forty-eight (48) hours.

7.2. Details

The notification will, to the extent known, describe the nature of the Security Incident, the categories and approximate number of Data Subjects and records concerned, and the likely consequences.

7.3. Cooperation

Keygraph will take reasonable steps to mitigate the effects of the Security Incident and will provide reasonable cooperation to the Customer in its investigation and remediation of the incident.

8. Return or Deletion of Data

Upon termination or expiration of the Agreement, Keygraph will, at the Customer's choice, either delete or return all Customer Personal Data, and delete existing copies unless applicable law requires storage of the data. This process is further described in the Agreement's termination clause.

9. Jurisdiction-Specific Terms

9.1. GDPR

Keygraph will provide reasonable assistance to the Customer with any data protection impact assessments and prior consultations with supervisory authorities, as required under GDPR Articles 35 and 36.

9.2. CCPA

For the purposes of the CCPA, Keygraph is a "Service Provider." Keygraph will not: (a) sell or share Customer Personal Data; (b) retain, use, or disclose Customer Personal Data for any purpose other than for the specific business purposes specified in the Agreement; or (c) combine Customer Personal Data with personal information it receives from other sources, except as permitted under the CCPA.

10. Miscellaneous

10.1. Precedence

In the event of a conflict between this DPA and the Agreement, the terms of this DPA shall prevail with respect to the subject matter of data processing.

10.2. Term

This DPA will remain in effect as long as Keygraph processes Customer Personal Data on behalf of the Customer.

Appendix 1: Details of Processing

(A) List of Parties

Data Exporter / Controller: Customer, as defined in the Agreement.

Data Importer / Processor: Keygraph Inc., a cybersecurity SaaS provider offering application security, AI pentesting, and managed security services.

(B) Description of Transfer

Categories of Data Subjects:

  • Customer's employees, contractors, and authorized users.
  • Customer's administrators and designated representatives.

Categories of Personal Data:

User Profile & Authentication Data

  • Name, email address, username, job title, department, organizational role/permissions, MFA enrollment status.
  • Directory attributes from HRIS or identity providers (e.g., manager, hire/termination dates, employment type, team assignment).
  • Authentication and authorization events, login history, and access policies applied.

System & Usage Data

  • IP addresses, device identifiers, browser type, OS version, network metadata, session information, activity logs, and feature usage.

Device & Endpoint Management Data

  • Device inventory: model, serial number, UUID, IMEI, MAC address.
  • Configuration & posture: OS version, patch status, encryption state, firewall, installed applications, security checks, jailbreak/root detection.
  • Certificates & credentials: enrollment certificates, tokens, cryptographic material for secure communication.
  • Location data: approximate geolocation (if enabled by Customer policies).

HRIS-Sourced Data

  • Employment attributes: name, email, job title, department, manager, hire/termination dates, employment type (FTE/contractor).
  • Status indicators: active/inactive, leave of absence.
  • Exclusion: Keygraph does not require salary, benefits, or health data unless explicitly configured by Customer.

Third-Party Integrations (Customer-Authorized)

  • Cloud Providers (e.g., AWS, GCP, Azure): metadata on accounts, roles, permissions, service configurations, audit logs.
  • Code Repositories (e.g., GitHub, GitLab, Bitbucket): repository metadata, user commit activity, access rights, branch protections, pull request status.
  • Communication Tools (e.g., Slack, Google Workspace, Microsoft Teams): user and channel metadata, message retention policies, security configurations, audit events.
  • Ticketing/Project Management (e.g., Linear, Jira, Asana): ticket metadata (IDs, status, assignees, timestamps), workflow configuration, project-level access rights.
  • Other SaaS Tools: additional integrations explicitly enabled by the Customer, limited to metadata and configuration/state data required for security automation and access governance.

Note: Keygraph does not access or process message content, code payloads, or customer intellectual property unless explicitly authorized and necessary for security workflows.

Customer-Uploaded Content

  • Policy documents, security evidence, attestations, signed acknowledgments, or other materials uploaded by Customer.

Payment & Billing Data

  • Billing contact details, subscription history, payment details (processed via Sub-processors).

Support & Communication Data

  • Information provided in support tickets, chat, or email, including error logs or troubleshooting data.

Sensitive Data Processed:

  • Authentication & HRIS Data: Employment attributes (hire/termination status, leave, roles) may be considered sensitive.
  • Device Data: Device telemetry (security posture, installed apps, geolocation, identifiers) is treated as sensitive.
  • Integrations: Depending on Customer configuration, Keygraph may process metadata from cloud, code, communication, or ticketing tools. Content-level data is only processed if the Customer explicitly grants access for security workflows.
  • Special Categories of Data (GDPR Art. 9): Not intentionally collected by Keygraph. Such data may be processed only if uploaded by the Customer within Customer Data or through configured integrations.

Frequency of Transfer:

Continuous and on-demand, synchronized in real time with Customer systems and throughout Customer's use of the Services.

Nature and Purpose of Processing:

  • Authentication: Manage authentication, directory sync, role-based access, and lifecycle management.
  • Device Management: Enroll and monitor devices, enforce security policies, remediate risks.
  • HRIS Integration: Sync workforce directory and employment status to automate provisioning, deprovisioning, and security workflows.
  • Third-Party Integrations: Collect metadata and configuration states from cloud, code, communication, and project tools to automate security checks, enforce policies, and provide security posture visibility.
  • Application Security: Code scanning, vulnerability detection, AI pentesting, and remediation tracking.
  • VPN & Secure Access Services: Policy-based secure connectivity.
  • Audit & Security Logging: Record activity and provide forensic readiness.
  • Billing & Support: Subscription management, technical assistance, service optimization.

Retention of Data:

Customer Personal Data is retained for the duration of the Agreement. Upon termination, Keygraph will delete or return such data unless longer retention is required by law.

(C) Competent Supervisory Authority

For Customers established in the EU: the supervisory authority of the Member State where the Customer is established.

If Customer is not established in the EU: the Irish Data Protection Commission, in line with the SCCs.

Appendix 2: Technical and Organizational Security Measures

Keygraph implements and maintains the following categories of security measures:

  • Access Control: Policies and controls to limit access to systems and data to authorized personnel. This includes multi-factor authentication (MFA) and role-based access controls (RBAC).
  • Encryption: Customer Personal Data is encrypted in transit using industry-standard protocols (e.g., TLS) and at rest using strong encryption algorithms (e.g., AES-256).
  • Infrastructure Security: Services are hosted on secure cloud infrastructure (e.g., AWS, GCP) that provides robust physical and network security.
  • Vulnerability Management: Regular vulnerability scanning and penetration testing of the Services and infrastructure.
  • Personnel Security: Background checks for personnel with access to Customer Personal Data and mandatory security and privacy training.
  • Incident Response: A documented incident response plan to ensure timely detection, investigation, and notification of Security Incidents.
  • Business Continuity: Backup and disaster recovery plans to ensure the availability and resilience of the Services.

Further details on our security practices may be available in our third-party audit reports (SOC 2 Type II) upon reasonable request.

Appendix 3: Sub-processor List

Keygraph uses the following Sub-processors to provide the Services.

Sub-processor Name          | Purpose                                  | Entity Location
----------------------------|------------------------------------------|----------------
Amazon Web Services (AWS)   | Cloud Hosting & Infrastructure           | USA
Google Cloud Platform (GCP) | Cloud Hosting & Infrastructure           | USA
Stripe, Inc.                | Payment Processing                       | USA
Maple Billing               | Billing and Subscription Management      | Canada
ClickHouse, Inc.            | Real-time Analytics and Data Warehousing | USA
Temporal Technologies Inc.  | Workflow Orchestration Platform          | USA
Kombo Technologies GmbH     | HRIS Integrations                        | Germany
Nango, Inc.                 | SaaS Integrations                        | USA
Cloudflare                  | Cloud Hosting & Infrastructure           | USA
Anthropic                   | AI                                       | USA
OpenAI                      | AI                                       | USA
Groq                        | AI                                       | USA
Together.ai                 | AI                                       | USA
© 2025 Keygraph Inc. All rights reserved.