Keycafe Data Processing Addendum (DPA)

Last Updated: October 23, 2025

Effective: On the date Customer accepts the Keycafe Terms of Service (the "Terms").
Parties: The "Customer" and Keycafe contracting entity ("Keycafe") under the Terms.


  1. Incorporation; Scope

    This DPA is incorporated by reference into the Terms and applies automatically whenever Keycafe Processes Personal Data on behalf of Customer as a processor or service provider/contractor under Applicable Data Protection Law. No separate signature is required. If there is a conflict between this DPA and the Terms regarding Personal Data processing, this DPA controls.

  2. Definitions

    Capitalized terms not defined here have the meanings in the Terms.

    • "Applicable Data Protection Law" means all laws governing privacy, data protection, or data security that apply to the Processing of Personal Data, including the EU/EEA GDPR, the UK GDPR, the Swiss FADP, the California CPRA/CCPA, Canada’s PIPEDA and substantially similar provincial laws (including Alberta PIPA, BC PIPA, and Québec’s private-sector law), and any other applicable national, state, provincial, or sectoral laws.
    • "Customer Personal Data" means Personal Data Processed by Keycafe on behalf of Customer under the Terms.
    • "Process" or "Processing" has the meaning in Applicable Data Protection Law.
    • "SCCs" means the EU Standard Contractual Clauses (Module 2, controller→processor) adopted by Commission Implementing Decision (EU) 2021/914, as amended or replaced.
    • "Subprocessor" means a processor engaged by Keycafe to Process Customer Personal Data.
    • "Awareness" means the point at which Keycafe’s security team confirms, following a reasonable investigation, that a Personal Data Breach affecting Customer Personal Data has occurred. Keycafe has no obligation to notify Customer of suspected or potential breaches before Awareness.
    • "Security Incident" means a suspected or actual adverse event affecting networks, systems, or facilities that does not result in unauthorized access to, or disclosure, alteration, or loss of, Customer Personal Data. Keycafe has no obligation to notify Customer of Security Incidents, though Keycafe may, at its discretion, include high-level statistics or summaries in periodic trust communications.
    • "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data. Unsuccessful attempts or activities that do not compromise security (e.g., pings, port scans, blocked malware, failed logins, DDoS) are not Personal Data Breaches.

  3. Roles; Instructions; Customer Responsibilities

    (a) Roles. Customer is the controller and Keycafe is the processor/service provider for Customer Personal Data.
    (b) Instructions. Keycafe will Process Customer Personal Data only on documented instructions from Customer and as necessary to provide and secure the Products described in the Terms. Keycafe will notify Customer if an instruction appears to violate Applicable Data Protection Law.
    (c) Customer Responsibilities. Customer is responsible for the accuracy, quality, and lawfulness of Customer Personal Data and for providing any notices and obtaining consents required for Keycafe’s Processing.
    (d) Sensitive data; SPI. Customer will not intentionally submit special categories of data under GDPR or Sensitive Personal Information under CPRA (or similar laws) unless Customer has provided prior written notice and appropriate safeguards are in place; emergency uploads must be notified promptly thereafter.
    (e) No legal advice. Keycafe does not provide legal advice; Customer is solely responsible for the lawfulness of Customer Personal Data, required notices and consents, and the legality of Customer’s instructions.

  4. Personnel Confidentiality

    Keycafe will ensure its personnel authorized to Process Customer Personal Data are bound by confidentiality and receive appropriate privacy and security training.

  5. Security

    Keycafe will maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include access controls, encryption where appropriate, logging/monitoring, vulnerability management, backups, and physical security as outlined in Annex II (Security Measures). Keycafe will assess and update its measures considering the nature of Processing and risk.

  6. Subprocessors

    (a) Use; Flow-down. Customer authorizes Keycafe to use Subprocessors to provide the Products. Keycafe will impose data protection obligations no less protective than those in this DPA.
    (b) List and Notice. The current list of Subprocessors and Keycafe’s notice mechanics are set out in Schedule 6 (Subprocessors) of the Terms. Posting an update to the list identified in Schedule 6 constitutes notice of a change. Customer may email privacy@keycafe.com to join the optional email notice list referenced in Schedule 6.
    (c) Objection (narrow grounds); Remedy. Within 14 days after notice, Customer may object only on reasonable, materially substantiated data-protection grounds. Keycafe may address the objection by removing/replacing the Subprocessor or offering a reasonable alternative. If unresolved after good-faith discussion, Customer may terminate only the impacted functionality (not the entire Service) and receive a pro-rata refund of prepaid, unused fees for that functionality. Failure to object within 14 days is deemed consent.
    (d) Liability; Cure. Keycafe remains liable for the performance of its Subprocessors to the same extent as for its own actions. Where a Subprocessor’s non-compliance affects the Services, re-performance or correction by Keycafe or the Subprocessor is Customer’s sole and exclusive remedy for that non-compliance, without prejudice to Customer’s termination right in (c).

  7. Assistance; Breach; Impact Assessments; Government Requests

    (a) Data Subject Requests. Taking into account the nature of the Processing, Keycafe will provide reasonable assistance via product capabilities and support to respond to data-subject rights requests. Assistance beyond product features or that is excessive or repetitive may be charged on a time-and-materials basis.
    (b) Personal Data Breaches. Keycafe will notify Customer without undue delay and, where feasible, within 72 hours of Awareness of a Personal Data Breach affecting Customer Personal Data and will provide information to the extent then known, followed by updates. For clarity, unsuccessful attempts or activities that do not compromise security are not a Personal Data Breach. Keycafe’s notice or response is not an admission of fault or liability.
    (c) DPIAs and consultations. Keycafe will provide reasonable information to support Customer’s data protection impact assessments and consultations with supervisory authorities insofar as the Processing by Keycafe is involved; work beyond reasonable efforts may be charged on a time-and-materials basis.
    (d) Government and regulator requests. Keycafe will not respond to any government, law-enforcement, or supervisory-authority request relating to Customer Personal Data except to acknowledge receipt and refer the authority to Customer, unless legally required to respond. Where permitted, Keycafe will promptly notify Customer of the request, assess its legality, and disclose only the minimum information required. Keycafe will document its assessment and responses and make them available to Customer upon request.

  8. Audit and Information Rights

    Upon written request no more than once in any 12-month period (unless a justified regulator request or post-breach), Keycafe will provide current third-party audit reports or certifications (e.g., SOC/ISO), policies, and security summaries sufficient to satisfy audit obligations under this DPA and the SCCs. If, after reviewing this information, Customer reasonably deems it insufficient, Customer may conduct (or appoint an independent, mutually agreed auditor to conduct) an on-site audit of relevant systems and facilities with 30 days’ notice, limited to 1 business day, during business hours, and limited to systems Processing Customer Personal Data. On-site access is conditioned on the auditor signing a confidentiality agreement no less protective than the Agreement and agreeing a written audit plan (scope, artifacts, schedule). Audits are subject to confidentiality, safety, and reasonable time/materials fees for supervision and support. Post-breach or regulator-mandated audits may occur as required. Information and audit results may be shared with a competent supervisory authority on request.

  9. International Transfers

    (a) EU/EEA. Where Customer Personal Data is transferred to Keycafe in a country without an adequacy decision, the SCCs (Module 2) are incorporated by reference and deemed executed by the parties upon Customer’s acceptance of the Terms. Annex I/II/III to the SCCs are satisfied by Annex I/II/III to this DPA. The docking clause applies.
    (b) UK. For UK transfers, the UK IDTA/Addendum to the SCCs is incorporated and deemed executed on acceptance of the Terms; the completed tables are satisfied by Annexes I–III and the details in the Terms.
    (c) Switzerland. For Swiss transfers, the SCCs apply as modified by the Swiss FDPIC guidance (references to the GDPR include the Swiss FADP; the supervisory authority is the FDPIC).
    (d) Supplementary measures. Keycafe will implement supplementary measures where required by law and will notify Customer if it can no longer comply with the SCCs/IDTA.
    (e) Data location. Processing may occur in any jurisdiction where Keycafe or its Subprocessors operate, subject to this Section 9 and Applicable Data Protection Law.
    (f) Canada adequacy (informational). Where Keycafe acts through an entity in Canada subject to PIPEDA, EU/UK adequacy for transfers to Canada may apply. This recital does not limit or replace the SCCs/UK Addendum, which remain operative for other locations and for onward transfers.

  10. Return and Deletion

    At termination or expiration of the relevant services, at Customer’s written election within 30 days, Keycafe will enable self-service export or otherwise provide Customer Personal Data in a commonly used, machine-readable format (no custom ETL or bespoke extraction), or delete/anonymize it. If Customer does not elect return within that period, Keycafe will delete/anonymize within 90 days, subject to legal retention requirements. Deletion from backups occurs by overwrite on the standard retention cycle; earlier purge is not required. Keycafe may retain de-identified/aggregated data for legitimate business purposes.

  11. CPRA/CCPA Service Provider Terms (U.S.)

    For California Personal Information, Keycafe acts as a service provider/contractor and will: (i) not sell or share such Personal Information; (ii) not retain, use, or disclose it outside the business purposes of providing the Products (including maintaining/improving security and as otherwise permitted by law); (iii) not combine it with other data except as permitted by CPRA (for example, for detecting security incidents or service improvements); (iv) flow down these restrictions to Subprocessors; and (v) certify it understands and will comply with these obligations.

  12. Liability; Precedence

    Liability under this DPA is subject to, and not in addition to, the limitations and exclusions in the Terms. Nothing in this DPA is intended to expand Keycafe’s liability beyond the Terms. For clarity, service credits and other exclusive remedies in the Terms remain applicable.

  13. Governing Law; Order of Precedence

    This DPA follows the governing law and dispute resolution provisions in the Terms. In case of conflict about Processing of Personal Data, this DPA controls; otherwise, the Terms control.

  14. Term

    This DPA remains in force for as long as Keycafe Processes Customer Personal Data on behalf of Customer under the Terms.

  15. Survival

    Sections 4, 5, 6 (to the extent obligations by their nature survive), 7(d), 8, 9, 10, 12, 13, and Annexes I–III survive termination.


Annex I — Data Processing Details (Art. 28 and SCCs)

  1. Parties and Contacts

    • Data exporter (controller): Customer (contact: as listed in Customer’s account).
    • Data importer (processor): Keycafe (contact: privacy@keycafe.com).

  2. Description of Processing

    • Subject matter: Provision, operation, and support of the Products under the Terms.
    • Duration: The Subscription Term and any wind-down/retention period in Section 10.
    • Nature and purpose: Hosting, storage, transmission, access management, telemetry logs, support, and security of the Products.
    • Categories of data subjects: Customer employees/agents; Customer end users; guests/visitors designated by Customer.
    • Categories of Personal Data: Identification and contact data (for example, name, email, phone); account identifiers; device and usage logs; access/transaction events; optional location/GPS where enabled; any other Personal Data Customer elects to submit.
    • Sensitive data: Not anticipated; if Customer submits sensitive data, Parties will implement appropriate safeguards.
    • Frequency of transfer: Continuous as needed.
    • Processing instructions: As set out in the Terms, this DPA, and Customer’s documented configurations and requests.
    • Retention: As per Section 10.

  3. Competent Supervisory Authority

    • For EU SCCs: the exporter’s competent authority under GDPR.
    • For Swiss transfers: the FDPIC.
    • For UK transfers: the ICO (per the UK Addendum).

Annex II — Technical and Organizational Security Measures

Keycafe maintains measures appropriate to the risk, including:

  • Access controls: role-based access, MFA for privileged access, least privilege, periodic access review.
  • Encryption: encryption in transit; encryption at rest for primary data stores where appropriate; key management policies.
  • Network and infrastructure security: segmentation, firewalls, DDoS protections, secure configuration baselines, vulnerability management and patching.
  • Application security: secure SDLC, code review, dependency management, secrets management, logging/monitoring.
  • Operational security: incident response plan, security event monitoring, backup/restore testing, change management.
  • Physical security: use of data centers with protections consistent with industry practice.
  • Personnel and training: background checks where permitted; confidentiality, security, and privacy training.
  • Third-party risk: diligence and contractual controls for Subprocessors; periodic reassessment.
  • Testing and audit: penetration testing and/or independent assessments appropriate to the risk profile.

Annex III — Subprocessors

See Schedule 6 (Subprocessors) of the Terms. For clarity, posting an update to the list identified in Schedule 6 constitutes notice of a change. Objection rights and remedies are as set out in Sections 6(c)–(d) of this DPA.


Execution. The Parties agree that this DPA (including incorporated SCCs/IDTA) is deemed executed by the Parties and becomes effective upon Customer’s acceptance of the Terms.
