{"id":902,"date":"2025-09-05T13:40:03","date_gmt":"2025-09-05T10:40:03","guid":{"rendered":"https:\/\/ketosoftware.com\/?page_id=902"},"modified":"2025-09-05T16:51:24","modified_gmt":"2025-09-05T13:51:24","slug":"data-processing-agreement","status":"publish","type":"page","link":"http:\/\/83.143.220.118\/~keto\/legal-and-privacy\/data-processing-agreement\/","title":{"rendered":"Data processing agreement"},"content":{"rendered":"<section class=\"hero-section legal-hero-section position-relative\">\n\t<div class=\"blur-area-vertical blur-top\"><\/div>\n\t<div class=\"blur-area-vertical blur-bottom\"><\/div>\n\t<div class=\"tint tint__30\"><\/div>\n\t\t\n\t  <picture class=\"hero-picture hero-media\">\n    \n    <source\n      media=\"(min-width: 1024px)\"\n      srcset=\"http:\/\/83.143.220.118\/~keto\/wp-content\/uploads\/2025\/08\/22e3cf20d933e94a9f0ea6c330bc4079af830353.jpg 1920w, http:\/\/83.143.220.118\/~keto\/wp-content\/uploads\/2025\/08\/22e3cf20d933e94a9f0ea6c330bc4079af830353-300x169.jpg 300w, http:\/\/83.143.220.118\/~keto\/wp-content\/uploads\/2025\/08\/22e3cf20d933e94a9f0ea6c330bc4079af830353-1024x576.jpg 1024w, http:\/\/83.143.220.118\/~keto\/wp-content\/uploads\/2025\/08\/22e3cf20d933e94a9f0ea6c330bc4079af830353-768x432.jpg 768w, http:\/\/83.143.220.118\/~keto\/wp-content\/uploads\/2025\/08\/22e3cf20d933e94a9f0ea6c330bc4079af830353-1536x864.jpg 1536w, http:\/\/83.143.220.118\/~keto\/wp-content\/uploads\/2025\/08\/22e3cf20d933e94a9f0ea6c330bc4079af830353-480x270.jpg 480w, http:\/\/83.143.220.118\/~keto\/wp-content\/uploads\/2025\/08\/22e3cf20d933e94a9f0ea6c330bc4079af830353-1440x810.jpg 1440w\"\n      sizes=\"100vw\">\n\n    \n    <img decoding=\"async\"\n      src=\"http:\/\/83.143.220.118\/~keto\/wp-content\/uploads\/2025\/08\/22e3cf20d933e94a9f0ea6c330bc4079af830353.jpg\"\n      srcset=\"http:\/\/83.143.220.118\/~keto\/wp-content\/uploads\/2025\/08\/22e3cf20d933e94a9f0ea6c330bc4079af830353.jpg 1920w, 
http:\/\/83.143.220.118\/~keto\/wp-content\/uploads\/2025\/08\/22e3cf20d933e94a9f0ea6c330bc4079af830353-300x169.jpg 300w, http:\/\/83.143.220.118\/~keto\/wp-content\/uploads\/2025\/08\/22e3cf20d933e94a9f0ea6c330bc4079af830353-1024x576.jpg 1024w, http:\/\/83.143.220.118\/~keto\/wp-content\/uploads\/2025\/08\/22e3cf20d933e94a9f0ea6c330bc4079af830353-768x432.jpg 768w, http:\/\/83.143.220.118\/~keto\/wp-content\/uploads\/2025\/08\/22e3cf20d933e94a9f0ea6c330bc4079af830353-1536x864.jpg 1536w, http:\/\/83.143.220.118\/~keto\/wp-content\/uploads\/2025\/08\/22e3cf20d933e94a9f0ea6c330bc4079af830353-480x270.jpg 480w, http:\/\/83.143.220.118\/~keto\/wp-content\/uploads\/2025\/08\/22e3cf20d933e94a9f0ea6c330bc4079af830353-1440x810.jpg 1440w\"\n      sizes=\"100vw\"\n      alt=\"Data processing agreement\" loading=\"eager\" fetchpriority=\"high\">\n  <\/picture>\n  \t\n\t<div class=\"hero-media-clip\"> \n\n\t<div class=\"container position-relative\">\n\t\t<div class=\"row\">\n\t\t\t\n\t\t\t<div class=\"col-12 col-lg-6 col-md-8\">\n\t\t\t\t<div class=\"article-meta white\">\n\t\t\n\t\t\t\t\t<div class=\"breadcrumbs\">\n\t\t\t\t\n\t\t\t\t\t\t<a class=\"post-parent-link\" href=\"http:\/\/83.143.220.118\/~keto\/legal-and-privacy\/\">\n\t\t\t\t\t\t\tLegal and Privacy<\/a>\n\t\t\t\t\t\t<span class=\"divider\">\n\t\t\t\t\t\t\t\n\n<svg width=\"6\" height=\"10\" viewBox=\"0 0 6 10\" fill=\"none\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\">\n<path d=\"M1 1L5 5L1 9\" stroke=\"white\" stroke-linecap=\"round\"\/>\n<\/svg>\n\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\n\t\t\t\t\t\tData processing agreement\t\t\t\t\t\t\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\n\t\t\t\t<h1 class=\"white\">\n\t\t\t\t\tData processing agreement\t\t\t\t<\/h1>\n\t\t\t\n\t\t\t<\/div>\n\t\t<\/div><!--row-->\n\t<\/div><!--container-->\n\t<div class=\"container post-hero-cta\">\n\t\t\t\t\t<div class=\"cta\">\n\t\t\t\t<a target=\"_blank\" class=\"button hero-button yellow-button\" 
href=\"http:\/\/83.143.220.118\/~keto\/wp-content\/uploads\/2025\/09\/Keto-Software_DPA_August2025.pdf\">\n\t\t\t\t\tDownload document\t\t\t\t<\/a>\n\t\t\t<\/div>\n\t\t\t<\/div>\n<\/section>\n\n<section class=\"text-section legal-text-section white-logo-replace\">\n\t<div class=\"container\">\n\t\t<div class=\"row justify-content-center\">\n\t\t\t<aside class=\"col-12 col-lg-4 aside pe-0 pe-md-4\">\n\t\t\t\t<span class=\"caption\">\n\t\t\t\t\tOn This Page\t\n\t\t\t\t<\/span>\n\n\t\t\t\t\t\t\t\t\t<ol class=\"anchor-menu\">\n\t\t\t\t\t\t\t\t\t\t\t<li>\n\t\t\t\t\t\t\t<a href=\"#preamble\">\n\t\t\t\t\t\t\t\tPreamble\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t<\/li>\n\t\t\t\t\t\t\t\t\t\t\t<li>\n\t\t\t\t\t\t\t<a href=\"#definitions\">\n\t\t\t\t\t\t\t\tDefinitions\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t<\/li>\n\t\t\t\t\t\t\t\t\t\t\t<li>\n\t\t\t\t\t\t\t<a href=\"#execution-and-duration\">\n\t\t\t\t\t\t\t\tExecution and Duration\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t<\/li>\n\t\t\t\t\t\t\t\t\t\t\t<li>\n\t\t\t\t\t\t\t<a href=\"#responsibilities-of-the-customer\">\n\t\t\t\t\t\t\t\tResponsibilities of the Customer (Data Controller)\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t<\/li>\n\t\t\t\t\t\t\t\t\t\t\t<li>\n\t\t\t\t\t\t\t<a href=\"#responsibilities-of-keto\">\n\t\t\t\t\t\t\t\tResponsibilities of Keto (Data Processor)\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t<\/li>\n\t\t\t\t\t\t\t\t\t\t\t<li>\n\t\t\t\t\t\t\t<a href=\"#optional-ai-services\">\n\t\t\t\t\t\t\t\tOptional AI+ Services\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t<\/li>\n\t\t\t\t\t\t\t\t\t\t\t<li>\n\t\t\t\t\t\t\t<a href=\"#use-of-sub-processors\">\n\t\t\t\t\t\t\t\tUse of Sub-processors\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t<\/li>\n\t\t\t\t\t\t\t\t\t\t\t<li>\n\t\t\t\t\t\t\t<a href=\"#hosting-and-data-transfer\">\n\t\t\t\t\t\t\t\tHosting and Data Transfer\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t<\/li>\n\t\t\t\t\t\t\t\t\t\t\t<li>\n\t\t\t\t\t\t\t<a href=\"#data-retention-and-deletion\">\n\t\t\t\t\t\t\t\tData Retention and 
Deletion\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t<\/li>\n\t\t\t\t\t\t\t\t\t\t\t<li>\n\t\t\t\t\t\t\t<a href=\"#security-measures\">\n\t\t\t\t\t\t\t\tSecurity Measures\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t<\/li>\n\t\t\t\t\t\t\t\t\t\t\t<li>\n\t\t\t\t\t\t\t<a href=\"#rights-of-data-subjects\">\n\t\t\t\t\t\t\t\tRights of Data Subjects\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t<\/li>\n\t\t\t\t\t\t\t\t\t\t\t<li>\n\t\t\t\t\t\t\t<a href=\"#audit-rights-and-security-testing\">\n\t\t\t\t\t\t\t\tAudit Rights and Security Testing\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t<\/li>\n\t\t\t\t\t\t\t\t\t\t\t<li>\n\t\t\t\t\t\t\t<a href=\"#liability\">\n\t\t\t\t\t\t\t\tLiability\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t<\/li>\n\t\t\t\t\t\t\t\t\t\t\t<li>\n\t\t\t\t\t\t\t<a href=\"#final-provisions\">\n\t\t\t\t\t\t\t\tFinal Provisions\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t<\/li>\n\t\t\t\t\t\t\t\t\t\t\t<li>\n\t\t\t\t\t\t\t<a href=\"#exhibit-b\">\n\t\t\t\t\t\t\t\tExhibit B \u2013 Approved Sub-Processors\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t<\/li>\n\t\t\t\t\t\t\t\t\t\t\t<li>\n\t\t\t\t\t\t\t<a href=\"#exhibit-c\">\n\t\t\t\t\t\t\t\tExhibit C \u2013 Technical &#038; Organisational Measures\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t<\/li>\n\t\t\t\t\t\t\n\t\t\t\t\t<\/ol>\t\n\t\t\t\t\t\t\t<\/aside>\n\t\t\t<div class=\"col-12 col-lg-8\">\n\t\t\t\t<h3 id=\"preamble\">1. Preamble<\/h3>\n<p>This Data Processing Agreement (&#8220;DPA&#8221;) is entered into between the Customer (as defined in the Keto License Agreement or Order Form) and:<\/p>\n<p>Keto Software Oy<br \/>\nKankurinkatu 4\u20136<br \/>\n05800 Hyvink\u00e4\u00e4, Finland<br \/>\n(&#8220;Keto&#8221; or &#8220;Processor&#8221;)<\/p>\n<p>This DPA governs the processing of Personal Data by Keto on behalf of the Customer in connection with the provision of the Keto Services. It supplements the Keto License Agreement (KLA), Order Form, General Terms and Conditions (GTCs), and any related attachments (together, the \u201cAgreement\u201d). 
Keto may process Customer Personal Data when delivering services under the Agreement. This DPA sets forth the parties&#8217; obligations in accordance with applicable Data Protection Laws, including the General Data Protection Regulation (EU) 2016\/679 (GDPR) and other applicable legislation.<\/p>\n<ul>\n<li>Where the Customer is a Controller, Keto acts as a Processor.<\/li>\n<li>Where the Customer is a Processor, Keto acts as a Sub-Processor.<\/li>\n<\/ul>\n<p>In the event of conflict between this DPA and other Agreement documents, this<br \/>\nDPA shall prevail regarding data protection matters.<\/p>\n<h3 id=\"definitions\">2. Definitions<\/h3>\n<p>Terms used in this DPA have the meanings set out in GDPR and relevant Data Protection Laws. Notable definitions include:<br \/>\n<strong>Personal Data:<\/strong> Any information relating to an identified or identifiable natural<br \/>\nperson.<br \/>\n<strong>Processing:<\/strong> Any operation performed on Personal Data, such as collection,<br \/>\nstorage, use, or deletion.<br \/>\n<strong>Data Subject:<\/strong> An individual whose Personal Data is processed.<br \/>\n<strong>Customer Data:<\/strong> All data submitted by the Customer or users to the Keto Platform,<br \/>\nincluding Personal Data.<br \/>\n<strong>Sub-Processor:<\/strong> Any third party appointed by Keto to assist in processing Customer<br \/>\nData.<br \/>\n<strong>Data Protection Laws:<\/strong> GDPR, UK GDPR, Finnish Data Protection Act, and other<br \/>\napplicable laws.<br \/>\n<strong>Adequate Jurisdiction:<\/strong> Countries with recognized data protection adequacy status<br \/>\nunder GDPR or equivalent regimes.<\/p>\n<h3 id=\"execution-and-duration\">3. Execution and Duration<\/h3>\n<p>This DPA becomes effective upon the Effective Date of the Agreement (specified in the KLA or Order Form). 
It remains in force for the duration of the Agreement and any data retention period thereafter, as described below.<\/p>\n<h3 id=\"responsibilities-of-the-customer\">4. Responsibilities of the Customer (Data Controller)<\/h3>\n<p>The Customer shall:<\/p>\n<ul>\n<li>Ensure it has a valid legal basis for all Personal Data shared with Keto.<\/li>\n<li>Inform Data Subjects as required under Data Protection Laws.<\/li>\n<li>Maintain accuracy and lawfulness of Customer Data.<\/li>\n<li>Manage user permissions and data uploaded to the Keto platform.<\/li>\n<li>Respond to Data Subject requests where appropriate.<\/li>\n<\/ul>\n<h3 id=\"responsibilities-of-keto\">5. Responsibilities of Keto (Data Processor)<\/h3>\n<p>Keto shall:<\/p>\n<ul>\n<li>Process Personal Data solely per documented Customer instructions.<\/li>\n<li>Maintain data confidentiality.<\/li>\n<li>Limit access to personnel with appropriate training and authorization.<\/li>\n<li>Assist Customer with data subject rights and privacy impact assessments.<\/li>\n<li>Notify Customer of Personal Data breaches without undue delay (typically within 48 hours).<\/li>\n<li>Enable audits or supply third-party certification reports upon request (subject to reasonable limits and confidentiality).<\/li>\n<\/ul>\n<p>Where the Customer enables optional AI+ functionality, certain Personal Data may be transferred to Keto\u2019s sub-processors, including Microsoft Azure OpenAI Services, for the purpose of generating responses or processing user prompts, subject to the restrictions of this DPA. The Customer acknowledges and expressly agrees that enabling AI+ functionality may involve the processing of Personal Data by third-party sub-processors (e.g., Microsoft Azure OpenAI Services). The Customer retains the right to disable AI+ Services at any time without prejudice to its other contractual rights.<\/p>\n<h3 id=\"optional-ai-services\">6. 
Optional AI+ Services<\/h3>\n<p>Where the Customer enables optional AI+ features, Keto may transmit Personal Data (e.g., user prompts or project data) to its sub-processor Microsoft Corporation (Azure OpenAI Services) solely for generating AI responses.<\/p>\n<p>This processing is:<\/p>\n<ul>\n<li>Initiated exclusively by Customer\/user input<\/li>\n<li>Subject to Microsoft\u2019s \u201cCode of Conduct for Azure OpenAI Services\u201d<\/li>\n<li>Not used to train or improve underlying AI models<\/li>\n<li>Logged, monitored, and secured in accordance with this DPA<\/li>\n<\/ul>\n<p>The Customer retains full ownership and responsibility for input and output data<br \/>\nassociated with AI+.<\/p>\n<h3 id=\"use-of-sub-processors\">7. Use of Sub-processors<\/h3>\n<p>Keto may engage Sub-processors for specific processing tasks. A current list is<br \/>\navailable in Exhibit B.<\/p>\n<p>Keto will:<\/p>\n<ul>\n<li>Ensure Sub-processors are contractually bound to obligations equivalent to this DPA<\/li>\n<li>Notify the Customer in advance of any changes to Sub-processors<\/li>\n<li>Allow the Customer to object within 15 business days; in case of unresolved objections, the Customer may terminate only the affected services. In case of a Customer objection to a new Sub-Processor, the Parties shall in good faith discuss alternatives before the Customer exercises its right to terminate the<br \/>\naffected services.<\/li>\n<\/ul>\n<h3 id=\"hosting-and-data-transfer\">8. 
Hosting and Data Transfer<\/h3>\n<p>Depending on the Customer\u2019s selection in the Agreement, Customer Personal Data<br \/>\nwill be hosted on data servers located in the:<\/p>\n<ul>\n<li>European Economic Area (EEA)<\/li>\n<li>United Kingdom (UK)<\/li>\n<li>United States (US) (where applicable and selected)<\/li>\n<\/ul>\n<p>Additionally, data may be processed at Keto\u2019s affiliated locations, including:<\/p>\n<ul>\n<li>Keto Software Ltd (London, UK)<\/li>\n<li>Keto Software AG (Zug, Switzerland)<\/li>\n<\/ul>\n<p>Transfers to countries outside an Adequate Jurisdiction shall be made only in compliance with applicable Data Protection Laws, using appropriate safeguards such as Standard Contractual Clauses (SCCs).<\/p>\n<h3 id=\"data-retention-and-deletion\">9. Data Retention and Deletion<\/h3>\n<ul>\n<li>The Customer may delete Customer Data at any time through the platform.<\/li>\n<li>Upon termination of the Agreement, Keto will, upon written request, provide a<br \/>\ncopy of Customer Data.<\/li>\n<li>Customer Data will be deleted from active systems within 90 days of<br \/>\ntermination, unless required for legal retention.<\/li>\n<li>Backup copies will be automatically deleted within 365 days. Backup copies<br \/>\nshall be automatically deleted within one hundred eighty (180) days after<br \/>\ntermination of the Agreement, unless a longer retention period is required by<br \/>\napplicable law.<\/li>\n<li>During retention, such data remains subject to the terms of this DPA.<\/li>\n<\/ul>\n<h3 id=\"security-measures\">10. Security Measures<\/h3>\n<p>Keto implements appropriate Technical and Organizational Measures (TOMs), described in Exhibit C, to ensure the security of processing. 
These include but are not limited to:<\/p>\n<ul>\n<li>Encryption at rest and in transit<\/li>\n<li>Logical access control and monitoring<\/li>\n<li>Secure backup and disaster recovery<\/li>\n<li>Security incident response protocols<\/li>\n<\/ul>\n<h3 id=\"rights-of-data-subjects\">11. Rights of Data Subjects<\/h3>\n<p>During the Term, Keto will enable the Customer to access, rectify, restrict, delete, or export Customer Personal Data through the functionalities of the Keto Services, where technically feasible.<\/p>\n<p>If Keto receives a Data Subject Request directly (e.g., access, deletion, rectification), Keto will, to the extent legally permitted, promptly notify the Customer and redirect the Data Subject to submit the request directly to the Customer. Keto will not respond to such a request unless authorized by the Customer or required by law.<\/p>\n<h2 id=\"audit-rights-and-security-testing\">12. Audit Rights and Security Testing<\/h2>\n<p>The Customer may audit Keto\u2019s compliance with this DPA:<\/p>\n<ul>\n<li>Once per year or in case of a confirmed security incident,<\/li>\n<li>By providing 15 business days\u2019 written notice,<\/li>\n<li>Keto may provide certifications, audit reports, or documentation in lieu of onsite audits.<\/li>\n<li>In addition, the Customer shall be entitled to conduct an on-site audit in case of substantiated suspicion of non-compliance.<\/li>\n<\/ul>\n<p>Penetration tests are permitted under the following conditions:<\/p>\n<ul>\n<li>Prior written approval of Keto (at least 5 business days in advance),<\/li>\n<li>Scope and methods agreed upon,<\/li>\n<li>No disruption to services or impact on other customers.<\/li>\n<\/ul>\n<p>Physical penetration testing of hosting infrastructure (e.g., GCP data centers) is<br \/>\nstrictly prohibited.<\/p>\n<p>Keto shall provide reasonable assistance to the Customer in fulfilling its obligations<br \/>\nunder applicable Data Protection Laws to respond to such requests, taking into<br 
\/>\naccount the nature of the Processing and the information available to Keto.<\/p>\n<h3 id=\"liability\">13. Liability<\/h3>\n<p>Liability for each Party is governed by the limitations defined in the Agreement (KLA, or Order Form and GTCs). Nothing in this DPA expands either Party\u2019s liability beyond the agreed contractual limits. Nothing in this Section shall limit either Party\u2019s liability for breaches of applicable data protection laws or for regulatory fines imposed directly by competent supervisory authorities.<\/p>\n<h3 id=\"final-provisions\">14. Final Provisions<\/h3>\n<p><strong>Severability<\/strong><\/p>\n<p>If any provision of this DPA is held invalid, the remaining provisions remain in full<br \/>\nforce. The invalid term shall be replaced by a valid term closest in meaning and<br \/>\npurpose.<\/p>\n<p><strong>Governing Law and Jurisdiction<\/strong><\/p>\n<p>This DPA is governed by Finnish law. The competent courts of Helsinki, Finland shall have exclusive jurisdiction, unless otherwise agreed.<\/p>\n<p>Exhibit A \u2013 Subject Matter and Details of Processing<\/p>\n<p><strong>Subject Matter:<\/strong><\/p>\n<p>Provision of the Keto Services, including AI+ features where enabled.<\/p>\n<p><strong>Duration:<\/strong><\/p>\n<p>Throughout the Agreement and up to deletion of Customer Data in accordance with this DPA<\/p>\n<p><strong>Nature and Purpose of Processing:<\/strong><\/p>\n<p>Storing, transmitting, generating, and analysing Personal Data for purposes<br \/>\nincluding:<\/p>\n<p>\u2022 User authentication<br \/>\n\u2022 Platform operation and performance<br \/>\n\u2022 AI+ features (e.g., content generation, translation, project insights)<\/p>\n<p><strong>Categories of Personal Data:<\/strong><\/p>\n<ul>\n<li>Name<\/li>\n<li>Email address<\/li>\n<li>Profile information (e.g., job title)<\/li>\n<li>Interaction and usage metadata<\/li>\n<li>AI+ prompts and responses (if feature enabled)<\/li>\n<li>Uploaded content (files, text, 
tags)<\/li>\n<\/ul>\n<p><strong>Categories of Data Subjects:<\/strong><\/p>\n<ul>\n<li>Customer\u2019s employees and contractors<\/li>\n<li>Other authorized users accessing the Keto Services<\/li>\n<\/ul>\n<h3 id=\"exhibit-b\">15. Exhibit B \u2013 Approved Sub-Processors<\/h3>\n<p><strong>Third Party Provider<\/strong><\/p>\n<p>Below is the list of sub-processors authorized by Keto Software Oy to process Customer Personal Data in connection with the Keto Services. Each sub-processor is contractually bound to data protection obligations equivalent to those set out in this DPA.<\/p>\n<p>Provider: GOOGLE CLOUD<br \/>\nLegal Name of provider: Google Cloud EMEA Limited<br \/>\nAddress: Velasco Clanwilliam Place, Dublin 2, Ireland<br \/>\nService Description: Cloud hosting and infrastructure<\/p>\n<p>Provider: Azure Open AI Services<br \/>\nLegal Name of provider: Microsoft Ireland Operations Ltd<br \/>\nAddress: One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland<br \/>\nService Description: AI model hosting (Azure OpenAI, EU-hosted)<\/p>\n<p>Provider: DeepL<br \/>\nLegal Name of provider: DeepL<br \/>\nAddress: DeepL SE, Maarweg 165, 50825 Cologne, Germany<br \/>\nService Description: Translation Services<\/p>\n<p>Provider: Oivan<br \/>\nLegal Name of provider: Oivan Group Oy, Oivan Finland Oy<br \/>\nAddress: Ruoholahdenkatu 8, 00180 Helsinki, Finland<br \/>\nService Description: Server Hosting partner for Middle East Clients<\/p>\n<p><strong>Affiliates<\/strong><\/p>\n<p>Provider: Keto Switzerland<br \/>\nLegal Name of provider: Keto Software AG<br \/>\nAddress: Kolinplatz 5, 6300 Zug, Switzerland<br \/>\nService Description: Support Services<\/p>\n<p>Provider: Keto UK<br \/>\nLegal Name of provider: Keto Software Ltd.<br \/>\nAddress: 385\u2013389 Oxford Street, W1C 2NB London, UK<br \/>\nService Description: Support Services<\/p>\n<h3 id=\"exhibit-c\">16. 
Exhibit C \u2013 Technical &amp; Organisational Measures<\/h3>\n<p><strong>Information Security Program<\/strong><\/p>\n<p>Keto implements an Information Security Management System (ISMS) certified under ISO\/IEC 27001. This system governs all relevant aspects of security in line with industry standards. Measures are evaluated and updated regularly to ensure data protection and operational resilience.<\/p>\n<p><strong>Audits and Certifications<\/strong><\/p>\n<p>Keto maintains ISO 27001 certification and may provide proof of compliance or<br \/>\nrelevant third-party audit summaries upon request, under confidentiality.<\/p>\n<p><strong>Hosting &amp; Infrastructure<\/strong><\/p>\n<p>Keto services are hosted via Google Cloud Platform (GCP) in data centers located<br \/>\nin Hamina (Finland) or London (UK), which are ISO 27001, 27017, 27018 and SOC<br \/>\n1\/2\/3 certified. Hosting infrastructure includes:<\/p>\n<ul>\n<li>Physical access restrictions (biometrics, surveillance, intrusion detection)<\/li>\n<li>Logical separation of customer environments<\/li>\n<li>TLS encryption for network traffic<\/li>\n<li>Data encryption at rest<\/li>\n<\/ul>\n<p><strong>Encryption<\/strong><\/p>\n<ul>\n<li>In Transit: TLS 1.2 or higher for all data transfer.<\/li>\n<li>At Rest: AES 256-bit encryption of customer data within GCP infrastructure.<\/li>\n<\/ul>\n<p><strong>Access Control<\/strong><\/p>\n<ul>\n<li>Role-based access control with the principle of least privilege<\/li>\n<li>MFA (multi-factor authentication) for privileged access<\/li>\n<li>Centralized identity and authorization management<\/li>\n<li>Logging and monitoring of access attempts<\/li>\n<\/ul>\n<p><strong>Data Separation<\/strong><\/p>\n<ul>\n<li>Logical multi-tenancy: Each customer has a dedicated database and environment<\/li>\n<li>Test and production environments are separated<\/li>\n<li>Access to customer data is restricted to authorized personnel 
only<\/li>\n<\/ul>\n<p><strong>Confidentiality<\/strong><\/p>\n<p>All Keto employees are under confidentiality agreements. Only trained personnel with a need-to-know basis may access Personal Data. Security and data protection training is provided regularly.<\/p>\n<p><strong>Incident Management &amp; Monitoring<\/strong><\/p>\n<ul>\n<li>Continuous system monitoring<\/li>\n<li>Incident escalation and tracking procedures<\/li>\n<\/ul>\n<p>Critical issues handled with the highest development priority<\/p>\n<ul>\n<li>Breach notifications as per legal obligations (typically within 48 hours)<\/li>\n<\/ul>\n<p><strong>Vulnerability Management &amp; Penetration Testing<\/strong><\/p>\n<ul>\n<li>Regular vulnerability scans<\/li>\n<li>Annual third-party penetration tests<\/li>\n<li>Customers may request vulnerability testing under pre-agreed scope (see DPA terms)<\/li>\n<\/ul>\n<p><strong>Availability &amp; Business Continuity<\/strong><\/p>\n<ul>\n<li>Daily data backups, retained for 30 days<\/li>\n<li>Recovery Time Objective (RTO): 48 hours; Recovery Point Objective (RPO): 24 hours<\/li>\n<li>Annual Business Continuity and Disaster Recovery (BCDR) reviews<\/li>\n<li>High availability through GCP live migration and redundancy<\/li>\n<\/ul>\n<p><strong>Logging &amp; Audit Trails<\/strong><\/p>\n<ul>\n<li>System logs are maintained to track user activity and changes<\/li>\n<li>Logs are retained securely and used for security investigations and audits<\/li>\n<\/ul>\n<p><strong>Data Minimization and Retention<\/strong><\/p>\n<ul>\n<li>Customers control deletion of data via platform functionality<\/li>\n<li>Upon termination, data is deleted within 90 days (active systems); backups purged within 365 days<\/li>\n<li>Retained data is subject to confidentiality and secured storage<\/li>\n<\/ul>\n<p><strong>Organizational Measures<\/strong><\/p>\n<ul>\n<li>Security governance framework with designated responsibilities<\/li>\n<li>Formal onboarding and offboarding 
processes<\/li>\n<li>Security policies reviewed and acknowledged by all employees<\/li>\n<\/ul>\n\t\t\t<\/div>\n\t\t<\/div>\n\t<\/div>\n<\/section>\n\t\t","protected":false},"excerpt":{"rendered":"","protected":false},"author":1,"featured_media":241,"parent":444,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_acf_changed":false,"content-type":"","footnotes":""},"class_list":["post-902","page","type-page","status-publish","has-post-thumbnail","hentry"],"acf":[],"_links":{"self":[{"href":"http:\/\/83.143.220.118\/~keto\/wp-json\/wp\/v2\/pages\/902","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/83.143.220.118\/~keto\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"http:\/\/83.143.220.118\/~keto\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"http:\/\/83.143.220.118\/~keto\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/83.143.220.118\/~keto\/wp-json\/wp\/v2\/comments?post=902"}],"version-history":[{"count":13,"href":"http:\/\/83.143.220.118\/~keto\/wp-json\/wp\/v2\/pages\/902\/revisions"}],"predecessor-version":[{"id":926,"href":"http:\/\/83.143.220.118\/~keto\/wp-json\/wp\/v2\/pages\/902\/revisions\/926"}],"up":[{"embeddable":true,"href":"http:\/\/83.143.220.118\/~keto\/wp-json\/wp\/v2\/pages\/444"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/83.143.220.118\/~keto\/wp-json\/wp\/v2\/media\/241"}],"wp:attachment":[{"href":"http:\/\/83.143.220.118\/~keto\/wp-json\/wp\/v2\/media?parent=902"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}