Last updated on: Jan 28th, 2026
DATA PROCESSING ADDENDUM
This Data Processing Addendum (“DPA”) is entered into as of the date (the “Effective Date”) set forth in the applicable Subscription Order Form (SOF) executed between Keka (“Processor / Data Processor”), and the Subscriber identified in the SOF, bearing the GSTIN/CIN/PAN and principal place of business as specified therein (“Subscriber / Data Controller”).
Keka and Subscriber are each a “Party” and together are “Parties” to this DPA.
NOW, THEREFORE, in consideration of the mutual covenants and agreements contained herein, and intending to be legally bound, the Parties agree as follows:
1. Scope and Purpose
a. This Addendum supplements and forms an integral part of the Agreement and sets out the terms governing the Processing of Personal Data by the Data Processor on behalf of the Data Controller, in accordance with Applicable Law (as defined below), and constitutes the valid contract required for such engagement.
b. Where the Subscriber entity executing this DPA is a party to the Master Subscription Agreement (“MSA”) and/or has executed a Subscription Order Form (“SOF”) with Processor, this DPA shall operate as an addendum to, and form an integral part of, the MSA and/or such SOF (as applicable), including any applicable renewals.
c. Where the Subscriber entity executing this DPA does not have a direct executed MSA or SOF with Processor, including where the Subscriber receives the Services indirectly through an authorised reseller, distributor, or partner, this DPA shall be null and void and shall not be valid or legally binding.
d. The Subscriber may upload Special Category Data and/or Sensitive Personal Data; the Processor Processes such data only incidentally and implements safeguards appropriate to its sensitivity.
e. Processor does not sell or share Personal Data and does not Process it for cross-context behavioural advertising under the CCPA/CPRA.
f. Processor retains no independent rights in or to the Personal Data beyond what is necessary to provide the Services. Processor may retain limited metadata for operational, security, troubleshooting, and audit purposes, including to trace system events and notifications, provided such metadata is not used to identify or profile individuals beyond what is required for the foregoing purposes.
g. Nothing in this DPA assigns to the Data Processor any role or obligation reserved exclusively for the Data Controller under the Act.
h. In the event of any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of such conflict solely with respect to the Processing of Personal Data.
2. Definitions
a. “Agreement” means the Master Subscription Agreement, including all schedules, exhibits, the SOF to which this Agreement is appended, and addenda, as amended from time to time.
b. “Applicable Law” means all data protection and privacy laws, rules, notifications, or amendments issued from time to time that apply directly to the Processor in its role, including but not limited to the General Data Protection Regulation (GDPR) EU Regulation 2016/679, the Digital Personal Data Protection Act, 2023 (DPDP Act), and the California Consumer Privacy Act (CCPA/CPRA), as referenced in this DPA. For clarity, the Processor is required to comply only with the GDPR, the DPDP Act, the CCPA/CPRA, and any other applicable data protection laws solely to the extent such laws expressly apply to the Processor itself. Where the Controller or its employees are subject to additional national, foreign or jurisdiction-specific data protection laws (including the LGPD, PIPEDA, UK GDPR, or similar), such obligations apply solely to the Controller and shall not transfer to, or bind, the Processor, except to the extent such laws independently impose obligations directly on the Processor.
c. “CCPA/CPRA Service Provider” means the role assigned to the Processor under the California Consumer Privacy Act. A Service Provider Processes Personal Information solely to provide the contracted services, without selling, sharing, or retaining such data for any purpose outside the Agreement.
d. “Controller” / “Data Controller” means the natural or legal person which determines the purposes and means of the Processing of Personal Data.
e. “Cross-Border Transfer Mechanisms” means legally recognized tools enabling international transfers of Personal Data, such as Standard Contractual Clauses (SCCs) under the GDPR or permitted transfer conditions under the DPDP Act.
f. “Data Subject” means an identified or identifiable natural person to whom Personal Data relates.
g. “DPIA” / “Data Protection Impact Assessment” means an assessment required under GDPR Article 35 (or equivalent provisions in applicable privacy laws) to evaluate risks associated with Processing activities likely to result in high risk to Data Subjects.
h. “Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”) as per the modules subscribed and configured for rendering the Services, including but not limited to name, identification details, contact information, job title, employment, HR, attendance and time tracking data or payroll information, online identifiers such as IP address, cookie identifiers, or device information, and any data uploaded or provided by the Controller. For clarity, under the CCPA/CPRA, “Personal Information” shall have the meaning given under the California Consumer Privacy Act and includes similar categories of information.
i. “Personal Data Breach” means a breach of security leading to unauthorised or unlawful Processing or accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
j. “Processing” / “Process” means any operation or set of operations performed on Personal Data, whether by automated means or not, including collection, recording, organization, structuring, storage, retrieval, use, disclosure or transmission, dissemination, alignment or combination, restriction, erasure or destruction.
k. “Processor” / “Data Processor” means the natural or legal person that Processes Personal Data on behalf of the Controller.
l. “Special Category Data” / “Sensitive Personal Data” means categories of Personal Data subject to enhanced protection under applicable laws, including government identifiers or other data that the Controller may upload depending on its internal workflows. The Processor Processes such data only incidentally and strictly under Controller instructions.
m. “Sub-Processor” means any third party engaged by the Processor to Process Personal Data on behalf of the Controller in connection with the Services.
n. “Supervisory Authority” means an independent public authority established under GDPR Article 51, or any similar regulatory authority under applicable data protection laws.
Capitalized terms not otherwise defined herein shall have the meanings ascribed to them in the Agreement; and, to the extent not defined therein, in the DPDP Act.
3. Roles of the Parties. The Subscriber acts as the Data Controller and Processor acts strictly as the Data Processor, Processing Personal Data on behalf of the Data Controller.
4. Controller Responsibilities. The Data Controller shall be solely responsible under Applicable Law for: (i) ensuring that all Personal Data provided or made available for Processing is collected and disclosed lawfully; (ii) issuing all required notices and disclosures to Data Subjects describing the Processing (including, where required, disclosures relating to engagement of Processors and Sub-Processors); (iii) obtaining and maintaining all valid consents and authorisations required for the Processing; (iv) promptly notifying the Data Processor of any withdrawal of consent, restriction request, correction request, or grievance raised by a Data Subject to the extent it affects the Processing; (v) ensuring that no Personal Data or other content uploaded or otherwise made available through the Services is excessive or unnecessary for the intended use of the Services, or is unlawful, defamatory, infringing (including intellectual property infringement), or privacy-violative; (vi) taking reasonable steps to ensure the accuracy, completeness, and relevance of Personal Data shared for Processing, having regard to the nature of the Processing and the risk of harm to Data Subjects, and promptly correcting or updating such Personal Data where it becomes aware of any inaccuracy that may materially affect the Processing; (vii) not instructing, permitting, or requiring the Data Processor to Process Personal Data in a manner that would cause a breach of Applicable Law; and (viii) the lawful collection and transfer of any Special Category Data or sensitive identifiers uploaded to or otherwise provided through the Services. The Data Processor may rely on the foregoing and shall have no independent obligation to verify whether the Data Controller has obtained valid consent or issued compliant notices.
5. Processor Responsibilities and Warranties
a. Processor shall: (i) Process Personal Data limited to the modules subscribed by the Data Controller; (ii) accept other instructions solely through the Agreement, platform configurations, or formally ticketed requests; (iii) notify the Controller where instructions appear unlawful or incapable of being performed, and may suspend Processing until clarified; (iv) ensure Sub-Processors are bound by equivalent data protection obligations as set forth in the Agreement; (v) assist the Controller with Data Subject rights, Supervisory Authority inquiries, and DPIAs; (vi) assist the Controller in responding to Personal Data Breaches; (vii) maintain records of Processing activities required by GDPR Article 30; and (viii) provide evidence of compliance, including ISO 27001:2022 and SOC 2 Type II reports.
b. Processor warrants that it shall: (i) comply with Applicable Law; (ii) maintain appropriate technical and organizational measures aligned with ISO 27001:2022 and SOC 2 Type II, or equivalent industry standards applicable to the nature of the Processing; (iii) ensure all personnel with access to Personal Data are bound by equivalent confidentiality obligations as set forth in the Agreement; (iv) not collect, retain, use, or disclose data beyond what is necessary to provide the Services; (v) not Process Personal Data for profiling or analytics beyond what is essential to deliver the Services unless expressly set forth in the Agreement or authorised in writing by the Controller; and (vi) implement and maintain at all times the Security Safeguards set out in Annexure A.
6. Storage Location. The Processor stores and Processes Personal Data in the data centre region(s) selected for the Controller’s tenant, which may include Central India, North Europe, Central US, Southeast Asia, and the UAE (and as applicable, other locations outside the European Union). Where Personal Data is stored or accessed from a location outside the Controller’s tenant location (including outside the European Union), such transfers shall be carried out in accordance with applicable Cross-Border Transfer Mechanisms and this DPA.
7. Cross-Border Transfer. Where Personal Data is transferred, accessed, or otherwise Processed outside the country or region of the Subscriber’s primary operations, the Processor shall ensure that such cross-border Processing is carried out in accordance with applicable data protection laws and only using lawful Cross-Border Transfer Mechanisms, as applicable, including the following: (i) Permitted Transfer Destinations. Processing or transfer of Personal Data only to countries, regions, or entities that are not restricted or prohibited under applicable data protection laws or by competent governmental or regulatory authorities. (ii) Processor and Service Provider Limitations. Restriction of recipients of Personal Data to entities acting solely as processors or service providers, subject to contractual obligations that limit Processing to the provision of the Services and prohibit independent use, sale, sharing, or retention of Personal Data. (iii) Technical and Organisational Measures. Application of appropriate technical and organisational safeguards, including encryption in transit, access controls, monitoring, and data minimisation measures, to protect Personal Data during cross-border Processing. (iv) Organisational Controls and Access Governance. Enforcement of internal policies, procedures, and access controls to ensure that cross-border Processing is limited to authorised personnel on a need-to-know basis and carried out in accordance with documented instructions. (v) Ongoing Assessment and Adaptation. Periodic review of cross-border Processing arrangements to account for changes in applicable laws, regulatory guidance, or governmental restrictions, and adoption of alternative mechanisms where reasonably necessary to maintain lawful Processing. (vi) Restriction on Prohibited Transfers. The Processor shall not knowingly effect any cross-border transfer of Personal Data where such transfer is prohibited under applicable law or by a competent authority.
8. Personal Data Incident Management. The Data Processor shall notify the Data Controller without undue delay, and in any event within 72 hours, upon becoming aware of a Personal Data Breach. Such notification shall include, to the extent reasonably available: (i) the nature of the breach; (ii) the categories and approximate volume of affected Data Subjects; (iii) the likely consequences; and (iv) the steps taken or proposed to mitigate impact. Incidents caused by the acts or omissions of Subscribers or Data Subjects are excluded from the Processor’s responsibility under this clause. The Processor shall maintain industry-standard incident detection and response procedures.
9. Sub-Processors
a. The Data Processor may engage Sub-Processors for hosting, storage, and related infrastructure to render its Services provided that the Processor remains responsible for the performance of such Sub-Processors in accordance with this DPA.
b. The Data Controller acknowledges and agrees that this DPA serves as general written authorisation to engage Sub-Processors. The Processor shall maintain an up-to-date list of its Sub-Processors, which shall be available on its website or a designated public link. The Data Processor shall provide notice of any material changes to this list, limited to additions, via email or in-product notification. Where reasonable, the Processor will provide such notice of any intended addition in advance; however, the Processor may engage or replace Sub-Processors without prior notice when necessary to maintain service continuity, performance, security, or availability.
c. The Data Processor shall ensure that all Sub-Processors are bound by contractual obligations no less protective than those set out in this Addendum, including confidentiality, security and other essential obligations.
d. The list of authorised Sub-Processors is available on Keka’s website which the Processor shall update in accordance with clause 9(b).
10. Objection Right. Where the Processing is subject to the GDPR, the Controller may raise a written objection, with documented evidence, within seven (7) days of receipt of notice, solely where the engagement (i) would cause the Controller to violate applicable data protection law, or (ii) presents a demonstrable and material security risk to Personal Data. Upon receipt of a valid objection, the Processor shall act in good faith to address the concern, including by providing additional information and/or implementing supplementary safeguards. Where the Processor cannot reasonably address the objection, the Controller may terminate only the affected Processing and/or the affected portion(s) of the Services (including, where applicable, discontinuation of the relevant module or add-on) that require use of the objected Sub-Processor. Notwithstanding the foregoing, the Processor may proceed with the engagement where: (i) the objection is outside the permitted grounds above or is not supported by documented evidence provided within the notice period; and (ii) the Processor has determined, acting reasonably, that the engagement is compliant with the grounds set out above.
11. Retention, Return, And Erasure
a. Retention. The Processor shall retain Personal Data only for so long as necessary to provide the Services to the Controller and as required to comply with applicable law or to resolve disputes and enforce its agreements. The Processor may retain audit, statutory, and compliance records for the period required under applicable law. The Controller acknowledges that certain Personal Data may be processed and retained on authorised Sub-Processor systems in accordance with their retention policies.
b. Backups. The Processor maintains encrypted and logically segregated backups for business continuity and system integrity. Backup files are retained for not less than ninety (90) days and are not accessible for standard production operations, except for disaster recovery, security incident response, or maintaining system integrity.
c. Return / Retrieval of Data. The Parties agree that the Processor’s obligation to return Personal Data is satisfied through the “Retrieval of Subscriber Data” mechanism set out in the Agreement. Upon termination or expiry of the Services, the Processor shall provide the Controller limited access to the Platform for up to thirty (30) days, at no additional cost, solely to enable retrieval of Subscriber Data. The Processor shall provide reasonable guidance on the retrieval process. The Controller shall notify the Processor once retrieval is complete.
d. Automated Deletion Process. Following the expiry of the thirty (30) day retrieval period, the Processor shall start the automated deletion process, and Subscriber Data shall be deleted from its systems and rendered inaccessible, subject to Clause (b) (Backups) and Clause (a) (legal and audit retention). The Controller may request earlier deletion of Subscriber Data and backups by written notice; the Processor shall use commercially reasonable efforts to comply, subject to applicable legal, security, and technical constraints. Deletion occurs through an automated, irreversible deletion cycle that permanently deletes data and backup-stored data in accordance with the Processor’s standard retention schedule. During this period, backup copies remain encrypted and inaccessible for standard operations.
e. De-identified Data. The Controller acknowledges that the Processor may collect and retain de-identified, anonymised and/or aggregated metadata and statistical usage data that does not identify any individual (and is not reasonably capable of being re-identified). Such data is not subject to return or deletion under this DPA and may be retained only for so long as necessary for legitimate legal, business purposes, including product improvement, analytics, security, and operational planning.
f. Controller-Held Data. Where Personal Data is retained by the Controller (or its systems) after termination, the Processor will have no access or ability to update, delete, or return such data. For the avoidance of doubt, to the extent any Personal Data of Data Subjects is retained by the Controller within the Processor’s systems, the Data Subject’s rights of retention, return, erasure, access or rectification in respect of such data are exercisable against and directly with the Controller. With this DPA, the Data Subjects hereby waive, to the fullest extent under applicable law, any and all rights to raise any claim against the Data Processor in relation to the Personal Data, including any right to access, view, or control such Personal Data, and any right to file any complaint, action, or proceeding against the Data Processor in respect thereof. Nothing in this DPA limits or waives any rights of Data Subjects under applicable law against the Data Controller.
g. Confirmation of Deletion. Upon written request by the Controller, the Processor shall provide written confirmation (which may be provided electronically) of the deletion of Subscriber Data in accordance with this DPA and applicable law.
12. Audit And Assessment Rights
a. Standard Assurance Materials. To support the Controller’s legal and Supervisory Authority requirements, Processor shall, on request and not more than once in twelve (12) months, provide the Data Controller with the most recent independent third-party assurance reports and/or certifications (including SOC 2 Type II and ISO 27001 reports/certificates), together with reasonable supporting security documentation.
b. Trust Vault Access. The Processor shall provide the Controller access to the Processor’s Trust Vault (or equivalent trust/security portal) for review of applicable security documentation, policies, and relevant attestations made available by the Processor from time to time.
c. Security Questionnaire. Where the materials provided under Clause (a) do not reasonably address a specific discrepancy or legal requirement, the Controller may submit a reasonable written security questionnaire limited to the Services and the Controller’s use case. The Data Processor shall respond within a reasonable timeframe and may provide clarifications, supplemental documentation, or written attestations as appropriate.
d. Audit Right. Where the Controller has a demonstrable legal right under Applicable Law to audit the Processor in its capacity as a Data Processor, and where the assurance materials and clarifications provided by the Processor are insufficient to meet such legal requirement, the Controller may request an audit. To the extent any such non-waivable legal requirement applies, the Parties shall agree on a reasonable alternative method to satisfy such requirement through the assurance materials, Trust Vault access, and/or written confirmations, and any disclosure shall be subject to strict confidentiality obligations and necessary access limitations to protect other customers’ data and the Processor’s proprietary systems.
e. Scope and Access Limitations. All materials provided under this clause (including assurance reports, Trust Vault contents, responses to questionnaires, and any written confirmations) shall be treated as Confidential and shall not be disclosed or published to any third party or on any forum (public or private). The Processor may limit access, redact materials, and impose reasonable measures to protect (i) other customers’ data, (ii) Processor’s proprietary systems, architecture, and security measures, and (iii) information unrelated to the Services.
f. Data Protection Impact Assessments. The Data Processor shall assist the Controller with information reasonably required to perform Data Protection Impact Assessments as required.
13. Miscellaneous. This Addendum shall remain in effect for the term of the Agreement and shall not be terminated independently of the Agreement. The provisions of the Agreement relating to Limitation of Liability, Indemnification, Governing Law, Arbitration, and any other provisions necessary to give effect to this Addendum shall apply mutatis mutandis to this Addendum and are incorporated herein by reference.
Annexure A – Security Safeguards
This Annexure describes the Technical and Organizational Measures (TOMs) implemented by the Processor to protect Personal Data throughout its lifecycle. The Processor may modify the Security Safeguards at its discretion, provided that the Processor maintains a security program consistent with industry-standard practices, including to address evolving threats, newly identified vulnerabilities, and changes to the Processor’s services or infrastructure.
The following represent such safeguards:
1. Certification. The Data Processor is certified for ISO 27001:2022 and has been assessed as compliant with the controls stipulated in SOC 2 Type II. The Processor maintains an Information Security Management System (ISMS) and controls aligned with such certification requirements.
2. Access Control. Preventing Unauthorized Product Access
a. Outsourced Processing. The Data Processor hosts its Service on Azure Cloud and other outsourced cloud infrastructure providers. The Processor maintains contractual relationships with, and relies on the privacy policies and compliance programs of, such providers to protect data processed or stored by sub-processors in accordance with this DPA.
b. Physical and Environmental Security. The Data Processor hosts its product infrastructure with a multi-tenant, outsourced infrastructure sub-processor. Controls at these facilities are audited for SOC 1, SOC 2 Type II and ISO 27001 compliance, among other certifications.
c. Authentication. The Processor implements a unified password policy for its Platform. Controller users who interact with the Platform via the user interface must authenticate before accessing their Subscriber Data. The Data Processor supports integration with various single sign-on tools and other authentication mechanisms.
d. Authorization. Subscriber Data is stored in multi-tenant storage systems accessible to Authorised Users via application user interfaces and application programming interfaces. The Controller is not allowed direct access to the underlying application infrastructure. The authorization model in each of the Processor’s products is designed to ensure that only the Authorised User can access relevant features, views, and customization options. Authorization to data sets is performed by validating the user’s permissions against role-based access policies defined by the Controller.
e. Application Programming Interface (API) access. Public product APIs may be accessed using an API key or through approved authorization. The Controller may generate API credentials, including a Client ID and Client Secret, which are used to generate an API key for the purpose of obtaining bearer tokens with defined scopes to access the Processor’s APIs. The Controller shall maintain the confidentiality of all such credentials, API keys, and tokens and shall use them solely for authorized API access. The Controller is responsible for securely storing, protecting, rotating, and revoking API credentials, API keys, and bearer tokens as necessary and shall not disclose or expose them in any unsecured environment. The Processor may suspend or revoke API credentials, API keys, or bearer tokens in the event of misuse, suspected compromise, or material security risk, and shall notify the Controller without undue delay. Where practicable, such action shall be coordinated with the Controller.
3. Preventing Unauthorized Product Use. Processor implements standard access controls and detection capabilities for the internal networks that support its products.
a. Access controls. Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure. The control measures are implemented by security group assignment, and traditional firewall rules.
b. Intrusion detection and prevention. The Data Processor implements firewalls designed to identify and prevent attacks against publicly available network services. Regular vulnerability assessment and penetration testing (VA/PT) is carried out to proactively identify threats and remediate them as required.
c. Static code analysis. Security reviews of code stored in the Processor’s source code repositories are performed, checking for coding best practices and identifiable software flaws.
4. Limitations of Privilege & Authorization Requirements
a. Product access. An authorized group of the Processor’s employees has access to the Platform and to Subscriber Data via controlled interfaces. The intent of providing access to an authorized employee is to provide effective support, to troubleshoot potential problems, to detect and respond to security incidents, and to implement data security. All access is granted through a Service request process. Employees are granted access by role and responsibility. Employee roles are reviewed at least once every six months as part of the Internal Security Audit.
b. Background checks. All Data Processor’s employees undergo a third-party background check prior to being extended an employment offer, in accordance with the applicable laws. All employees are required to conduct themselves in a manner consistent with company guidelines, non-disclosure requirements, and ethical standards.
5. Data Transfer Controls.
a. In-transit. The Processor makes HTTPS encryption (also referred to as SSL or TLS) available on every one of its login interfaces.
b. At-rest. The Data Processor shall implement technologies to ensure that stored data is encrypted at rest.
6. Data Input.
a. Detection. The Data Processor has designed internal monitoring and management systems to log information about system behaviour, traffic received, system authentication, and other application requests. Internal systems alert the appropriate Platform Support Groups of malicious, unintended, or anomalous activities. The Processor has established support processes and personnel for security and operations to respond to incidents.
b. Response and tracking. The Processor maintains a record of known security incidents that includes description, dates, times, priority and remediation process. Suspected and confirmed security incidents are investigated by security, operations, or support personnel and appropriate resolution steps are identified as well as documented. For any confirmed incidents, Processor is required to take appropriate steps to minimize Product and Controller damage or unauthorized disclosure.
c. Communication. In the event the Processor becomes aware of unlawful access to Subscriber Data stored within its products, the Processor will: (i) notify the affected Controller of the incident; (ii) provide a description of the steps taken to resolve the incident; and (iii) provide status updates to the Controller POC as the Processor deems necessary. Notification(s) of incidents, if any, shall be delivered to one or more of the Controller’s contacts in a form the Processor selects, which may include email through Support.
7. Availability Control.
a. Infrastructure availability. The Data Processor is obligated to provide a minimum of 99.8% uptime for the Platform. The sub-processors maintain a minimum of N+1 redundancy for power, network, and other services in Azure.
b. Fault tolerance. Backup and replication strategies are designed to ensure redundancy and failover protections during a significant processing failure. The Subscriber Data is backed up to multiple durable data stores and replicated across multiple systems. The Data Processor maintains an active-active set-up for disaster recovery to ensure redundancy and seamless failover to support service continuity. The server instances that support the products are also architected with a goal to prevent single points of failure. This design assists Processor’s operations in maintaining and updating the product applications and backend while limiting downtime.
8. Data Protection Officer. The Data Processor has appointed a Data Protection Officer (DPO) in compliance with the Applicable Law. The appointed person may be reached at DPO@keka.com.