Data Processing Addendum

This Data Processing Addendum (DPA) contains the GDPR clauses to be followed by the parties who have signed the Subscription Services agreement with Keka.

The agreement is BETWEEN THE PARTIES: Customer/Partner (hereinafter referred to as the “Data Controller”) & Keka Technologies Private Limited, having CIN U72500TG2014PTC094953, with a place of business at 12th Floor, Survey no. 17, Vasavi Shalom Sky City, Gachibowli, K.V.Rangareddy, Seri Lingampally, Telangana, India, 500032 (“Keka” or “Company”) (hereinafter referred to as the “Data Processor”).

In consideration of the mutual obligations set out in this GDPR Addendum, the parties agree as follows:

This agreement details the roles of both parties as set forth in GDPR Regulation (EU) 2016/679 under Articles 28, 32, and 82.

1. Definitions:

1.1 Personal Data: Personal Data means any information relating to an identified or identifiable natural person ('Data Subject'). The following data, often used for the express purpose of distinguishing individual identity, can be classified as Personal Data:

a) Name

b) Identification Number

c) Location data

d) An online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a Natural Person

e) IP Address

f) Cookie Identifiers

g) Radio Frequency ID (RF ID) tags

1.2 Natural Person/Data Subject: An identifiable Natural Person/Data Subject is one who can be identified, directly or indirectly, by reference to his/her Personal Data.

1.3 Processing: Processing means any operation or set of operations which is performed on Personal Data or on sets of Personal Data by automated means, such as:

a) Collection

b) Recording

c) Organisation

d) Structuring

e) Storage

f) Adaptation or alteration

g) Retrieval/Downloading data

h) Consultation

i) Use

j) Disclosure by transmission

k) Dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction

1.4 Data Controller: Data Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

1.5 Data Processor: Data Processor means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Data Controller.

1.6 Data Sub-Processor: Data Sub-Processor means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Data Processor.

1.7 GDPR: The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of Personal Data of individuals within the European Union (EU).

1.8 Profiling: Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

1.9 Personal Data Breach: Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

1.10 Consent: Consent of the Data Subject means any freely given, specific, informed and unambiguous indication of the Data Subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to the Data Subject.

1.11 Data Protection Impact Assessment (DPIA): This activity is carried out to enhance compliance with GDPR where processing operations are likely to result in a high risk to the rights and freedoms of Data Subjects.

1.12 Security Breach: means (i) any actual or reasonably suspected unauthorized use of, loss of, access to or disclosure of, Subscriber Data; provided that an incidental disclosure of Subscriber Data to an Authorized Party or Keka, or incidental access to Subscriber Data by an Authorized Party or Keka, where no reasonable suspicion exists that such disclosure or access involves theft, or is fraudulent, criminal or malicious in nature, shall not be considered a “Security Breach” for purposes of this definition, unless such incidental disclosure or incidental access triggers a notification obligation under any applicable Law; and (ii) any security breach (or substantially similar term) as defined by applicable Law.

1.13 Supervisory Authority: Supervisory authority means an independent public authority which is established by an EU member state. Supervisory Authority Concerned means a Supervisory Authority which is concerned by the processing of personal data because:

a) The Data Controller or processor is established on the territory of the Member State of that supervisory authority;

b) Data Subjects residing in the Member State of that Supervisory Authority are substantially affected or likely to be substantially affected by the processing; or

c) A complaint has been lodged with that supervisory authority.

2. Applicability: This DPA applies under the following Clauses:

a) If the Data Controller entity signing this Addendum is a party to the MSA, this DPA is an addendum to and forms part of the MSA. In such case, the entity that is party to the Agreement is party to this DPA.

b) If the Data Controller entity signing this DPA has executed an Order Form with Keka or its Affiliate pursuant to the Agreement, but is not itself a party to the Agreement, this DPA is an addendum to that Order Form and applicable renewal Order Forms, and the Keka entity that is party to such Order Form is party to this DPA.

c) If the Data Controller entity signing this DPA is neither a party to an Order Form nor the Agreement, this DPA is not valid and is not legally binding. Such entity should request that the Data Controller entity who is a party to the Agreement executes this DPA.

d) If the Data Controller entity signing the DPA is not a party to an Order Form or a Master Subscription Agreement directly with Keka, but is instead a Data Controller indirectly via an authorized reseller of Keka services, this DPA is not valid and is not legally binding. Such entity should contact the authorized reseller to discuss whether any amendment to its agreement with that reseller may be required. This DPA shall not replace any comparable or additional rights relating to Processing of Data Controller Data contained in the Data Controller’s Agreement (including any existing data processing addendum to the Agreement).

e) The Data Controller and Keka each warrant that they are and will continue to adhere to GDPR and shall perform their obligations under this GDPR Addendum in accordance with the provisions of the GDPR from time to time in force.

f) The parties acknowledge that, for the purposes of GDPR, the Data Controller/Partner is the Data Controller for the Personal Data (Personal Data of the Data Controller’s Employees or of the Data Controller’s Data Controller or Contractor, as applicable) and that the performance of the services will require the processing of Personal Data by Keka for the Data Controller.

3. Scope: The parties acknowledge that for the purposes of GDPR:

a) Keka shall process the personal data provided by the Data Controller, limited to Name, Phone, E-Mail and Job Title, for escalation and communication purposes, i.e. to send notifications/alerts during business operations to the Data Subjects whose personal data is shared by the Data Controller.

b) Keka implements controls to obtain Consent from Users of the platform without disrupting the Data Controller’s Operations. The Data Controller is responsible for ensuring that the respective Data Controllers and users accept the user consent.

c) Keka may use various software tools/Cloud Services for storing such Personal Data in their repositories.

d) Keka may use or store the Personal Data for retracting any reference to the Data Subject, as mentioned in its Privacy Policy, if this is required in future, even after expiry of the agreement, for identifying or tracing any alerts/notifications sent to the Data Subject.

e) The Data Controller/Partner shall be responsible for notifying and obtaining Consent from their Employees/Data Controllers/Contractors on how the Personal Data is processed by Keka and its Data Sub-Processor, without which compliance with GDPR by the Data Controller/Keka/Data Sub-Processor would be difficult.

f) Keka shall bring to the Data Controller’s/Partner’s attention any Personal Data Breach it finds in its own or its Data Sub-Processor’s environment that has impacted any form of Personal Data stored by either or both parties.

g) Keka shall not process Personal Data (Personal Data collected from the Data Controller) other than for the purposes of the processing which are documented in the Agreement.

4. Warranty By Keka: Keka warrants to the Data Controller that:

a) It shall fully comply with the provisions of GDPR in carrying out its obligations under this agreement.

b) It has all provisions for data protection necessary for carrying out its obligations under this agreement and shall maintain such provisions throughout the term.

c) It shall immediately advise the Data Processor (Keka) in writing if it receives or learns of any:

i. Complaint or allegation indicating a violation of Data Privacy Laws regarding Personal Data;

ii. Request from one or more individuals seeking to access, correct, or delete Personal Data;

iii. Inquiry or complaint from one or more individuals relating to the collection, processing, use, or transfer of Personal Data; and

iv. Regulatory request, search warrant, or other legal, regulatory, administrative, or governmental process seeking Personal Data.

5. Representation by Keka:

Keka shall:

a) Adopt and maintain appropriate technical and organizational measures to ensure Personal Data is kept secure throughout the data life cycle, considering the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, and take such precautions as are necessary to ensure the integrity of Personal Data and to prevent any Personal Data Breach.

b) Ensure that the Data Sub-Processors process the Personal Data (Personal Data collected from the Data Controller) as per the instructions provided by Keka, in accordance with the requirements of GDPR.

c) Not collect Personal Data (Personal Data collected from the Data Controller) beyond what is required by Keka for Processing.

d) Maintain a current list of the categories of Sub-processors used by Keka on Keka’s website at https://www.keka.com/privacy-policy. The Data Controller specifically authorizes the engagement as Sub-processors of those entities listed at the URL mentioned herein. The Data Controller generally authorizes the engagement as Sub-processors of any other third parties. In case Keka intends to add a new Sub-processor, Keka shall update the website/send out a communication email ten (10) days prior to authorizing any new Sub-processor to Process Data Controller Content in connection with the provision of the applicable Services. If the Data Controller objects on reasonable grounds related to data protection, the parties shall work together in good faith to resolve the concern. If no resolution is reached, the Data Controller shall have the right to terminate the agreement.

e) Before a Sub-processor first Processes Data Controller Information, ensure that the Sub-processor is capable of providing the level of protection required by this Exhibit.

f) Remain fully liable to the Data Controller in respect of any failure by a Sub-processor to fulfil its data protection obligations.

g) Allow Data Subjects to keep contents of their Personal Data (Personal Data collected from the Data Controller) accurate.

h) On reasonable written notice by the Data Controller, make available to the Data Controller all such information as is necessary to demonstrate Keka’s compliance with GDPR, including where such information is requested as part of an assessment/compliance check.

i) On termination of the Agreement, at the Data Controller’s sole requisition, provide all Personal Data (Personal Data collected from the Data Controller) to the Data Controller and shall provide confirmation of erasure.

j) Keep records of the Processing activities that are carried out on behalf of the Data Controller.

k) Assist the Data Controller in meeting its GDPR obligations to notify Personal Data Breaches to the Supervisory Authority, along with the process and information required to be submitted for the same.

l) Not use the Personal Data (Personal Data collected from the Data Controller) for activities such as analytics and profiling unless required for business operations to provide the subscribed services.

m) Inform the Data Controller if, in Keka’s opinion, a processing instruction infringes applicable legislation or regulation.

n) Where shared Personal Data is transferred outside the Data Processor’s territorial boundaries, ensure, as transferor, that the recipient of such data is under contractual obligations to protect such Personal Data to the same or higher standards as those imposed under this Addendum and the Data Protection Laws.

o) Regularly train individuals having access to Personal Data in data security and data privacy in accordance with accepted industry practice, and ensure that all Personal Data is kept strictly confidential.

6. Audit:

Keka shall engage independent third-party auditors to assess the adequacy of its security and data protection measures. Such audits shall be conducted at least annually in accordance with ISO 27001, SOC 2, and GDPR requirements.

Upon the Data Controller’s written request, and subject to the execution of a mutually agreed Non-Disclosure Agreement (NDA), Keka shall provide the Data Controller with a copy of the SOC 2 Report and compliance documentation, including responses to data protection and security questionnaires, to the extent necessary to verify Keka’s compliance with the General Data Protection Regulation (GDPR) (EU 2016/679), ISO 27001 and SOC 2 Type II.

7. Right to Terminate:

If Keka contravenes the provision mentioned in clause 6 (Audit), the Data Controller shall have the right to terminate this Data Processing Addendum (DPA) and the Master Services Agreement (MSA).

8. Mechanism of Data Transfers:

Where the Processor is located outside the EEA or an adequate country and receives Personal Data: (a) the Processor will act as the data importer, (b) the other party (client/Data Controller) is the data exporter, and (c) the relevant Transfer Mechanism will apply. “Transfer Mechanism” refers to any lawful means of transferring personal data from the European Economic Area (EEA) or any adequate country to a third country in compliance with applicable data protection laws. This may include, but is not limited to, the Contractual Clauses for the transfer of personal data from the EEA or adequate countries to a third country.

9. Data Incident Management:

Keka maintains security incident management policies and procedures and shall notify the Data Controller without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Data Controller Data, including Personal Data, transmitted, stored or otherwise Processed by Keka or its Sub-processors, of which Keka becomes aware (a “Data Controller Data Incident”). Keka shall make reasonable efforts to identify the cause of such Data Controller Data Incident and take those steps that Keka deems necessary and reasonable in order to remediate the cause of such Data Controller Data Incident, to the extent the remediation is within Keka’s reasonable control. The obligations herein shall not apply to incidents that are caused by the Data Controller or the Data Controller’s Users.

The Data Processor shall immediately notify the Data Controller with full details of:

a) Any Personal Data Breach in relation to this Addendum;

b) Any Processing of Personal Data (Personal Data collected from the Data Controller) which is contrary to, or would require it to act in a way contrary to, GDPR;

c) Any request received (including from an individual or the Supervisory Authority) to disclose any Personal Data.

10. Return and Erasure of Data Controller Data:

Keka has made provision for retrieval of Data Controller data from the platform by authorization and shall, to the extent allowed by applicable law, delete the Data Controller’s Data in accordance with the procedures and timeframes specified in the Retention Policies.

11. Data Protection Officer:

Keka has appointed a Data Protection Officer (DPO) in compliance with GDPR Article 37. The DPO may be contacted at DPO@keka.com.

12. General:

12.1 Nothing in this Agreement shall relieve Keka of its own direct responsibilities and liabilities under GDPR.

12.2 The Clauses in this document shall be governed by the law of the Member State of EEA (European Economic Area) in which the data processing is established.

12.3 In assessing the appropriate level of security, Keka shall conduct a DPIA (Data Protection Impact Assessment) on a periodic basis to evaluate the risks that are presented by processing, in particular from a Personal Data Breach.
