Data Processing Agreement

SECTION I

Clause 1
Purpose and scope

• (a) The purpose of these Standard Contractual Clauses (the Clauses) is to ensure compliance with Article 28(3) and (4) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
• (b) The controllers and processors listed in Annex I have agreed to these Clauses in order to ensure compliance with Article 28(3) and (4) of Regulation (EU) 2016/679.
• (c) These Clauses apply to the processing of personal data as specified in Annex II.
• (d) Annexes I to IV are an integral part of the Clauses.
• (e) These Clauses are without prejudice to obligations to which the controller is subject by virtue of Regulation (EU) 2016/679.
• (f) These Clauses do not by themselves ensure compliance with obligations related to international transfers in accordance with Chapter V of Regulation (EU) 2016/679.

Clause 2
Invariability of the Clauses

• (a) The Parties undertake not to modify the Clauses, except for adding information to the Annexes or updating information in them.
• (b) These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.

Clause 3
Interpretation

• (a) Where these Clauses use the terms defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.
• (b) These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.
• (c) These Clauses shall not be interpreted in a way that runs counter to the rights and obligations provided for in Regulation (EU) 2016/679 or in a way that prejudices the fundamental rights or freedoms of the data subjects.

Clause 4
Hierarchy

• In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties existing at the time when these Clauses are agreed or entered into thereafter, these Clauses shall prevail.

Clause 5 - Optional
Docking clause

• (a) Any entity that is not a Party to these Clauses may, with the agreement of all the Parties, accede to these Clauses at any time as a controller or a processor by completing the Annexes and signing Annex I.
• (b) Once the Annexes in (a) are completed and signed, the acceding entity shall be treated as a Party to these Clauses and have the rights and obligations of a controller or a processor, in accordance with its designation in Annex I.
• (c) The acceding entity shall have no rights or obligations resulting from these Clauses from the period prior to becoming a Party.

SECTION II – OBLIGATIONS OF THE PARTIES

Clause 6
Description of processing(s)

• The details of the processing operations, in particular the categories of personal data and the purposes of processing for which the personal data is processed on behalf of the controller, are specified in Annex II.

Clause 7
Obligations of the Parties

7.1. Instructions

• (a) The processor shall process personal data only on documented instructions from the controller, unless required to do so by Union or Member State law to which the processor is subject. In this case, the processor shall inform the controller of that legal requirement before processing, unless the law prohibits this on important grounds of public interest. Subsequent instructions may also be given by the controller throughout the duration of the processing of personal data. These instructions shall always be documented.
• (b) The processor shall immediately inform the controller if, in the processor’s opinion, instructions given by the controller infringe Regulation (EU) 2016/679 or the applicable Union or Member State data protection provisions.

7.2. Instructions

• The processor shall process the personal data only for the specific purpose(s) of the processing, as set out in Annex II, unless it receives further instructions from the controller.

7.3. Duration of the processing of personal data

• Processing by the processor shall only take place for the duration specified in Annex II.

7.4. Security of processing

• (a) The processor shall at least implement the technical and organizational measures specified in Annex III to ensure the security of the personal data. This includes protecting the data against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to the data (personal data breach). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purposes of processing and the risks involved for the data subjects.
• (b) The processor shall grant access to the personal data undergoing processing to members of its personnel only to the extent strictly necessary for implementing, managing and monitoring of the contract. The processor shall ensure that persons authorized to process the personal data received have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

7.5. Sensitive data

• If the processing involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (“sensitive data”), the processor shall apply specific restrictions and/or additional safeguards.

7.6 Documentation and compliance

• (a) The Parties shall be able to demonstrate compliance with these Clauses.
• (b) The processor shall deal promptly and adequately with inquiries from the controller about the processing of data in accordance with these Clauses.
• (c) The processor shall make available to the controller all information necessary to demonstrate compliance with the obligations that are set out in these Clauses and stem directly from Regulation (EU) 2016/679. At the controller’s request, the processor shall also permit and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or an audit, the controller may take into account relevant certifications held by the processor.
• (d) The controller may choose to conduct the audit by itself or mandate an independent auditor. Audits may also include inspections at the premises or physical facilities of the processor and shall, where appropriate, be carried out with reasonable notice.
• (e) The Parties shall make the information referred to in this Clause, including the results of any audits, available to the competent supervisory authority/ies on request.

7.7. Use of sub-processors

• (a) The processor has the controller’s general authorisation for the engagement of sub-processors from an agreed list. The processor shall specifically inform in writing the controller of any intended changes of that list through the addition or replacement of sub-processors at least 30 days in advance, thereby giving the controller sufficient time to be able to object to such changes prior to the engagement of the concerned sub-processor(s). The processor shall provide the controller with the information necessary to enable the controller to exercise the right to object.
• (b) Where the processor engages a sub-processor for carrying out specific processing activities (on behalf of the controller), it shall do so by way of a contract which imposes on the sub-processor, in substance, the same data protection obligations as the ones imposed on the data processor in accordance with these Clauses. The processor shall ensure that the sub-processor complies with the obligations to which the processor is subject pursuant to these Clauses and to Regulation (EU) 2016/679.
• (c) At the controller’s request, the processor shall provide a copy of such a sub-processor agreement and any subsequent amendments to the controller. To the extent necessary to protect business secret or other confidential information, including personal data, the processor may redact the text of the agreement prior to sharing the copy.
• (d) The processor shall remain fully responsible to the controller for the performance of the sub-processor’s obligations in accordance with its contract with the processor. The processor shall notify the controller of any failure by the sub-processor to fulfill its contractual obligations.
• (e) The processor shall agree a third party beneficiary clause with the sub-processor whereby - in the event the processor has factually disappeared, ceased to exist in law or has become insolvent - the controller shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.

7.8. International transfers

• (a) Any transfer of data to a third country or an international organization by the processor shall be done only on the basis of documented instructions from the controller or in order to fulfill a specific requirement under Union or Member State law to which the processor is subject and shall take place in compliance with Chapter V of Regulation (EU) 2016/679.
• (b) The controller agrees that where the processor engages a sub-processor in accordance with Clause 7.7. for carrying out specific processing activities (on behalf of the controller) and those processing activities involve a transfer of personal data within the meaning of Chapter V of Regulation (EU) 2016/679, the processor and the sub-processor can ensure compliance with Chapter V of Regulation (EU) 2016/679 by using standard contractual clauses adopted by the Commission in accordance with of Article 46(2) of Regulation (EU) 2016/679, provided the conditions for the use of those standard contractual clauses are met.
• (c) For transfer of personal data from the EEA to other countries with a non-adequate data protection level, the parties agree that the terms of the Standard Contractual Clauses (SCCs), as set out in the European Commission's Decision 2021/914 of 4 June 2021, are hereby incorporated by reference, and shall apply as follow:
  1. Module 2 (Controller to Processor) of the SCCs - shall apply when the Customer is the Controller and Keelvar is the Processor;
  2. Clause 7 - Docking Clause shall apply;
  3. Clause 9 - Option 2 (General Written Authorization) shall apply, and the time period to be set is described under clause 7.7 (a) of this DPA;
  4. Clause 11 - optional text shall not apply;
  5. Clause 17 - Option 1 shall apply, and the EU SCCs will be governed by Irish law;
  6. Clause 18(b) - disputes shall be resolved before the courts of Ireland;
  7. Annex I of the EU SCCs - shall be deemed completed with the information set out in Annex I of this DPA;
  8. Annex II of the EU SCCs - shall be deemed completed with the information set out in Annex II of this DPA;
  9.Annex III of the EU SCCs - shall be deemed completed with the information set out in Annex IV of this DPA. Any sub-processor name and contact can be provided by Keelvar upon request;
• (d) For transfer of personal data from the UK to other countries with a non-adequate data protection level, the parties agree that the terms of the UK Addendum, Version B1.0, in force 21 March 2022, are hereby incorporated by reference into this DPA and should be completed per below:
  1. Table 1: Start date - shall be deemed completed per the effective date of this Agreement;
  2. Table 1: Parties’ details - shall be deemed completed per Annex II of this DPA;
  3. Addendum EU SCCs - shall be deemed completed per clause 7.8(c) of this DPA;
  4. Table 3: Appendix Information (Annex 1A) - shall be deemed completed per Annex I of this DPA;
  5. Table 3: Appendix Information (Annex 1B) - shall be deemed completed per Annex II of this DPA;
  6. Table 3: Appendix Information (Annex II) - shall be deemed completed per Annex III of this DPA;
  7. Table 3: Appendix Information (Annex III) (Module 2) - shall be deemed completed per Annex IV (List of Sub-processors) of this DPA;
  8. Table 4: Ending this Addendum when the Approved Addendum Changes - Importer and Exporter options shall be deemed selected.
  
• (e) For transfer of personal data from Switzerland to other countries with a non-adequate data protection level, the parties agree that the terms of the Swiss Federal Data Protection Act are hereby incorporated by reference into this DPA and should be completed per below:
  1. References to Regulation (EU) 2016/679 shall be interpreted as references to the Swiss Federal Data Protection Act. References to articles under the same Regulation shall be replaced with the equivalent one under the Swiss Federal Data Protection Act;
  2. References to EU, Union, and Member State shall be replaced with Swiss Law and/or Switzerland;
  3. Member State shall not be interpreted in a way that would prevent Data Subjects in Switzerland to redress their rights at their place of habitual residence (Switzerland);
  4. References to the competent supervisory authority and competent courts shall be interpreted as references to the Swiss Federal Data Protection Information Commissioner and the applicable Swiss courts;
  5. The SCCs shall be governed by the laws of Switzerland and disputes shall be resolved before the applicable Swiss courts.

Clause 8
Assistance to the controller

• (a) The processor shall promptly notify the controller of any request it has received from the data subject. It shall not respond to the request itself, unless authorized to do so by the controller.
• (b) The processor shall assist the controller in fulfilling its obligations to respond to data subjects’ requests to exercise their rights, taking into account the nature of the processing. In fulfilling its obligations in accordance with (a) and (b), the processor shall comply with the controller’s instructions
• (c) In addition to the processor’s obligation to assist the controller pursuant to Clause 8(b), the processor shall furthermore assist the controller in ensuring compliance with the following obligations, taking into account the nature of the data processing and the information available to the processor:
• (1) the obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (a ‘data protection impact assessment’) where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons;
• (2) the obligation to consult the competent supervisory authority/ies prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk;
• (3) the obligation to ensure that personal data is accurate and up to date, by informing the controller without delay if the processor becomes aware that the personal data it is processing is inaccurate or has become outdated;
• (d) The Parties shall set out in Annex III the appropriate technical and organizational measures by which the processor is required to assist the controller in the application of this Clause as well as the scope and the extent of the assistance required.

Clause 9
Notification of personal data breach

• In the event of a personal data breach, the processor shall cooperate with and assist the controller for the controller to comply with its obligations under Articles 33 and 34 Regulation (EU) 2016/679, where applicable, taking into account the nature of processing and the information available to the processor.

9.1 Data breach concerning data processed by the controller

• In the event of a personal data breach concerning data processed by the controller, the processor shall assist the controller:
• (a) in notifying the personal data breach to the competent supervisory authority/ies, without undue delay after the controller has become aware of it, where relevant/(unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons);
• (b) in obtaining the following information which, pursuant to Article 33(3) Regulation (EU) 2016/679, shall be stated in the controller’s notification, and must at least include:
• (1) the nature of the personal data including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
• (2) the likely consequences of the personal data breach;
• (3) the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
• Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
• (c) in complying, pursuant to Articles 33 and 34 of Regulation (EU) 2016/679, with the obligation to communicate without undue delay the personal data breach to the data subject, when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.

9.2 Data breach concerning data processed by the processor

• In the event of a personal data breach concerning data processed by the processor, the processor shall notify the controller without undue delay after the processor having become aware of the breach. Such notification shall contain, at least:
• (a) a description of the nature of the breach (including, where possible, the categories and approximate number of data subjects and data records concerned);
• (b) the details of a contact point where more information concerning the personal data breach can be obtained;
• (c) its likely consequences and the measures taken or proposed to be taken to address the breach, including to mitigate its possible adverse effects.

Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.

The Parties shall set out in Annex III all other elements to be provided by the processor when assisting the controller in the compliance with the controller’s obligations under Articles 33 and 34 of Regulation (EU) 2016/679.

SECTION III – FINAL PROVISIONS

Clause 10
Non-compliance with the Clauses and termination

• (a) Without prejudice to any provisions of Regulation (EU) 2016/679, in the event that the processor is in breach of its obligations under these Clauses, the controller may instruct the processor to suspend the processing of personal data until the latter complies with these Clauses or the contract is terminated. The processor shall promptly inform the controller in case it is unable to comply with these Clauses, for whatever reason.
• (b) The controller shall be entitled to terminate the contract insofar as it concerns processing of personal data in accordance with these Clauses if:
• (1) the processing of personal data by the processor has been suspended by the controller pursuant to point (a) and if compliance with these Clauses is not restored within a reasonable time and in any event within one month following suspension;
• (2) the processor is in substantial or persistent breach of these Clauses or its obligations under Regulation (EU) 2016/679;
• (3) the processor fails to comply with a binding decision of a competent court or the competent supervisory authority/ies regarding its obligations pursuant to these Clauses or to Regulation (EU) 2016/679.
• (c) The processor shall be entitled to terminate the contract insofar as it concerns processing of personal data under these Clauses where, after having informed the controller that its instructions infringe applicable legal requirements in accordance with Clause 7.1 (b), the controller insists on compliance with the instructions.
• (d) Following termination of the contract, the processor shall, at the choice of the controller, delete all personal data processed on behalf of the controller within 60 days and certify to the controller that it has done so, or, return all the personal data to the controller and delete existing copies unless Union or Member State law requires storage of the personal data. Until the data is deleted or returned, the processor shall continue to ensure compliance with these Clauses.

ANNEX I: LIST OF PARTIES

Controller(s):
Name:
Address:
Contact person’s name:
Contact person’s position:
Contact person’s email:
Signature:
Date:

Processor(s):
Name: Keelvar Systems Ltd.
Address: 2B, 6 Lapps Quay, Cork, Ireland
Contact person’s name: John Paul O’Gorman
Contact person’s position: Chief Information Security Officer
Contact person’s email: privacy@keelvar.com
Signature:
Date:

ANNEX II: DESCRIPTION OF THE PROCESSING

1. Scope of Service

Keelvar SaaS solution offers advanced eSourcing and automation capabilities including RFI, RFQ, and eAuctions between purchasing and bidder organizations, as described in service terms and on the Keelvar Support Portal.

2. Duration

Except as otherwise specified in your service upon termination of services or at your request, Keelvar will delete your data including its back-ups held in our data stores within 60 days or by our sub-processors unless there is a legal obligation imposed on Keelvar preventing it from deleting all or part of the data.

3. Nature and purpose of the processing

Keelvar will process personal data as the Customer's Processor in order to enable the use of the SaaS Services as defined under the Terms & Conditions according to documented instructions (in accordance with the service functionality) of the Customer and/or its users. This essentially covers the processing of the transmitted content as well as the organization of the contents of the user account. When using Keelvar platform, Keelvar will carry out the following processing of personal data on behalf of the Customer:

• • Processing of data in the context of user registration and session management
• • Processing in the context of data analysis for service.
• • Processing user generated content such as messages between bidders and purchasers as well as file uploads
• • Processing user details when matching bidders and purchaser preferences
• • Processing in the context of supporting the customer to resolve service issues
• • Processing customer details to provide product training (optional service for customers)

The further specification of Keelvar SaaS is provided under the Keelvar Support Portal.

4. Type of personal data

In connection with Keelvar SaaS, the following types of personal data are processed by Keelvar as a Processor:

• a) User account information, e.g. name, email, user UUID, optional phone number, IP address, password.
• b) Personal data processed in connection with password reset (e.g., email with reset link, assignment of the new password to the account) as well as trusted device management (e.g., email notifications to prevent misuse of a device for login).
• c) User generated content data that is exchanged between Keelvar SaaS users during the use of this service such as file uploads and message content.
• d) Personal data in connection with the optional user training including Email Address, Name, training logs (how many times a user attempts training, questions responses)
• e) Personal data recording the session and connection interactions such as log files.
• f) Personal data processed within the customer support tools to resolve issues including  name, email, and messages notifying, updating, and reporting on raised tickets.

5. Categories of data subjects

The following categories of data subjects are affected by the data processing:

• a) The Customers (to the extent that the Customer's personal data is processed in accordance with section 4) and, if applicable, the Customer's users.
• b) Third parties whose personal data is passed on by the Customer/the Customer users in a communication connection. 

ANNEX III: TECHNICAL AND ORGANIZATIONAL MEASURES

Keelvar aligns our organizational and technical security and privacy measures in line with best practice, security standard ISO/IEC 27001:2013, privacy management standard ISO/IEC 27701:2019, and the GDPR. This Annex is structured based on the controls in ISO/IEC 27001:2013. Keelvar may update or modify security measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services. Keelvar maintains a security page at https://keelvar.com/securityThese Security Measures are in effect on the DPA Effective Date.

Context of the organization (4)

Keelvar monitors the internal and external factors relevant for appropriate security and privacy management, including understanding the needs of our customers. Keelvar has a defined information security and privacy management system in place, scoped to ensure appropriate security measures for Services. Keelvar is the data processor in the context of the Services.

Leadership (5)

Keelvar’s management is committed to a strong information security and privacy management  system with appropriate resources, objectives, and continual improvement as key components. Keelvar has developed a Policy framework appropriate to the organization with key leadership roles and responsibilities defined in relation to information security, including a dedicated Chief Information Security Officer.

Planning (6) and Operation (8)

Keelvar ensures information security objectives and planning is in line with and responsive to external changes including new threats or regulatory changes. Risk assessments are reviewed at regular intervals based on Keelvar’s Risk Assessment Methodology. Risk treatments are actioned based on risk analysis. Keelvar maintains a Statement Of Applicability in line with ISO/IEC 27001:2013 and ISO/IEC 27701:2019 controls.

Support (7)

Keelvar ensures the information security and privacy systems have appropriate support and resources to fulfill information security objectives and continual improvement. Keelvar employees are hired through a structured recruitment process to ensure competence in their role, and with additional training and awareness support provided during their employment. All employees are trained on Keelvar policies importance of information security and privacy. Keelvar Service status and uptime is accessible at https://status.keelvar.com for communication on Service uptime.

Performance evaluation (9)

Keelvar's Security Steering Group is made up of senior leadership and management. This group meets on a quarterly basis to review the continuing suitability, adequacy, and effectiveness of our information security and privacy management system. Key inputs to these reviews are results from internal audits, security KPIs, penetration test results, and risk assessments. Keelvar has contracted an external security consultancy to perform internal audits on our behalf. External audits are completed yearly as part of our ISO/IEC 27001:2013 certification programme.

Improvement (10)

Keelvar manages nonconformities identified in the implementation or auditing of our security and privacy system. Nonconformities, incident actions, and other findings are logged and corrective actions planned and implemented. Keelvar has committed to continued improvement in line with our information security objectives and planning.

Information Security Policies (A5)

Keelvar has a comprehensive set of information security policies in line with ISO/IEC 27001:2013 and ISO/IEC 27701:2019 requirements. Policies are reviewed on a yearly basis. Policy changes are approved by management and communicated to all employees.

Organization of Information security

(A6)Internal Organization (A6.1)

Keelvar’s Information Security Policy outlines roles and responsibilities for employees and contractors. Keelvar applies segregation of duties to all employees and contractors based on the principle of least privilege. Access is granted to systems and data based on role and responsibility. Systems have a defined information owner who administers the system and implements the joiner, mover, leaver procedures to ensure access has management approval and permission is revoked as soon as no longer required. Keelvar maintains contact with relevant authorities and special interest groups to ensure we remain up to date in the areas of information security and privacy.

Mobile devices and teleworking (A6.2)

Mobile device management software is installed on employee laptops facilitating auditing and compliance in line with mobile computing and teleworking policy. Employee laptops are encrypted, have controls in place against malware, and are patched to a secure OS version.

Human Resource Security (A7)

Keelvar employs a multistage interview process to ensure a candidate's competence for the role and fit to Keelvar ethics and culture. Background checks such as references, identity, and academic records are verified in line with jurisdiction. Employee contracts have clauses for confidentiality, protection of intellectual property, and disciplinary procedure.

Keelvar uses a security awareness and training platform to streamline employee security training both for new hires and existing employees. Policy training, data protection/privacy, security best practices along with department or role specific training is included. Regular employee phishing tests are performed and results reported on.

Asset Management (A8)

Keelvar maintains an asset register tracking physical and information assets from acquisition through to asset destruction and disposal. Assets are assigned an owner, classified, and acceptable usage and handling documented.

Access Control (A9)

Keelvar operates an access control policy with the principle of least privilege where access to data and systems is granted to employees whose role and responsibility requires access. Keelvar implements joiner/mover/leaver procedures in conjunction with security audits to ensure access is approved. Access is removed as soon as it is no longer required. Keelvar uses SSO including multi-factor authentication on systems and mandates the use of strong and unique passwords per service. Access to production data is restricted to approved employees whose role and responsibilities require it.

Cryptography (A10)

All data in transit and at rest is encrypted in our infrastructure. Traffic from the public internet is encrypted using TLS 1.2 and decrypted at our load balancer before being re-encrypted for communication to application servers. Application server and database volumes are encrypted with AES-256, with keys stored in FIPS 140-2 compliant hardware security modules. Communication between application servers and databases is encrypted with a certificate signed by AWS CA.

Physical and Environment Security (A11)

Keelvar uses Amazon AWS IaaS for hosting of the Service based on a shared responsibility model. AWS has responsibility for “Security of the Cloud” involving protecting the infrastructure that runs all of the services offered in the AWS Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services. AWS has comprehensive security certifications including ISO/IEC 27001:2013. Further details are provided here: https://aws.amazon.com/compliance/programs/

Operations Security (A12)
Operational procedures and responsibilities (A12.1)

Keelvar works on a quarterly cadence of goal setting allowing for structured planning and change management. Keelvar has a change management system where policies and procedures ensure stringent analysis, design, implementation, review, test, and release phases. Product, Development, QA, and DevOps teams collaborate in the change management process. Code changes undergo full review and quality assurance via automated and manual testing before being approved for release. Hotfix releases follow the same process but are actioned and deployed outside of the standard release cycle where a serious issue has been identified. Keelvar maintains a separation of development, test, and production environments within our AWS infrastructure.

Protection from malware (A12.2)

The Service scans all uploaded files with antivirus software and will quarantine any detected malicious files. The Service uses Amazon GuardDuty for threat detection and notification within our infrastructure. Suspicious behavior is automatically alerted to our DevOps team for investigation. Employee laptops have controls against malware in place.

Backup (A12.3)

Machine images, databases, and files are securely backed up in Amazon AWS. The underlying backup storage is via the high availability S3 data storage service. Point in time recovery is enabled on the database with 30 days of database daily backups maintained. A nightly snapshot is synchronized to a separate AWS data center for failover purposes.

Logging and Monitoring (A12.4)

Keelvar has detailed logging, monitoring, and alerting for our application health and infrastructure. Our application API exposes a health check endpoint that is called frequently to monitor application health and uptime. AWS Cloudwatch monitors server CPU, memory, disk space, and will alarm when specified thresholds are reached. Logs from application usage are securely stored for audit purposes.

Control of software/vulnerabilities and auditing (A12.5/6/7)

Keelvar uses GitHub as the repository for our application source code, dependencies, and infrastructure code including strong inbuilt auditing controls. Keelvar receives security alerts from multiple sources for triage and actioning, including GitHub Dependabot alerts for when one of our dependencies has a vulnerability.

Communications Security (A13)

Keelvar uses a combination of AWS Virtual Private Clouds (VPCs), VPC subnets, Network Access Control Lists (Network ACLs), AWS Security Groups, and AWS DB Subnet Groups to provide logical network level isolation between production and lower environments, and between the public internet and non-public infrastructure components. This follows a defense in depth design. Keelvar uses AWS Security Hub and Inspector to support the auditing of security controls and configuration. All data is encrypted in transit and at rest in our infrastructure.

System Acquisition, Development and Maintenance (A14)

Keelvar has a software development life cycle and secure coding policy that considers security during the change management process. Third party dependencies are security assessed and packages are retrieved from secure package managers. Code development occurs on a feature code branch and follows OWASP secure coding principles. A suite of automated security tests is run using GitHub Actions on each request to merge code. Additional workflow steps are automated including static code analysis (e.g. flake8, shell-linter, bandit). All code is manually reviewed before being approved for merging. Keelvar incorporates front end and back end web frameworks as core security building blocks. A formal QA process is initiated in a segregated QA environment for each release candidate, involving manual and automated functional, regression, performance, and security testing. Releases to production are typically zero downtime and follow strict change management procedures. Where production data is required for test or analysis purposes, appropriate technical and organizational controls are in place including minimisation of data, pseudonymisation of PII data, and limitation on data retention.

Supplier Relationships (A15)

Keelvar assesses suppliers from an information security perspective including compliance with data protection regulations before approving suppliers. Keelvar monitors suppliers on an ongoing basis.

Information Security Incident Management (A16)

Keelvar has documented incident management procedures to ensure Keelvar appropriately responds to any suspected or actual incident. Responsibilities and steps for incident reporting, response, customer reporting, resolution, and actioning improvements are documented.

Business Continuity Management (A17)

Keelvar maintains business continuity and disaster recovery plans focusing both on preventing outage through redundancy of telecommunications, systems and business operations, and on rapid recovery strategies in the event of unavailability. Keelvar has disaster recovery infrastructure in Frankfurt, Germany (eu-central-1) to allow failover should our primary datacenter in Dublin, Ireland (eu-west-1) encounter availability issues. Keelvar performs regular testing to verify an RTO and RPO of 24 hours.

Compliance (A18)

Keelvar monitors compliance with legal and contractual requirements and has committed to an internal and external auditing program in compliance with ISO/IEC 27001:2013. Yearly independent penetration tests are completed.

ANNEX IV: LIST OF SUB-PROCESSORS

The following processors will be used by Keelvar SaaS as part of the core functionality.