
This Data Processing Agreement (“DPA”) forms part of the Agreement between Keywee Inc. d/b/a Anyword (“Company”) and _______ (“Customer”), entered into on DATE (the “Agreement”) to reflect the parties’ agreement with regard to the Processing of Personal Data. In the event of a conflict between the terms of the Agreement as it relates to the Processing of Personal Data and this DPA, this DPA shall prevail. This DPA supersedes any previous DPAs that may have been executed between the Company and Customer.

This DPA consists of the following:

(a) the main DPA - covers processing of Customer Data by Company; and

(b) the California specific provisions at Schedule 1.

This DPA shall be effective for the duration of the Agreement (or longer to the extent required by applicable law).

CUSTOMER | Keywee Inc. d/b/a Anyword
Signature: | Signature:
Name: | Name:
Title: | Title:
Date: | Date:

DEFINITIONS

Capitalized terms that are not defined in this DPA shall have the meaning set out in the Agreement. References in this DPA to the terms "Controller", "Processor", "Data Subject", "Member State", "Personal Data", "Personal Data Breach", "Processing" and "Supervisory Authority" shall have the meanings ascribed to them under Data Protection Laws.

“Customer Personal Data” means Personal Data provided by Customer to Company.

“Data Protection Laws” means all applicable laws and regulations, including laws and regulations of the European Union, the European Economic Area (EEA) and their member states, Switzerland, the United Kingdom, and any other applicable data protection law of any country to which the Parties are subject, including but not limited to, the EU General Data Protection Regulation 2016/679 (GDPR), UK GDPR and the California Consumer Privacy Act (CCPA).

“Data Subject” means the identified or identifiable person or household to whom Personal Data relates.

"European Economic Area" or "EEA" means the Member States of the European Union together with Iceland, Norway, and Liechtenstein.

“SCCs” means Standard Contractual Clauses adopted by the Commission Implementing Decision (EU) 2021/915 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (as updated from time to time if required by law).

"Subprocessor" means any third party, including without limitation a subcontractor, engaged by Company in connection with the Processing of Personal Data.

“Third Country” means a country without an applicable adequacy decision under the Data Protection Laws of the EEA, the United Kingdom and Switzerland.

1. PROCESSING OF CUSTOMER PERSONAL DATA

1.1 Customer’s Processing of Personal Data. For the purposes of Part 1 of this DPA, Customer is Controller, Company is Processor. Customer shall, in its use of the Services, be responsible for complying with all requirements that apply to it under applicable Data Protection Laws with respect to its Processing of Customer Personal Data and the instructions it issues to Company.

1.2 Company’s Processing of Personal Data. Company shall process Customer Personal Data only as reasonable to provide the Services under the Agreement, or as otherwise required to do so by applicable law. Customer hereby authorizes and instructs Company and its Subprocessors to process Customer Personal Data in line with the above.

1.3 Confidentiality. Company shall maintain the confidentiality of the Customer Personal Data in accordance with the Agreement and shall require persons authorized to process the Customer Personal Data (including any Subprocessors) to have committed to materially similar obligations of confidentiality.

2. SECURITY

Company shall in relation to the Customer Personal Data implement reasonably appropriate technical and organizational measures, based on industry standards, to ensure a level of security appropriate to any reasonably foreseeable security risks, including, as appropriate, the measures referred to in Article 32(1) of the GDPR. In assessing the appropriate level of security, Company shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.

3. SUBPROCESSING

Customer agrees to the continued use of those Subprocessors already engaged by Company as of the date of this Agreement and further generally authorizes Company to appoint additional Subprocessors in connection with the provision of the Services, provided that:

(a) Company shall have in place a contract in writing with each Subprocessor that imposes obligations that are (i) relevant to the services to be provided by the Subprocessors and (ii) materially similar to the rights and/or obligations granted or imposed on Company under this DPA;

(b) where a Subprocessor fails to fulfill its data protection obligations, Company shall be liable to the Customer for the performance of the Subprocessor’s obligations; and

(c) Company shall provide Customer with written notice of the prospective appointment; except if Company reasonably believes appointing a new Subprocessor on an expedited basis is necessary for maintaining the availability and security of the Services, Company will give such notice as soon as reasonably practicable. If Customer does not object to the appointment of the new Subprocessor within fourteen (14) days of receiving the notice (“Objection Period”), Company may use the new Subprocessor. If Customer objects to the appointment of the new Subprocessor, Customer must notify Company within the Objection Period and work with Company to find a commercially reasonable solution for the Customer. If the parties are unable to reach a resolution, Customer may terminate the Agreement as its sole and exclusive remedy.

4. DATA SUBJECT RIGHTS

Company shall assist implement appropriate technical and organizational measures, insofar as this is reasonably possible, for the fulfillment of Company's obligations, as reasonably understood by Customer, to respond to requests to exercise Data Subject rights under the Data Protection Laws (“Data Subject Request”).

5. PERSONAL DATA BREACHES

5.1 Company shall notify Customer without undue delay and within 48 hours of Company or any Subprocessor becoming aware of a Personal Data Breach affecting Customer Personal Data, providing Customer with sufficient information to allow Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.

5.2 Company shall make reasonable efforts to identify the cause of the Personal Data Breach and take those steps necessary and reasonable to remediate the cause of such Personal Data Breach to the extent the remediation is within Company’s reasonable control. The obligations herein shall not apply to incidents caused by Customer.

6. DELETION OR RETURN OF CUSTOMER PERSONAL DATA

Following termination of the Services, Company will, upon Customer's written request, delete or return Customer Personal Data, except to the extent Company is required by applicable law to retain some or all of the Customer Personal Data. The terms of this DPA will continue to apply to that retained Customer Personal Data.

7. AUDIT RIGHTS

Company shall make available to Customer on request all information necessary to demonstrate compliance with this Agreement, including the results of any audits or assessments relating to the Processing of the Customer Personal Data by Company.

8. INTERNATIONAL TRANSFERS

8.1 Company may, in connection with the provision of the Services, make international transfers of Personal Data from the European Union, the EEA and/or their member states (“EU Data”), Switzerland (“Swiss Data”) and the United Kingdom (“UK Data”) to its Subprocessors. When making such transfers, Company shall ensure appropriate protection is in place to safeguard the Personal Data transferred under or in connection with the Agreement and this DPA.

8.2 Where the provision of Services involves the international transfer of EU Data, the Parties agree to the Standard Contractual Clauses as approved by the European Commission under Decision 2021/914 of 4 June 2021 (“EU SCCs”), which shall be automatically incorporated by reference and form an integral part of this DPA. The EU SCCs shall apply completed as follows:

8.2.1 Module Two (Section 2.1.1.) and/or Three (Section 2.1.2.) will apply;

8.2.2 in Clause 7, the optional docking clause will apply;

8.2.3 in Clause 9, Option 2 will apply, and the time period for prior notice of Sub-processor changes is identified in Section 3 above;

8.2.4 in Clause 11, the optional language will not apply;

8.2.5 in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish Law;

8.2.6 in Clause 18(b), disputes shall be resolved before the courts of Ireland;

8.2.7 Annex I of the EU SCCs shall be deemed completed with the information set out in Schedule 2, Annex I-A of this DPA; and

8.2.8 Annex II of the EU SCCs shall be deemed completed with the information set out in Schedule 2, Annex II of this DPA.

8.3 Where the provision of Services involves the international transfer of UK Data, the Parties agree that the template Addendum B.1.0, International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, issued by the UK ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022 (the “UK IDT Addendum”), shall amend the SCCs in respect of such transfers and Part 1 of the UK IDT Addendum shall be completed as follows:

8.3.1 Table 1. The “start date” will be the date this DPA enters into force. The “Parties” are Customer as exporter and Company as importer.

8.3.2 Table 2. The “Addendum EU SCCs” are the modules and clauses of the SCCs selected in relation to a particular transfer in accordance with Section 8.2 above.

8.3.3 Table 4. The exporter may end the UK IDT Addendum in accordance with its Section 19.

8.4 Where the provision of Services involves the international transfer of Swiss Data subject to the Federal Act on Data Protection ("FADP"), the Parties agree to the EU SCCs, which shall be automatically incorporated into this DPA in accordance with section 8.2 and with applicable references replaced with the Swiss equivalent.

9. GENERAL TERMS

9.1 Changes in Data Protection Laws. If any variation is required to this DPA as a result of a change in Data Protection Law, then either Party may provide written notice to the other Party of that change in law. The Parties will discuss and negotiate in good faith any necessary variations to this DPA to address such changes with a view to agreeing and implementing those variations as soon as is reasonably practicable.

9.2 Severance. Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

9.3 Liability. For the avoidance of doubt and to the extent permitted by Data Protection Laws, each party’s liability and remedies under this DPA are subject to the aggregate liability limitations and damages exclusions set forth in the Agreement.

SCHEDULE 1

CALIFORNIA SPECIFIC PROVISIONS

1. When processing California Personal Information (as defined in the CCPA) in accordance with Customer’s instructions, the parties acknowledge and agree that Customer is a Business and Company is a Service Provider for the purposes of the CCPA. Company shall process California Personal Information solely for a valid business purpose to perform the Services.

2. Company understands and agrees to the prohibition from: (i) selling California Personal Information that it processes on behalf of the Customer; (ii) retaining, using, or disclosing California Personal Information for a commercial purpose other than providing the Services or otherwise permitted by CCPA; and (iii) retaining, using, or disclosing California Personal Information outside of the Agreement between Company and Customer.

SCHEDULE 2

TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Description of the technical and organizational security measures implemented by Anyword as the data processor/data importer to ensure an appropriate level of security, taking into account the nature, scope, context, and purpose of the processing, and the risks for the rights and freedoms of natural persons.

Security

  • Security Management System.
      • Organization. Anyword designates qualified security personnel whose responsibilities include development, implementation, and ongoing maintenance of the Information Security Program.
      • Policies. Management reviews and supports all security related policies to ensure the security, availability, integrity and confidentiality of Customer Personal Data. These policies are updated at least once annually.
      • Assessments. Anyword engages a reputable independent third-party to perform risk assessments of all systems containing Customer Personal Data at least once annually.
      • Risk Treatment. Anyword maintains a formal and effective risk treatment program that includes penetration testing, vulnerability management and patch management to identify and protect against potential threats to the security, integrity or confidentiality of Customer Personal Data.
      • Vendor Management. Anyword maintains an effective vendor management program.
      • Incident Management. Anyword reviews security incidents regularly, including effective determination of root cause and corrective action.
      • Standards. Anyword operates an information security management system that complies with the requirements of the ISO/IEC 27001:2022 standard.
  • Personnel Security.
      • Anyword personnel are required to conduct themselves in a manner consistent with the company’s guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards. Anyword conducts reasonably appropriate background checks on any employees who will have access to client data under this Agreement, including in relation to employment history and criminal records, to the extent legally permissible and in accordance with applicable local labor law, customary practice and statutory regulations.
      • Personnel are required to execute a confidentiality agreement in writing at the time of hire and to protect Customer Personal Data at all times. Personnel must acknowledge receipt of, and compliance with, Anyword’s confidentiality, privacy and security policies. Personnel are provided with privacy and security training on how to implement and comply with the Information Security Program. Personnel handling Customer Personal Data are required to complete additional requirements appropriate to their role (e.g., certifications). Anyword’s personnel will not process Customer Personal Data without authorization.
  • Access Controls.
      • Access Management. Anyword maintains a formal access management process for the request, review, approval and provisioning of all personnel with access to Customer Personal Data to limit access to Customer Personal Data and systems storing, accessing or transmitting Customer Personal Data to properly authorized persons having a need for such access. Access reviews are conducted periodically to ensure that only those personnel with access to Customer Personal Data still require it.
      • Infrastructure Security Personnel. Anyword has, and maintains, a security policy for its personnel, and requires security training as part of the training package for its personnel. Anyword’s infrastructure security personnel are responsible for the ongoing monitoring of Anyword’s security infrastructure, the review of the Services, and for responding to security incidents.
      • Access Control and Privilege Management. Anyword’s and Customer’s administrators and end users must authenticate themselves via a Multi-Factor authentication system or via a single sign on system in order to use the Services.
      • Internal Data Access Processes and Policies – Access Policy. Anyword’s internal data access processes and policies are designed to protect against unauthorized access, use, disclosure, alteration or destruction of Customer Personal Data. Anyword designs its systems to only allow authorized persons to access data they are authorized to access based on principles of “least privileged” and “need to know”, and to prevent others who should not have access from obtaining access. Anyword requires the use of unique user IDs, strong passwords, two factor authentication and carefully monitored access lists to minimize the potential for unauthorized account use. The granting or modification of access rights is based on: the authorized personnel’s job responsibilities; job duty requirements necessary to perform authorized tasks; a need to know basis; and must be in accordance with Anyword’s internal data access policies and training. Approvals are managed by workflow tools that maintain audit records of all changes. Access to systems is logged to create an audit trail for accountability. Where passwords are employed for authentication (e.g., login to workstations), password policies follow industry standard practices. These standards include password complexity, password expiry, password lockout, restrictions on password reuse and re-prompt for password after a period of inactivity.
  • Data Center and Network Security.
      • Data Centers.
          • Infrastructure. Anyword has AWS as its data center.
          • Resiliency. Multi Availability Zones are enabled on AWS and Anyword conducts Backup Restoration Testing on a regular basis to ensure resiliency.
          • Server Operating Systems. Anyword’s servers are customized for the application environment and the servers have been hardened for the security of the Services. Anyword employs a code review process to increase the security of the code used to provide the Services and enhance the security products in production environments.
          • Disaster Recovery. Anyword replicates data over multiple systems to help to protect against accidental destruction or loss. Anyword has designed and regularly plans and tests its disaster recovery programs.
          • Security Logs. Anyword’s systems have logging enabled to their respective system log facility in order to support the security audits, and monitor and detect actual and attempted attacks on, or intrusions into, Anyword’s systems.
          • Vulnerability Management. Anyword performs regular vulnerability scans on all infrastructure components of its production and development environment. Vulnerabilities are remediated on a risk basis, with Critical, High and Medium security patches for all components installed as soon as commercially possible.
      • Networks and Transmission.
          • Data Transmission. Transmissions on the production environment are transmitted via Internet standard protocols.
          • External Attack Surface. An AWS Security Group, which is equivalent to a virtual firewall, is in place for the production environment on AWS.
          • Incident Response. Anyword maintains incident management policies and procedures, including detailed security incident escalation procedures. Anyword monitors a variety of communication channels for security incidents, and Anyword’s security personnel will react promptly to suspected or known incidents, mitigate harmful effects of such security incidents, and document such security incidents and their outcomes.
          • Encryption Technologies. Anyword makes HTTPS encryption (also referred to as SSL or TLS) available for data in transit.
  • Data Storage, Isolation, Authentication, and Destruction. Anyword stores data in a multi-tenant environment on AWS servers. Data, the Services database and file system architecture are replicated between multiple availability zones on AWS. Anyword logically isolates the data of different customers. A central authentication system is used across all Services to increase uniform security of data. Anyword ensures secure disposal of Client Data through the use of a series of data destruction processes.

SCHEDULE 3

LIST OF SUB-PROCESSORS

The controller has authorized the use of the following sub-processors:

Name of Sub-Processor | Description of Processing | Location of Other Processor
Amazon Web Services | Hosting the Production Environment | USA
Snowflake | Data Warehouse | USA
HubSpot | CRM | USA
