Last updated: 10 June 2024 

This Data Processing Agreement (“DPA”) forms part of the Agreement between Keywee Inc. d/b/a Anyword (“Company”) and _______ (“Customer”), entered into on DATE (the “Agreement”) to reflect the parties’ agreement with regard to the Processing of Personal Data. In the event of a conflict between the terms of the Agreement as it relates to the Processing of Personal Data and this DPA, this DPA shall prevail. This DPA supersedes any previous DPAs that may have been executed between the Company and Customer.

This DPA consists of the following:
(a) the main DPA – covers processing of Customer Data by Company; and
(b) the California specific provisions at Schedule 1

This DPA shall be effective for the duration of the Agreement (or longer to the extent required by applicable law).

CUSTOMERKeywee Inc. d/b/a Anyword


Capitalized terms that are not defined in this DPA shall have the meaning set out in the Agreement. References in this DPA to the terms “Controller“, “Processor”, “Data Subject“, “Member State“, “Personal Data“, “Personal Data Breach“, “Processing” and  “Supervisory Authority” shall have the meanings ascribed to them under Data Protection Laws.

Customer Personal Data” means Personal Data provided by Customer to Company.

Data Protection Laws” means all applicable laws and regulations, including laws and regulations of the European Union, the European Economic Area (EEA) and their member states, Switzerland, the United Kingdom, and any other applicable data protection law of any country to which the Parties are subject, including but not limited to, the EU General Data Protection Regulation 2016/679 (GDPR), UK GDPR and the California Consumer Privacy Act (CCPA).

Data Subject” means the identified or identifiable person or household to whom Personal Data relates.

“European Economic Area” or “EEA” means the Member States of the European Union together with Iceland, Norway, and Liechtenstein.

“SCCs” means Standard Contractual Clauses adopted by the Commission Implementing Decision (EU) 2021/915 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (as updated from time to time if required by law).

Subprocessor” means any third party, including without limitation a subcontractor, engaged by Company in connection with the Processing of Personal Data.

“Third Country” means a country without an applicable adequacy decision under the Data Protection Laws of the EEA, the United Kingdom and Switzerland.


1.1 Customer’s Processing of Personal Data. For the purposes of Part 1 of this DPA, Customer is Controller, Company is Processor. Customer shall, in its use of the Services, be responsible for complying with all requirements that apply to it under applicable Data Protection Laws with respect to its Processing of Customer Personal Data and the instructions it issues to Company.

1.2 Company’s Processing of Personal Data. Company shall process Customer Personal Data only as reasonable to provide the Services under the Agreement, or as otherwise required to do so by applicable law. Customer hereby authorizes and instructs Company and its Subprocessors to process Customer Personal Data in line with the above.

1.3 Confidentiality. Company shall maintain the confidentiality of the Customer Personal Data in accordance with the Agreement and shall require persons authorized to process the Customer Personal Data (including any Subprocessors) to have committed to materially similar obligations of confidentiality.


Company shall in relation to the Customer Personal Data implement reasonably appropriate

technical and organizational measures, based on industry standards, to ensure a level of security appropriate to any reasonably foreseeable security risks, including, as appropriate, the measures referred to in Article 32(1) of the GDPR. In assessing the appropriate level of security, Company shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.


Customer agrees to the continued use of those Subprocessors already engaged by Company as of the date of this Agreement and further generally authorizes Company to appoint additional Subprocessors in connection with the provision of the Services, provided that:

  1. Company shall have in place a contract in writing with each Subprocessor that imposes obligations that are (i) relevant to the services to be provided by the Subprocessors and (ii) materially similar to the rights and/or obligations granted or imposed on Company under this DPA;
  2. where a Subprocessor fails to fulfill its data protection obligations, Company shall be liable to the Customer for the performance of the Subprocessor’s obligations; and
  3. provide Customer with written notice of the prospective appointment; except if Company reasonably believes appointing a new Subprocessor on an expedited basis is necessary for maintaining the availability and security of the Services, Company will give such notice as soon as reasonably practicable. If Customer does not object to the appointment of the new Subprocessor within fourteen (14) days of receiving the notice (“Objection Period”), Company may use the new Subprocessor. If Customer objects to the appointment of the new Subprocessor, Customer must notify Company within the Objection Period and work with Company to find a commercially reasonable solution for the Customer. If the parties are unable to reach a resolution, Customer may terminate the Agreement as its sole and exclusive remedy.


Company shall assist implement appropriate technical and organizational measures, insofar as this is reasonably possible, for the fulfillment of Company’s obligations, as reasonably understood by Customer, to respond to requests to exercise Data Subject rights under the Data Protection Laws (“Data Subject Request”). 


5.1 Company shall notify Customer without undue delay and within 48 hours of Company or any Subprocessor becoming aware of a Personal Data Breach affecting Customer Personal Data, providing Customer with sufficient information to allow Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.

5.2 Company shall make reasonable efforts to identify the cause of the Personal Data Breach and take those steps necessary and reasonable to remediate the cause of such Personal Data Breach to the extent the remediation is within Company’s reasonable control. The obligations herein shall not apply to incidents caused by Customer.


Following termination of the Services, Company will, upon Customer’s written request, delete or return Customer Personal Data, except to the extent Company is required by applicable law to retain some or all of the Customer Personal Data. The terms of this DPA will continue to apply to that retained Customer Personal Data.


Company shall make available to Customer on request all information necessary to demonstrate compliance with this Agreement, including the results of any audits or assessments relating to the Processing of the Customer Personal Data by Company. 


8.1 Company may, in connection with the provision of the Services make international transfers of Personal Data from the European Union, the EEA and/or their member states (“EU Data”), Switzerland (“Swiss Data”) and the United Kingdom (“UK Data”) to its Subprocessors. When making such transfers, Company shall ensure appropriate protection is in place to safeguard the Personal Data transferred under or in connection with the Agreement and this DPA.

8.2 Where the provision of Services involves the international transfer of EU Data, the Parties agree to the Standard Contractual Clauses as approved by the European Commission under Decision 2021/914 of 4 June 2021 (“EU SCCs”), which shall be automatically incorporated by reference and form an integral part of this DPA. The EU SCCs shall apply completed as follows:

8.2.1 Module Two (Section 2.1.1.) and/or Three (Section 2.1.2.) will apply;

8.2.2 in Clause 7, the optional docking clause will apply;

8.2.3 in Clause 9, Option 2 will apply, and the time period for prior notice of Sub-processor

changes is identified in Section 3 above;

8.2.4 in Clause 11, the optional language will not apply;

8.2.5 in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish Law

8.2.6 in Clause 18(b), disputes shall be resolved before the courts of Ireland;

8.2.7 Annex I of the EU SCCs shall be deemed completed with the information set out in

Schedule 2, Annex I-A of this DPA; and

8.2.8 Annex II of the EU SCCs shall be deemed completed with the information set out in

Schedule 2, Annex II of this DPA.

8.3 Where the provision of Services involves the international transfer of UK Data, the Parties agree to the template Addendum B.1.0, International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, issued by the UK ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022 (the “UK IDT Addendum”), shall amend the SCCs in respect of such transfers and Part 1 of the UK IDT Addendum shall be completed as follows: :

8.3.1 Table 1. The “start date” will be the date this DPA enters into force. The “Parties” are

Customer as exporter and Company as importer.

8.3.2 Table 2. The “Addendum EU SCCs” are the modules and clauses of the SCCs selected

in relation to a particular transfer in accordance with Section 8.2 above.

8.3.3 Table 4. The exporter may end the UK IDT Addendum in accordance with its Section


8.4 Where the provision of Services involves the international transfer of Swiss Data subject to the Federal Act on Data Protection (“FADP”), the Parties agree to the EU SCC, which shall be automatically incorporated to this DPA in accordance with section 8.2 and with applicable

references replaced with the Swiss equivalent.


9.1 Changes in Data Protection Laws. If any variation is required to this DPA as a result of a change in Data Protection Law, then either Party may provide written notice to the other Party of that change in law. The Parties will discuss and negotiate in good faith any necessary variations to this DPA to address such changes with a view to agreeing and implementing those variations as soon as is reasonably practicable.

9.2 Severance. Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

9.3 Liability. For the avoidance of doubt and to the extent permitted by Data Protection Laws, each party’s liability and remedies under this DPA are subject to the aggregate liability limitations and damages exclusions set forth in the Agreement.



1. When processing California Personal Information (as defined in the CCPA) in accordance with Customer’s instructions, the parties acknowledge and agree that Customer is a Business and Company is a Service Provider for the purposes of the CCPA. Company shall process California Personal Information solely for a valid business purpose to perform the Services.

2. Company understands and agrees to the prohibition from: (i) selling California Personal Information that it processes on behalf of the Customer; (ii) retaining, using, or disclosing California Personal Information for a commercial purpose other than providing the Services or otherwise permitted by CCPA; and (iii) retaining, using, or disclosing California Personal Information outside of the Agreement between Company and Customer.



Description of the  technical and organizational security measures implemented by Anyword as the data processor/data importer to ensure an appropriate level of security, taking into account the nature, scope, context, and purpose of the processing, and the risks for the rights and freedoms of natural persons.



The controller has authorized the use of the following sub-processors:

Name of Sub- ProcessorDescription of ProcessingLocation of Other Processor
Amazon Web ServicesHosting the Production EnvironmentUSA
SnowflakeData WarehouseUSA