Kevel Data Processing Agreement

Kevel Data Processing Agreement

This Data Processing Agreement (“DPA”) is between Adzerk, Inc. dba Kevel and its Affiliates (“Kevel”) and the undersigned customer (the “Customer” or “you”) (collectively the “Parties).

This DPA and the Standard Contractual Clauses (SCCs), if applicable, will become legally binding on the Effective Date of the Agreement or the date of signature below.

1. Definitions

“Affiliates” refers to Adzerk, Ltd. (UK) and ShiftForward S.A., a wholly-owned subsidiary of Adzerk, Inc. (also referred to as Velocidi).

“Applicable Data Protection Law” refers to laws and regulations related to Kevel’s processing of Personal Data.

“EU GDPR” means ​​Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.

“EU Standard Contractual Clauses (EU SCCs)” means the Standard Contractual Clauses approved by the European Commission in decision 2021/914 of 4 June 2021.

“Health Information” means personal data related to the physical or mental health of a Data Subject.

“Personal Data or Personal Information” means any information processed by Kevel on behalf of the Customer that relates to an identified or identifiable person and includes the similarly defined terms under Applicable Data Protection Law.

“Security Incident or Personal Data Breach” means the breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data Processed by Kevel and includes the similarly defined terms under Applicable Data Protection Law.

“Services” means the processing activities to be performed by Kevel under the Agreement.

“Standard Contractual Clauses” means the EU SCCs and/or the UK SCCs, as applicable.

“Sub-Processor” means (a) any authorized processor, contractors, vendors, or third-party service providers engaged by Kevel that Process Personal Data, or (b) Kevel, when Kevel is Processing Personal Data and where the Customer is the Processor of the Personal Data.

“UK GDPR” means the UK Data Protection Act 2018 and the GDPR as it forms part of UK law by virtue of Section 3 of the European Union (Withdrawal) Act 2018.

“UK International Data Transfer Addendum (UK SCCs)” means the template Addendum issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018.

All other definitions, including but not limited to “Controller”, “Business”, “Organization”, “Processor”, “Service Provider”, “Data Intermediary”, “Data Subject”, “Consumer”, “Processing”, “Handling”, “Sale”, “Sell”, “Share”, “Commercial Purpose”, and “Supervisory Authority” (or equivalent terms), have the meaning set out under the Applicable Data Protection Law.

2. Subject Matter, Duration, and Contact

2.1 Subject Matter. This DPA reflects the Parties’ commitment to abide by Applicable Data Protection Law concerning the Processing of Personal Data in connection with the Agreement.

2.2 Duration and Survival. Kevel will Process Customer Personal Data until the relationship between the Parties terminates as specified in the Agreement or as required by law. Kevel’s obligations and Customer’s rights will continue in effect so long as Kevel Processes Personal Data on behalf of the Customer.

2.3 Contact. Kevel Data Protection Officer - [email protected]

3. Details of Personal Data Processing

3.1 Relationship of the Parties. In most instances, the Customer is the Controller and determines the purposes and means of Processing Personal Data, and Kevel is the Processor that processes the Personal Data according to the Customer’s instructions. In some instances, the Customer may be a Processor of Personal Data on behalf of a third-party Controller, and Kevel is a sub-processor that processes Personal Data according to the third-party Controller’s instructions as provided by the Customer.

3.2 Purpose Limitation. Kevel will not Process Personal Data for any purpose other than for the specific purposes set forth by the Customer unless obligated to do otherwise by applicable law.

3.3 Documented Instructions. Kevel may Process Personal Data in connection with the Services. Where the Customer is the Controller, Kevel will Process Personal Data according to the Customer’s written instructions. Where the Customer is the Processor, Kevel will process Personal Data according to the third-party Controller’s instructions as provided by the Customer.

The Agreement, Order Form, this DPA, and if applicable, the SCCs and Appendix 1 constitute the complete instructions to Kevel regarding the Processing of Personal Data. Changes to these instructions must be submitted to Kevel in writing and directed to [email protected] Kevel will inform the Customer in writing if it reasonably believes there is a conflict between their instructions and Applicable Data Protection Law unless legally prohibited.

3.4 Confidentiality. Kevel will treat Customer Personal Data as confidential. Kevel will ensure that all employees, contractors, or approved subprocessors have signed a confidentiality agreement, are bound to a duty of confidentiality, and/or are under a statutory obligation of confidentiality.

3.5 Data Deletion. Kevel will 1) allow the Customer thirty (30) days after the termination effective date to obtain any stored Personal Data, and 2) automatically delete any stored Personal Data thirty (30) days after the termination effective date or sooner if requested by the Customer. To the extent the Customer cannot independently retrieve or delete Personal Data, Kevel will assist with the deletion or return of Personal Data upon written request.

3.6 Customer Responsibilities. Customer agrees to be solely responsible for 1) the quality, accuracy, and legality of Personal Data, 2) complying with lawfulness requirements under Applicable Data Protection Law for collection and use of Personal Data, including obtaining any necessary consents and authorizations (particularly for the use of the Personal Data for marketing purposes), 3) providing any required notifications to regulatory authorities for data transfer, and 4) ensuring compliance with applicable data localization law.

Customer agrees not to process or store Health Information or store payment card information using Kevel’s Services.

4. Selling / Sharing Personal Data

4.1 No Selling or Sharing Personal Data. When Kevel’s Processing Personal Data is subject to the California Consumer Privacy Act of 2018 California Civil Code § 1798.100 et seq. (“CCPA”), or other Applicable Data Protection Law with restrictions on Selling or Sharing Personal Data, Kevel: 1) will not Sell or Share Personal Data provided to it under the Agreement; 2) will not retain, use or disclose Personal Data for any purpose other than for the specific purposes of performing Services; 3) will not retain, use or disclose Personal Data for a commercial business purpose other than performing the Services; 4) will not retain, use or disclose Personal Data outside the direct business relationship with the Customer, 5) certifies that it understands these restrictions and will comply with them; and 6) will notify the Customer in the event Kevel can no longer meet these obligations.

5. Sub-processors

5.1 General Authorization. Customer agrees to Kevel’s use of the Sub-processors to assist in the Processing of Customer Data and agrees to Kevel’s use of Sub-processors identified in Appendix 3. If Kevel adds or replaces a Sub-processor, Kevel will notify the Customer and provide at least thirty (30) days to object in writing. If the Customer has a reasonable objection relating to data protection to the engagement of any new or replacement Sub-Processor, the parties will work together in good faith to resolve the grounds for the objection for no less than fourteen (14) days (the “Cure Period”). If no resolution is reached by the expiration of the Cure Period, the Customer may terminate the part of the service performed under the Agreement that cannot be performed by Kevel without using the objectionable Sub-Processor. Kevel will impose data protection terms on the Sub-Processor that provide at least the same level of protection for Personal Data as those described in Appendix 2. Where the Sub-processor fails to fulfill its data protection obligations, Kevel, as a Processor, will remain fully liable to the Controller for the performance of the Sub-processor’s obligations.

6. Security and Audit

6.1 Security. To the extent that Kevel Processes Customer Personal Data in connection with the Service, Kevel agrees to maintain appropriate organizational and security measures to protect such Personal Data and ensure a level of security appropriate to the risk. These measures will include, at a minimum, the security measures listed in Appendix 2.

6.2 Customer Audit. Customers will have the right to audit Company’s compliance with this DPA once annually or as necessary if the Customer has a good faith basis to believe Kevel has not complied with this DPA. Any audit under this section must be: 1) conducted with reasonable advance written notice to Kevel; 2) of reasonable scope and duration and not interfere with day-to-day operations at Kevel; 3) conducted by Customer or by independent auditors, who are subject to the duty of confidentiality, and to which Kevel does not reasonably object; and, 4) conducted in a manner that does not violate any agreement between Kevel and its customers and/or its service providers, including cloud providers. The right to audit does not include the right to perform direct testing, such as internal vulnerability scanning or penetration testing on Kevel’s AWS environment by the Customer or its auditors. After conducting an audit, the Customer will notify Kevel in writing of any discovered nonconformity with this DPA within ten (10) business days. Kevel will remediate the material findings that Kevel determines are necessary to comply with this DPA at its own expense and without reasonable delay.

6.3 Kevel’s Audit Program. Upon written request, Kevel will provide the Customer (or the third-party Controller if the Customer is a Processor) copies of any available third-party audit summaries completed by Kevel and any available executive summaries of penetration testing and vulnerability scanning.

7. Security Incident

7.1 Security Incident. Kevel agrees to provide prompt written notice to the Customer without undue delay and within the time frame required under Applicable Data Protection Law, but in no event longer than twenty-four (24) hours after becoming aware that a Security Incident affecting Customer Personal Data has occurred. Such notice will include all available details required under Applicable Data Protection Law for the Customer to comply with its notification obligations to regulatory authorities or individuals affected by the breach.

8. Customer Assistance

8.1 Data Subject Inquiries and Requests. If the Customer (or the third-party Controller if the Customer is a Processor) cannot address a Data Subject rights request using Kevel Services, Kevel will provide reasonable assistance. If a Data Subject request is made directly to Kevel, Kevel will promptly notify the Customer and provide details of the request, to the extent legally permitted. Kevel will not respond to the Data Subject directly. Customer (or the third-party Controller) is responsible for responding to the Data Subject under the Applicable Data Protection Law.

8.2 Data Protection Impact Assessment and Prior Consultation. Kevel will provide reasonable assistance to the Customer (or the third-party Controller if the Customer is a Processor) to carry out data protection impact assessments related to the Services and in required consultations with regulatory authorities under Applicable Data Protection Law.

9. Indemnification and Liability

9.1 Indemnification. Subject to the limitation of liability described herein, Kevel will indemnify the Customer and hold the Customer harmless against third-party claims, actions, losses, damages, and expenses incurred by the Customer in connection with or arising from a Security Incident caused by Kevel. Customer will indemnify Kevel and hold Kevel harmless against third-party claims, actions, losses, damages, and expenses incurred by Kevel in connection with or arising from a Security Incident caused by the Customer.

9.2 Liability. Kevel’s cumulative aggregate liability under this DPA will be limited to two (2) times the fees paid by Customer to Kevel during the twelve (12) months immediately prior to the date that the relevant cause of action accrued.

10. Cross-Border Data Transfers (if applicable)

The parties agree that when the transfer of Personal Data from Company to Kevel may be to a country without an adequacy decision (e.g., the United States), the transfer will be subject to the applicable Standard Contractual Clauses as follows:

10.1 EU SCCs. For Personal Information protected by the EU GDPR or for Personal Data protected by a country that recognizes the EU SCCs as an approved transfer mechanism, the EU SCCs will apply as follows:

10.1.1 The EU Controller to Processor Transfer Clauses. Where Company is a Controller and a data exporter of Personal Information and Kevel is a Processor and data importer, then the Parties shall comply with the EU Controller to Processor Transfer Clauses (Module 2), subject to Schedule 4 of this DPA; and/or
10.1.2 The EU Processor to Processor Transfer Clauses. Where Company is a Processor acting on behalf of a Controller and a data exporter of Personal Information, and Kevel is a Sub-processor and data importer, the Parties shall comply with the terms of the EU Processor to Processor Transfer Clauses (Module 3), subject to Schedule 4 of this DPA.

10.2 UK SCCs. For Personal Information protected by the UK GDPR, the UK SCCs will apply completed as follows:

Where Kevel and Company are lawfully permitted to rely on the EU SCCs for transfers of Personal Information from the United Kingdom subject to completion of a “UK Addendum to the EU Standard Contractual Clauses” (“UK Addendum”) issued by the Information Commissioner’s Office under s.119A(1) of the Data Protection Act 2018, then:

  1. The EU SCCs, as set out above, will also apply to transfers of such Personal Information, and
  2. The UK Addendum will be deemed executed between Kevel and Company, and the EU SCCs will be deemed amended as specified by the UK Addendum regarding the transfer of Personal Information.
    To the extent of any inconsistency between this DPA and the applicable Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.

Appendix 1

A. LIST OF PARTIES

Data Exporter
Customer using the Kevel platform to serve ads and/or using Kevel’s customer data platform (CDP) service.

Data Importer
Kevel, the Data Importer, enables the Customer, as the Data Exporter, to build their own ad server using Kevel’s ad serving APIs platform, and/or enables the Customer, as the Data Exporter, to use a private CDP.

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

Ad Server Service
● Data subjects seeing and/or clicking ads served by the Customer.
● Data subject whose personal information may be collected or stored in Kevel’s
first-party data management platform by the Customer if used.
● Data subjects whose personal information may be passed by the Customer for
real-time-bidding (RTB) if used by the Customer.
● Customer’s employee/users
● Website visitors

CDP Service
● Customer’s employee/users
● Website visitors

Categories of personal data transferred

Ad Server Service
● IP Address (used for geo-targeting)
● Latitude/Longitude (if data is given to Kevel by the Customer for geo-distancing)
● User Agent Strings (device name, type, version, web browser name, vendor)
● Third-Party Cookie-ID (if Customer is using RTB)
● First Party Cookie-ID of Person Seeing and /or Clicking an Ad
● First-Party Data (if the Customer chooses to use Kevel’s first-party data management
platform and collect and/or store personal information of the person seeing and/or
clicking on the ad within that platform.)
● Name and business email address of the Customer's employee/contractors.

CDP Service
● Name and business email address of the Customer's employee/contractors (registration
information)
● Website browsing activity
● Mobile interactions
● Email interactions
● In-store purchases
● Online advertising interactions
● Identification
● Other categories of personal data chosen by Customer.

Sensitive Data Transferred (if applicable)
Customer would choose whether to collect and store special categories of data in the first-party data management platform in Kevel’s ad serving platform or in the CDP.

Frequency of the Transfer
Data is transferred on a continuous basis and for the duration of the Services except where otherwise required or allowed by Applicable Data Protection Law.

Nature of the Processing
The nature of processing is the performance of Services. Kevel will process personal data to provide its ad serving platform and/or CDP to the Customer. The Services may include Processing Personal Data to provide the Customer use of Kevel’s ad-serving APIs, the use of the in-app first-party data management platform, the use of RTB endpoints available in the platform (if used), and the use of the private CDP.

Period for which the Personal Data will be Retained
Kevel will keep the Personal Data as long as required to meet the customer's instructions.

C. COMPETENT SUPERVISORY AUTHORITY
The Supervisory Authority shall be those designated in the jurisdiction section of the Agreement. If the Agreement does not designate a jurisdiction in an EU Member State or the UK, the Supervisory Authority will be the Ireland Data Protection Authority and/or the UK Information Commissioner’s Office.

Appendix: Security Technical and Organizational Measures

TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE
SECURITY OF PERSONAL DATA

Measures of pseudonymization and encryption of personal data
Pseudonymization. Kevel uses Pseudonymization wherever possible in its platforms to protect personal data.

Encryption. Kevel encrypts data in its platforms on AWS using industry-accepted TLS 1.2 for data in transit and AES-256 for data at rest.

Measures for ensuring ongoing confidentiality, integrity and availability and resilience of processing systems and services

AWS Infrastructure. The Kevel platforms span multiple AWS availability zones physically separated from one another to maintain the high availability of services.

Confidentiality Agreements. Kevel’s customer agreements contain confidentiality obligations.

Employee Training and Agreements. Kevel’s employees must take security and privacy training upon hire and then annually after that. Kevel performs background checks on all employees, and employees sign confidentiality agreements.

Measures for ensuring the ability to restore availability and access to personal data in a timely manner in the event of a physical or technical incident

Incident Management. Kevel has implemented and maintains an incident response plan and is prepared to respond to a personal data breach.

Recovery and Response. Kevel replicates data over multiple systems to protect against loss and for disaster recovery purposes.

Communication and Information. Planned or emergency changes are communicated internally to relevant stakeholders. https://kevel.statuspage.io/ is used by the Kevel ad serving platform to inform customers of incidents, availability, and major maintenance operations. Customers may subscribe to recent email updates to this status page.

Processes for regular testing, assessing, and evaluating the effectiveness of technical and organizational measures to ensure the security of processing

Program Framework. Kevel bases its security program on an industry-accepted standard framework. The program includes administrative, organizational, technical, and physical safeguards reasonably designed to protect the Kevel platforms and the confidentiality, integrity, and availability of customer data.

Security Monitoring and Testing. Kevel regularly tests and monitors the security of its platforms using:
● a threat detection service within AWS to continuously monitor our platforms for malicious
activity and unauthorized behavior,
● a monitoring tool to detect and alert on API access and threats,
● a logging tool for application log management, alerting, and analytics,
● a vulnerability scanning tool to monitor its user interface (UI), and,
● an annual penetration test by a third-party.

Program Review. Kevel will conduct periodic reviews of the platforms’ security and adequacy of its information security program as measured against accepted industry security standards and its internal policies and procedures. Kevel will continually evaluate the security of its platforms to determine whether additional or different security measures are required to respond to new security risks or findings generated by the periodic reviews.

Measures for user identification and authorization

AWS Access Controls. Kevel requires employees to use Virtual Private Networking (VPN) when accessing the AWS environment remotely. Kevel’s password requirements for AWS meet or exceed industry-accepted practices and follow industry-accepted standard framework password requirements. Kevel does not use vendor-supplied defaults for system passwords and other security parameters on any system.

AWS Access Grant and Removal. Access to Kevel’s infrastructure is granted on a need-to-know basis and must be specifically granted through an approval process. When an employee no longer has a business need for the access privileges assigned, the access privileges are promptly revoked, even if the employee continues to be an employee of Kevel.

Access to Data Exporter Personal Data. Kevel will only view or access Personal Data collected or stored in the Kevel platforms by the Data Exporter for customer support or technical troubleshooting. Kevel does not use this Personal Data for its purposes, nor will Kevel sell such Personal Data.

Data Exporter (Customer) Ad Server Platform Access. Customers may use AWS Cognito via the Kevel ad serving platform for single sign-on (SSO) into Kevel infrastructure. The password complexities set in Cognito will meet or exceed industry-accepted standards. If the Customer uses its single sign-on solution, the password complexity requirements will be defined and enforced in that SSO.

Measures for the protection of data during transmission
Transit Encryption. Kevel encrypts data in its platforms on AWS using industry-accepted TLS 1.2 for data in transit. Transmission across open, public networks is encrypted using cryptography and security protocols.

Measures for the protection of data during storage
Storage Encryption. Kevel encrypts data in its platforms on AWS using industry-accepted AES-256 for data at rest.

Measures for ensuring physical security of locations at which personal data are processed
Physical Access Controls and Cloud Security. Kevel uses AWS as its secure hosting and data storage provider for its platforms. AWS meets System and Organization Controls (SOC) verified by independent third-party examination reports demonstrating how it achieves key compliance controls as evidence at: https://aws.amazon.com/compliance/.

Office Security. Kevel offices are secured with locks, and employees are assigned key cards.

Workstation Security. Kevel protects company-owned workstations against malware and regularly updates anti-virus software or programs to protect against malware – including viruses, worms, and Trojans. Kevel-owned workstations are secured and managed by a mobile device management solution. Workstations are encrypted and use firewalls.

Measures for ensuring events logging
Application Logging. Kevel retains application logging in its logging management tool for immediate analysis. These application logs are kept in AWS S3 buckets for longer-term storage (up to 90 days).

Measures for ensuring system configurations, including draft configurations
SDLC. Kevel applies Secure Software Development Lifecycle (SDLC) standards to perform security-related activities for its platforms and incorporates security/privacy by design principles. Code changes and reviews are tracked in a project management platform and pull requests are tracked in a source-code-management system. Code is tested by a dedicated QA team and/or tools before proceeding into production.

Measures for internal IT and IT security governance and management
Information Security Program. Kevel maintains an information security program that includes the implementation of security policies and procedures designed to;
● secure Personal Data against accidental or unlawful loss, access, or disclosure
● identify reasonable foreseeable and internal risks to security and authorized access to
Kevel’s platforms, and
● minimize security risks through risk assessment and regular testing.

Inventory of Personal Data. Kevel keeps an inventory of where Personal Data may be Processed and stored.

Compliance and Risk. Kevel has a team of security and privacy professionals to perform risk assessments and maintain its security and privacy policies and procedures. Kevel conducts risk assessments, including security and privacy assessments, annually.

Measures for certifications/assurance of processes and products
SOC 1 Type 2. A third-party auditor examines the Kevel Ad Server platform security practices annually and provides a SOC 1 Type 2 report..

Measures for ensuring data minimization
Data Deletion. Using the Kevel platforms, customers may delete their Personal Data. If a customer cannot delete their data via self-serve functionality, Kevel will assist with the deletion the data upon the customer’s written request per Applicable Data Protection Law.

Measures for ensuring data quality
Data Segregation in Platforms. Kevel Ad Server segregates customer data using a single ID (network ID.) This ID field is required on calls to the Kevel databases on the backend to ensure data is segregated on inputs and outputs. Customer data is in a multi-tenant environment. Kevel CDP segregates based on use of a single tenant environment

Trend Analysis. Trend analysis on request rates, latency, and errors is performed regularly to identify anomalies and ensure the system meets customer goals.

Measures for ensuring limited data retention
Data Retention in Platforms. Kevel keeps Personal Data storage to a minimum and implements data retention and disposal policies to limit data storage in accordance with the needs of its customers.

Measures for ensuring accountability
Audits. Kevel conducts regular third-party and internal audits to ensure compliance with our privacy and security standards.

Measures for allowing data portability and ensuring erasure
Data Subject Rights. Kevel’s customers are responsible for responding to requests from end-users who wish to exercise their rights under Applicable Data Protection Law. Kevel has built-in self-service functionality to assist customers with their responsibilities. If the customer is unable to use the self-service functionality, Kevel will provide reasonable assistance to the customer to respond to Data Subject requests. If Kevel receives a request from a Data Subject related to customer data, Kevel will notify the customer in a reasonable time and advise the data subject to submit their request to the customer. The customer is responsible for responding to any Data Subject request.

For transfers to sub-processors, also describe the specific technical and organizational measures to be taken by the sub-processor to be able to provide assistance to the controller and, for transfer from the processor to a sub-processor, to the data explorer
Vendor Due Diligence. Kevel performs security and privacy due diligence on each Sub-processor with whom the Personal Data of a customer may be shared and signs contracts to ensure data protection.

Appendix 3: Kevel Sub-Processors

Amazon Web Services, Inc. (AWS)
US (US-East-1 and US-West-2),
Germany (EU-Central-1)
Ireland (EU-West-1)
South Korea (Ap-Northeast-2)
Singapore (Ap-Southeast-1)
Australia (Ap-Southeast-2)
Other regions chosen by Customer for of CDP services.
AWS is a cloud service provider. Kevel uses AWS to host our applications and services. Personal data of the customer, its customers’ customers, and the individual being served as advertisement is processed by AWS and may be stored in AWS.

ChurnZero
United States
ChurnZero is a customer success platform that Kevel uses both as a Controller and as a Processor. As a Processor, Kevel uses ChurnZero to provide customer support-type services to our customers.

Datadog, Inc.
United States
Datadog is a third-party logging platform Kevel uses for ingesting, parsing, querying, and performing analytics on Service application and infrastructure logs (“Logs”). These Logs are then used for debugging, troubleshooting, auditing, reporting, detecting, and alerting on unexpected application behavior and providing latency and other analytics to the customer. Although Kevel’s application is set up not to log Personal Data, processing of Personal Data may occur inadvertently.

Hubspot, Inc.
United States
Hubspot is marketing, sales, and service software that Kevel uses as a Controller and as a Processor. As a Processor, Kevel uses Hubspot’s service software to provide customer support to our customers and their customers. When someone submits a support ticket, this ticket may include personal data.

Mux, Inc.
United States
Mux Video provides Kevel with an API for video hosting, encoding, and streaming services for the processing of media content (audio and video files) for customers using Kevel Video Asset functionality to serve video ads. Mux collects access log data of media playback requests for utilization, performance, and security validation. This may include the content of the uploaded video to the extent that these contain personal data, IP addresses, user-agent, and low-resolution geolocation data inferred from IP addresses.

Papertrail, SolarWinds Worldwide, LLC
United States
Papertrail is a third-party logging platform that Kevel uses for ingesting, parsing, querying, and performing analytics on Service application and infrastructure logs (“Logs”). These Logs are then used for debugging, troubleshooting, auditing, reporting, and detecting and alerting on unexpected application behavior. Although Kevel’s application is set up not to log Personal Data, processing of Personal Data may occur inadvertently.

Shortcut Software Company (formerly known as Clubhouse)
United States
Shortcut is a software project management and workflow tool that Kevel uses as a Controller and as a Processor. As a Processor, Kevel handles customer support issues that have been escalated to engineering. Personal data, such as name and email, may be processed.

Slack Technologies, LLC
United States
Slack is a messaging application tool for business that Kevel uses both as a Controller and as a Processor. As a Processor, Kevel sets up dedicated Slack channels to communicate with customers for customer support. Set-up and use of a dedicated customer channel may require the use of personal data, such as email and name.

Kevel Affiliates
Adzerk, Ltd. (UK)
Hanover House
14 Hanover Square
London
W1S 1HP

ShiftForward S.A. (wholly-owned subsidiary of Adzerk, Inc.)
Founders Founders,
Rua da Constitutcāo, 352
4200-192 Porto, Portugal

Employer of Record Arrangements
Kevel employs individuals via Employer of Record arrangements as detailed below. These individuals only provide services using Kevel-provided workstations and are subject to the same technical and organizational security controls as implemented and controlled by Kevel.

Employer of Record
Remote Europe Holding BV
Landmeter 25
1566MP Assendelft
The Netherlands

Appendix 4: Standard Contractual Clauses

STANDARD CONTRACTUAL CLAUSES: OPTIONS AND ADDITIONAL TERMS

For the purposes of the EU Controller to Processor Transfer Clauses and the EU Processor to Processor Transfer Clauses, Company is the data exporter, and Kevel is the data importer, and the Parties agree to the following.
Reference to the Standard Contractual Clauses. The relevant provisions in the Standard Contractual Clauses are incorporated by reference and are an integral part of this DPA..

Docking Clause. The option under Clause 7 shall apply.

General authorisation for the use of Sub-processors. Option 1 under Clause 9 shall apply. For clause 9(a), Kevel shall give Company thirty (30) Business Days’ notice before the engagement of the sub-processor.

Complaints – Redress. The parties agree the option under Clause 11 shall apply.

Governing Law. The governing law for Clause 17 shall be the law that is designated in the Governing Law section of the Agreement. If the Agreement is not governed by an EU Member State law, the Standard Contractual Clauses will be governed by the laws of Ireland.

Choice of forum and jurisdiction. The courts under Clause 18 shall be those designated in the jurisdiction section of the Agreement. If the Agreement does not designate an EU Member State court as having exclusive jurisdiction to resolve any dispute or lawsuit arising out of or in connection with this Agreement, the parties agree that the courts of Ireland shall have exclusive jurisdiction to resolve any dispute arising from the Standard Contractual Clauses.

The term “member state” is not to be interpreted in such a way as to exclude data subjects in Switzerland or in other countries accepting the EU SCCs for data transfer from the possibility of suing for their rights in their place of habitual residence.

Annexes. The SCC Annexes are set out as follows:

  • The contents of Appendix 1 of this DPA shall form Annex I to the Standard Contractual Clauses
  • The contents of Appendix 2 to this DPA shall form Annex II to the Standard Contractual Clauses.
  • The contents of Appendix 3 to this DPA shall form Annex III to the Standard Contractual Clauses.