Last updated: June 2026
This Data Processing Addendum ("DPA") forms part of the Terms of Servicebetween you ("Customer", the controller) and Keply, operated by Keply Ltd(the processor). It governs Keply's processing of personal data on your behalf and applies where the EU/UK GDPR, the Israeli Privacy Protection Law, or comparable laws apply.
You are the controller (or a processor acting for another controller) of the Customer Data you connect. Keply is your processor. We process personal data only to provide the Service and on your documented instructions, which include these Terms and your configuration of the Service.
Ingesting connected data; normalizing it; computing health scores and risk signals; drafting outreach; and operating the AI agent under your control. Processing continues for the duration of your subscription.
Data subjects:your personnel and your customers' representatives and end-users. Personal data: names, business contact details, communications content (email/calendar), account and billing identifiers, product-usage and survey signals, and derived scores. You must not connect special-category data unless agreed in writing; the Service is not designed to process it.
We will: (a) process personal data only on your instructions; (b) ensure persons authorized to process it are bound by confidentiality; (c) implement appropriate technical and organizational measures (Annex below); (d) assist you, taking into account the nature of processing, with data-subject requests and with your security, breach-notification, and DPIA obligations; (e) make available information needed to demonstrate compliance; and (f) at your choice, delete or return personal data at the end of the Service, subject to legal retention.
You authorize Keply to engage the sub-processors listed at keply.ai/legal/subprocessors, under written terms imposing data-protection obligations no less protective than this DPA. We will give notice of intended changes and you may object on reasonable data-protection grounds. Keply remains liable for its sub-processors' performance.
Where personal data is transferred outside the EEA, UK, or Israel without an adequacy decision, the transfer is governed by the EU Standard Contractual Clauses (and the UK Addendum / IDTA where applicable), which are incorporated by reference, with Keply as data importer where relevant.
We will notify you without undue delay after becoming aware of a personal data breach affecting your personal data, with the information reasonably available to help you meet your notification obligations, and will take reasonable steps to mitigate and remediate. See our security overview.
Taking into account the nature of processing, we will assist you in responding to data-subject requests, including providing tools to access, correct, export, or delete data. Requests we receive directly from data subjects are routed to you as controller. See our DSAR process referenced in the Privacy Policy.
On termination, we will delete or return Customer Data within a defined window (target: 30–90 days) and delete existing copies unless retention is required by law. Backups expire on their normal cycle.
We will make available our security documentation and, once issued, our SOC 2 report (under NDA) to demonstrate compliance, and will respond to reasonable written audit requests consistent with protecting the confidentiality and security of other customers.
Encryption in transit (TLS 1.2+) and at rest (AES-256); multi-tenant isolation enforced by database row-level security and application-layer scoping; least-privilege access with MFA on administrative systems; encrypted storage of integration tokens; logging and an agent audit trail; secure SDLC with peer review and versioned database changes; managed backups with point-in-time recovery; and a documented incident-response process. Current details are summarized at keply.ai/legal/security.
To execute a countersigned copy of this DPA or with questions: [email protected].