Data Processing Agreement

Last updated: May 15, 2022

This Data Processing Agreement (“DPA”) forms an integral part of the SaaS Agreement entered into between the parties (“Agreement”) by and between Akeyless and Customer. Capitalized terms used herein but not defined herein shall have the respective meanings given to them in the Agreement.

WHEREAS, the Processor supplies software as a service to the Controller; 

WHEREAS, the Parties desire to supplement the Agreement to achieve compliance with the UK, EU, Swiss, United States and other data protection laws and agree on the following:

  1. Definitions
    1. “Affiliates” means any entity which is controlled by, controls or is in common control with one of the parties.
    2. “CCPA” means the California Consumer Privacy Act (Cal. Civ. Code §§ 1798.100 – 1798.199) of 2018, as may be amended as well as all regulations promulgated thereunder from time to time.
    3. “Customer Data” means any and all Personal Data provided and uploaded by the Customer to Akeyless during its use of the Service.
    4. The terms “Controller”, “Processor”, “Data Subject”, “Processing” (and “Process”), “Personal Data Breach”, “Special Categories of Personal Data” and “Supervisory Authority” shall all have the same meanings as ascribed to them in the EU Data Protection Law. The terms “Business”, “Business Purpose”, “Consumer”, “Service Provider”, “Sale” and “Sell” shall have the same meaning as ascribed to them in the CCPA. “Data Subject” shall also mean and refer to “Consumer”, as such term is defined in the CCPA.
    5. “Data Protection Law” means any and all applicable privacy and data protection laws and regulations (including, where applicable, EU Data Protection Law, UK Data Protection Laws and the CCPA) as may be amended or superseded from time to time.
    6. “EEA” means the European Economic Area.
    7. “EU Data Protection Law” means (i) the EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”); (ii) Regulation 2018/1725; (iii) the EU e-Privacy Directive (Directive 2002/58/EC), as amended (“e-Privacy Law”); (iv) any national data protection laws made under, pursuant to, replacing or succeeding (i) and (ii); (v) any legislation replacing or updating any of the foregoing; and (vi) any judicial or administrative interpretation of any of the above, including any binding guidance, guidelines, codes of practice, approved codes of conduct or approved certification mechanisms issued by any relevant Supervisory Authority.
    8. “ID” means (i) a unique identifier stored on an end-user’s device, (ii) a unique identifier generated on the basis of device information, or (iii) an online identifier associated with a device.
    9. “Personal Data” or “Personal Information” means any information which (i) relates to, describes, or is capable of being associated with an identifiable individual, including any information that can be linked to an individual or used to directly or indirectly identify an individual or Data Subject; and (ii) is processed by Akeyless pursuant to the Agreement, including by way of access to the data, and may include, inter alia, demographic data, device information, IDs, cookies, browsing URLs, events, and geo-localization data.
    10. “Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data (including Customer Data). Any Personal Data Breach will comprise a Security Incident.
    11. “Standard Contractual Clauses” means the standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council adopted by the European Commission Decision 2021/914 of 4 June 2021, which may be found here: Standard Contractual Clauses
    12. “UK Data Protection Laws” shall mean the Data Protection Act 2018 (DPA 2018), as amended, and EU General Data Protection Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, as incorporated into UK law as the UK GDPR, as amended, and any other applicable UK data protection laws, or regulatory Codes of Conduct or other guidance that may be issued from time to time.
    13. “UK GDPR” shall mean the GDPR as it forms part of domestic law in the United Kingdom by virtue of section 3 of the European Union (Withdrawal) Act 2018 (including as further amended or modified by the laws of the United Kingdom or a part of the United Kingdom from time to time).
    14. “UK SCC” means the UK ‘International data transfer addendum to the European Commission’s standard contractual clauses for international data transfers’, available at, as adopted, amended or updated by the UK’s Information Commissioner’s Office, Parliament or Secretary of State.

      Any other terms that are not defined herein shall have the meaning provided under the Agreement or applicable Law. A reference to any term or section of CCPA, UK Data Protection Laws or GDPR means the version as amended. Any references to the GDPR in this DPA shall mean the GDPR and/or UK GDPR depending on the applicable Law.
  2. Parties’ Roles
    1. The parties agree and acknowledge that under the performance of their obligations set forth in the Agreement, and with respect to the Processing of Customer Data, Akeyless is acting as a Data Processor and Customer is acting as a Data Controller. For the purpose of the CCPA (and to the extent applicable), Customer is the Business and Akeyless is the Service Provider. Each party shall be individually and separately responsible for complying with the obligations that apply to such party under applicable Data Protection Law. 
    2. The Company is also a Controller of certain Personal Data related to the Akeyless, such as (without limitation) Akeyless’s registration data, the contact details of Akeyless’s personnel or the Akeyless’s contact information (in the event the Akeyless contacts the Company via email, its website or when the Akeyless signs up to receive the Company’s email marketing materials) (“Company Data”). The Company Data is subject to the Company’s Privacy Policy available at: and this DPA does not apply to the processing of such Company Data. This DPA will solely apply to the Processing by the Company of the Customer Data during the provision of the Service.  
    3. The subject matter and duration of the Processing carried out by the Processor on behalf of the Controller, the nature and purpose of the Processing, the type of Personal Data and categories of Data Subjects are described in Annex I attached hereto. 
  3. Representations and Warranties
    1. The Customer represents and warrants that: (i) its Processing instructions shall comply with applicable Data Protection Law, and the Customer acknowledges that, taking into account the nature of the Processing, Akeyless is not in a position to determine whether the Customer’s instructions infringe applicable Data Protection Law; (ii) it will comply with EU Data Protection Law, specifically with regard to the lawful basis principle for Processing Customer Data; and (iii) due to the nature of the Services, Akeyless does not monitor or control the Customer Content and thus the type of Personal Data or Categories of Data Subjects processed by Akeyless are subject to the Customer’s sole discretion.
    2. Akeyless represents and warrants that it shall Process Customer Data, as set forth under Article 28(3) of the GDPR, on behalf of the Customer, solely for the purpose of providing the Service, and for the pursuit of a Business Purpose as set forth under the CCPA, all in accordance with Customer’s written instructions including the Agreement and this DPA. Notwithstanding the above, in the event Akeyless is required under applicable laws, including Data Protection Law or any union or member state regulation, to Process Customer Data other than as instructed by Customer, Akeyless shall make its best efforts to inform the Customer of such requirement prior to Processing such Customer Data, unless prohibited under applicable law. In addition, Akeyless shall provide reasonable cooperation and assistance to the Customer in ensuring compliance with its obligation to carry out data protection impact assessments with respect to the Processing of its Customer Data and to consult with the Supervisory Authority (as applicable).
    3. If the EU Data Protection Law or the CCPA do not apply to the Customer, then the Customer must abide by any other Data Protection Law and data security laws and regulations that apply to it, and at a minimum Customer shall: (i) obtain and maintain any and all authorizations, permissions and informed consents, as may be necessary under applicable laws and regulations, in order to allow Akeyless to lawfully collect, handle, retain, process and use the processed data within the scope of the Service; (ii) substantiate the legal basis and legitimize, pursuant to applicable law, the collection of the Customer Data through the Service; (iii) have, properly publish and abide by an appropriate privacy policy that complies with all applicable Data Protection Law.
    4. Notwithstanding the above, in the event the Customer is an Israeli establishment or Customer Data includes processing of Israeli data subjects, or in any event that the IL Law shall apply, the parties hereby undertake that they comply with the aforesaid regulations as well as comply with the DPA.
  4. Processing of Personal Data and Compliance with Data Protection Law
    1. The Customer represents and warrants that Special Categories of data shall not be Processed or shared in connection with the performance of the Services, unless agreed in writing by Akeyless. Unless otherwise agreed to in writing by the parties, the Customer shall not share any Personal Data with Akeyless that contains Personal Data relating to children under 16 years old. 
    2. As between the parties, the Customer undertakes, accepts and agrees that the Data Subjects do not have a direct relationship with Akeyless and that Akeyless relies on Customer’s lawful basis (as required under Data Protection Law). In the event consent is needed under Data Protection Law, the Customer shall ensure that it obtains a proper act of consent from Data Subjects and present all necessary and appropriate notices in accordance with applicable Data Protection Law and other relevant privacy requirements in order to Process Customer Data and enable the lawful transfer and Processing of Customer Data to and by Akeyless, as well as where applicable, provide the Data Subjects with the ability to opt out. In the event Data Subject consent is required under Data Protection Law, Customer shall be fully responsible to support and transmit to Akeyless, the parameter of consent, or opt-out, as applicable. The Customer shall maintain a record of all consents obtained from a Data Subject, including the time and date on which consent was obtained, the information presented to the Data Subject in connection with their giving consent, and details of the mechanism used to obtain consent, as well as a record of the same information in relation to all withdrawals of consent by Data Subject. Customer shall make these records available to Akeyless promptly upon request. 
  5. Rights of Data Subjects and Parties’ Cooperation Obligations
    1. It is agreed that where Akeyless receives a request from a Data Subject or an applicable authority in respect of Customer Data Processed by Akeyless, where relevant, Akeyless will direct the Data Subject or the applicable authority to the Customer in order to enable the Customer to respond directly to the Data Subject’s or the applicable authority’s request, unless otherwise required under applicable laws. Parties shall provide each other with commercially reasonable cooperation and assistance in relation to the handling of a Data Subject’s or applicable authority’s request, to the extent permitted under Data Protection Law.
    2. Where applicable, Akeyless shall assist the Customer in ensuring that Customer Data Processed is accurate and up to date, by informing the Customer without delay if Akeyless becomes aware of the fact that the Customer Data it is Processing is inaccurate or has become outdated. 
  6. Akeyless Personnel
    Akeyless shall take reasonable steps to ensure: (i) the reliability of its staff and any other person acting under its supervision who may come into contact with, or otherwise have access to and Process Customer Data; (ii) that persons authorized to process the Customer Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; and (iii) that such personnel are aware of their responsibilities under this DPA and any applicable Data Protection Laws.
  7. No Sale of Personal Information
    It is hereby agreed that any sharing of Personal Data between the parties is made solely in order to fulfill a Business Purpose and Akeyless does not receive or process any Personal Data in consideration for the Service. Thus, such Processing of Personal Data shall not be considered as a “Sale” of Personal Information under the CCPA. 
  8. Sub-Processor
    1. The Customer acknowledges that Akeyless may transfer Customer Data to and otherwise interact with third party data Processors (“Sub-Processor”). The Customer hereby authorizes Akeyless to engage and appoint such Sub-Processors to Process Customer Data, as well as permits each Sub-Processor to appoint a Sub-Processor on its behalf. Akeyless may continue to use those Sub-Processors already engaged by Akeyless, as listed in Annex III, or to engage an additional or replace an existing Sub-Processor to process Customer Data, subject to the provision of a 30 day prior notice of its intention to do so to the Customer. In case the Customer has not objected to the adding or replacing of a Sub-Processor within five (5) days of Akeyless’s notice, such Sub-Processor shall be considered approved by the Customer. In the event the Customer objects to the adding or replacing of a Sub-Processor, Akeyless may, under Akeyless’s sole discretion, suggest the engagement of a different Sub-Processor for the same course of services, or otherwise terminate the Agreement. 
    2. Akeyless shall, where it engages any Sub-Processor, impose, through a legally binding contract between Akeyless and the Sub-Processor, data protection obligations similar to those set out in this DPA. Akeyless shall ensure that such contract will require the Sub-Processor to provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of Data Protection Law.
    3. Akeyless shall remain responsible to the Customer for the performance of the Sub-Processor’s obligations in accordance with this DPA. Akeyless shall notify the Customer of any failure by the Sub-Processor to fulfill its contractual obligations.
  9. Technical and Organizational Measures
    1. Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, and without prejudice to any other security standards agreed upon by the parties, Akeyless hereby confirms that it has implemented and will maintain appropriate physical, technical and organizational measures to protect the Customer Data as required under Data Protection Laws to ensure lawful processing of Customer Data and safeguard Customer Data from unauthorized, unlawful or accidental processing, access, disclosure, loss, alteration or destruction. The parties acknowledge that security requirements are constantly changing and that effective security requires the frequent evaluation and regular improvement of outdated security measures.
    2. The security measures are further detailed in Annex II.

  10. Security Incident
    1. Akeyless will notify the Customer upon becoming aware of any confirmed Security Incident involving the Customer Data in Akeyless’ possession or control. Akeyless’ notification regarding or response to a Security Incident under this Section 10 shall not be construed as an acknowledgment by Akeyless of any fault or liability with respect to the Security Incident. Akeyless will, in connection with any Security Incident affecting the Customer Data: (i) take such steps as are necessary to contain, remediate, minimize any effects of and investigate any Security Incident and to identify its cause; (ii) co-operate with the Customer and provide the Customer with such assistance and information as it may reasonably require in connection with the containment, investigation, remediation or mitigation of the Security Incident; (iii) notify the Customer in writing of any request, inspection, audit or investigation by a supervisory authority or other authority; (iv) keep the Customer informed of all material developments in connection with the Security Incident and execute a response plan to address the Security Incident; and (v) co-operate with the Customer and assist Customer with its obligation to notify the affected individuals in the case of a Security Incident.
  11. Audit Rights
    1. Akeyless shall make available, solely upon prior reasonable written notice and no more than once per year, to a reputable auditor nominated by the Customer, information necessary to reasonably demonstrate compliance with this DPA, and shall allow for audits, including inspections, by such reputable auditor solely in relation to the Processing of the Customer Data (“Audit”) in accordance with the terms and conditions hereunder. The auditor shall be subject to the terms of this DPA and standard confidentiality obligations (including towards third parties). Akeyless may object to an auditor appointed by the Customer in the event Akeyless reasonably believes the auditor is not suitably qualified or independent, is a competitor of Akeyless or otherwise unsuitable (“Objection Notice”). The Customer will appoint a different auditor or conduct the Audit itself upon its receipt of an Objection Notice from Akeyless. Customer shall bear all expenses related to the Audit and shall (and ensure that each of its auditors shall) over the course of such Audit, avoid causing any damage, injury or disruption to Akeyless’ premises, equipment, personnel and business while its personnel are on those premises in the course of such Audit. Any and all conclusions of such Audit shall be confidential and reported back to Akeyless immediately.
  12. Data Transfer
    1. The Customer acknowledges and agrees that in order to be provided with the Service, Akeyless may access and Process the Customer Data from territories that are not part of the EEA. Moreover, the Customer further agrees that Akeyless may engage a Sub-Processor which is not established in the EEA, in accordance with Section 8. In the event the Processing includes transferring of Customer Data to a country that has not received an adequacy decision from the European Commission or is not exempt under Article 49 of the GDPR (“Restricted Transfer”), the following shall apply: 
      1. In order to maintain the integrity, security, and confidentiality of the Customer Data, a Restricted Transfer shall be subject, in addition to the terms of this DPA, to the terms and obligations of Module II of the Standard Contractual Clauses in which event Akeyless shall be deemed as the Data Importer and the Customer shall be deemed as the Data Exporter. 
      2. The purpose and description of the transfer is set forth in Annex I.
      3. In case Akeyless engages any Sub-Processor, such Restricted Transfer shall be subject, in addition to the terms of the Contract, to the terms and obligations of Module III of the Standard Contractual Clauses in which event Akeyless shall be deemed as the Data Exporter and the Sub-Processor shall be deemed as the Data Importer. 
      4. Where the UK SCC applies, it will be deemed completed as follows: 
        1. Table 1 shall be deemed completed with the information set out in Annex I of this Addendum, as appropriate, the contents of which are hereby agreed by the Parties;
        2. In Table 2, the Parties select the checkbox that reads: “Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum”, and the accompanying table shall be deemed to be completed according to the Parties’ preferences.
        3. Table 3 shall be deemed completed with the information set out in Annex I and Annex II to this Agreement, the contents of which are hereby agreed by the Parties;
        4. In Table 4, Parties agree that only the Exporter may end the SCC as set out in Section 19 of the UK SCC.
    2. Akeyless agrees to submit itself to the jurisdiction of and cooperate with the competent Supervisory Authority in any procedures aimed at ensuring compliance with these Standard Contractual Clauses. Subject to Clause 13 of the Standard Contractual Clauses the jurisdiction of the competent Supervisory Authority shall be either in the jurisdiction of the lead Supervisory Authority or the EU representative or an EU establishment. Further, subject to Clause 17 the Standard Contractual Clauses shall be governed by the laws of the EU Member State in which the Customer is established (where applicable). Notwithstanding the above, subject to Clause 18 the Data Subject may also bring legal proceedings against the parties before the courts of the Member State in which he/she has his/her habitual residence. Notwithstanding the above the UK SCCs shall be governed by the laws of England and Wales.
    3. Measures and assurances regarding U.S. government surveillance (“Additional Safeguards”) are further detailed in Annex II.
  13. Conflict
    In the event of a conflict between the terms and conditions of this DPA and the Agreement, this DPA shall prevail. For the avoidance of doubt, in the event Standard Contractual Clauses have been executed between the parties, the terms of the Standard Contractual Clauses shall prevail over those of this DPA. Except as set forth herein, all of the terms and conditions of the Terms shall remain in full force and effect.
  14. Term & Termination
    1. This DPA shall be effective as of the Effective Date and shall remain in force until the Agreement terminates. 
    2. Akeyless shall be entitled to terminate this DPA or terminate the Processing of Customer Data in the event that Processing of Customer Data under the Customer’s instructions or this DPA infringes applicable legal requirements.
    3. Following the termination of this DPA, Akeyless shall, at the choice of the Customer, delete all Customer Data processed on behalf of the Customer and certify to the Customer that it has done so, or return all Customer Data to the Customer and delete existing copies, unless applicable law or regulatory requirements require that Akeyless continue to store Customer Data. Until the Customer Data is deleted or returned, the parties shall continue to ensure compliance with this DPA.

Annex I

Details of Processing and Transferring of Customer Data 

This Annex includes certain details of the Processing and transferring of Personal Data as required by Article 28(3) GDPR and the Standard Contractual Clauses.

Categories of data subjects whose personal data is processed or transferred:

Customer employees, Customer’s customers. 

Categories of personal data processed and transferred:

Usernames and passwords, authentication and security credentials, contact information (name, email, and other applicable contact information).

Sensitive data processed or transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as, for instance, strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:


Nature of the processing and transfer:

To provide the Service.

Purpose(s) for which the Personal Data is processed or transferred on behalf of the Customer:

To provide the Service.

Duration of the processing:

For as long as is necessary to provide the Service by Akeyless; provided there is no legal obligation to retain the Personal Data past termination.

The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis):

Continuous basis 

For transfers to (sub-)processors, also specify the subject matter, nature, and duration of the processing:

Hosting server providers as detailed in Annex III

Annex II

Technical and Organizational Measures 

Please review Akeyless’s security policy here and here to learn more regarding the technical and organizational measures implemented by it in order to ensure an appropriate level of security for its Processing of Personal Data.

Additional Safeguards

Measures and assurances regarding U.S. government surveillance (“Additional Safeguards”) have been implemented in light of the EU Court of Justice decision in Case C-311/18, Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (“Schrems II”). These measures include the following:

Annex III

List of Sub-Processors

Name | Address | Description of the processing
Amazon | USA | hosting
Amazon | Ireland | hosting
Azure | USA | hosting
