Data Processing Agreement
This page provides a public summary of the data processing commitments applicable to institutional engagements with KeyIdentity. A full Data Processing Agreement (DPA) is provided on request to qualified institutional parties through the institutional engagement process.
1. Roles
In the context of data processed through the institutional engagement form on this Site, KeyIdentity acts as the data controller. Where KeyIdentity processes data on behalf of an institutional counterparty under a formal engagement, the roles of controller and processor are defined in the applicable engagement agreement. The full DPA specifies obligations for each role.
2. Security Measures
KeyIdentity implements technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption of data in transit (TLS 1.2 or higher)
- Access controls with least-privilege enforcement
- Network zone isolation between system components
- Append-only audit logging for state-mutating operations
- Rate limiting and input validation on all public endpoints
A detailed description of security measures is available in the full DPA and on the Security Posture page.
3. Sub-processors
KeyIdentity may engage sub-processors for infrastructure hosting, operational monitoring, or communications support. A current list of sub-processors, together with their roles and jurisdictions, is disclosed upon request to qualified institutional parties under the full DPA. KeyIdentity ensures that all sub-processors are bound by data protection obligations no less protective than those in the DPA.
4. Breach Notification
In the event of a personal data breach, KeyIdentity will notify the affected institutional counterparty without undue delay and, where feasible, within 72 hours of becoming aware of the breach. The notification will include the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to mitigate the impact.
5. Data Subject Requests
KeyIdentity will assist institutional counterparties in responding to data subject requests (access, rectification, erasure, portability, restriction, or objection) in accordance with applicable data protection law. Where KeyIdentity acts as processor, such requests will be referred to the controller without undue delay.
6. Data Return and Deletion
Upon termination of an institutional engagement, KeyIdentity will, at the counterparty's election, return or delete all personal data processed under the engagement, except where retention is required by applicable law or regulation. A certificate of deletion is provided upon request.
7. Audit Rights
Institutional counterparties may audit KeyIdentity's compliance with the DPA subject to reasonable advance notice, scope limitations, and confidentiality obligations. Audits may be conducted by the counterparty or by an independent third-party auditor agreed upon by both parties. KeyIdentity will provide reasonable cooperation and access to relevant documentation.
8. Requesting the Full Agreement
The complete Data Processing Agreement — including specific processing descriptions, technical annexes, and standard contractual clauses where applicable — is provided to qualified institutional parties upon request. Contact: contact@keyidentitypay.com