GETKENI LLC – DATA PROCESSING ADDENDUM (DPA)

Last Updated December 2025

This Data Processing Addendum (“DPA”) is incorporated into and forms part of the applicable Keni Terms of Service or Master Services Agreement (collectively, the “Underlying Agreement”) between GETKENI LLC (“Keni”, “we”, “our”, or “us”) and the customer entity (“Client”, “you”, or “your”) using the Keni Platform and Services that may involve the processing of personal data.

This DPA applies to the extent that Keni Processes Personal Data or Covered Data on behalf of the Client in connection with the provision of Keni’s Services.


1. DEFINITIONS

1.1 “Applicable Data Protection Laws” means all data protection and privacy laws and regulations applicable to the processing of Covered Data under this DPA, including, where applicable:
(a) the General Data Protection Regulation (EU) 2016/679 (“GDPR”),
(b) the UK Data Protection Act 2018 and UK GDPR,
(c) the California Consumer Privacy Act of 2018 (CCPA), as amended by the California Privacy Rights Act (CPRA),
(d) the Gramm-Leach-Bliley Act (GLBA) and Safeguards Rule (16 C.F.R. §314), and
(e) the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations.

1.2 “Client Account Data” means personal data related to Client’s relationship with Keni, such as names and contact details of Authorized Users, billing data, and authentication information.

1.3 “Covered Data” means any Personal Data or Customer Information pertaining to a Consumer, Data Subject, or End User that Keni Processes on behalf of Client in providing the Services, excluding Client Account Data.

1.4 “Data Subject” means an identified or identifiable natural person as defined by Applicable Data Protection Laws.

1.5 “Personal Data” (or “Personal Information”) means any information relating to an identified or identifiable individual, as defined under Applicable Data Protection Laws.

1.6 “Processing”, “Controller”, “Processor”, “Sub-Processor”, “Service Provider”, “Business Purpose”, “Sell”, and “Share” shall have the meanings given to them under Applicable Data Protection Laws.

1.7 “Safeguards Rule” means the Federal Trade Commission’s Standards for Safeguarding Customer Information (16 C.F.R. §314 et seq.).


2. KENI AS PROCESSOR OR SERVICE PROVIDER

2.1 Role of the Parties. With respect to Covered Data, Client is the Controller or Business, and Keni acts as Processor or Service Provider. Keni shall process Covered Data only in accordance with Client’s documented instructions as described in this DPA and the Underlying Agreement.

2.2 Client Obligations. Client determines the purposes and means of Processing and represents and warrants that:
(a) it has provided all required notices and obtained all consents and lawful bases for Processing Covered Data by Keni;
(b) its transfer of Covered Data to Keni complies with Applicable Data Protection Laws; and
(c) it shall notify Keni without undue delay of any request by a Data Subject requiring Keni’s assistance to respond.

2.3 Keni Obligations.
Keni agrees to:
(a) Process Covered Data solely as instructed by Client and only as necessary to provide the Services;
(b) ensure persons authorized to Process Covered Data are subject to confidentiality obligations;
(c) maintain a comprehensive information security program with administrative, technical, and physical safeguards appropriate to the sensitivity of the data;
(d) assist Client in responding to Data Subject requests, and in compliance with applicable breach notification obligations;
(e) make available relevant documentation or third-party audit reports (e.g., ISO 27001, SOC 2) to demonstrate compliance upon written request; and
(f) upon termination of the Underlying Agreement, delete or return all Covered Data, except as required by law.


3. CROSS-BORDER DATA TRANSFERS

To the extent Keni transfers Personal Data outside of the European Economic Area (EEA), the United Kingdom, or Switzerland, such transfers shall be governed by the EU Standard Contractual Clauses (“SCCs”), incorporated herein by reference, and supplemented as required by Applicable Data Protection Laws. Keni shall ensure that all Sub-Processors engaged outside these jurisdictions provide equivalent protection.


4. SUB-PROCESSORS

Client authorizes Keni to engage Sub-Processors to support the provision of Services. A current list of approved Sub-Processors is maintained at:
https://legal.getkeni.com/#servicepartners

Keni shall:
(a) notify Client of any intended changes to this list (via posting or email to [email protected]);
(b) ensure all Sub-Processors are bound by written agreements imposing obligations equivalent to those in this DPA; and
(c) remain responsible for each Sub-Processor’s compliance.

If Client reasonably objects to a Sub-Processor within 30 days of notice, Keni may work with Client in good faith to resolve the objection. However, if resolution is not feasible, Keni may suspend or terminate the affected Services.


5. SECURITY MEASURES AND INCIDENT RESPONSE

5.1 Security Measures.
Keni shall implement appropriate technical and organizational security measures to protect Covered Data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include but are not limited to:

Encryption in transit and at rest
Access control and authentication
Regular security assessments and penetration testing
Data minimization and pseudonymization practices
Business continuity and disaster recovery plans

5.2 Security Incidents.
Keni shall notify Client without undue delay upon becoming aware of a confirmed data breach involving Covered Data. Such notice will include, to the extent available, the nature of the breach, categories of affected data, and remediation measures taken.


6. CCPA-SPECIFIC TERMS

To the extent Keni Processes Personal Information of California Consumers on behalf of Client, Keni shall:
(a) act as a Service Provider as defined under the CCPA;
(b) not Sell or Share such Personal Information;
(c) not retain, use, or disclose Personal Information for any purpose other than providing the Services or as otherwise permitted by the CCPA;
(d) provide the same level of privacy protection as required of Businesses by the CCPA; and
(e) notify Client if Keni determines it can no longer meet its CCPA obligations.


7. GDPR-SPECIFIC TERMS

For Processing subject to the GDPR or UK GDPR:
(a) Keni shall ensure all Processing complies with Article 28 GDPR obligations;
(b) Client authorizes Keni to appoint Sub-Processors in accordance with Section 4;
(c) Keni shall implement data protection by design and by default;
(d) Keni shall maintain records of Processing activities; and
(e) Keni shall assist Client with Data Protection Impact Assessments (DPIAs) and prior consultations with supervisory authorities when required.


8. KENI AS CONTROLLER OF CLIENT ACCOUNT DATA

Client acknowledges that with respect to Client Account Data, Keni acts as an independent Controller, not a joint Controller with Client.
Keni processes Client Account Data to:
(a) manage and maintain the Client relationship;
(b) perform billing and account administration;
(c) authenticate users and secure accounts;
(d) detect, prevent, or investigate fraud and abuse; and
(e) comply with legal obligations and internal policies.


9. AUDIT RIGHTS

Upon written request, Keni shall make available evidence of its security and compliance controls. Keni may satisfy audit obligations by providing independent third-party audit reports (such as ISO 27001 or SOC 2 Type II). On-site inspections shall be permitted only where required by law and agreed upon in advance.


10. GOVERNING LAW AND JURISDICTION

This DPA shall be governed by and construed in accordance with the laws of the State of Florida, United States, without regard to conflict of law principles.
Any disputes arising out of or relating to this DPA shall be resolved exclusively in the state or federal courts located in Miami-Dade County, Florida, USA, and both parties consent to the personal jurisdiction of these courts.


11. MISCELLANEOUS

11.1 Order of Precedence. In the event of any conflict between this DPA and the Underlying Agreement, the terms of this DPA shall prevail.
11.2 Severability. If any provision is held invalid or unenforceable, the remaining provisions will remain in full force and effect.
11.3 Notices. All communications under this DPA shall be directed to:
GETKENI LLC, Legal Department
15435 SW 75TH CIRCLE LN APT 107
MIAMI, FL 33193, USA
📧 [email protected]
11.4 Entire Agreement. This DPA supersedes all prior discussions relating to data processing between the parties and constitutes the entire agreement with respect to the subject matter herein.


Effective Date: Upon the date the Client accepts the Keni Terms of Service or executes a Master Services Agreement.