These Standard Data Processing Terms (the "Standard DPA Terms") apply to Customer's use of the Keygraph Cloud Service to the extent Keygraph Processes Customer Personal Data on Customer's behalf under the Keygraph Cloud Service Agreement (the "Agreement").
If Customer and Keygraph have executed a separately signed Keygraph Data Processing Agreement, that signed agreement controls in all respects and these Standard DPA Terms do not apply. These Standard DPA Terms apply only to Customers who have not executed a separately signed Data Processing Agreement with Keygraph.
Keygraph may update these Standard DPA Terms from time to time. Material changes will be notified by email to Customer's designated administrator and by updating the "Last Updated" date above, in each case at least thirty (30) days before the change takes effect. Continued use of the Cloud Service after the effective date constitutes acceptance.
Capitalized terms used but not defined here have the meanings given in the Agreement.
"Applicable Data Protection Laws" means all laws and regulations applicable to the Processing of Personal Data under the Agreement, including, where applicable, the GDPR, the UK GDPR, the Swiss Federal Data Protection Act, the CCPA, and any other applicable U.S. state privacy laws.
"CCPA" means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, and binding regulations promulgated thereunder.
"Controller" has the meaning given in Applicable Data Protection Laws.
"Customer Personal Data" means Personal Data that Customer uploads or provides to Keygraph (or that Keygraph collects from systems Customer has authorized) as part of the Cloud Service.
"EEA" means the European Economic Area.
"EEA SCCs" means the standard contractual clauses annexed to European Commission Implementing Decision 2021/914 of 4 June 2021.
"GDPR" means European Union Regulation 2016/679.
"Personal Data" has the meaning given in Applicable Data Protection Laws.
"Processing" or "Process" has the meaning given in Applicable Data Protection Laws.
"Processor" has the meaning given in Applicable Data Protection Laws.
"Restricted Transfer" means (a) where the GDPR applies, a transfer of Personal Data from the EEA to a country outside of the EEA which is not subject to an adequacy determination by the European Commission; and (b) where the UK GDPR applies, a transfer of Personal Data from the United Kingdom to any other country which is not subject to adequacy regulations adopted pursuant to Section 17A of the UK Data Protection Act 2018.
"Security Incident" means a Personal Data Breach as defined in Article 4 of the GDPR; provided that unsuccessful attempts that do not result in actual unauthorized access to or loss of Customer Personal Data are not Security Incidents.
"Special Category Data" has the meaning given in Article 9 of the GDPR.
"Subprocessor" has the meaning given in Applicable Data Protection Laws.
"UK GDPR" means European Union Regulation 2016/679 as implemented by section 3 of the UK European Union (Withdrawal) Act of 2018 in the United Kingdom.
"UK Addendum" means the international data transfer addendum to the EEA SCCs issued by the UK Information Commissioner's Office.
With respect to Customer Personal Data, Customer is the Controller (or, where Customer is itself a Processor, Customer's customer is the Controller and Customer is the Processor) and Keygraph is the Processor (or Subprocessor, as applicable).
Customer instructs Keygraph to Process Customer Personal Data: (a) to provide and maintain the Cloud Service; (b) as further specified through Customer's use of the Cloud Service (including Customer's configuration choices, integrations, and administrative actions); (c) as documented in the Agreement; and (d) as documented in any other written instructions given by Customer and acknowledged by Keygraph. Keygraph will abide by these instructions unless prohibited by Applicable Laws and will inform Customer if it cannot follow them.
Keygraph will only Process Customer Personal Data in accordance with these Standard DPA Terms. If Keygraph updates the Cloud Service to add or modify products, features, or functionality, Keygraph may update the categories of Personal Data Processed, the nature and purpose of Processing, and related Processing details by updating these Standard DPA Terms in accordance with the "Updates to These Terms" section above.
Customer represents and warrants that it has complied with and will continue to comply with all Applicable Data Protection Laws concerning its provision of Customer Personal Data to Keygraph, including making all required disclosures, obtaining all required consents, and implementing relevant safeguards. Customer is responsible for the lawfulness of any data it elects to submit to the Cloud Service.
Keygraph will not use Customer Personal Data, Customer Content, or Usage Data attributable to an identified or identifiable Customer to develop, train, fine-tune, evaluate, benchmark, create embeddings for, or otherwise improve any artificial intelligence or machine learning model. Notwithstanding the foregoing, Keygraph may use threat intelligence and generalized vulnerability patterns derived from operating the Cloud Service (in each case in a form that does not identify Customer, any individual, or any Customer Content, and that cannot reasonably be re-identified) to improve Keygraph's detection rules, heuristics, and security research; this permission does not extend to using any Customer Content (including source code, vulnerability findings, or AI prompts and responses) as training data, fine-tuning data, or reference material for any AI or machine learning model.
Customer provides a general authorization for Keygraph to engage Subprocessors to Process Customer Personal Data. The current list of Keygraph's Subprocessors is published at keygraph.io/subprocessors and is updated from time to time.
The list of Keygraph's Subprocessors is published at keygraph.io/subprocessors, which is the authoritative source for the current list. Keygraph updates this page at least ten (10) business days before a new Subprocessor entity begins Processing Customer Personal Data. Customer is responsible for monitoring the published list. Customer may also email legal@keygraph.io to confirm the current list at any time. For clarity, the notice procedure in this Section applies only to the addition or replacement of a Subprocessor entity; changes to how an existing Subprocessor is used (including changes of services, regions, or capabilities of the same Subprocessor), like-for-like replacement of a Subprocessor with another Subprocessor providing substantially equivalent services on substantially equivalent data-protection terms, and the addition of a Subprocessor whose Processing is limited to operational metadata not constituting sensitive data do not require notice and are not subject to objection.
If Customer objects in writing to a new Subprocessor within ten (10) business days of notice, the objection must (i) be made by Customer's designated administrator, (ii) identify specific data-protection deficiencies of the proposed Subprocessor under Applicable Data Protection Laws, and (iii) not be based on commercial, competitive, or non–data-protection considerations. If the parties cannot agree on a resolution within forty-five (45) days of a properly noticed objection, Keygraph may elect to either (x) refrain from using the proposed Subprocessor with respect to Customer's tenant (if technically feasible without material impact on the Cloud Service), or (y) allow Customer to terminate the affected portion of the Cloud Service (limited to the portion that requires the new Subprocessor), with a refund of pre-paid, unused fees for the terminated portion only. Termination under this Section is Customer's sole and exclusive remedy.
When engaging a Subprocessor that will Process Customer Personal Data, Keygraph will impose data-protection obligations on the Subprocessor that are substantially equivalent to the obligations applicable to Keygraph under these Standard DPA Terms, taking into account the nature of the Subprocessor's services.
Upon Customer's reasonable written request, Keygraph will make available a summary or description of the material data-protection terms applicable to its Subprocessors. Keygraph will provide such information on a confidential basis and no more than once in any twelve (12) month period, absent (a) a Security Incident materially affecting Customer or (b) a documented regulatory requirement. To the extent Applicable Data Protection Laws (including Article 28(9) of the GDPR) require Keygraph to make available a copy of its data-protection terms with a particular Subprocessor, Keygraph may redact commercial terms and other non–data-protection content prior to providing such copy.
As required by Article 28(4) of the GDPR, Keygraph remains responsible for its Subprocessors' performance of the data-protection obligations subcontracted to them under these Standard DPA Terms, subject to the limitations of liability in the Agreement. Keygraph will notify Customer without undue delay upon becoming aware of any material failure by a Subprocessor to fulfill its data-protection obligations with respect to Customer Personal Data.
Customer agrees that Keygraph may transfer Customer Personal Data outside the EEA, the United Kingdom, or other relevant geographic territory as necessary to provide the Cloud Service. If Keygraph transfers Customer Personal Data to a territory for which the European Commission or other relevant supervisory authority has not issued an adequacy decision, Keygraph will implement appropriate safeguards consistent with Applicable Data Protection Laws.
If the GDPR protects the transfer of Customer Personal Data, the transfer is from Customer within the EEA to Keygraph outside the EEA, and the transfer is not governed by an adequacy decision, then by accepting the Agreement and these Standard DPA Terms, Customer and Keygraph are deemed to have signed the EEA SCCs and their Annexes, which are incorporated by reference. The EEA SCCs are completed as follows:
If the UK GDPR protects the transfer of Customer Personal Data, the transfer is from Customer within the UK to Keygraph outside the UK, and the transfer is not governed by an adequacy decision, then by accepting the Agreement and these Standard DPA Terms, Customer and Keygraph are deemed to have signed the UK Addendum and its Annexes, which are incorporated by reference. The UK Addendum is governed by the laws of England and Wales. Section 8 of these Standard DPA Terms provides the information required by Tables 1, 2, and 4 of the UK Addendum. Neither party may end the UK Addendum as set out in Section 19 of the UK Addendum.
For Personal Data transfers where Swiss law applies, references to the GDPR in Clause 4 of the EEA SCCs are amended to refer to the Swiss Federal Data Protection Act, and the concept of supervisory authority includes the Swiss Federal Data Protection and Information Commissioner.
Upon becoming aware of any Security Incident, Keygraph will: (a) notify Customer without undue delay, and in any event no later than seventy-two (72) hours after Keygraph confirms the Security Incident; (b) provide timely information about the Security Incident as it becomes known or as is reasonably requested by Customer, to the extent then known and to the extent providing such information does not compromise the integrity of the investigation or violate Applicable Laws; and (c) promptly take reasonable steps to contain, investigate, and mitigate the Security Incident. Keygraph's notification of or response to a Security Incident will not be construed as an acknowledgment of fault or liability. Keygraph's notification obligations under this Section do not apply to unsuccessful attempts to interfere with the Cloud Service or its operation (including unsuccessful log-on attempts, pings, port scans, denial-of-service attacks, and other network attacks on firewalls or networked systems) that do not result in actual unauthorized access to, or loss of, Customer Personal Data.
Keygraph will give Customer information reasonably necessary to demonstrate its compliance with these Standard DPA Terms, subject to this Section. Keygraph may restrict access to data or information if Customer's access would negatively impact Keygraph's intellectual property rights, Keygraph's confidentiality obligations to third parties, the security of Keygraph's systems or other customers' data, or other obligations under Applicable Laws. Customer will exercise its audit rights under these Standard DPA Terms and any audit rights granted by Applicable Data Protection Laws by instructing Keygraph to comply with the reporting and due-diligence requirements in this Section. Keygraph will maintain records of its compliance with these Standard DPA Terms for three (3) years.
Keygraph is regularly audited against the standards defined in Keygraph's security program by independent third-party auditors. Upon written request, Keygraph will give Customer, on a confidential basis, a summary copy of its then-current audit report.
Keygraph will respond to reasonable requests for information made by Customer to confirm Keygraph's compliance with these Standard DPA Terms, including responses to information security questionnaires. All such requests must be made in writing to security@keygraph.io and, absent (a) a Security Incident materially affecting Customer or (b) a documented regulatory or material customer-policy requirement, may be made no more than once in any twelve (12) month period. Keygraph will use reasonable efforts to respond within thirty (30) days. Any on-site audit will be subject to a separate written agreement, may not occur more than once in any twenty-four (24) month period absent a Security Incident or regulator order, must be conducted by qualified personnel under reasonable confidentiality and security protections, may not unreasonably interfere with Keygraph's operations or other customers' data, and will be at Customer's sole expense.
If Keygraph receives any inquiry or request from anyone other than Customer about the Processing of Customer Personal Data (including a judicial, administrative, or regulatory order, or a request from a data subject), Keygraph will notify Customer where permitted by Applicable Law and will not respond without Customer's prior consent. If a data subject makes a valid request under Applicable Data Protection Laws to delete, or to opt out of, Customer's provision of Customer Personal Data to Keygraph, Keygraph will assist Customer in fulfilling the request. Keygraph will cooperate with and provide reasonable assistance to Customer, at Customer's expense for non-routine assistance, in any legal response or procedural action.
If required by Applicable Data Protection Laws, Keygraph will reasonably assist Customer in conducting any mandated data protection impact assessments or data transfer impact assessments and consultations with relevant data protection authorities, taking into consideration the nature of the Processing and the information reasonably available to Keygraph.
Keygraph will enable Customer to delete Customer Personal Data in a manner consistent with the functionality of the Cloud Service. After termination or expiration of the Agreement, Keygraph will return or delete Customer Personal Data at Customer's written instruction within ninety (90) days, unless further storage is required or authorized by Applicable Law (including for routine backups subject to documented retention schedules and overwrite cycles).
Data Exporter: Customer (Controller, or Processor where applicable). Contact details as provided by Customer in its Cloud Service account.
Data Importer: Keygraph, Inc., a Delaware corporation. Address: 1885 Mission St., San Francisco, CA 94103. Contact: Madeline Nachbar, Operations Lead — security@keygraph.io. Role: Processor (or Subprocessor where applicable).
Service: Keygraph's AI-native, agentic application security platform (the "Cloud Service"), which consolidates application security tooling into a single integrated solution for finding, triaging, fixing, and verifying remediation of vulnerabilities. The Cloud Service unifies penetration testing workflows, static application security testing (SAST), software composition analysis (SCA), secrets scanning, container scanning, CI/CD integration, findings management, ticketing integration, and assistive code patching on a single deduplicated data model. The Cloud Service includes related support and professional services.
Data Storage Location: At account setup, Customer may elect to provision its tenant in Keygraph's European Union region, in which case Customer Personal Data (including source code, container images, vulnerability findings, and operational logs) is stored at rest in Amazon Web Services regions located within the EEA, and Keygraph's application infrastructure that serves the tenant is operated from the EEA. The election is made at account setup and is permanent for the life of the account. Keygraph is incorporated in the United States and Keygraph's personnel are located in the United States and other jurisdictions outside the EEA; Keygraph's personnel may access Customer Personal Data from outside the EEA in the course of providing the Cloud Service (including for support, debugging, incident response, and operating, securing, monitoring, and improving the Cloud Service). Such access is subject to the EEA SCCs and the UK Addendum (Section 4 above) and the technical and organizational measures in Section 8.5 below.
AI Features: By default, AI features of the Cloud Service operate against large language model endpoints designated by Customer (Bring-Your-Own-Key, or "BYOK"). Under the BYOK default, Customer selects and controls the location and provider of its LLM endpoint, AI compute occurs in Customer's LLM tenant under Customer's account, and Keygraph does not maintain a separate agreement with any LLM provider for the Processing of Customer Content. Customer may, by explicit configuration in the Cloud Service or by Order Form, opt into Keygraph-managed AI features in which Customer Content is processed by Keygraph-engaged LLM providers identified as Opt-In AI Subprocessors at keygraph.io/subprocessors. Regardless of which path Customer elects, Keygraph does not use Customer Content (including AI prompts and responses) to train, fine-tune, evaluate, benchmark, or otherwise improve any AI or machine learning model. Keygraph's handling of AI request and response data, including operational logging and retention, is further described in Keygraph's Code Security Posture.
Categories of Data Subjects:
Categories of Personal Data:
Special Category Data: Keygraph does not intentionally collect Special Category Data and the Cloud Service is not designed or intended to Process Special Category Data. Keygraph strongly advises Customer not to submit Personal Data (including Special Category Data) to the Cloud Service that is not necessary for application security testing. Any Special Category Data that may be incidentally present in Customer Content is the responsibility of Customer to identify, lawfully process, and where appropriate exclude or redact before submission. To the extent the Agreement (including any restriction on Prohibited Data or similar category) prohibits Customer from submitting Special Category Data or other Personal Data, that prohibition applies only to intentional submission by or on behalf of Customer; the incidental presence of such data in Customer Content is not a breach of any such prohibition and is governed by these Standard DPA Terms.
Frequency of Transfer: Continuous and on-demand, throughout the term of the Agreement.
Nature and Purpose of Processing: Vulnerability discovery (SAST, SCA, secrets scanning, container scanning, in each case against Customer-authorized assets); penetration testing workflow orchestration; findings management (deduplication, triage, prioritization, SLA tracking); assistive code patching against Customer-designated LLM endpoints (BYOK) or, where Customer has explicitly opted in, against Keygraph-managed LLM endpoints; remediation verification; CI/CD integration; ticketing integration; metrics and reporting; authentication and access management via Customer-controlled identity providers; audit and security logging; customer support; and operating, securing, monitoring, troubleshooting, and improving the Cloud Service.
Duration of Processing: Keygraph will Process Customer Personal Data for as long as required to provide the Cloud Service (generally aligning with the subscription period under the Agreement and any wind-down period) or as required by Applicable Laws.
For Customers established in the EU: the supervisory authority of the EU Member State where Customer is established. For Customers not established in the EU but to whom the GDPR otherwise applies: the Irish Data Protection Commission. For UK transfers: the UK Information Commissioner's Office (ICO).
To the extent the CCPA applies, the parties acknowledge that Keygraph is a Service Provider receiving Personal Data from Customer to provide the Cloud Service as set forth in the Agreement and these Standard DPA Terms, which constitutes a limited and specified business purpose. Keygraph will not: (a) sell or share any Personal Data; (b) retain, use, or disclose any Personal Data outside the direct business relationship between Keygraph and Customer; (c) retain, use, or disclose any Personal Data for any purpose other than for the business purposes specified in the Agreement (or as otherwise permitted by the CCPA); or (d) combine the Personal Data with personal information that Keygraph receives from or on behalf of another person or persons (or that Keygraph collects from its own interactions with consumers), except as permitted by the CCPA. Keygraph will notify Customer if it can no longer meet its obligations under the CCPA.
Keygraph implements and maintains the following technical and organizational measures to protect Customer Personal Data:
Each party's total cumulative liability arising out of or related to these Standard DPA Terms is subject to the waivers, exclusions, and limitations of liability set forth in the Agreement. Without limiting the foregoing, Keygraph's total cumulative liability arising out of or related to claims for (a) Keygraph's breach of these Standard DPA Terms, or (b) Keygraph's gross negligence or willful misconduct that results in a Security Incident, will not exceed the greater of (i) $50,000 or (ii) two (2) times the fees paid or payable by Customer to Keygraph in the twelve (12) month period immediately before the claim.
Any claims against Keygraph or its affiliates arising out of or related to these Standard DPA Terms may only be brought by the Customer entity that is a party to the Agreement.
These Standard DPA Terms do not limit any liability to an individual regarding the individual's data protection rights under Applicable Data Protection Laws, and do not limit any liability between the parties for violations of the EEA SCCs or UK Addendum.
These Standard DPA Terms form part of and supplement the Agreement. If there is any inconsistency between these Standard DPA Terms and the Agreement, the EEA SCCs or UK Addendum will control over these Standard DPA Terms, which will control over the Agreement, in each case to the extent of the inconsistency.
If Customer and Keygraph have executed a separately signed Keygraph Data Processing Agreement, that signed agreement controls in all respects and these Standard DPA Terms do not apply.
These Standard DPA Terms apply for as long as Keygraph Processes Customer Personal Data on Customer's behalf under the Agreement and continue until the Agreement expires or is terminated. The obligations relating to data subject to the EEA SCCs and UK Addendum continue until Customer stops transferring Customer Personal Data to Keygraph and Keygraph stops Processing Customer Personal Data.
These Standard DPA Terms are governed by the laws of the State of California, without regard to its conflict of laws principles. The parties consent to the exclusive jurisdiction of the state and federal courts located in San Francisco County, California for any legal suit, action, or proceeding arising out of or relating to these Standard DPA Terms. Governing law and forum for (a) the EEA SCCs and (b) the UK Addendum are as set forth in Section 4 above.
Questions about these Standard DPA Terms, Subprocessors, or general data-protection matters may be directed to legal@keygraph.io. Security-related questions, including incident reports and security questionnaire responses, may be directed to security@keygraph.io.
These Standard Data Processing Terms are derived from the Common Paper Data Processing Agreement Standard Terms Version 1.1 (https://commonpaper.com/standards/data-processing-agreement/1.1/), with modifications by Keygraph, Inc., under the Creative Commons Attribution 4.0 International License (CC BY 4.0).
Keygraph, Inc. | © 2026 All rights reserved.