Data Processing Agreement

Last updated: 15 May 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Controller") and KeyStack ("Processor"). It applies whenever you upload, transmit or otherwise process Personal Data through the KeyStack platform.

1. Definitions

Terms not defined here have the meaning given in the EU GDPR.

2. Subject matter

KeyStack processes Personal Data on your behalf strictly to provide the licensing platform you've subscribed to. This includes generating, validating, freezing and revoking license keys you create, and surfacing the dashboard you log into.

3. Duration

This DPA is in force for as long as KeyStack processes Personal Data on your behalf, plus a 30-day retention period after termination during which you can export your data.

4. Nature & purpose

Category | Example
Identification data | Customer email, name
Technical data | IP, user-agent, hardware ID supplied during activation
Account data | Your team members' name, email, hashed password
Configuration data | License keys, plans, audit log entries

5. Categories of data subjects

  • Your end-users (the people who buy or use licensed software from you).
  • Your teammates with access to the KeyStack dashboard.

6. Processor obligations

KeyStack will:

  1. Process Personal Data only on documented instructions from you.
  2. Ensure persons authorised to process Personal Data are bound by confidentiality.
  3. Implement the technical and organisational measures listed in Annex II.
  4. Assist you in fulfilling data-subject requests (access, rectification, erasure).
  5. Notify you without undue delay (and in any case within 72 hours) of a Personal Data Breach.
  6. Make available all information necessary to demonstrate compliance.
  7. Delete or return all Personal Data after the end of the service, at your choice.

7. Sub-processors

You authorise KeyStack to engage the sub-processors listed in the Privacy Policy. We give 30 days' notice before adding new sub-processors and you may object on reasonable grounds.

8. International transfers

When Personal Data is transferred outside the EEA we rely on the EU Standard Contractual Clauses (Module 2, 2021/914) supplemented by the technical safeguards in Annex II.

9. Annex II — Technical & organisational measures

  • TLS 1.3 in transit
  • AES-256-GCM at rest for sensitive secrets
  • Argon2id password hashing
  • Tenant isolation enforced at the database layer
  • 2FA available for all platform accounts
  • Audit log of every mutating action
  • Annual third-party penetration test
  • Quarterly internal access reviews

Contact

Sign and return a counter-signed copy of this DPA by emailing dpa@keystack.dev.