This Data Processing Agreement was last updated on 9 December 2022 and regulates KeyPay’s data processing activities carried out as a data processor on behalf of its Customers. For answers to any questions about the latest changes made to this Data Processing Agreement, please see the FAQs page linked here.
Previous version of this document can be found here.
This Data Processing Agreement (“DPA”) forms part of the written or electronic agreement(s)between the Customer and KeyPay, for use of the KeyPay Payroll Platform and its related apps, and the general provision of the Services (the “Agreement”),to reflect the parties’ agreement regarding the processing of Personal Data.
If the Customer entering into this DPA has executed an order form or statement of work with KeyPay pursuant to the Agreement (an “Ordering Document”), but is not itself a party to the Agreement, this DPA is an addendum to that Ordering Document and applicable renewal Ordering Documents. This DPA also forms part of the KeyPay Terms of Use and/or any other terms and conditions to which the Customer agrees when receiving Services from KeyPay or its Affiliates.
In this DPA:
“Affiliates” shall mean any corporation or other business entity controlling, controlled by or under common control with KeyPay. A current list of Affiliates is available here;
“Applicable Law” means all laws, regulations, orders, rules, judgments, directives, industry agreements or determinations in force from time to time applicable to a party and relevant to the Agreement or this DPA, including, without limitation the GDPR and UK GDPR;
“Customer” means the specific party which has entered into the Agreement with KeyPay;
“Customer Personal Data” means Personal Data in respect of which the Customer is the Data Controller, KeyPay is the Data Processor; but which excludes Personal Data held by KeyPay when acting as a Data Controller;
“Data Controller” means the entity which alone or jointly with others determines the purposes and means of Processing of Personal Data, it shall be interpreted in accordance with the GDPR and the UK GDPR;
“Data Processor” means an entity which Processes Personal Data on behalf of a Data Controller, it shall be interpreted in accordance with the GDPR and the UKGDPR;
“Data Protection Law” means the GDPR, the UK GDPR, Directive 2002/58/E C concerning the processing of Personal Data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), any national laws or regulations implementing the foregoing Directives, any other privacy and data protection laws that may be applicable to the parties, and any amendments to or replacements of such laws and regulations;
“Data Subject” has the meaning given to it in the GDPR and the UK GDPR;
“EEA” means the European Economic Area;
“GDPR” means in each case to the extent applicable to the processing activities: (i)Regulation (EU) 2016/679; and (ii) Regulation (EU) 2016/679 as amended by any legislation arising out of the withdrawal of the UK from the European Union;
“KeyPay” means Webscale Pty Ltd, trading as KeyPay or the relevant KeyPay Affiliate which has entered into the Agreement with the Customer for the provision of the Services;
“Personal Data” means any information relating to an identified or identifiable natural person and an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
“Processing” has the meaning given to it in Data Protection Law (the “GDPR” and the “UKGDPR”) and “process”, “processes” and “processed” will be interpreted accordingly;
“Relevant Country” means all countries other than those (a) within the EEA and (b)countries in respect of which an adequacy finding under Article 25(6) of the European Data Protection Directive or Article 45 of the GDPR has been given;
“Services” means the provision of cloud-based payroll software services provided by KeyPay and/or its Affiliates under the Agreement through its websites, platforms and apps;
“Standard Contractual Clauses” mean:
(a). the International Data Transfer Addendum to the EU Standard Contractual Clauses made available on the ICO website (or any replacement publication made on the website), issued by the Information Commissioner and laid before Parliament in accordance withs.119A of the Data Protection Act 2018 on 2 February 2022 but, as permitted by clause 17 of such addendum, the parties agree to change the format of the information set out in Part 1 of the addendum so that:
(b). until such time as the addendum above comes into force, the clauses for the transfer of Personal data to processors established in third countries which do not ensure an adequate level of protection for Personal Data adopted by the European Commission under Commission Decision C-2010/593(“2010 Standard Contractual Clauses”);
“Sub-Processor” means any entity which is engaged by KeyPay or by any other sub-processor of KeyPay who may access or process Customer Personal Data;
“UK GDPR” means the GDPR as applicable as part of UK domestic law by virtue of section 3of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit)Regulations 2019 (as amended);
1.1.1 any words following the terms including, “include”, “in particular”, “for example”, or any similar expression shall be construed as illustrative and shall not limit the sense of the words, description, definition, phrase or term preceding those terms; and
1.1.2 references to Clauses and Schedules are, unless otherwise stated, references to the clauses of, and schedules to, this DPA; and
1.1.3 references to this DPA or any other agreement or document are to this DPA or such other agreement or document as it may be varied, amended, supplemented, restated, renewed, novated, or replaced from time to time.
2.1.1 Roles of the parties: The parties acknowledge that the Customer is the Data Controller and KeyPay is the Data Processor of Customer Personal Data. The parties acknowledge that KeyPay requires certain Personal Data to set up and manage the Customer’s account on the KeyPay Payroll Platform or related apps and provide Services under the Agreement. KeyPay may also provide specific services and support relating to individuals where it determines the purposes for which, and means in which, the Personal Data is processed, and in such cases, KeyPay will process such Personal Data as a Data Controller.
2.1.2 Scope of this DPA: This DPA only applies to the processing of Customer Personal Data by KeyPay in connection with the Services under the Agreement. The categories of Data Subjects and types of Customer Personal Data processed are set out in Schedule 1 of this DPA. Customer Personal Data is processed for the purpose of providing the Services and other purposes as identified in Schedule 1 of this DPA. KeyPay shall process Customer Personal Data for the duration of the Agreement (or longer to the extent permitted by Applicable Law).
2.1.3 Legal compliance obligations: Each party warrants that in relation to this DPA it is compliant with and will remain compliant with all Applicable Law. The Customer shall ensure that it has a provided notice to Data Subjects and that there is a valid lawful basis under the GDPR and/or the UK GDPR Laws for all Customer Personal Data that is disclosed to KeyPay in connection with the Agreement for the data processing activities envisaged by the Agreement.
2.1.4 KeyPay’s responsibilities: Notwithstanding anything to the contrary in the Agreement, in relation to Customer Personal Data, KeyPay shall:
(a) process Customer Personal Data only in accordance with the Customer’s instructions as established in the Agreement or as provided inwriting by the Customer from time to time, provided such instructions are reasonable and subject to KeyPay’s right to charge additional sums at its current rates should the scope of the agreed services be exceeded. Notwithstanding the foregoing, KeyPay may process Customer Personal Data as required under Applicable Law. In this situation, KeyPay will take reasonable steps to inform the Customer of such a requirement before KeyPay processes the data, unless the law prohibits this;
(b) promptly notify the Customer, if in KeyPay’s opinion, an instruction from the Customer infringes Data Protection Law;
(c) where applicable, ensure only its (or its Sub-Processors) personnel who are contractually bound to respect the confidentiality of Customer Personal Data shall have access to the same;
(d) implement appropriate technical and organisational measures to protect against unauthorised or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Personal Data. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction, damage, or theft of Customer Personal Data and having regard to the nature of the Customer Personal Data which is to be protected and shall be as set forth in Schedule 1of this DPA. The Customer acknowledges that KeyPay may change the security measures through the adoption of new or enhanced security technologies and authorises KeyPay to make such changes provided that they do not materially diminish the level of protection. KeyPay shall make information about the most up to date security measures applicable to the Services available here;
(e) at the Customer’s reasonable request and at the Customer’s cost, taking into account the nature of the processing, assist the Customer by implementing appropriate technical and organisational measures, insofar as this is possible, to assist with the Customer’s obligation to respond to requests from Data Subjects of Customer Personal Data seeking to exercise their rights under Data Protection Law (to the extent that the Customer Personal Data is not accessible to the Customer through the Services provided under the Agreement);
(f) at the Customer’s reasonable request and at the Customer’s cost, taking into account the nature of the processing and the information available to KeyPay, assist the Customer with its obligations under Articles 32 to 36 of the GDPR; and
(g) upon written request by the Customer, delete or return to the Customer any such Customer Personal Data within the agreed period of time after the end of the provision of the Services as set out in the Agreement(or within a reasonable period of time if the Agreement is silent on this point), unless Applicable Law requires storage of the Customer Personal Data. Unless otherwise provided in the Agreement, KeyPay reserves the right to charge for such deletion or return of such Customer Personal Data. The Customer acknowledges and agrees that KeyPay may use Customer Personal Data for analytics, research, development and product improvement purposes.
2.2.1 Appointment of Sub-Processors: The Customer agrees that KeyPay may transfer Customer Personal Data or give access to Customer Personal Data to Sub-Processors for the purposes of providing the Services or other purposes identified in Schedule 1 of this DPA, provided that KeyPay complies with the provisions of this clause. KeyPay shall remain responsible for its Sub-Processor’s compliance with the obligations of this DPA. KeyPay shall ensure that any Sub-Processors to whom it transfers Customer Personal Data enter into written agreements with KeyPay requiring that the Sub-Processors abide by terms no less protective, in any material respect, than this DPA.
2.2.2 List of current Sub-Processors and notice of updates to the list: A current list of Sub-Processors is available here and is deemed to be pre-approved by the Customer. KeyPay can at any time and without justification (i)appoint a new Sub-Processor, or (ii) remove or change an existing Sub-Processor. If the Customer subscribes for updates in regard to the Sub-Processor list by emailing privacy@keypay.com, the Customer shall be given thirty (30) days’ prior written notice by email of such updates to the Sub-Processor list, or via the KeyPay Platform and/or apps. The Customer is also advised to periodically check KeyPay’s website, platforms, or apps for communications concerning updates to the Sub-Processor list.
2.2.3 Objections to Sub-Processors: If the Customer does not legitimately object to such changes within that timeframe, the Sub-Processor list update is deemed to be approved by the Customer. Legitimate objections to the Sub-Processor list update must contain reasonable and documented data protection grounds relating to a Sub-Processor’s non-compliance with applicable Data Protection Law. In the event the Customer reasonably objects to a new Sub-Processor, KeyPay will use reasonable efforts to make available to the Customer a change in the Services or recommend a commercially reasonable change to the Customer’s configuration or use of the Services. This will be done to avoid processing of Personal Data by the new Sub-Processor to whom the Customer objects without unreasonably burdening the Customer. If KeyPay is unable to make available such change within a reasonable period of time, which shall not exceed sixty (60) days, the Customer may terminate the applicable Services which cannot be provided by KeyPay without the use of the objected-to new Sub-Processor with written notice to KeyPay
2.2.4 KeyPay must provide the Customer with agreements or contracts (subject to redaction of any confidential information) it has entered into with the Sub-Processor. Such copies will be provided by KeyPay in a manner to be determined in its discretion, only upon the written request by the Customer via email to privacy@keypay.com, and at the sole expense of the Customer.
2.3.1 The Customer acknowledges that in connection with the delivery of the Services, the Customer Personal Data may be transferred to, or accessed from, Australia or another Relevant Country. Where such transfer occurs, the Standard Contractual Clauses as specified in Schedule 3 of this DPA will apply and be incorporated as part of this DPA. For other Sub-Processors based in a Relevant Countries, the parties shall take steps to ensure that there is adequate protection for any such transfers of Customer Personal Data as defined in Data Protection Laws.
2.3.2 KeyPay shall not and shall ensure that none of its Affiliates or contractors, transfer, access or use EU or UK Personal Data in a Relevant Country other than in compliance with the terms of this DPA and the Standard Contractual Clauses. The Customer agrees to authorise the international transfers in application of Schedule 3 of this DPA and the parties and Customer agree to comply with the obligations set out in the Standard Contractual Clauses as though they were set out in full in this DPA, with the Customer as the ‘data exporter’ and KeyPay as the ‘data importer’, with the parties signature and dating of the Agreement being deemed to be the signature and dating of the Standard Contractual Clauses and with the Annexes and/or Appendices to the Standard Contractual Clauses being as set out in Schedule 3 to this DPA.
2.3.3 For the purposes of the EU Standard Contractual Clauses, the following shall apply:
(a) Clause 9 OPTION 2: where applicable, general written authorisation will be required for the engagement of new Sub-Processors. The parties agree that the time period for providing written notice of the engagement of a new Sub-Processor to Customers that have subscribed to receive such notice shall be thirty (30) days;
(b) Clause 17 (Governing law): the clauses shall be governed by the laws of the Republic of Ireland; and
(c) Clause 18 (Choice of forum and jurisdiction) the courts of the Republic of Ireland shall have jurisdiction.
2.4.1 KeyPay shall notify the Customer, without undue delay, if KeyPay becomes aware of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Personal Data transmitted, stored or otherwise processed by KeyPay (“Security Incident“), and take such steps as the Customer may reasonably require, within a reasonable timescales, to remedy the Security Incident and provide such further information as the Customer may reasonably require.
2.4.2 KeyPay will make reasonable efforts to identify the cause of any Security Incident and take steps as KeyPay deems necessary and reasonable to remediate the cause of such a Security Incident to the extent the remediation is within KeyPay’s reasonable control.
2.4.3 KeyPay’s assistance under this clause which exceeds any obligations set out by Applicable Law shall be chargeable, as incurred, at KeyPay’s then current rates unless the Customer demonstrates that such assistance is required because of a failure by KeyPay to comply with the obligations under this DPA.
2.4.4 The obligations under this clause shall not apply to Security Incidents that are caused by the Customer or its personnel.
2.5.1 Upon written request from the Customer, and at the Customer cost and expense, KeyPay shall audit the security of the computers and computing environment that it uses in processing Customer Personal Data and the physical locations from which it processes Customer Personal Data (including that of its Sub-Processors). This audit will be performed no more than once annually and it may be performed by independent third-party security professionals at KeyPay’s selection (in which case such selection is made at KeyPay’s expense). In the event that KeyPay has recently exercised such rights for another customer, it shall provide to the Customer a summary of the most recent audit results.
2.5.2 KeyPay shall respond, no more frequently than annually, to any reasonable security questionnaire provided by a Customer which seeks to assist Customer’s assessment of KeyPay’s compliance with the security obligations under this DPA and which may be applicable to the Services. The responses to such questionnaire and any supporting evidence provided by KeyPay shall be considered confidential information of KeyPay.
2.5.3 If the Customer desires to change this instruction regarding exercising the audit rights or the provision of information in order to demonstrate compliance with Article 28 of the GDPR, then the Customer has the right to change this instruction to the extent so required to ensure compliance, which shall be requested in writing via email to privacy@keypay.com, provided that KeyPay shall have no obligation to provide commercially confidential information.
2.6.1 At the end of the Services, upon the Customer's written request, KeyPay shall securely destroy, or return such Personal Data to the Customer, and delete existing copies unless Applicable Law require retention of such Personal Data.
2.6.2 To the extent applicable and required, the parties agree that the certification of deletion of the Personal Data shall be provided by KeyPay only upon the Customer’s written request via email to privacy@keypay.com.
2.7.1 The parties acknowledge and agree that any liability of KeyPay and/or its Affiliates arising out of or in relation to this DPA is subject to the liability sections of the Agreement (including applicable sections of the KeyPay Terms of Use and/or any other specified terms and conditions of an Agreement entered into with between the Customer and KeyPay).
2.8.1 Conflict: In the event of any conflict or inconsistency between the body of this DPA and any of its Schedules (not including the specifications of the Standard Contractual Clauses), and the Standard Contractual Clauses specified in Schedule 3, the Standard Contractual Clauses will prevail(unless this would result in the invalidity of this DPA under Data Protection Laws (in which case the relevant term(s) of this DPA shall prevail).
2.8.2 Changes to this DPA: KeyPay reserves the right to make any updates or changes to this DPA to reflect changes in its Services, information practices, operational requirements, or changes to laws and regulations. The Customer should periodically review this DPA to see any amendments that have been made. If KeyPay makes any significant changes to this DPA, KeyPay may provide notice to Customers via email or by other means of communication.
The development and provision of the Services provided by KeyPay as stated in this DPA.
Customers and end-users of the Services provided by KeyPay and its Affiliates,
The Personal Data transferred concern the following categories and special categories of data:
KeyPay shall process Customer Personal Data for the duration of the Agreement (or longer to the extent permitted by Applicable Law).
The Security Measures are detailed here and here, as may be updated by KeyPay from time to time in accordance with clause 2.1.4(d).
Name: Customer
Activities relevant to the data transferred under these Clauses: The Services, access and use of cloud-based payroll software services, all data processing categorised as “C2P” where the Controller is located inside,and the Processor is located outside, the EU/EEA.
Role (controller/processor): controller
Name: Webscale Pty Ltd, trading as KeyPay (ABN 70 154 693 955)
Address: Level 2, 441 Kent Street Sydney NSW 2000
Contact email: privacy@keypay.com
Activities relevant to the data transferred under these Clauses: The Services, development and supply of cloud-based payroll software services and all data processing categorised as “C2P”, where the Controller is located inside, and the Processor is located outside, the EU/EEA.
Role (controller/processor): processor
Module Two: Controller to Processor
Nature of Processing: See Schedule 1 above.
Purpose of Processing: See Schedule 1 above.
Categories of Data Subjects: See Schedule 1 above.
Categories of Personal data Transferred: See Schedule 1 above.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: See Schedule 1 above.
Frequency of transfer: Continuous.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period (EU standard contractual clauses only): See Schedule 1 above.
For transfers to (sub-) processors, the subject matter, nature and duration of the processing (EU standard contractual clauses only): As set out in Schedule 1.
Irish Data Protection Commission
21 Fitzwilliam Square
South Dublin 2
Republic of Ireland
D02 RD28
Data importer has implemented and will maintain appropriate technical and organisational measures to protect Customer Personal Data (as defined in the DPA) against the unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. The measures described in Schedule 2 of this DPA are hereby incorporated into this Appendix 2 by this reference and are binding on the data importer as if they were set forth in this Appendix 2 in their entirety.
The following link provides a list of all KeyPay Sub-Processors:
https://www.keypay.com/sub-processor-list
The following link provides a list of all KeyPay Affiliates:
https://www.keypay.com/keypay-affiliates-list