Data Processing Addendum

Last updated: 30 June 2026

For enterprise customers and any customer whose use of Keep-Ready requires a written Data Processing Addendum ("DPA") under the GDPR, the UK GDPR, the Australian Privacy Act 1988 (Cth), the California Consumer Privacy Act, or equivalent law, Keep-Ready offers a standard DPA on request.

What our DPA covers

  • Roles and responsibilities of Keep-Ready as data processor and you as controller
  • The types of personal data we process and the purposes for which we process it
  • Our obligations to process only on your documented instructions
  • Technical and organisational security measures we implement
  • Our use of subprocessors and the notification process when we add or change one
  • International data transfer safeguards (Standard Contractual Clauses, equivalent measures)
  • Assistance with data subject access, correction, deletion, and portability requests
  • Personal Data Breach notification within 72 hours
  • Audit and information rights, and reasonable cooperation with regulatory enquiries
  • Return or deletion of personal data on termination

Alignment with industry standards

Our DPA is drafted to align with GDPR Article 28, the Australian Privacy Principles (APP 8 — cross-border disclosure), and ISO/IEC 27018 (protection of personally identifiable information in public clouds acting as processors). The accompanying security commitments map to ISO/IEC 27001 control objectives, although Keep-Ready is not (yet) ISO 27001 certified — see our Security page for a candid summary of our current and planned compliance posture.

Subprocessors

A current list of every third party that processes Keep-Ready user data on our behalf is maintained at keep-ready.com/subprocessors. Customers on a signed DPA receive at least 30 days' advance notice by email before any new subprocessor is added.

How to request a DPA

Email privacy@keep-ready.com with your company's legal name, registered office address, your jurisdiction(s), and the name of the Keep-Ready account the DPA will apply to. We will return a completed DPA for signature within five business days.

If your organisation has its own preferred DPA form, we're happy to review and either sign or propose redlines. Most reasonable forms are acceptable; we will flag any provisions that conflict with how the service operates and propose alternatives.

For individual (consumer) users

Individual users do not generally need a separate DPA — the standard Privacy Policy and Terms of Service between you and Keep-Ready already describe how your personal information is handled. If you have a specific concern, please reach out at the email address above.