
Data Processing Addendum

Version 2026-05-03 · Effective May 3, 2026

Last Updated: May 3, 2026

1. PARTIES AND SCOPE

1.1 Parties. This Data Processing Addendum ("DPA") is entered into between:

  • Kiey Holdings, Ltd., a Delaware C corporation, operating from 4112 Fieldstone Rd, Champaign, IL 61822, USA ("Kiey" or "Processor" / "Service Provider"); and
  • The Real Estate Team Owner that has executed the Kiey Terms of Service & Subscription Agreement (the "Customer" or "Controller" / "Business").

1.2 Effect. This DPA is incorporated into and forms part of the Kiey Terms of Service & Subscription Agreement (the "Main Agreement") and applies to Kiey's processing of Personal Data on behalf of the Customer.

1.3 Order of Precedence. In the event of conflict between this DPA and the Main Agreement, this DPA controls solely with respect to the processing of Personal Data. The SCCs and UK Addendum (where incorporated) prevail over inconsistent terms in this DPA.

1.4 No Charge. Kiey does not charge a separate fee for entering into this DPA.


2. DEFINITIONS

Capitalized terms not defined here have the meanings given in the Main Agreement or the relevant Data Protection Law.

  • "Applicable Data Protection Law" means all U.S., Canadian, EU/EEA, UK, and other privacy and data-protection laws and regulations applicable to a party's processing of Personal Data, including without limitation the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK Data Protection Act 2018 and UK GDPR, the California Consumer Privacy Act / California Privacy Rights Act ("CCPA/CPRA"), the Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, Texas TDPSA, and analogous U.S. state laws, the Personal Information Protection and Electronic Documents Act ("PIPEDA"), Alberta PIPA, British Columbia PIPA, the Quebec Act respecting the protection of personal information in the private sector ("Law 25"), and successor laws.
  • "Personal Data" means any information relating to an identified or identifiable natural person processed by Kiey on behalf of the Customer in connection with the Service.
  • "Sensitive Data" has the meaning given by Applicable Data Protection Law (e.g., GDPR Article 9 special categories; CCPA/CPRA "sensitive personal information"; biometric, health, financial-account, precise-geolocation, and similar categories).
  • "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
  • "Processing" has the meaning given in GDPR Article 4(2) (or analogous law).
  • "Controller" / "Processor" / "Sub-processor" / "Business" / "Service Provider" / "Contractor" have the meanings given in the relevant Applicable Data Protection Law.
  • "SCCs" means the European Commission's Standard Contractual Clauses for the transfer of Personal Data to third countries (Implementing Decision (EU) 2021/914 of 4 June 2021), as updated.
  • "UK Addendum" means the International Data Transfer Addendum to the EU SCCs issued by the UK ICO (version B1.0, in force 21 March 2022).
  • "Security Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data processed by Kiey (i.e., a "personal data breach" under GDPR Article 4(12), a "breach of security safeguards" under PIPEDA, a "confidentiality incident" under Quebec Law 25, or analogous concept).

3. ROLES OF THE PARTIES

3.1 Customer as Controller / Business. The Customer is the Controller (GDPR / UK GDPR / Quebec Law 25), Business (CCPA/CPRA), or Organization (PIPEDA) of Personal Data processed in connection with the Service. The Customer determines the purposes and means of processing.

3.2 Kiey as Processor / Service Provider. Kiey is the Processor (GDPR / UK GDPR), Service Provider (CCPA/CPRA), Processor (Quebec Law 25), or analogous role. Kiey processes Personal Data only on behalf of the Customer and only as instructed.

3.3 Each Party's Compliance. Each party will comply with its obligations under Applicable Data Protection Law in connection with this DPA. The Customer is responsible for the lawfulness of its instructions and the accuracy and lawful basis of the Personal Data it provides.

3.4 Independent Controllership. Kiey may, in limited circumstances and only as permitted by Applicable Data Protection Law, act as an independent Controller (e.g., for billing data, security logs, anti-fraud, account administration, business analytics on de-identified data). Such processing is governed by the Kiey Privacy Policy, not this DPA.


4. SUBJECT MATTER, NATURE, PURPOSE, AND DURATION

| Element | Description |
| --- | --- |
| Subject matter | Provision of the Kiey Service to the Customer under the Main Agreement. |
| Nature of processing | Hosting, storage, transmission, indexing, AI-assisted analysis, search, routing, and presentation of Personal Data submitted by the Customer and its Users; sending transactional and (where consented) marketing communications; processing payments through Stripe. |
| Purpose | To provide, maintain, secure, and improve the Service; to enable communications among the Customer's Users; to provide AI-assisted features; and to comply with law. |
| Categories of Data Subjects | Real Estate Team Owners, Agents, Vendors, Employees, Clients (homeowners), and other invited Users. |
| Categories of Personal Data | Identifiers (name, email, phone, address); account credentials; profile photos; payment-method tokens (Stripe); communications content (chat, calls, files); files and photos uploaded by Users; geolocation (where consented); device identifiers and tokens; usage and log data; AI inputs and outputs. |
| Sensitive Data | None should be submitted; the Customer instructs Users not to submit Sensitive Data. To the extent submitted incidentally (e.g., a homeowner's chat reference to a medical condition), Kiey processes solely as instructed. |
| Duration | For the term of the Main Agreement, plus the post-termination retention periods set forth in Section 11. |

5. CUSTOMER INSTRUCTIONS AND COMPLIANCE

5.1 Documented Instructions. Kiey will process Personal Data only on the Customer's documented instructions, which are the Main Agreement, this DPA, applicable order forms, and any further written instructions accepted by Kiey in writing.

5.2 Lawfulness of Instructions. The Customer warrants that its instructions are lawful and that it has the necessary legal basis (consent, contract, legitimate interest, etc.) for the processing.

5.3 Conflicts with Law. If Kiey is unable to comply with an instruction without violating Applicable Data Protection Law, Kiey will notify the Customer (unless prohibited by law) and the Customer may suspend the relevant processing or terminate the affected portion of the Service.

5.4 Service Provider / Processor Restrictions (CCPA/CPRA). Kiey will not (i) sell or share Personal Data; (ii) retain, use, or disclose Personal Data outside the direct business relationship with the Customer; (iii) retain, use, or disclose Personal Data for any purpose other than the business purposes specified in the Main Agreement and this DPA; or (iv) combine Personal Data received from the Customer with Personal Data received from another source, except as expressly permitted by Cal. Code Regs. tit. 11 § 7050(c).

5.5 Quebec Law 25. For Quebec residents' Personal Data, Kiey acknowledges Article 18.3 of Law 25 obligations, including processing only for the purposes for which it was disclosed, applying confidentiality measures, and not retaining Personal Data after the contract ends except as required by law.


6. CONFIDENTIALITY OF PERSONNEL

Kiey ensures that personnel authorized to process Personal Data are subject to written confidentiality obligations and have received appropriate training on their data-protection responsibilities.


7. SECURITY MEASURES (ANNEX II)

7.1 Technical and Organizational Measures. Kiey will implement and maintain commercially reasonable technical and organizational measures designed to protect Personal Data against Security Breaches. The current measures are described in Annex II to this DPA and include:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256 or equivalent);
  • Role-based access controls; principle of least privilege; multi-factor authentication for administrative access;
  • Network segmentation, firewalls, and intrusion-detection;
  • Vulnerability scanning and timely patching;
  • Security logging and monitoring;
  • Background checks for employees with access to Personal Data;
  • Incident response plan and runbooks;
  • Vendor risk management;
  • Periodic third-party security assessments;
  • Secure software development lifecycle; code review.

7.2 Updates. Kiey may update Annex II from time to time provided the level of security is not materially decreased.

7.3 Customer Responsibility. The Customer is responsible for the security of its own systems, credentials, devices, and the actions of its Users.


8. SUB-PROCESSORS

8.1 General Authorization. The Customer grants Kiey a general written authorization to engage Sub-processors to process Personal Data on its behalf, subject to this Section 8.

8.2 Current Sub-processors. The current list of Sub-processors is published at https://kiey.com/subprocessors.

8.3 Notice of Changes. Kiey will provide reasonable notice (target: thirty (30) days) of any new or replacement Sub-processor by updating the URL above and/or by email to the Real Estate Team Owner contact on file.

8.4 Objections. The Customer may object to a new Sub-processor on reasonable data-protection grounds within thirty (30) days of notice. The parties will work in good faith to resolve the objection. If unresolved, the Customer's exclusive remedy is to terminate the affected portion of the Service.

8.5 Flow-Down. Kiey imposes data-protection obligations on its Sub-processors that are no less protective than those set forth in this DPA, and remains liable for the acts and omissions of its Sub-processors.


9. DATA SUBJECT RIGHTS / CONSUMER REQUESTS

9.1 Customer Responsibility. The Customer is responsible for responding to requests from Data Subjects to exercise their rights (access, deletion, correction, portability, opt-out of sale/share, opt-out of automated decision-making, etc.) under Applicable Data Protection Law.

9.2 Kiey Assistance. Taking into account the nature of processing, Kiey will provide reasonable assistance to the Customer in responding to such requests, including by providing in-Service tools (export, deletion, account-management) and, where necessary, by responding to specific Customer requests at support@kiey.com.

9.3 Direct Requests. If a Data Subject contacts Kiey directly, Kiey will, where reasonably possible, redirect the Data Subject to the Customer.


10. SECURITY BREACH NOTIFICATION

10.1 Notification. Kiey will notify the Customer without undue delay (target: within seventy-two (72) hours of confirmation) of a confirmed Security Breach affecting Customer Personal Data.

10.2 Contents of Notification. Notification will include, to the extent then known: the nature of the Security Breach, the categories and approximate volume of Personal Data and Data Subjects affected, the likely consequences, and the measures taken or proposed.

10.3 Customer's Responsibility to Notify. The Customer is responsible for any required notifications to regulators (e.g., supervisory authorities under GDPR Article 33; the U.S. state attorneys general; the federal Privacy Commissioner of Canada; the Commission d'accès à l'information du Québec; and so forth) and to Data Subjects. Kiey will reasonably cooperate.

10.4 No Implied Liability. Kiey's notification under this Section is not an admission of fault or liability.


11. RETURN OR DELETION

11.1 On Termination. On termination of the Main Agreement and expiration of the data-export window (Section 17.5 of the Main Agreement), Kiey will delete or return Personal Data, as instructed by the Customer, except as required by law to retain or as needed to defend or pursue legal claims.

11.2 Backups. Personal Data in routine backups is deleted in the ordinary course according to Kiey's retention schedule.

11.3 Anonymized / Aggregated Data. Kiey may retain anonymized, aggregated, or de-identified data that no longer identifies any Data Subject.


12. INTERNATIONAL TRANSFERS

12.1 Cross-Border. Personal Data may be transferred to and processed in the United States and in other jurisdictions where Kiey or its Sub-processors operate.

12.2 EU/EEA Transfers — SCCs. Where the GDPR applies and Personal Data is transferred from the EU/EEA to a third country not covered by an EU adequacy decision, the parties incorporate the SCCs (Implementing Decision (EU) 2021/914 of 4 June 2021) by reference, as follows:

  • Module Two (Controller to Processor) applies where the Customer is the Controller and Kiey is the Processor.
  • Module Three (Processor to Sub-processor) applies between Kiey and its Sub-processors.
  • Annex I.A (Parties): Customer = Data Exporter; Kiey = Data Importer.
  • Annex I.B (Description of Transfer): as set forth in Section 4 above.
  • Annex I.C (Competent Supervisory Authority): the Customer's lead supervisory authority under GDPR.
  • Annex II (Technical and Organizational Measures): as set forth in Annex II of this DPA.
  • Annex III (Sub-processors): https://kiey.com/subprocessors.
  • Clause 7 (Docking clause): incorporated.
  • Clause 11(a) (Independent dispute resolution): not selected.
  • Clause 17 / 18: governing law of an EU Member State / forum of the Data Subject's place of habitual residence; specific selections in Annex I.

12.3 UK Transfers. Where the UK GDPR applies, the parties incorporate the UK Addendum (Version B1.0) by reference. Tables 1–4 are completed by reference to the SCC selections above.

12.4 Swiss Transfers. Where Swiss FADP applies, the SCCs are interpreted with appropriate adjustments (Federal Data Protection Commissioner as supervisory authority, etc.).

12.5 Other Mechanisms. Where another lawful transfer mechanism applies (e.g., Data Privacy Framework certification), the parties may rely on that mechanism in lieu of the SCCs.


13. AUDITS AND ASSESSMENTS

13.1 Right to Audit. Subject to confidentiality and reasonable scope, the Customer may audit Kiey's compliance with this DPA once per twelve-month period upon at least sixty (60) days' written notice.

13.2 Method. Kiey will reasonably respond to the Customer's audit by providing one or more of: (a) responses to a reasonable security questionnaire; (b) a copy of Kiey's most recent SOC 2 Type II report or equivalent (when available); (c) a remote review of policies and procedures.

13.3 On-Site Audits. On-site audits are limited to circumstances where (i) reasonably required by Applicable Data Protection Law (including GDPR Article 28(3)(h)); (ii) (a) and (b) above are inadequate; or (iii) following a confirmed Security Breach affecting the Customer's Personal Data.

13.4 Costs. Each party bears its own costs except where the audit reveals material non-compliance, in which case Kiey bears the reasonable costs.

13.5 Confidentiality. The Customer will treat audit results as Confidential Information.


14. LIABILITY

14.1 Liability Cap. Each party's aggregate liability under this DPA is subject to the limitation of liability in the Main Agreement.

14.2 Apportionment. Where both parties are liable for the same claim, liability is apportioned by responsibility.

14.3 Carve-Outs. As under the Main Agreement.


15. GENERAL

15.1 Term. This DPA remains in effect for the duration of the Main Agreement and any post-termination retention period.

15.2 Order of Precedence (Re-stated). In the event of any conflict, the SCCs / UK Addendum prevail; then this DPA; then the Main Agreement.

15.3 Survival. Provisions that by their nature should survive (including security, confidentiality, audit results, deletion, liability) survive termination.

15.4 Governing Law / Jurisdiction. Governed by the laws of the State of Delaware as set forth in the Main Agreement, except where the SCCs / UK Addendum / GDPR / Quebec Law 25 / PIPEDA require otherwise.

15.5 No Waiver. Failure to enforce is not waiver.

15.6 Entire Agreement. This DPA, the Main Agreement, the SCCs / UK Addendum (where applicable), and the published Sub-processor list constitute the entire agreement on the subject matter.

15.7 Counterparts and Electronic Signatures. This DPA may be executed in counterparts and accepted electronically.


ANNEX I — DETAILS OF PROCESSING

  • A. List of Parties: Customer = Data Exporter; Kiey Holdings, Ltd. = Data Importer.
  • B. Description of Transfer: see DPA Section 4.
  • C. Competent Supervisory Authority: see DPA Section 12.2.

ANNEX II — TECHNICAL AND ORGANIZATIONAL MEASURES

The following measures are in effect as of the Effective Date. Kiey may update these measures provided the level of security is not materially decreased.

1. Encryption

  • In transit: All connections to and from the Service use TLS 1.2 or higher (HTTP Strict Transport Security enabled with max-age=63072000; includeSubDomains; preload).
  • At rest: Personal Data stored in Google Cloud Firestore, Cloud Storage, and Cloud Functions infrastructure is encrypted at rest using AES-256 by default through Google's server-side encryption with Google-managed keys.

2. Access Controls

  • End-user authentication: Firebase Authentication, with phone-number verification (SMS OTP) and email verification.
  • Multi-tenant isolation: Firestore Security Rules enforce tenant scoping using JWT custom claims (tenant_id, user_role); cross-tenant data access is denied at the database layer.
  • Server-side authentication: JWT-based with custom-claim validation on every authenticated endpoint.
  • Administrative access: MFA required for Google Cloud Console, Firebase Console, and source-code repositories. Principle of least privilege applied to engineer access; production access is logged.
  • Super-admin privileges: Step-up authentication via passphrase challenge for sensitive operations.

3. Network Controls

  • HTTPS only: All public endpoints reject non-TLS connections.
  • Security headers: X-Frame-Options DENY, X-Content-Type-Options nosniff, Referrer-Policy same-origin.
  • DDoS mitigation: Provided by Google Cloud's global edge infrastructure.
  • Function isolation: Cloud Functions run in isolated containers with managed runtime; no direct host access.

4. Logging and Monitoring

  • Application logs: Cloud Logging for all Cloud Functions invocations, including method, path, status code, duration, and authentication context.
  • Security audit logs: Sensitive super-admin actions trigger audit-alert events.
  • Error monitoring: Crashlytics and Cloud Error Reporting capture client and server errors.
  • Retention: Logs retained per Google Cloud defaults; security-relevant logs retained for at least 90 days.

5. Vulnerability Management

  • Dependency scanning: Automated scanning of npm dependencies for known vulnerabilities (npm audit / GitHub Dependabot).
  • Patching: Critical security patches applied within 30 days of disclosure; high-severity within 60 days.
  • Code review: All changes to production code subject to pull-request review.
  • Lint and test gates: ESLint and Jest test suites run on every commit; deploy is blocked on test failure.

6. Incident Response

  • Detection: Real-time alerts on authentication anomalies, error spikes, and audit-flagged operations.
  • Triage: Documented incident response runbook (internal).
  • Notification: Confirmed Personal Data breaches notified to Customers without undue delay (target 72 hours), per DPA Section 10.
  • Post-incident: Root-cause analysis and remediation tracked.

7. Vendor / Sub-processor Management

  • Vetted sub-processors: Each sub-processor is contractually bound to comparable security obligations.
  • Public list: https://kiey.com/subprocessors (incorporated into DPA Section 8 and Annex III).
  • Change notice: New or replacement sub-processors are announced with at least 30 days' notice.

8. Personnel

  • Confidentiality: Personnel with access to Personal Data are bound by written confidentiality obligations.
  • Training: Privacy and security training on hire and at least annually.
  • Background checks: Conducted where lawful for personnel with access to Personal Data.

9. Software Development Lifecycle

  • Source control: All code in version control (Git) with full history.
  • Branch protection: Production branches protected; merges require review.
  • Secret management: API keys, signing secrets, and credentials stored in environment-variable files (gitignored) and a canonical secret store; never in source code.

10. Backup and Recovery

  • Firestore: Point-in-time recovery enabled; daily backups retained per Google Cloud retention policy.
  • Restoration: Documented restore procedure; tested periodically.

11. Data Minimization and Retention

  • Minimization: Customer-controlled data collection at signup; no excessive collection.
  • Retention: Per DPA Section 11 and Main Agreement Section 17.5.

12. Physical Security

  • Cloud-only: All Personal Data processed in Google Cloud / Firebase data centers; physical security is provided by Google under its certifications (ISO 27001, SOC 2/3, PCI-DSS, FedRAMP, etc.). Kiey does not operate its own data centers or self-host servers containing Personal Data.

13. Customer-Side Responsibilities

The Customer is responsible for: (a) the security of its own systems and devices; (b) protecting account credentials; (c) configuring user permissions and roles within the Service; (d) the actions of its Users and sub-users; (e) ensuring that Personal Data uploaded to the Service has a lawful basis under Applicable Data Protection Law.

ANNEX III — SUB-PROCESSORS

The current list is at https://kiey.com/subprocessors. As of the Effective Date, sub-processors include (illustrative):

| Sub-processor | Service | Location |
| --- | --- | --- |
| Stripe, Inc. | Payment processing | USA |
| Twilio Inc. | SMS, voice, messaging | USA |
| Anthropic, PBC | AI / LLM | USA |
| Google LLC (Firebase + GCP) | Hosting, database, FCM, auth | USA |
| Apple Inc. | iOS distribution, APNs | USA |
| Google LLC (Play) | Android distribution | USA |

END OF DOCUMENT.

Kiey is a technology platform and does not provide home services. © 2026 Kiey Holdings, Ltd. All Rights Reserved.