KeyPort LogoKeyPort
Legal Document

Data Processing Agreement

Effective Date: April 14, 2026 Last Updated: April 14, 2026

This Data Processing Agreement ("DPA") governs the processing of Personal Data by KeyPort ("Processor") on behalf of its customers ("Controller") in connection with the Service. This DPA forms part of the Terms of Service.

1. Definitions

  • Controller: The developer or organization that uses KeyPort to manage licenses for its own users.
  • Processor: KeyPort, which processes data on behalf of the Controller.
  • Personal Data: Any information relating to an identified or identifiable natural person (i.e., your customers' email addresses, Discord IDs, and IP addresses).
  • Data Processing: Any operation performed on Personal Data, such as collection, storage, use, or erasure.

2. Roles and Responsibilities

2.1 Controller

The Controller is responsible for ensuring that it has a valid legal basis for collecting and processing its users' Personal Data. The Controller must provide its users with a clear privacy policy that accurately describes its data practices, including the use of third-party processors like KeyPort.

2.2 Processor

The Processor shall process Personal Data only on the documented instructions of the Controller (as outlined in these Terms and the API documentation) and solely for the purpose of providing the Service. The Processor shall comply with all applicable data protection laws in India, including the Information Technology Act, 2000 and the Digital Personal Data Protection Act, 2023 when applicable.

3. Security Measures

The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. These measures include:

  • Encryption of data in transit (TLS)
  • Hashing of sensitive identifiers (bcrypt/SHA-256)
  • Access controls to prevent unauthorized access to the database
  • Robust backup and recovery procedures
  • Regular security audits and vulnerability monitoring

4. Sub-Processors

The Controller authorizes the Processor to engage the following sub-processors to assist in delivering the Service:

  • Supabase — database hosting (PostgreSQL, hosted on AWS ap-south-1): Database and infrastructure hosting
  • Vercel: Frontend and API hosting
  • Zoho SMTP: Transactional email delivery
  • Dodo Payments: Billing and payment processing
  • Cloudflare: Security, DDoS protection, and DNS

The Processor shall ensure that any sub-processor it engages is bound by data protection obligations at least as restrictive as those outlined in this DPA.

5. Data Subject Rights

The Processor shall assist the Controller in fulfilling its obligation to respond to requests from data subjects (end-users) to exercise their rights (e.g., access, deletion, or correction). If a data subject contacts the Processor directly, the Processor will redirect them to the Controller.

6. Personal Data Breach

In the event of a Personal Data Breach that affects the Controller's data, the Processor shall notify the Controller without undue delay, and in any event within 48 hours of becoming aware of the breach. The notification shall include a description of the nature of the breach, its potential impact, and the measures being taken to mitigate it.

7. Audit and Compliance

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA. Upon reasonable request and with 30 days notice, the Processor shall allow for and contribute to audits conducted by the Controller or an independent auditor.

8. Data Deletion

Upon termination of the Service, the Processor shall delete or return all Personal Data to the Controller, except where required by law to retain certain records for tax or legal purposes. Our standard retention period for deleted data is 30 days.

9. Governing Law

This DPA is governed by the laws of India. Any disputes arising from this agreement shall be subject to the exclusive jurisdiction of the courts in Ahmedabad, Gujarat, India.

10. Changes to This Agreement

We may update this DPA from time to time. We will notify you of material changes by email or notice on the Service. Continued use after changes constitutes acceptance.

While we typically aim to provide reasonable prior notice (at least 7 days where practicable) for material updates, some changes—including those related to security, sub-processor infrastructure, or legal compliance—may apply immediately at our discretion. On any changes, we will notify you via email or a notification in your dashboard.

11. Contact

If you have questions regarding this DPA or our data processing practices, please contact us. We respond within 48 hours (excluding weekends and public holidays):
Email: email@keyport.sbs
Website: keyport.sbs