Privacy Policy
Data Protection
This Data Protection Schedule ("Schedule" or “DPA”) forms part of the contract for cybersecurity, data input, data output, data processing, e-discovery, hosting, information governance, and/or document review services ("Contract") between Client and Ketrone, acting on its own behalf and in the name and on behalf of each Ketrone Affiliate.
The Parties hereby agree that this DPA forms part of the Contract with Ketrone to which it is an attachment.
Definitions
In this Schedule, unless otherwise defined herein, all defined terms shall have the meaning set out in the Contract.
The following terms shall have the meanings set out below:
- "Affiliate" means an entity that owns or controls, is owned or controlled by, or is under common control or ownership with either Client or Ketrone (as the context allows), where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.
- "Client" shall have the meaning ascribed to it in the Contract.
- "Controller Activities" means the Processing of Personal Data by Ketrone in circumstances in which Ketrone determines the purposes and means of the Processing, in particular where Ketrone takes relevant decisions concerning the collection and use of Personal Data in connection with the delivery of services to the Client, or is subject to applicable European Union or Member State law determining how Personal Data must be Processed.
- "Data Protection Laws" means all legislation protecting the personal data of natural persons that is applicable to the processing of Client Personal Data, including (without limitation) DIFC Data Protection Law No. 5 of 2020, the GDPR and any national legislation which supplements the GDPR and the data protection laws of any other country, state, or territory which apply to such processing.
- "DIFC" means the Dubai International Financial Centre.
- "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of personal data and on the free movement of such data.
- The terms "Controller," "Processor," "Data Subject," "Personal Data," "Personal Data Breach," "Process/Processing," and "Sub-Processor" have the same meaning as described in the Data Protection Laws.
- "Legal Process" means any criminal, civil, or administrative subpoena, mandatory request, warrant, or court order issued by a Public Body.
- "Public Body" means any law enforcement or intelligence authority, regulator, government department, agency, or court in any country or territory that is not part of the European Economic Area.
- "Processor Activities" means the Processing of Personal Data by Ketrone in circumstances in which Ketrone Processes Personal Data on behalf of the Client or any Client Affiliate.
- "Services" means the services provided by Ketrone to Client under the Contract. They include the web platform at "ketrone.io" as well as the "Ketrone" Office AddIn and any other service supporting the processing, such as storage or compute.
Role of the Parties
The parties acknowledge and agree that with regard to the Processing of Personal Data, and as more fully described in Annex 1 hereto, Ketrone acts as a Processor on behalf of the Client in respect of the Processor Activities and Ketrone acts as a Controller in respect of the Controller Activities.
- Where Ketrone is acting as a Processor, the terms of Part A of this Schedule shall apply.
- Where Ketrone is acting as a Controller, the terms of Part B of this Schedule shall apply.
- Part C of this Schedule shall apply equally to both the Controller Activities and the Processor Activities.
- Where applicable, references to the GDPR shall incorporate references to other applicable local laws, including without limitation, equivalent provisions in the DIFC Data Protection Law No. 5 of 2020 (as amended).
Description of Personal Data Processing
In Annex 1 to this Schedule, the parties have set out their understanding of the Personal Data to be Processed by Ketrone pursuant to this Schedule ("Client Personal Data").
PART A: Data Processing Terms
In the course of performing their mutual obligations pursuant to the Contract, both parties shall duly observe and comply with their respective obligations under the Data Protection Laws.
Ketrone agrees to:
- Process the Client Personal Data solely on the documented instructions of Client.
- Take all measures reasonably appropriate in accordance with Data Protection Laws to ensure the security of the Personal Data.
- Ensure that any staff who may have access to the Client Personal Data commit themselves to contractual or statutory obligations of confidentiality.
- Be expressly and specifically authorized to use any Ketrone Affiliate as a Sub-Processor.
- Be generally authorized to engage any other Sub-Processor.
- Notify Client without undue delay of any Personal Data Breach.
- Provide commercially reasonable assistance requested by Client in relation to data protection impact assessments.
- Cease Processing the Client Personal Data upon termination or expiry of the Contract and delete or return Personal Data as instructed.
Client shall ensure that, wherever it discloses Client Personal Data to Ketrone, it is authorized to do so in accordance with the Data Protection Laws.
PART B: Controller Terms
Ketrone and the Client will each act as separate and individual Controllers in relation to any Personal Data Processed.
- Ketrone and the Client will each comply with their own respective obligations under the Data Protection Laws.
- Ketrone may appoint Processors as required to deliver the services.
- Ketrone and the Client will each respond to enquiries from Data Subjects and relevant authorities concerning Processing of Personal Data.
- Ketrone may disclose Personal Data to other Controllers where necessary to deliver services.
- The Client acknowledges that certain transfers of Personal Data may require cross-border processing.
PART C: Back-Up Location & Precedence
- The Client acknowledges that Ketrone’s email records are replicated onto Google systems in the United States and European Union.
- The provisions of this Schedule are supplemental to the Contract. In the event of inconsistencies, this Schedule shall prevail.
Annex 1: Description of Personal Data Processing
- Subject matter and duration of the Processing.
- The processing concerns user data processed at the user request within one of the Services.
- The processing will continue as long as the user maintains an active account.
- Client data is never used to train or improve services unless duly authorized by the Client.
- Nature and purpose of the Processing.
- Web Platform: The web platform collects names and emails to manage user accounts. Chat logs and processed responses are stored to provide the service.
- 1. Data collected: Names, emails, chat logs, processed responses, documents that are stored at the request of the Client in the offered Secure Vault service.
- 2. Purpose: User account management, service delivery.
- Word AddIn: The Word AddIn functions solely as a processor and does not collect any user data. The Word AddIn only processes data on behalf of the user, meaning that no data is stored by Ketrone when using the Word AddIn.
- Types of Personal Data Processed: Names, email addresses, chat content, document content and any data shared by the user during the request.
- Categories of Data Subjects.
- Users of the web platform.
- Users of the Word AddIn.
- Obligations and rights of the Client.
- Client is responsible for the accuracy of the data that is provided.
- Client can use the processed data without limitation.
- Ketrone cannot be held responsible for incorrect data output, and the Client has the responsibility to verify the output data.
- The Client can send a written request for a full deletion of its stored data at any time. The request will be processed within 7 working days.
- Retention period of Personal Data subject to Restricted Transfers.
- Data is stored in Google Cloud Platform.
- Client Data is kept for as long as the Client maintains an active account with Ketrone.
Annex 2: Technical and Organizational Security Measures
Ketrone shall implement the security measures specified on the TRUSTGood