Data Processing Agreement
Axeman Technology Solutions LLP · Keywords Everywhere · Last updated: July 2026
This Data Processing Agreement (“DPA”) forms part of the agreement between:
Axeman Technology Solutions LLP, a limited liability partnership registered in India with its address at 502 B Anisha Apartments, Yari Road, Versova, Mumbai 400061, Maharashtra, India, operating the Keywords Everywhere service (the “Processor”),
and
the customer that accepts the Keywords Everywhere Terms of Service or uses the Services (the “Controller”).
This DPA applies where, and to the extent that, the Processor Processes Personal Data on behalf of the Controller in providing the Services. It is incorporated into the Principal Agreement by reference and takes effect automatically upon the Controller’s acceptance of the Principal Agreement or first use of the Services, whichever occurs first. No signature is required for this DPA to be effective.
The parties acknowledge that this Agreement is intended to comply with the requirements of the Digital Personal Data Protection Act, 2023 (India), the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the UK GDPR and other applicable Data Protection Laws. In the event of any inconsistency between the provisions of this DPA and the mandatory requirement of any applicable Data Protection Laws, the mandatory provisions of such applicable Data Protection Laws shall prevail to the extent of such inconsistency.
1. Definitions
1.1“Data Protection Laws” means all laws applicable to the Processing of Personal Data under this DPA, including:
(a)the EU General Data Protection Regulation 2016/679 (“GDPR”);
(b)the UK GDPR;
(c)applicable US state privacy laws such as the California Consumer Privacy Act (“CCPA”), in each case as amended from time to time;
(d)the Digital Personal Data Protection Act, 2023 (India), the Digital Personal Data Protection Rules, 2025, and any amendments or subordinate legislation issued thereunder; and
(e)any other applicable privacy or data protection law.
1.2“Personal Data” means any information relating to an identified or identifiable natural person that is Processed by the Processor on behalf of the Controller in connection with the Services, as described in Annex 1.
1.3“Processing”, “Controller”, “Processor”, “Data Subject” and “Personal Data Breach” have the meanings given to them in the GDPR, and “Process” is construed accordingly. Where the Processing is subject to the Digital Personal Data Protection Act, 2023, the terms “Data Fiduciary”, “Data Processor” and “Data Principal” shall have the meanings assigned to them under the Digital Personal Data Protection Act, 2023 and references in this DPA to “Controller” shall include a Data Fiduciary, references to “Processor” shall include a Data Processor and references to “Data Subject” shall include a Data Principal where the context so requires.
1.4“Principal Agreement” means the Keywords Everywhere Terms of Service available at https://keywordseverywhere.com/terms.html, together with the Controller’s subscription or order for the Services.
1.5“Services” means the Keywords Everywhere browser extension, website, APIs and related services provided by the Processor under the Principal Agreement.
1.6“Sub Processor” means any third party engaged by the Processor to Process Personal Data on behalf of the Controller.
1.7“Data Principal” shall have the meaning assigned to it under the Digital Personal Data Protection Act, 2023.
2. Scope and Roles
2.1This DPA applies where, and to the extent that, the Processor Processes Personal Data on behalf of the Controller in the course of providing the Services.
2.2The parties acknowledge that, where the Digital Personal Data Protection Act, 2023, applies, the Controller shall be regarded as the Data Fiduciary and the Processor shall be regarded as the Data Processor for the purposes of such Act.
2.3To the extent the CCPA applies, the Processor acts as a “service provider” and shall not sell or share Personal Data, shall not retain, use or disclose Personal Data other than to provide the Services or as otherwise permitted by the CCPA, and shall not combine Personal Data with information received from other sources except as permitted by the CCPA.
2.4In the event of a conflict between this DPA and the Principal Agreement with respect to the Processing of Personal Data, this DPA prevails.
3. Processing Instructions
3.1The Processor shall Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by applicable law; in such a case, the Processor shall inform the Controller of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.
3.2The Principal Agreement, this DPA and the Controller’s configuration and use of the Services constitute the Controller’s complete documented instructions. Any additional instructions require the prior written agreement of both parties.
3.3The Processor shall promptly inform the Controller if, in its opinion, an instruction infringes Data Protection Laws.
3.4The Processor shall process Personal Data only for the purposes specified by the Controller/Data Fiduciary and in accordance with its documented instructions. The Processor shall not process Personal Data for any purpose incompatible with the specified purpose unless required by applicable law.
4. Personnel and Confidentiality
4.1The Processor shall ensure that persons authorised to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4.2The Processor shall limit access to Personal Data to personnel who require such access to perform the Services.
5. Security
5.1Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risks to Data Subjects, the Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including the measures described in Annex 2.
5.2The Processor may update the measures in Annex 2 from time to time, provided that such updates do not materially reduce the overall level of protection of Personal Data.
5.3The Processor shall implement and maintain reasonable technical and organisational security safeguards in accordance with Section 8(5) of the Digital Personal Data Protection Act, 2023, to prevent personal data breaches and shall periodically review and update such safeguards.
6. Sub Processors
6.1The Controller provides a general authorisation for the Processor to engage the Sub Processors listed in Annex 3.
6.2The Processor shall give the Controller at least 30 days’ prior notice, by email or by updating the Sub Processor list published at https://keywordseverywhere.com/dpa.html, of the addition or replacement of any Sub Processor. The Controller may object in writing on reasonable data protection grounds within that notice period. If the parties are unable to resolve the objection, the Controller may terminate the affected Services in accordance with the Principal Agreement.
6.3The Processor shall impose on each Sub Processor data protection obligations that are no less protective than those set out in this DPA and remains fully liable to the Controller for the performance of each Sub Processor’s obligations.
6.4The Processor shall use commercially reasonable efforts to engage Sub Processors that maintain appropriate technical and organisational security measures and provide contractual or publicly documented privacy and security commitments appropriate to the nature of the processing.
7. Data Subject Requests
7.1Taking into account the nature of the Processing, the Processor shall assist the Controller by appropriate technical and organisational measures, in so far as this is possible, in fulfilling the Controller’s obligation to respond to requests from Data Subjects exercising their rights (including access, rectification, correction, updating, erasure, restriction, portability, objection and, where applicable, the rights of Data Principals under the Digital Personal Data Protection Act, 2023).
7.2If the Processor receives a request from a Data Subject relating to Personal Data Processed on behalf of the Controller, it shall promptly forward the request to the Controller and shall not respond to it directly, except to direct the Data Subject to the Controller or where required by applicable law.
8. Personal Data Breach
8.1The Processor shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting the Controller’s Personal Data processed under this Agreement. Where the Processing is subject to the Digital Personal Data Protection Act, 2023, the Processor shall provide all information reasonably required to enable the Controller/Data Fiduciary to comply with its statutory notification obligations under the applicable law.
8.2To the extent then known, the notification shall describe the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach and mitigate its effects. The Processor may provide this information in phases as it becomes available.
8.3The Processor shall provide reasonable cooperation to the Controller in the investigation, mitigation and remediation of any such breach. The Processor shall also provide such assistance as may reasonably be required to enable the Controller to comply with its obligations under the Digital Personal Data Protection Act, 2023 and the Digital Data Protection Rules, 2025.
9. Assistance
9.1Taking into account the nature of the Processing and the information available to it, the Processor shall provide reasonable assistance to the Controller with data protection impact assessments and prior consultations with supervisory authorities, where required of the Controller under Data Protection Laws and related to the Services.
10. Deletion and Return of Personal Data
10.1Upon termination or expiry of the Services, the Processor shall, at the Controller’s choice, delete or return the Personal Data and delete existing copies, unless applicable law requires further storage of the Personal Data. Personal Data shall not be retained for longer than is necessary to fulfil the purpose for which it was processed, except where retention is required under the applicable law.
10.2Personal Data held in routine backups shall be deleted or overwritten in accordance with the Processor’s standard backup rotation cycle of no more than 90 days and shall remain subject to the protections of this DPA until deleted.
10.3The Processor shall retain Personal Data only for so long as necessary to fulfil the purposes of Processing or as required under applicable law, including the Digital Personal Data Protection Act, 2023.
11. Audit and Information
11.1The Processor shall make available to the Controller information reasonably necessary to demonstrate compliance with this DPA, including by completing the Controller’s reasonable written security questionnaires no more than once in any 12 month period.
11.2Where Data Protection Laws grant the Controller a mandatory audit right that cannot be satisfied under clause 11.1, the Controller may audit the Processor’s relevant Processing activities, subject to at least 30 days’ written notice, during normal business hours, no more than once in any 12 month period (except following a Personal Data Breach), at the Controller’s own cost, and subject to reasonable confidentiality and security requirements. Audits shall not require access to systems or data of the Processor’s other customers.
12. International Transfers
12.1Personal Data is primarily stored in data centres located in the European Union and may also be stored in the United States. Personal Data is accessed by the Processor’s personnel in India for the purposes of providing, supporting and maintaining the Services.
12.2Where a transfer of Personal Data originating from the EEA, the United Kingdom or Switzerland to a country not recognised as providing an adequate level of protection is subject to the GDPR or the UK GDPR, the parties agree that the EU Standard Contractual Clauses (Module Two: transfer controller to processor) adopted by Commission Implementing Decision (EU) 2021/914, and the UK International Data Transfer Addendum where applicable, are incorporated into this DPA by reference. Annexes 1 to 3 of this DPA serve as the corresponding annexes to those clauses. In the event of a conflict, the Standard Contractual Clauses prevail.
12.3Where Personal Data originates from India, any transfer outside India shall be subject to the Digital Personal Data Protection Act, 2023 and any restrictions or directions issued by the Government of India from time to time.
13. Grievance Redressal
13.1The Processor shall designate a Grievance Officer for addressing complaints relating to the processing of personal data under this Agreement and shall make the contact details of such Grievance Officer available to the Controller upon request.
14. Liability
14.1Each party’s liability arising out of or related to this DPA is subject to the exclusions and limitations of liability set out in the Principal Agreement.
15. Term
15.1This DPA takes effect upon the Controller’s acceptance of the Principal Agreement or first use of the Services, whichever occurs first, and remains in force for as long as the Processor Processes Personal Data on behalf of the Controller.
16. General
16.1This DPA is governed by the laws governing the Principal Agreement, being the laws of India, and the parties submit to the exclusive jurisdiction of the courts of Mumbai, India, except where Data Protection Laws require otherwise.
16.2If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions remain in full force, and the invalid provision shall be replaced by a valid provision that most closely reflects its commercial intent.
16.3Notices under this DPA shall be sent to the Processor at privacy@keywordseverywhere.com and to the Controller at the email address associated with its account.
16.4Except as expressly amended by this DPA, the Principal Agreement remains unchanged and in full force.
16.5The Processor may update this DPA from time to time, including to reflect changes in Data Protection Laws or the Services. The current version will always be available at https://keywordseverywhere.com/dpa.html, and the Processor will provide notice of material changes by email or within the Services. Changes to the Sub Processor list follow the notice process in clause 6.2. Continued use of the Services after the effective date of an update constitutes acceptance of the updated DPA.
16.6Nothing in this Agreement shall relieve either party from complying with its obligations under the Digital Personal Data Protection Act, 2023 or any other applicable Data Protection Laws.
17. Notices and Consent
17.1The Controller shall ensure that all required privacy notices are provided to Data Subjects or Data Principals and that valid consent or another lawful basis for Processing exists where required under the applicable Data Protection Laws.
Annex 1: Details of Processing
| Subject matter | Processing of Personal Data in connection with the provision of the Keywords Everywhere Services to the Controller. |
|---|---|
| Duration | The term of the Principal Agreement, plus the deletion period set out in clause 10. |
| Nature and purpose | Hosting, storage, retrieval, display and analysis of data submitted by the Controller’s users in order to provide keyword research, search metrics and related functionality; account administration; billing; fraud prevention, regulatory compliance, customer support, information security and compliance with applicable law. |
| Categories of Data Subjects | The Controller’s employees, contractors and other individuals authorised by the Controller to use the Services. |
| Categories of Personal Data | Name; business email address; account API keys; IP address; browser and device information; usage data; keyword queries, domains and related search metrics submitted to the Services; billing contact details. Payments are processed by Paddle as merchant of record; the Processor does not store payment card data. |
| Special categories | None. The Services are not designed for special categories of Personal Data and the Controller shall not submit such data to the Services. |
| Frequency | Continuous, for the duration of the Services. |
Annex 2: Technical and Organisational Measures
The Processor maintains the following technical and organisational measures:
- Encryption in transit. Data transmitted between users and the Services is encrypted using TLS 1.2 or higher.
- Access control. Administrative access to production systems is restricted to a small number of named personnel, is authenticated using SSH keys with password authentication disabled, and is conducted over a private VPN.
- Network security. Host firewalls restrict inbound traffic to required services only.
- Authentication. The Services do not use passwords. Access is authenticated using unique per user API keys transmitted only over TLS, which removes the risk of a password database compromise. API keys can be reset if compromised.
- Least privilege. Access rights are granted on a need to know basis and are reviewed periodically. Access is revoked promptly upon role change or departure.
- Backups. Production databases are backed up regularly, with backups retained on a rolling basis of no more than 90 days.
- Patching. Security updates are applied to production systems on an ongoing basis.
- Logging and monitoring. System and application logs are maintained, and uptime and health monitoring alert personnel to incidents.
- Personnel. A small team bound by confidentiality obligations operates the Services.
- Physical security. Production infrastructure is hosted in professional data centres operated by Hetzner Online GmbH and Akamai Technologies (Linode), each of which maintains industry standard physical security controls and holds its own security certifications (including ISO 27001 and SOC 2 at the provider level).
Annex 3: Approved Sub Processors
| Sub Processor | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | Infrastructure hosting | Germany, Finland |
| Akamai Technologies, Inc. (Linode) | Cloud hosting | United States, EU |
| Cloudflare, Inc. | DNS, CDN and network security | United States (global network) |
| Amazon Web Services, Inc. | Email delivery (Amazon SES) | United States, EU |
| Twilio Inc. (SendGrid) | Transactional email delivery | United States |
| Paddle.com Market Ltd | Global Reseller (merchant of record) | United Kingdom |
Axeman Technology Solutions LLP · 502 B Anisha Apartments, Yari Road, Versova, Mumbai 400061, Maharashtra, India · privacy@keywordseverywhere.com