Terms & Conditions


KEKA – Terms of Service

Keka Technologies Private Limited (“Keka”, “we”, “us” or “our”) is a pioneering, technology-powered integrated service provider with a unique model rendering human resource management solutions.

Your use of the Website, application or Keka Platform, owned and managed by Keka, are governed by the following terms and conditions of this Agreement as applicable to the Website, application or Keka Platform, including the applicable policies which are incorporated herein by way of reference. By mere use of the Website, application or Keka Platform, You shall be contracting with Keka and these Terms including the policies constitute your binding obligations with Keka.

IF YOU ARE USING ANY SERVICE AS AN EMPLOYEE, AGENT, OR CONTRACTOR OF A CORPORATION, PARTNERSHIP OR ANY OTHER ENTITY, THEN YOU REPRESENT AND WARRANT THAT YOU HAVE THE AUTHORITY TO SIGN FOR AND BIND SUCH ENTITY IN ORDER TO ACCEPT THE TERMS OF THIS AGREEMENT. THE RIGHTS GRANTED UNDER THIS AGREEMENT ARE EXPRESSLY CONDITIONED UPON ACCEPTANCE BY SUCH AUTHORIZED PERSONNEL.

Services offered by Keka are subject to the terms of our website/platform, policies [i.e. Terms of Use, Privacy Policy, Cancellation and Refund Policy etc.] (“Policies”), available at ‘https://www.keka.com/’ (“Website”). By contacting Keka for the services or availing the services or by registering with us or by accepting this Agreement, now or in the future, you being the person or entity placing an order for or accessing the Service (“Subscriber” or “Customer” “you”, “your”, “yourself” or “user”) signify that you agree to these Terms of the Agreement (“Terms”) and the Policies.

1. Definitions

1.1. "Affiliates" shall mean any entity which directly or indirectly controls, is controlled by, or is under common control with the subject entity. "Control" for the purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

1.2. “Agreement” means this Master Subscription Agreement, including the Service Level Agreement, Data Processing Agreement, Security Agreement, and any other exhibits, addenda, or attachments hereto, and any fully executed Order Form.

1.3. "Authorised User" shall mean an individual user for whom a user license has been purchased by Subscriber pursuant to the terms of the Invoice and this Agreement, and to whom unique user credentials have been given to access Keka Platform. Authorised Users may include employees, individual contractors or consultants of Subscriber or Subscriber's Affiliates or third party service providers.

1.4. "Confidential Information" shall mean all information disclosed by a party ("Disclosing Party") to the other party ("Receiving Party"), whether orally or in writing, that is designated as confidential or that reasonably should be understood to be confidential given the nature of the information and the circumstances of disclosure. Keka's Confidential Information shall include the terms of this Agreement and all Invoices (including all non-public pricing information). Confidential Information of each party shall include (without limitation) the business and marketing plans, technology and technical information, product plans and designs, and business processes disclosed by such party. However, Confidential Information shall not include any information that (i) is or becomes generally known to the public without breach of obligation owed to the Disclosing Party, (ii) was known to the Receiving Party prior to its disclosure by the Disclosing Party without breach of any obligation to the Disclosing Party, (iii) is received from a third party without breach of any obligation owed to the Disclosing Party, or (iv) was independently developed by the Receiving Party without the use of Disclosing Party's Confidential Information.

1.5. “Subscriber Data” means electronic data or information submitted to the Keka Platform by Subscriber.

1.6. “Subscriber Input” means suggestions, enhancement requests, recommendations or other feedback provided by Subscriber, its Employees relating to the operation or functionality of the Keka Platform.

1.7. "Documentation" shall mean the user manuals and documentation(s), whether in written or electronic form, provided by Keka to the Subscriber from time to time detailing the features, functionalities and operation of the Keka Platform.

1.8. “Employee” or “Worker” means employees, consultants, contingent workers, independent contractors, and retirees of Subscriber and its Affiliates, whether actively employed or terminated, whose business record(s) are or may be managed by the Service and for whom a subscription to the Service has been purchased in an Order Form.

1.9. “Improvements” means all improvements, updates, enhancements, error corrections, bug fixes, release notes, upgrades and changes to the Service and Documentation, as developed by Keka and made generally available for Production use without a separate charge to Subscribers.

1.10. “Intellectual Property” or “IP” shall mean all intellectual property (whether registered or not) including but not limited to patents, designs, literary work, artistic work, audio, video, any translations, adaptations, computer programme and/or any other works, materials, software, source, executable or object code, documentation, methods, apparatus, systems and the like, any copyrightable/patentable material, trade secrets and all trademarks and trade names and any other materials that can be protected under existing or future intellectual property rights in India or any other applicable jurisdiction.

1.11. “Intellectual Property Rights” means any and all common law, statutory and other industrial property rights and intellectual property rights, including copyrights, trademarks, trade secrets, patents and other proprietary rights in the IP issued, honoured or enforceable under any applicable laws anywhere in the world, and all moral rights related thereto.

1.12. “Law” means any local, state, national and/or foreign law, treaties, and/or regulations applicable to the respective party.

1.13. “Malicious Code” means viruses, worms, time bombs, Trojan horses and other malicious code, files, scripts, agents, bots or programs.

1.14. “Order Form” means the ordering documents under which Subscriber subscribes to the Service which is fully executed pursuant to this Agreement.

1.15. “Personal Data” has the definition set forth in the Exhibit 2.

1.16. “Production” means the Subscriber’s use of or Keka’s written verification of the availability of the Service (i) to administer Employees; (ii) to generate data for Subscriber’s books/records; or (iii) in any decision support capacity.

1.17. “Security Breach” means (i) any actual or reasonably suspected unauthorized use of, loss of, access to or disclosure of, Subscriber Data; provided that an incidental disclosure of Subscriber Data to an Authorized Party or Keka, or incidental access to Subscriber Data by an Authorized Party or Keka, where no reasonable suspicion exists that such disclosure or access involves theft, or is fraudulent, criminal or malicious in nature, shall not be considered a “Security Breach” for purposes of this definition, unless such incidental disclosure or incidental access triggers a notification obligation under any applicable Law and (ii) any security breach (or substantially similar term) as defined by applicable Law.

1.18. “Keka Platform” means Keka’s software-as-a-service applications as described in the Documentation and subscribed to under an Order Form.

1.19. "Non-Keka Services" shall mean third party applications, services, software, networks, systems, websites or databases that are integrated with the Keka Platform to interoperate with the Keka Platform.

1.20. "Invoice" shall mean the document evidencing a subscription to Keka Services that specifies the description of services subscribed, subscription plan, Subscription Period, number of user licenses purchased and applicable fees.

1.21. “Subscriber Data” shall mean electronic data and information submitted to and stored within the Keka Platform by the Subscriber or an Authorized User as a result of Subscriber’s or Authorised User's use of the Keka Platform.

1.22. “Subscription Period(s)” shall mean, in respect of each of the Keka Platform, the duration of validity of each fee-based subscription plan purchased by Subscriber.

1.23. "Usage Limits" shall mean the limits on use of each of the Keka Platform corresponding to the fee-based subscription plan purchased by the Subscriber.

1.24. "Taxes" shall mean all taxes, duties, levies, imposts, fines or similar governmental assessments, including sales and use taxes, value-added taxes, goods and services taxes, excise, business, service, and other similar transactional taxes imposed by any local, state, provincial or foreign jurisdiction and include the interest and penalties thereon.

1.25. "Terms of Service" shall mean the terms and conditions available for access and use of the Keka Platform, as modified from time to time.

2. Use of the Keka Platform, Restrictions and Responsibilities.

2.1. Rights Granted. Subject to the terms and conditions of this Agreement, Keka will make the Keka Platform available to Subscribers for the Subscription Period as set out in the Invoice. Keka grants Subscriber a revocable, non-exclusive, non-transferable right and limited license to access, use and, where applicable, download the Keka Platform during such Subscription Period for Subscriber’s internal business purposes. If the Subscriber exceeds the Usage Limits of the Keka Platform or functionalities within the Keka Platform, Subscriber may purchase additional quantities of the Keka Platform by making payment(s) for such excess usage.

2.2. Usage Restrictions. Subscriber shall not and shall not permit its Authorised Users to:

  1. copy, modify, create derivative works or otherwise attempt to gain unauthorised access to the Keka Platform.
  2. except as permitted under applicable law, attempt to disassemble, reverse engineer or decompile the Keka Platform.
  3. use the Keka Platform on behalf of any third party or include the Keka Platform as part of service bureau or provide any business process service.
  4. use the Keka Platform in any manner that interferes with or disrupts the integrity, security or performance of the Keka Platform, its components and the data contained therein.
  5. sell, resell, license, sublicense, rent, lease, transfer, assign or otherwise make the Keka Platform available to any third-party without an Authorised User subscription.
  6. use the Keka Platform to send or store material containing software viruses, worms or other harmful computer codes, files, scripts or programs.
  7. Upload or transmit (or attempt to upload or to transmit) any material that acts as a passive or active information collection or transmission mechanism, including without limitation, clear graphics interchange formats (“gifs”), 1×1 pixels, web bugs, cookies, or other similar devices (sometimes referred to as “spyware” or “passive collection mechanisms” or “pcms”).
  8. use the Keka Platform to store or transmit any material that is unlawful, abusive, malicious, harassing, tortious, defamatory, vulgar, obscene, libellous, or violates any third party rights
  9. permit direct or indirect access to or use of the Keka Platform in a way that circumvents the Usage Limits.
  10. use the Keka Platform in any manner that could damage, disable, overburden, impair or harm any server, network, computer system, or resource of Keka.
  11. allow Authorised User licenses to be shared or used by more than one individual other than by way of reassigning the user license to a new user.
  12. remove or obscure any proprietary or other notices contained in the Keka Platform.
  13. attempt to gain unauthorized access to the Keka Platform (including features and functionality) or its related systems or network.
  14. use the Keka Platform for any form of competitive or benchmarking purposes.

2.3. Subscriber Responsibilities. Subscriber shall be responsible for (i) providing accurate, current and complete information regarding the Subscriber in connection with Subscriber's access and use of the Keka Platform; (ii) Authorized Users' compliance with the Agreement, Documentation and Invoice; (iii) accuracy, quality and legality of the Subscriber Data; (iv) means by which the Subscriber Data was acquired and Subscriber's use of the Subscriber Data; (v) using commercially reasonable efforts to prevent unauthorised access to or use of the Keka Platform; (vi) using the Keka Platform in accordance with this Agreement, Documentation and Invoice; (vii) all activities that occur under Subscriber's account; and (viii) compliance with all applicable laws and regulations;.

3. Fees and Payments

3.1. Fees: Subscriber will pay to Keka, without any deductions, the fees set forth in the applicable Invoice. Except as otherwise specified in the Agreement, all payment obligations are non-cancellable and all amounts paid are non-refundable whether or not the Keka Platform is actively being used. Additional charges will apply for additional purchases or usage in excess of the purchased subscription(s). All pricing terms provided for the Subscriber are confidential and Subscriber agrees not to disclose them to any third party without Keka’s prior written authorization.

3.2. Invoicing and Payment: Payments for Subscription Period of less than one (1) year shall be made through Keka's online store using a credit card or online banking facilities. Offline or manual payment options are not entertained. The Subscription Period will commence only upon receipt of payment or a purchase order acceptable to Keka. Subscriber shall be responsible for providing complete and accurate payment information to Keka. Subscriber shall promptly update any change in the billing information. If a purchase order raised by the Subscriber is accepted by Keka, the payment must be made by the Subscriber within fifteen (15) days from the receipt of an invoice by email, unless otherwise stated in the Invoice.

3.3. The Subscription Fee paid by the Subscriber shall be converted into service credits (“Keka Service Credits”) which will be stored in a Subscriber e-wallet (“Keka Wallet”) provided by Keka, created pursuant to the aforementioned License under clause 2 of this Agreement. For the purpose of this Agreement, one (1) Keka Service Credit shall be equivalent to one (1) currency unit as the case may be.

3.4. The Subscriber will be able to use the Keka Service Credits from its Keka Wallet for its use of the Software. Upon the expiry of the Keka Service Credits and subject to the billing cycle provided under the Order Form, the Subscriber shall be liable to top-up the Keka Wallet according to its usage of the Software.

3.5. Overdue Payments. Undisputed overdue payments shall bear interest at the rate of one (1)% per month or the maximum rate allowed under applicable law. Subscriber acknowledges and accepts that non-payment of any undisputed fees within the term defined in the applicable Invoice constitutes a material breach of this Agreement and that Keka shall have the right to: (i) block and/or suspend the access to the Keka Platform until all such due and undisputed amounts and applicable interests, if any, have been paid; and/or (ii) terminate the Agreement as specified under Term and termination clause of this Agreement.

3.6. Payment Disputes: In the event Subscriber has any disputes with regard to the invoice raised by Keka, then the Subscriber shall raise the same within five (5) business days from the date of receipt of invoice. Subscriber shall not be considered to have defaulted on Subscriber's payment obligations under this Section, if the Subscriber (i) has disputed the fees in good faith in accordance with clause 3.6and is co-operating diligently to resolve the dispute; and (ii) remits payment for any undisputed amounts in a timely manner.

3.7. Taxes: Subscriber shall be responsible for paying the Taxes in addition to the fees applicable for the Keka Platform as specified in the Invoice. If the Subscriber is withholding Taxes, Subscriber shall pay the withholding Tax directly to the appropriate government entity and shall furnish a tax certificate to Keka evidencing such payment within hundred (100) days of making such payments. In the event of a failure to furnish the tax certificate within the timer period specified herein, the concerned tax amount shall be fortified by Keka.

3.8. Pricing: Keka reserves the right to unilaterally determine and modify its pricing for the Keka Platform. Where an Invoice is in effect, the pricing for the Keka Platform shall remain as agreed for the term specified in such Invoice.

4. Availability and Technical Support

4.1. Keka will make the Keka Platform available to the Subscriber pursuant to the terms of this Agreement, applicable Invoice and Documentation. Keka shall use commercially reasonable efforts to make the Keka Platform available 24 hours a day, 7 days a week and honour the Monthly Uptime Commitment as set forth in Exhibit 1, except during: (i) Scheduled Downtime, and (ii) Force Majeure Events.

4.2. Keka will provide product support to the Subscriber according to the timeframe specified in Exhibit 1.

5. Privacy and Security

5.1. Privacy. To the extent that Personal Information (as defined under the Exhibit 2) is processed by Keka when Subscriber uses the Keka Platform, Keka shall comply with applicable legal requirements for privacy, data protection and confidentiality. Keka’s processing of Personal Information will, at all times, be compliant with Exhibit 2 of this Agreement. Exhibit 2 explains how Keka will, (i) process Personal Information; (ii) use third party service providers who process Personal Information on Keka’s behalf; (iii) assist Subscriber to handle data subject requests; (iv) handle Security Incidents; (v) accommodate an audit request from Subscriber; (vi) ensure that its personnel maintain confidentiality and security of Personal Information; and (vii) handle return or deletion of Personal Information.

5.2. Security. Keka has implemented and will maintain industry-standard administrative, technical, and physical safeguards to reasonably protect the security, confidentiality and integrity of the Subscriber Data as described in Exhibit 3 of this Agreement. Keka will periodically review and update its security practices to address new and evolving security threats and to implement evolving security technologies and industry standard practices. Keka warrants that no modification to the security practices will materially degrade the security of the Keka Platform.

6. Proprietary Rights and Licenses

6.1. Reservation of Intellectual Property Rights. As between the Parties to this Agreement, Keka retains all the rights, title and interest in and to the Keka Platform and Documentation, including all related Intellectual Property Rights. Except as expressly stated herein, this Agreement does not grant any additional rights or licenses to the Subscriber in the Keka Platform or in any intellectual property rights of Keka. The Subscriber agrees and acknowledges that unless as provided herein this Agreement, any other use of the Keka Platform shall constitute a material breach of this Agreement and an infringement under applicable laws. Such material breach or infringement shall cause Keka irreparable loss and damage. Therefore, in addition to and without limitation to the rights provided herein this Agreement, Keka shall have the right to recover damages and injunctive relief under applicable laws.

6.2. License to use Suggestion and Feedback. Subscriber grants to Keka a fully paid-up, royalty free, worldwide, sub-licensable, assignable, irrevocable and perpetual license to use and incorporate into the Keka Platform any idea, suggestion for enhancement, recommendation, correction or other feedback provided by Subscriber to Keka in connection with such Subscriber’s use of the Keka Platform.

6.3. Subscriber Input. Subscriber Input is defined as any information subscriber may have provided Keka as an idea, feature request, enhancement or bug-fix on Keka product offerings to Keka. Keka shall have a royalty-free, worldwide, transferable, sub-licensable, irrevocable, perpetual license to use or incorporate into the Service any Subscriber Input. Keka shall have no obligation to make Subscriber Input an Improvement. Subscriber shall have no obligation to provide subscriber Input.

6.4. Statistical Data Use. Keka has exclusive rights to use the statistical data derived from the operation of the Service, including, without limitation, the number of records in the Service, the number and types of transactions, configurations, and reports processed in the Service and the performance results for the Service (the “Aggregated Data”). Nothing herein shall be construed as prohibiting Keka from utilizing the Aggregated Data for purposes of operating Keka’s business, provided that Keka’s use of Aggregated Data will not reveal the identity, whether directly or indirectly, of any individual or specific data entered by any individual into the Service. In no event does the Aggregated Data include any personally identifiable information or corporate identifiable information.

6.5. Use of name: In connection with any literature of an advertising or similar nature, Keka’s name shall not be used or quoted without the prior written permission of Keka. Keka may use the fact of its involvement with the Subscriber in this Agreement in its credentials, proposals and publicity material subject to applicable law and professional regulations. The Customer agrees to such use and Keka may, on the Subscriber’s specific request, share samples of such use.

7. Confidentiality

7.1. Confidentiality Obligations. Except as otherwise permitted in writing by the Disclosing Party, the Receiving Party shall (i) use the same degree of care that it uses to protect the confidentiality of its own confidential information of like kind (but in no event less than reasonable care) not to disclose or use any Confidential Information of the Disclosing Party for any purpose outside the scope of this Agreement, and (ii) limit access to Confidential Information of the Disclosing Party to those of its employees, contractors and agents who need such access for the purposes consistent with this Agreement and who have signed confidentiality agreements with the Receiving Party containing protections no less stringent than those contained herein. Any exchange of Confidential Information prior to the execution of this Agreement shall continue to be governed by any non-disclosure agreement executed by and between the parties and not the terms of this Agreement. All copies of Confidential Information, regardless of form, shall, at the discretion of the Disclosing Party, either be destroyed or returned to the Disclosing Party, promptly upon the earlier of: (i) Disclosing Party’s written request, or (ii) expiration or termination of this Agreement for any reason.

7.2. Compelled Disclosure. The Receiving Party may disclose Confidential Information of the Disclosing Party (i) as necessary to comply with an order or subpoena of any administrative agency or court of competent jurisdiction; or (ii) as reasonably necessary to comply with any applicable law or regulation; or (iii) as necessary to establish the rights of the Receiving Party, provided the Receiving Party gives the Disclosing Party prior notice of the compelled disclosure (to the extent legally permitted) and reasonable assistance, at the Disclosing Party's cost, if the Disclosing Party wishes to contest the disclosure. Any such disclosure shall be limited to only what is required and shall be subject to the confidentiality obligations to the extent reasonably practicable.

8. Representations, Warranties and Disclaimers

8.1. Mutual Representation. Each party represents and warrants to the other party that it is duly organized and validly existing under the laws of the state of its incorporation and has full corporate power and authority, and is duly authorized, to enter into the Agreement and to carry out the provisions thereof.

8.2. Warranty by Keka. Keka warrants that during an applicable Subscription Period (i) the Keka Platform will perform materially in accordance with the Documentation when Subscriber uses the Keka Platform in accordance with such Documentation; (ii) Keka will, at a minimum, implement safeguards for protection of the security, confidentiality and integrity of Subscriber Data, as set forth in DPA of this Agreement; (iii) Keka will not materially decrease the overall functionality of the Keka Platform. In case of any breach of warranty listed in this Section, the Subscriber shall be entitled to sole and exclusive remedies against Keka as described in Sections 11.2. and 11.3. of this Agreement.

8.3. Warranty Disclaimer. Subscriber understands and agrees that the use of the Keka Platform is at subscriber's sole risk. Except as expressly provided herein, Keka Platform is provided on an "as is" and "as available" basis, without any warranties of any kind. Except for warranties specified in this agreement, Keka disclaims warranties of all kinds, including, but not limited to, the implied warranties of merchantability, title, fitness for a particular purpose, and non-infringement. Keka further disclaims warranties that the Keka Platform will be uninterrupted, timely, secure, error-free or free from viruses or other malicious software. No advice or information obtained by subscriber from Keka or from any third party shall create any warranty not expressly stated in this agreement. The foregoing exclusions and limitations shall apply to the maximum extent permitted by applicable law, even if remedy fails its essential purpose.

9. Indemnification

Indemnification by Keka

9.1. Keka shall defend Subscriber , at Keka’s expense, from claims, demands, suits, or proceedings made or brought against Subscriber by a third party (“Claims”) alleging that the use of the Keka Platform as contemplated hereunder infringes such third party’s Intellectual Property Rights and shall indemnify and hold Subscriber harmless against any loss, damage or costs finally awarded or entered into in settlement (including, without limitation, reasonable attorneys' fees) (collectively, “Losses”); provided that Subscriber : (a) promptly gives written notice of the Claim to Keka (although a delay of notice will not relieve Keka of its obligations under this section except to the extent that Keka is prejudiced by such delay); (b) gives Keka sole control of the defense and settlement of the Claim (although Keka may not settle any Claim unless it unconditionally releases Subscriber of all liability); and (c) provides to Keka, at Keka's cost, all reasonable assistance. Keka shall have no liability for Claims or Losses to the extent arising from: (d) modification of the Keka Platform by anyone other than Keka; (e) use of the Keka Platform in a manner inconsistent with the Agreement or Documentation; or (f) use of the Keka Platform in combination with any other product or service not provided by Keka. If Subscriber is enjoined from using the Keka Platform or Keka reasonably believes it will be enjoined, Keka shall have the right, at its sole option, to obtain for Subscriber the right to continue use of the Keka Platform or to replace or modify the Keka Platform so that it is no longer infringing. If neither of the foregoing options is reasonably available to Keka, then the Agreement may be terminated at either party’s option and Keka’s sole liability, in addition to the indemnification obligations herein, shall be to refund any prepaid fees for the Keka Platform that was to be provided after the effective date of termination.

Indemnification by the Subscriber

9.2. Subscriber agrees to indemnify and hold harmless Keka, its directors, officers, employees, affiliates, agents and representatives from and against, including but not limited to, any and all claims, damages, liabilities, fines, penalties, costs and expenses (including reasonable attorneys' fees) to which Keka may be subjected as a result of Subscriber's, its employee’s or agent’s (i) business operations, including, without limitation, Subscriber employee claims, (ii) any act or omission to act which constitutes a breach of this Agreement, or (iii) performance hereunder in a manner that is negligent, grossly negligent, reckless, or improper.

9.3. Subscriber recognizes that Keka will be irreparably harmed by a violation of Subscriber’s confidentiality, non-use or other obligations hereunder. Therefore, in addition to any other available remedies, Keka is entitled to an injunction or other decree of specific performance with respect to any violation thereof by Subscriber.

10. Limitation of Liability

Under no circumstances and under no legal theory, whether tort, contract, product liability, negligence or otherwise, shall Keka or its affiliates be liable to you or any other affiliate or third party for any lost profits, lost sales or lost revenue, loss of data, business interruption, loss of goodwill or for any indirect, special, incidental, exemplary, consequential or punitive damages, even if a party or its affiliates have been advised of the possibility of such damages. In no event shall the liability of either party to the other party or its affiliates, for any claim or action arising out of this agreement, exceed the value of 10% of aggregate of all amounts paid by the Subscriber to Keka in the twelve (12) months preceding the first event giving rise to such claim or action. The limitations specified herein will not limit Subscriber’s obligation to pay fees in accordance with this agreement.

11. Term and Termination

11.1. Term. The term of this Agreement shall commence on the Effective Date and shall thereafter continue for the duration of the Subscription Period of the relevant Invoice, unless terminated in accordance with the provisions of this Section. Except as otherwise specified in the Agreement or Invoice, subscriptions will automatically renew for additional terms equivalent to the expiring Subscription Period.

11.2. Termination for cause. A party may terminate this Agreement for cause : (i) upon 30 days written notice to the other party of a material breach if such breach remains uncured at the expiration of such period, or (ii) if the other party becomes the subject of a petition in bankruptcy or any other proceeding relating to insolvency, receivership, liquidation or assignment for the benefit of the creditors.

11.3. Termination by Keka: Keka shall be entitled to terminate this Agreement forthwith upon giving written notice of thirty (30 days) to the subscriber if it: (i) enters an agreement with creditors without authorisation Keka and/or steps have been taken for its winding up (other than for the purposes of bona fide reconstruction); (ii) has reasonable grounds to suspect that it has participated in illegal practices and/or acts or been charged in a court of law acts in a manner prejudicial to the interests of Keka; (iii) commits misconduct, fraudulent, dishonest, undisciplined conduct or breach of integrity or embezzlement or misappropriation or misuse or causing damage to the Software and other property of Keka; (iv) misrepresents, makes false statements and breaches the representations and warranties under the Agreement; and (v) ceases or threatens to cease to carry on business.

11.4. Termination for Convenience: Notwithstanding any other provision in this Agreement, Keka shall at its absolute discretion be entitled to terminate this Agreement without provision of reasons by giving at least 30 (thirty) days prior written notice to the other Party.

11.5. Refund. Upon termination for cause by Subscriber, Keka shall refund Subscriber any prepaid fees covering the unused portion of the Subscription Period. Upon any termination for cause by Keka, Subscriber shall expedite all payments due to Keka and in no event will termination of this Agreement relieve Subscriber of its obligation to pay any fees due to Keka. Notwithstanding anything contained herein, in the event Subscriber terminates the Agreement except as mentioned in Section 11.2 of the Agreement, Keka is under no obligation to refund the fees paid by the Subscriber.

11.6. Retrieval of Subscriber Data. Upon Subscriber’s written request made on or prior to expiration or termination of the Agreement, Keka will give Subscriber limited access to the Keka Platform for a period of up to thirty (30) days, at no additional cost, solely for purposes of retrieving Subscriber Data. Subject to such thirty day period and Keka’s legal obligations, Keka has no obligation to maintain or provide any Subscriber Data and may, unless legally prohibited, delete Subscriber Data; provided, however, that Keka will not be required to remove copies of the Subscriber Data from its backup media and servers until such time as the backup copies are scheduled to be deleted.

11.7. Surviving Provisions. Sections "Confidentiality," "Fees and Payments," "Warranty Disclaimers," "Limitation of Liability," "Indemnification," "Termination," "Surviving Provisions" and "General" shall survive termination of this Agreement.

12. General

12.1. Applicability of Terms of Service. Subscriber understands that, in addition to the terms of this Agreement, Keka's Terms of Service will apply to Subscriber's access and use of the Keka Platform. In the event of any conflict between this Agreement and the Terms of Service, the terms of this Agreement shall prevail.

12.2. Entire Agreement. This Agreement, including the Exhibits attached hereto and the Terms of Service, constitute the entire agreement between the parties with respect to the subject matter of this Agreement and supersedes any and all prior and contemporaneous agreements, negotiations, correspondence, understandings and communications between the parties, whether written or oral, concerning the subject matter hereof.

12.3. Amendment. No changes, modifications or amendment of any nature made to this Agreement shall be valid unless evidenced in writing and signed for and on behalf of both parties by the respective authorized representatives.

12.4. Governing Law and Jurisdiction. This Agreement shall be governed by and construed strictly in accordance with the laws of India (excluding the rules governing conflict of laws). Any dispute arising out of or resulting from this Agreement shall be subject to the exclusive jurisdiction of courts in Hyderabad to the exclusion of all other courts.

12.5. Notices. All notices required under this Agreement shall be in writing and shall be sent to the respective address set forth below. Any such notice may be delivered by hand, by overnight courier, by registered post or certified mail with return receipt requested, or by electronic mail to the person to whom such notice is to be sent as per the terms of this Agreement. Such notice shall be deemed to have been received: (i) by hand delivery, at the time of delivery; (ii) by overnight courier, on the succeeding business day; (iii) by registered post or certified mail, on the date marked in proof of receipt; and (v) by electronic mail, when sent. All notices shall be sent to: Legal Team on support@keka.com

12.6. Relationship of the Parties. The parties are independent contractors. This Agreement does not create a partnership, franchise, joint venture, agency, fiduciary or employment relationship between the parties. Neither party shall have the power to bind the other or incur obligations on the other party's behalf without the other party's written consent.

12.7. Assignment. Neither party shall assign any of its rights or obligations hereunder, whether by operation of law or otherwise, without the prior written consent of the other party (which consent shall not be unreasonably withheld). . Any attempt by a party to assign its rights or obligations under this Agreement other than as permitted by this section shall be void and of no effect. Subject to the foregoing, this Agreement shall bind and inure to the benefit of the parties, their respective successors and permitted assigns.

12.8. Affairs of the Parties: It has been explicitly agreed between the Parties that at any time within the term of this Agreement, the Subscriber undergoes one of the following including the sale of the company/entity, then the Subscriber shall have the sole unconditional rights, among others, to:

  1. Change in the management;
  2. Change in the corporate name or brand name or trademark
  3. Restructuring;
  4. Acquisition and merger
  5. Any Private Equity or Loan infusion into the Party

KEKA will not interfere or raise any objections in or under the above circumstances, provided that the Subscriber shall ensure that the rights of KEKA under this Agreement are not adversely affected or curtailed by virtue of such an event. The existence of the Agreement or/and rights of KEKA under this Agreement shall not be affected in any manner and the Subscriber shall ensure the same terms and conditions are carried through the Term of the Agreement. If the Agreement terminates or any rights of KEKA are adversely effected due to any of the above circumstances as laid down under this clause above, then the defaulting party, i.e., the Subscriber shall indemnify KEKA and compensate it from any loss or expenditure that KEKA incurs.

12.9. No Third Party Beneficiaries. The provisions of this Agreement shall be binding and inure solely to the benefit of the parties, their successors, and permitted assigns. Nothing herein, whether express or implied, will confer any right, benefit or remedy upon any person or entity other than the parties, their successors and permitted assigns.

12.10. Force Majeure. No Party shall be liable to the other if, and to the extent, that the performance or delay in performance of any of its obligations under this Agreement is prevented, restricted, delayed or interfered with, due to circumstances beyond the reasonable control of such Party, including but not limited to, Government legislations, fires, floods, explosions, epidemics, accidents, acts of God, wars, riots, strikes, lockouts, or other concerted acts of workmen, acts of Government. The Party claiming an event of force majeure shall promptly notify the other Party in writing and provide full particulars of the cause or event and the date of first occurrence thereof, as soon as possible after the event and also keep the other Party informed of any further developments. The Party so affected shall use its best efforts to remove the cause of non-performance, and the Parties shall resume performance as soon as such cause is removed.

12.11. Severability. Any provision of this Agreement, which is prohibited or unenforceable in any jurisdiction shall, as to such jurisdiction be ineffective to the extent of such prohibition or unenforceability without invalidating the remaining provisions hereof or affecting the validity or enforceability of such provision in any other jurisdiction. Accordingly, this Agreement shall be construed as if such portion had not been inserted and the remaining provisions of this Agreement shall remain in full force and effect.

12.12. Waiver. Except as otherwise provided in this Agreement, failure on the part of either Party to exercise any right hereunder or to insist upon strict compliance by the other Party with any of the terms, covenants or conditions hereof shall not be deemed a waiver of such right, term, covenant or condition.

12.13. Interpretation. No provision of this Agreement shall be construed against one party by reason of being deemed the "author" of the Agreement. The headings used in this Agreement are for convenience only and shall not affect the interpretation of the terms of this Agreement.

12.14. Specific terms of use for payment automation services – refer exhibit 4


Exhibit 1

SERVICE LEVEL AVAILABILITY

This Exhibit documents Keka’s Service Level Availability Policy (“SLA”) with its Subscribers. Capitalized terms, unless otherwise defined herein, shall have the same meaning as in the Master Subscription Agreement.

1. Definitions

"Downtime" shall mean inability to access Keka Platform due to a Qualifying Fault. Downtime is measured based on availability of the Keka Platform as measured by Keka’s monitoring tools.

“Qualifying Fault” shall mean and include server side errors and reachability errors attributable to the Keka Platform.

“Downtime Period" shall mean ten or more consecutive minutes of Downtime. Intermittent Downtime for a period of less than ten minutes will not be counted towards any Downtime Periods.

“Monthly Uptime” shall mean total number of minutes in a calendar month minus the number of minutes of Downtime suffered from all Downtime Periods in a calendar month.

"Monthly Uptime Percentage" shall mean the percentage calculated by dividing Monthly Uptime by the total number of minutes in a calendar month.

"Scheduled Downtime" shall mean unavailability of the Keka Platform about which Subscriber is informed at least forty eight (48) hours in advance. A Schedule Downtime will not constitute a Qualifying Fault.

"Keka SLA Service Credit" shall mean Keka Service Credits added to the Keka Wallet at no additional cost as compensation for Keka’s failure to meet the monthly uptime commitment.

2. Service availability

Keka Platform will have a Monthly Uptime Percentage of 99.8%.

3. Keka Platform Updates

Periodically, Keka introduces new features in the Keka Platform with enhanced functionality. Features and functionality will be made available as part of a major feature release (“Feature Release”) or as part of weekly service updates (“Service Updates”).

4. SLA Service Credits

  1. Calculation of Keka SLA Service Credit:
    UptimeCompensation for Downtime (% of Monthly Subscription Fees)
    99.5% to 99.8%5%
    99% to 99.5%15%
    <99%25%
  2. In order to receive any of the Keka SLA Service Credits described above, Subscriber must notify Keka within ten (10) days from the time Subscriber becomes eligible to receive a Keka SLA Service Credit. Failure to comply with this requirement will result in forfeiture of Subscriber’s right to receive a Service Credit.
  3. Keka SLA Service Credits will not be exchanged for, or converted to, monetary compensation.
  4. Subscriber’s sole and exclusive remedy for Keka’s failure to meet the uptime commitment is to receive Keka SLA Service Credit.

5. Keka Support Scope

Keka will support functionality that is delivered by Keka as part of the Keka Platform. For all other functionality, and/or issues or errors in the Keka Platform caused by issues, errors and/or changes in Subscriber's information systems, customizations, and/or third-party products or services, Keka may assist Subscriber and its third-party providers in diagnosing and resolving issues or errors but Subscriber acknowledges that these matters are outside of Keka's support obligations. Failure to meet obligations or commitments under this SLA that are attributable to (i) Subscriber's acts or omissions; and (ii) force majeure events shall be excused.

6. Issue Submission and Reporting

Subscriber’s Named Support Contacts may submit cases to Keka Support via the Keka Support Portal. Named Support Contacts must be trained on the Keka Platform. Each case will be assigned a unique case number. Keka will respond to each case in accordance with this SLA and will work diligently toward resolution of the issue taking into consideration its severity and impact on the Subscriber’s business operations. Actual resolution time will depend on the nature of the case and the resolution itself. A resolution may consist of a fix, workaround, delivery of information or other reasonable solution to the issue. Case reporting is available on demand via the Keka Support Portal.

7. Severity level determination

Subscriber shall reasonably self-diagnose each support issue and recommend to Keka an appropriate Severity Level designation. Keka shall validate Subscriber's Severity Level designation or notify Subscriber of the change in the Severity Level designation to a higher or lower level with justification. The following definition shall be used in determination of severity level:

Severity Level 1

Description: This Problem Severity Level is associated with: the software, as a whole, is non-functional or is not accessible; unauthorized exposure of all or part of the client's data; or loss or corruption of all or part of the client's data.

Severity Level 2

Description: This Problem Severity Level is associated with significant and / or ongoing interruption of an authorized user’s use of a critical function of the software and for which no acceptable work-around is available.

Severity Level 3

Description: This Problem Severity Level is associated with: a minor and/or limited interruption of an authorized user’s use of a non-critical function of the software; or, problems which are not included in Problem Severity Levels 1 or 2.

Severity Level 4

Description: This Problem Severity Level is associated with: general questions about the software; or, configuration changes that have been previously agreed to be in scope by the client.

8. Response and resolution

Response, Problem Determination and Resolution/Restoration/Work-around Timeframe

Severity LevelResponse
(business hours)
Problem Determination
(business hours / business days)
Resolution / Restoration / Work-around
(business days)
11 hour4 hours8 hours
28 hours24 hours3 days
324 hours7 days10 days
424 hours10 days14 days

9. Exclusions

The SLA does not apply to any performance and availability issues:

  1. caused by factors outside of Keka’s reasonable control;
  2. that resulted from any actions or inactions of Subscriber; or
  3. that resulted from Subscriber’s equipment and/or third party equipment that are not within Keka’s reasonable control.
  4. any issues which required coding changes from back-end.

Exhibit 2

Data Processing Agreement

GDPR Regulation (EU) 2016/679

Your use of the Website, application or Keka Platform, owned and managed by Keka, are governed by the following terms and conditions of this Agreement as applicable to the Website, application or Keka Platform, including the applicable policies which are incorporated herein by way of reference. By mere use of the Website, application or Keka Platform, You shall be contracting with Keka and these terms and conditions including the policies constitute your binding obligations with Keka.

This Agreement is hereby executed and enforceable between:
Customer/Partner (Hereinafter referred to as “Data Controller”)

AND

Keka Technologies Private Limited, a company incorporated as per Indian Companies Act, 2013 (Hereinafter referred to as the “Data Processor” or “Keka”)

Data Controller and Data Processor may be referred to as “Party” individually and “Parties” collectively in this DPA.

WHEREAS

A. The Data Controller is, for the purpose of this DPA, a data controller as provided under Article 4 sub-article 7 of the GDPR Regulation (EU) 2016/679 (“GDPR Regulation”).

B. The Data Controller wishes to obtain certain services from the Data Processor in light of which it will share certain information/data/material which shall require processing compliances with GDPR Regulation by both Parties.

C. Therefore, the Parties have agreed to enter into this DPA which contains the relevant GDPR Regulation clauses to be followed by the Parties who signed the Subscription Services with Keka.

Therefore, In consideration of the mutual obligations set out in this DPA, the parties agree as follows:

  1. This DPA details the roles of both Parties set forth in GDPR Regulation under Articles 28, 32, and 82.
  2. The capitalised terms as provided under this DPA and not defined therein, shall have their respective meaning prescribed under Annexure 2 of this DPA.

    This DPA is applicable for below Clauses

    1. If the Customer entity signing this DPA is also a party to the MSA, then this DPA shall form an integral part of such MSA.
    2. If the Customer entity signing this DPA has executed an Order Form with Keka, or its Affiliate pursuant to the relevant agreement, but is not by itself a party to the Agreement, then this DPA is an addendum to that Order Form and/or applicable renewal Order Forms.
    3. If the Customer entity signing this DPA is neither a party to an Order Form nor the Agreement, this DPA is not valid and is not legally binding. Such entity should request that the Customer entity who is a party to the Agreement executes this DPA.
    4. If the Customer entity signing the DPA is not a party to an Order Form nor a Master Subscription Agreement directly with Keka, but is instead a customer indirectly via an authorized reseller of Keka, services, this DPA is not valid and is not legally binding. Such entity should contact the authorized reseller to discuss whether any amendment to its agreement with that reseller may be required. This DPA shall not replace any comparable or additional rights relating to Processing of Customer Data contained in Customer’s Agreement (including any existing data processing addendum to the Agreement).
    5. The Data Controller and Keka, each warrant that they are and will continue to adhere to GDPR and shall perform their obligations under this DPA in accordance with the provisions of the GDPR from time to time in force.
    6. The parties acknowledge that for the purposes of GDPR, that the Customer/Partner is the Data Controller for the Personal Data (Personal Data of Customer’s Employees or the Customer’s Customer or Contractor as applicable) and the performance of the services will require the processing of Personal Data by Keka, for the Data Controller.

    The parties acknowledge that for the purposes of GDPR:

    1. Keka, shall be processing the personal data provided by Data Controller that is limited to Name, Phone, E-Mail and Job Title for the escalation and communication that is used to send notifications/ alerts during the business operations to the Data Subjects whose personal data is shared by the Data Controller.
    2. Keka, implements controls to undertake Consent from Users of the platform without disrupting Customer’s Operations. The Data Controller is responsible for ensuring the respective customers and users accept the user consent.
    3. Keka, may use various software tools/Cloud Services for storing such Personal Data in their repositories which is vetted as per the conditions as laid down under Article 32 of the GDPR Regulation.
    4. Keka, may use or store the Personal Data for retracting any reference to the Data Subject, as mentioned in their Privacy Policy, if it is required in future even after expiry of the agreement for identifying or tracing any alerts/ notifications sent to the Data Subject.
    5. The Customer/Partner shall be responsible to notify and undertake Consent from their Employees/ Customers/ Contractors on how the Personal Data is processed by Keka, and their Data Sub-Processor, without which compliance to GDPR Regulation by the Data Controller/Keka, /Data Sub Processor would be difficult.
    6. Keka, shall bring to the Customer’s /Partner’s attention if they find a Personal Data Breach in their or their Data Sub-Processor environment that has impacted any form of Personal Data stored by either or both parties.
  3. Keka, shall not process Personal Data (Personal Data collected from the Data Controller) other than for the purposes of the processing which are documented in the Agreement.Keka warrants to the Data Controller (Customer/Partner) to comply with below,
    1. It shall fully comply with the provisions of GDPR in carrying out its obligations under this DPA.
    2. It has all provisions for data protection necessary for carrying out of its obligations under this agreement and shall maintain such provisions throughout the term.
  4. Keka, shall:
    1. Adopt and maintain appropriate technical and organizational measures to ensure Personal Data is kept secure throughout the data life cycle, considering the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, and take such precautions as are necessary to ensure the integrity of Personal Data and to prevent any Personal Data Breach.
    2. Appoint, transfer or transmit the Personal Data to Data Sub-Processors only after they have received express written permission of the Data Controller.
    3. Ensure that the Data Sub-Processors process the Personal Data (Personal Data collected from the Data Controller) as per the instructions provided by Keka, in accordance with the requirements of GDPR.
    4. Shall not collect Personal Data (Personal Data collected from the Data Controller), more than that is required to Keka, for Processing.
    5. Shall not appoint any other Data Sub-Processor/ Third Party for processing Personal Data (Personal Data collected from the Data Controller) that does not meet the requirements of GDPR
    6. Allow Data Subjects to keep contents of their Personal Data (Personal Data collected from the Data Controller) accurate
    7. On reasonable written notice by the Data Controller, make available to the Data Controller all such information as is necessary to demonstrate Keka’s compliance with GDPR, including where such information is requested as part of an audit/assessment/compliance check.
    8. On termination of the Agreement, at the Data Controller’s sole written requisition, provide all Personal Data (Personal Data collected from the Data Controller) to the Data Controller and shall provide reasonable evidence of erasure.
    9. Keep the records of the Processing activities that are carried out on behalf of Data Controller
    10. Assist the controller in meeting its GDPR obligations to notify the Personal Data Breaches to the Supervisory Authority along with the process and information required to be submitted for the same.
    11. Shall Not use the Personal Data (Personal Data collected from the Data Controller) for activities like analytics and profiling unless required for business operations to provide subscribed services.
  5. Customer Data Incident Management:

    Keka maintains security incident management policies and procedures specified in the Security Policy on the website and shall notify Customer without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data, including Personal Data, transmitted, stored or otherwise Processed by Keka, or its Sub-processors of which Keka, becomes aware (a “Customer Data Incident”). Keka, shall make reasonable efforts to identify the cause of such Customer Data Incident and take those steps as Keka, deems necessary and reasonable in order to remediate the cause of such a Customer Data Incident to the extent the remediation is within Keka’s reasonable control. The obligations herein shall not apply to incidents that are caused by Customer or Customer’s Users.

    Immediately notify the Data Controller with full details of:

    1. Any Personal Data Breach in relation to this Agreement;
    2. Processing of Personal Data (Personal Data collected from the Data Controller) which are contrary to or would require it to act in a way contrary to GDPR
    3. Any request received (including from an individual or the Supervisory Authority) to disclose any Personal Data
  6. Return and Erasure of Customer Data: -

    Keka, has made provision for retrieval of customer data from the platform by authorization, to the extent allowed by applicable law, delete Customer Data in accordance with the procedures and timeframes specified in the Retention Policies

  7. Nothing in this Agreement shall relieve Keka, of its own direct responsibilities and liabilities under GDPR.
  8. The Clauses in this document shall be governed by the law of the Member State of EEA (European Economic Area) in which the data processing is established.

In assessing the appropriate level of security, Keka, shall conduct DPIA (Data Protection Impact Assessment) on a periodic basis to evaluate the risks that are presented by processing, from a Personal Data Breach.


Appendix 1

This Appendix forms part of the DPA covering Information Security of the Platform and Operations. Description of the technical and organizational security measures implemented by Keka, in accordance with Data Processing Agreement

Keka currently observes the security practices described in this Appendix 1. Notwithstanding any provision to the contrary otherwise agreed to by data controller, Keka may modify or update these practices at its discretion provided that such modification and update does not result in a material degradation in the protection offered by these practices. All capitalized terms not otherwise defined herein shall have the meanings as set forth in the Agreement.

  • Access Control

    Preventing Unauthorized Product Access

    1. Outsourced processing: Keka, hosts its Service in a Colocation and outsourced cloud infrastructure providers. Keka, maintains contractual relationships with vendors in order to provide the Service in accordance with our Data Processing Agreement.
    2. Keka relies on contractual agreements, privacy policies, and vendor compliance programs to protect data processed or stored by these vendors.
    3. Physical and environmental security: Keka, hosts its product infrastructure with multi-tenant, outsourced infrastructure providers. The physical and environmental security controls are audited for SOC2 Type II and ISO 27001 compliance, among other certifications.
    4. Authentication: Keka, implemented a unifies password policy for its Platform.
    5. Customers who interact with the platform via the user interface must authenticate before accessing their data. Keka, also has a provision for integrating with various single sign on tools or use Keka’s authentication mechanisms
    6. Authorization: Customer data is stored in multi-tenant storage systems accessible to Customers via only application user interfaces and application programming interfaces. Customers are not allowed direct access to the underlying application infrastructure. The authorization model in each of Keka’s products is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed through validating the user’s permissions against role-based access policies defined by the Customer
    7. Application Programming Interface (API) access: Public product APIs may be accessed using an API key or through any other authorized process or method.

    Preventing Unauthorized Product Use :

    Keka implements standard access controls and detection capabilities for the internal networks that support its products.

    1. Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure. The control measures are implemented by security group assignment, and traditional firewall rules.
    2. Intrusion detection and prevention: Keka implemented Firewalls designed to identify and prevent attacks against publicly available network services. A regular VA and PT assessment is carried on to proactively identify any threats and remediate as required.
    3. Static code analysis: Security reviews of code stored in Keka’s source code repositories is performed, checking for coding best practices and identifiable software flaws.

    Limitations of Privilege & Authorization Requirements

    1. Product access: An authorized group of Keka’s employees have access to the Platform and to customer data via controlled interfaces. The intent of providing access to an authorized employee is to provide effective customer support, to troubleshoot potential problems, to detect and respond to security incidents and implement data security. Access is enabled through a Service request process for all requests for access. Employees are granted access by role and responsibility. Employee roles are reviewed at least once every six months as part of Internal Security Audit.
    2. Product access: All Keka employees undergo a third-party background check prior to being extended an employment offer, in accordance with the applicable laws. All employees are required to conduct themselves in a manner consistent with company guidelines, non-disclosure requirements, and ethical standards.
  • Data Transfer Controls
    1. In-transit: Keka, makes HTTPS encryption (also referred to as SSL or TLS) available on every one of its logins. Data is transmitted between systems in same geographical regions
    2. At-rest: Keka, stores user passwords following policies that follow industry standard practices for security. Keka, has implemented technologies to ensure that stored data is encrypted at rest.
  • Data Input
    1. Detection: Keka has designed an internal monitoring and management systems to log information about the system behaviour, traffic received, system authentication, and other application requests. Internal systems alert appropriate Platform Support Groups of malicious, unintended, or anomalous activities. Keka has established support process and personnel for security, operations to respond to various incidents
    2. Response and tracking: Keka, maintains a record of known security incidents that includes description, dates and times, priority and remediation process. Suspected and confirmed security incidents are investigated by security, operations, or support personnel; and appropriate resolution steps are identified and documented. For any confirmed incidents, Keka will take appropriate steps to minimize Product and Customer damage or unauthorized disclosure.
    3. Communication: If Keka becomes aware of unlawful access to Customer data stored within its products, Keka, will
      1. notify the affected Customers of the incident
      2. provide a description of the steps taken to resolve the incident; and
      3. provide status updates to the Customer contact, as Keka deems necessary. Notification(s) of incidents, if any, shall be delivered to one or more of the Customer’s contacts in a form Keka, selects, which may include via email through Customer Support
  • Availability Control
    1. Infrastructure availability: Keka, is obligated to provide a minimum of 99.8% uptime for the Platform. The providers maintain a minimum of N+1 redundancy to power, network, and other Services in the Colo.
    2. B. Fault tolerance: Backup and replication strategies are designed to ensure redundancy and failover protections during a significant processing failure. Customer data is backed up to multiple durable data stores and replicated across multiple systems. Keka maintains an Active -Active set-up for disaster recovery to ensure redundancy and seamless failover. The server instances that support the products are also architected with a goal to prevent single points of failure. This design assists Keka’s operations in maintaining and updating the product applications and backend while limiting downtime.
  • Audits and Certification

    Keka, is certified for ISO 27001:2013 and has been assessed in compliant with the controls stipulated in SOC 2 Type II.


Appendix 2
Definitions:
  • Personal Data: Personal Data means any information relating to an identified or identifiable natural person ('Data Subject'). The following data, often used for the express purpose of distinguishing individual identity, can be classified as Personal Data
    • Name
    • Identification Number
    • Location data
    • An online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a Natural Person.
    • IP Address
    • Cookie Identifiers
    • Radio Frequency ID (RF ID) tags
  • Natural Person/Data Subject: An identifiable Natural Person/Data Subject is one who can be identified, directly or indirectly, by reference to his/her Personal Data.
  • Processing: Processing means any operation or set of operations which is performed on Personal Data or on sets of Personal Data by automated means, such as
    • Collection
    • Recording
    • Organisation
    • Structuring
    • Storage
    • Adaptation or alteration
    • Retrieval/Downloading data
    • Consultation
    • Use
    • Disclosure by transmission
    • Dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
  • Data Controller: Data Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
  • Data Processor: Data Processor means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Data Controller.
  • Data Sub-Processor: Data Sub-Processor means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of Data Processor.
  • GDPR: The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of Personal Data of individuals within the European Union (EU).
  • Profiling: Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
  • Personal Data Breach: Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
  • Consent: Consent of the Data Subject means any freely given, specific, informed and unambiguous indication of the Data Subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to the Data Subject.
  • Data Protection Impact Assessment (DPIA): This activity is carried out to enhance compliance with GDPR where processing operations are likely to result in a high risk to the rights and freedoms of Data Subjects.
  • Supervisory Authority: Supervisory authority means an independent public authority which is established by an EU member state. Supervisory Authority Concerned means a Supervisory Authority which is concerned by the processing of personal data because:
    1. The Data Controller or processor is established on the territory of the Member State of that supervisory authority;
    2. Data Subjects residing in the Member State of that Supervisory Authority are substantially affected or likely to be substantially affected by the processing; or
    3. A complaint has been lodged with that supervisory authority



Exhibit 3

TECHNICAL AND ORGANISATIONAL SECURITY MEASURES

Keka has established, and will maintain at a minimum, an information security management system that includes the following:

Security Governance
  1. A governance framework that supports relevant aspects of information security through appropriate policies and standards.
  2. Formal documentation of the roles and responsibilities of employees with respect to governance of Information Security within Keka that are communicated by the management to employees.
  3. An information security program in accordance with the international standard ISO 27001 that includes technical, organizational and physical security measures in order to protect Personal Information against accidental loss, destruction or alteration, unauthorized disclosure or access, or unlawful destruction.
  4. Formally documented information security policy, data privacy policy and other policies that are communicated periodically to employees responsible for the design, implementation and maintenance of security and privacy controls. The policies will be reviewed annually to keep them up-to-date.
  5. Compliance with industry standard security measures as described at https://www.Keka.com/compliance.html.
Risk Management
  1. Annual risk assessment, to prioritize mitigation of identified risks.
  2. Established internal audit requirements and periodical audits on information systems and processes at planned intervals.
  3. Assessment of the design and operating effectiveness of controls against the established control framework through which corrective actions related to identified deficiencies will be tracked to resolution.
Human Resources Security
  1. Background verification of all employees having access to confidential data that includes verification of criminal records, previous employment records if any, and educational background.
  2. Signing of confidentiality agreement and acceptable use policy by employees upon their employment with clauses on protection of confidential information.
  3. Training on security and privacy awareness including training on Keka's policies, standards and relevant technologies along with maintenance and retention of training completion records.
  4. Employees will be required to adhere to the information security policies and procedures. Disciplinary process for non adherence will be defined and communicated.
Identity and Access management of Keka Personnel
  1. Creation of unique identifiers for employees to access information systems and prohibition of sharing user accounts among employees
  2. User authentication to information systems protected by passwords that meet Keka's password policy requirements derived based on NIST SP 800-63B standards.
  3. Strong password configurations that include i) 8 character minimum length; ii) non dictionary words and iii) screening of passwords against list of known compromised passwords.
  4. Mandatory Two factor authentication for access to information systems involving confidential data.
  5. Secure remote access to the corporate network provisioned via SSL VPN with strong encryption and two factor authentication.
  6. Adherence to the principles of least privilege and need-to-know and need-to-use basis for access control.
  7. Approval mechanism from appropriate personnel to provide access to information systems.
  8. Revocation of access that is no longer required in the event of termination or role change.
  9. Recording of approval, assignment, alteration and withdrawal of access rights.
  10. User access reviews on a half yearly basis and corrective actions whenever necessary.
  11. Restrictions on administrative access to Personal Information and provision of access on a strictly need-to-know basis along with implementation of access-control measures such as mandatory two factor authentication.
Asset Management
  1. Inventory maintenance of assets associated with information processing. Owners are assigned for each asset and rules for acceptable use of assets are defined. Assets assigned to employees are returned in the event of termination or role change.
  2. Capacity management policies through which resources are continuously monitored and projections are made for future requirements.
  3. Determined procedures in accordance with industry best practices for the reuse, secure disposal and destruction of electronic media to ensure that the data is rendered unreadable and unrecoverable.
  4. Disposal of unusable devices by verified and authorized vendors which includes storing of such devices in a secure location until disposal, formatting any information contained in the devices before disposal, degaussing and physical destruction of failed hard drives using shredder and crypto-erasing and shredding of failed SSDs.
Physical Security
  1. Physical access to Keka's data center is highly restricted and requires prior management approval. The data centers are housed in facilities that require electronic card key access. Additional two-factor authentication and biometric authentication are required to enter the data center premises and there is continuous monitoring of CCTV cameras and alarm systems.
  2. Control of physical access to Keka's development facilities using access cards and monitoring by security personnel.
  3. Installation of CCTV cameras and review of access logs and CCTV footage in case of any incidents.
  4. Defined visitor management process to authorize visitor entries and maintenance of access records of visitors.
  5. Revocation of physical access to employees in the event of termination of employment or role change.
Network Security and Operations
  1. A dedicated Network Operations Center (NOC), which operates 24x7 monitoring the infrastructure health.
  2. Establishment and implementation of firewall rules in accordance to identified security requirements and business justifications.
  3. Review of firewall rules on a quarterly basis to ensure that legacy rules are removed and active rules are configured correctly.
  4. Establishment and maintenance of appropriate network segmentation, that includes use of virtual local area networks (VLANS) where appropriate, to restrict access to systems storing confidential data with a data storage layer that is designed to be not directly accessible from the Internet.
  5. Clear separation of production, development and integration environments to ensure that production data is not replicated or used in non-production environments for testing purposes.
  6. Management of access to production environments by a central directory and authentication for such access using a combination of strong passwords, two-factor authentication, and passphrase-protected SSH keys. Access to the production environment is facilitated through a separate network with strict rules.
  7. Deployment of DDOS mitigation capabilities from well established service providers to prevent volumetric attacks and to keep the applications available and performing.
Secure Software Development
  1. Well defined security process that is implemented and monitored throughout the SDLC taking into consideration confidentiality, availability and integrity requirements.
  2. Implementation of secure software development policies, procedures, and standards that are aligned to industry standard practices such as OWASP, CSA, CWE/SANS including secure design review, secure coding practices, risk based testing and remediation requirements.
  3. Training on secure coding principles and industry standards to personnel involved in the development and coding of products.
  4. "Secure by design" approach by incorporating security risk assessments and Threat modeling in the planning and analysis phase of SDLC and review of the design to prevent new threats.
  5. Examination of Source code changes for potential security issues using Keka's proprietary SAST (static code analysis) tools and manual review process before deployment.
  6. Web Application Firewall (WAF) layer that is embedded in all web applications for protection against Open Web Application Security Project (OWASP) threats, including SQL injections, Cross-site scripting (XSS) and remote file inclusions.
  7. Maintenance of inventory of third party software that gets bundled in the products/services .
  8. Alerts on potential security vulnerabilities in the third party software by Keka's proprietory SCA(Software Composition Analysis) that is reviewed periodically to check its applicability and impact and to take steps to upgrade third party software to the latest version.
  9. Appropriate checking and elimination procedures to ensure that the service is not affected by malware/viruses during development, maintenance and operation.
  10. Appropriate security controls to ensure the confidentiality, integrity and availability of the CI/CD pipeline in the software development environment used to develop, deploy, and support the products.
  11. Maintenance of clear distinction between the development, QA and production environments.
Data Security and Management
  1. Information classification scheme with data handling guidelines related to access control, physical and electronic storage, and electronic transfer.
  2. Logical separation of each subscriber's service data from other subscriber' data by distributing and maintaining separate logical cloud space for each subscriber.
  3. Deletion of data from active database upon termination of Keka Platforms by the subscriber (clean-up occurs once in every 6 months), deletion of backup data within 3 months of deletion from active database and termination of accounts that remain unpaid and inactive for a continuous period of 120 days by giving prior notice to the subscriber.
Encryption
  1. Use of transport encryption for information that traverses across networks outside of the direct control of Keka including, but not limited to the Internet, Wi-Fi and mobile phone networks.
  2. Encryption of data transmission to Keka Platforms are made using TLS 1.2/TLS1.3 protocols, with latest and strong ciphers like AES_CBC/AES_GCM 256 bit/128 bit keys, authentication of message using SHA2 and use of ECDHE_RSA as the key exchange mechanism.
  3. Encryption of sensitive Personal Information at rest using 256-bit Advanced Encryption Standard (AES). (The data that is encrypted at rest varies specific to Keka Platforms and also options are provided where the subscriber defines the fields to encrypt depending on their business need and data sensitivity).
  4. Irreversible industry standard algorithm (bcrypt) will be used to hash and store the passwords of Keka Platforms with randomly generated per user salt added to the input.
  5. Keka's in-house Key Management Service (KMS) to own and maintain encryption keys that includes additional layer of security by encrypting the data encryption keys using master keys.
  6. Separation of master keys and data encryption keys by physically storing them in different servers with limited access.
Change Management
  1. A change management policy that governs changes in all components of the service environment whereby all changes are planned, tested, reviewed and authorized before implementation into production.
  2. Assessment of the potential impacts, including information security and privacy impacts of the changes.
  3. Documented fall-back mechanisms including procedures and responsibilities for aborting and recovering from unsuccessful changes and unforeseen events.
  4. Notification to subscriber of any changes that may affect subscribers in an adverse manner.
Configuration Management
  1. Implementation of security hardening and baseline configuration standards in accordance with industry standards that are reviewed and updated periodically.
  2. Predefined OS images with security baselines are used to build systems in development and production.
  3. Hardening standards including (i) ensuring that unnecessary features, services, components, files, protocols and ports are removed from the production environment; and (ii) removing unnecessary user logins and disabling or changing default passwords.
  4. Approval from the appropriate personnel to install any software package in the production environment.
Vulnerability Management
  1. Vulnerability management plan designed to (i) identify promptly, prevent, investigate, and mitigate any cyber security vulnerabilities; (ii) analyze the vulnerability; (iii) perform recovery actions to remedy the impact.
  2. Vulnerability assessments using automated scanners performed periodically on Keka's internet facing systems.
  3. Application penetration testing by Keka's in house security personnel performed annually in accordance to defined test methodologies
  4. Review of identified issues from vulnerability assessments and penetration testing, determination of its applicability, impact and priority and rectification in accordance with the SLA definition: High level vulnerabilities within 7 calendar days of discovery, Medium level vulnerabilities within 30 calendar days of discovery and Low level vulnerabilities within 60 calendar days of discovery.
  5. Monitoring known vulnerabilities from common sources such as OWASP, CVE, NVD and other vendor security lists and installation of security relevant patches to product and/or supporting systems in accordance with Keka's patch management policy
  6. Antivirus deployment by running the current version of industry standard anti-virus software as a part of which signature definitions are updated periodically within 24 hours of release, real time scans are enabled and alerts are reviewed and resolved by appropriate personnel.
Security Logging and Monitoring
  1. Use of centralized logging solution to aggregate and correlate events from various components including network devices, servers and applications.
  2. Maintenance of audit logs recording privileged user access activities, authorized and unauthorized access attempts, system exceptions, and information security events and retention of logs in accordance with applicable policies and regulations.
  3. Host and application intrusion detection (IDS) technology to facilitate timely detection, investigation and response to incidents.
  4. Restrictions on physical and logical access of logs by authorized personnel.
Business continuity and Disaster recovery
  1. Disaster recovery and business continuity plans and processes (i) to ensure continuous availability of the services in case of any disaster; (ii) to provide an effective and accurate recovery.
  2. Annual review of business continuity plan to evaluate its adequacy & effectiveness
  3. Redundancy mechanisms to eliminate single point of failure consisting of (i) dual or multiple circuits, switches, networks or other necessary devices; and (ii) storing of application data in a resilient storage that is replicated in near real time across data centers.
  4. Taking periodic backups (incremental backups every day and weekly full backups) and storing them in an encrypted format in the same datacenter.
  5. Retention of backups for a period of three months and testing recovery of backups at planned intervals.
  6. SLA for service availability with 99.9% monthly uptime as a part of which real time availability can be viewed in https://status.Keka.com.
Incident Management
  1. An incident response plan and program containing procedures that are to be followed in the event of an information security incident.
  2. Dedicated email (incidents@keka.com) to which external parties can report security incidents and creating awareness among employees to report any potential security incident or weakness on time without any delay.
  3. Tracking of security incidents, fixing of such incidents through appropriate actions, maintenance of such records in the incident registry and implementation of controls to prevent recurrence of similar incidents.
  4. Incident management procedures that lays down the steps for notifying the client, and other stakeholders in a timely manner in accordance with breach notification obligations.
  5. Implementation of appropriate forensic procedures including chain of custody for collection, retention, and presentation of evidence in the event of an information security incident likely to result in a legal action.
Third-Party Vendor Management
  1. Vendor management policy through which Keka evaluates and qualifies third party vendors as a part of which new vendors are onboarded only after understanding their processes and performing risk assessments.
  2. Execution of agreements with vendors that require vendors to adhere to confidentiality, availability, and integrity commitments in order to maintain Keka's security stance.
  3. Execution of agreements with vendors that require vendors to adhere to confidentiality, availability, and integrity commitments in order to maintain Keka's security stance.



Exhibit 4

Specific terms of use for payment automation services

This document/agreement/understanding is a computer-generated electronic record published in terms of Rule 3 of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (amended from time to time) read with Information Technology Act, 2000 (amended from time to time) and does not require any physical or digital signatures.

  1. You agree that your use of any value-added service shall be construed as a consent to any additional fees which may be levied by Keka on such additional Service or value-added service.
  2. You agree that the fees shall be charged according to the manner, rates and frequency determined by Keka. Keka reserves the right to update the amount of the Fees at any point of time.
  3. Fees are exclusive of applicable taxes and Keka will charge such applicable taxes on the fees from time to time. You agree that any statutory variations in applicable taxes during the subsistence of these Terms shall be borne by You.
  4. For fees deducted upfront before provision of the specific Service, it is agreed that if You deposit applicable taxes under Section 194J of the Income Tax Act, 1961 (in respect of invoices received by You) and furnish to Keka Form 16-A in respect of such taxes paid, then Keka shall reimburse to You, on a quarterly basis, the amount in respect of such taxes paid. In all other cases, with respect to invoices received by You, at the time of payment of the Fees, You will withhold applicable taxes under Section 194J of the Income Tax Act, 1961 (in case LTDC is provided as per the LTDC issued). You shall deposit the withheld taxes with the government treasury, file the statutorily mandated returns and furnish the requisite tax deduction certificate (Form 16-A) to Keka within the timelines prescribed so as to enable Keka to obtain full credit for the taxes deducted at source.
  5. You understand that the sender account name being reflected in the receivers' bank transfer will be ‘Keka Technologies Private Limited’.
  6. You shall be solely responsible for any incorrect transaction or transaction processed for any reason other than the intended use from Keka. Keka will process transactions on your behalf in good faith.
  7. If Keka is intimated, by a Facility Provider, that a customer has reported an unauthorized debit of the customer’s Payment Instrument (“ Fraudulent Transaction ”), then in addition to its rights under Clause 1T&6 of the General Terms of Use, Keka shall be entitled to suspend settlements to You during the pendency of inquiries, investigations and resolution thereof by the Facility Providers
  8. If the amount in respect of the Fraudulent Transaction has already been settled to You pursuant to these Terms, any dispute arising in relation to the said Fraudulent Transaction, following settlement, shall be resolved in accordance with the RBI’s notification DBR.No.Leg.BC.78/09.07.005/2017-18, dated July 6, 2017 read with RBI’s notification DBOD. LEG. BC 86/09.07.007/2001-02 dated April 8, 2002 and other notifications, circulars and guidelines issued by the RBI in this regard from time to time.
  9. Subject to Clause 5 above, if the Fraudulent Transaction results in a Chargeback, then such Chargeback shall be resolved in accordance with the provisions set out in the Terms.
  10. You shall be liable in the event of breach of the fraud amount thresholds as provided under the NPCI guideline on ‘Fraud liability guidelines on UPI transactions’ NPCI/2022- 23/RMD/001. You hereby understand and agree that the decision of the NPCI or the concerned acquiring bank, as the case may be, shall be final and binding.
  11. You shall be responsible to do reconciliation on a daily basis for all the transactions processed. In case of discrepancies, You shall report to Keka regarding such discrepancy within three (3) working days. However, if any reconciliation issue is highlighted by You to Keka after three (3) working days from the transaction date, Keka shall not be responsible or liable in any way whatsoever in case such queries and/or concerns are not resolved.
  12. You shall be solely responsible for updating Your GST registration number with Keka before Keka generates the invoice and shall also submit the GST certificate as part of KYC. Keka will raise a GST tax invoice and report the transactions in the GST returns based on the information provided by You. The GST returns will be filed as per the statutory timelines, to enable You to avail appropriate input tax credit. Keka shall not be responsible for any mistake and or misrepresentation by You in updating the GST number and other particulars as per the GST certificate. Further, any liability raised on Keka by the GST authorities due to incorrect information provided by You or deliberate withholding of any statutory information by You shall be recovered by Keka from You.
  13. We will raise invoices in respect of fees charged for Services provided. Any dispute in respect of an invoice must be communicated by You to Us via a notice no later than ten (10) days from the date of the invoice. Keka shall use good faith efforts to reconcile any reasonably disputed amounts
cookie image

By clicking “Accept", you consent to our website's use of cookies to give you the most relevant experience by remembering your preferences and repeat visits. You may visit "cookie policy” to know more about cookies we use.