Keepit Online Terms of Service

Updated Feb 14th 2019

This document describes the Terms of Service for the Keepit Cloud Backup Service.

These terms do not apply to the Desktop Backup or PC Backup offering known as “Keepit Classic” which may be found here. This service is governed by its own Terms of Service.

Background and purpose

This agreement is entered into between the Supplier and the Customer concerning the Customers right to use the Keepit Service (from here on out referenced as the “Service”) and the obligations that befall Keepit and the Customer.

The business terms and data processing agreement for Keepit are an integrated part of this agreement.

Acceptable use policy

Neither Customer, nor anyone who acts on instructions of Customer, may use the Service in a way

1: that is prohibited by applicable law or other regulation
2: that could harm the Service or other customers use of it

In case these terms are violated, Keepit reserves the right to suspend the Service for the Customer to the extent deemed necessary. Keepit will make reasonable effort to assist the customer with addressing the issue so that Service can be resumed as soon as possible.

Suspension of Customer access to the Service on the grounds described here do not constitute “downtime” as defined under the Service Level Agreement and will thus not make the Customer eligible for service credits.

Service Level Agreement

Access to the Keepit service relies on the Keepit web application and the API front-end servers serving data thereto, in the region where the Customer has chosen to have their Keepit service delivered. Keepit will monitor the responsiveness of the API front-end servers every 30 seconds. In the event that all front-end servers for the region chosen by the Customer are unavailable for ICMP and HTTPS service for more than a full minute, this counts as downtime. Scheduled maintenance windows are discounted from this downtime.

The service goal for Keepit is to deliver 99.9% uptime (0.1% or less downtime as defined above) over any calendar quarter.

The service level guarantee for Keepit is

1: to have no more than 72 hours of consecutive downtime excluding scheduled maintenance, except for situations of Force Majeure.

2: to have at least 99.5% uptime excluding scheduled maintenance windows, over any calendar quarter, except for situations of Force Majeure.

If any of these guarantees are breached, the Customer may be eligible for service credits (extending the subscription period without further cost to the Customer).

Service Credits

If Customer believes it is entitled to a remedy in accordance with this Service Level Agreement, Customer must submit a Credit Request within thirty (30) business days of the end of the calendar month in which the suspected service level non-compliance occurred. Customer recognises that logs are only kept for a limited time and therefore any credit request submitted outside of the provided time-frame cannot be met. The request must specify which service was impacted, and the dates and times of service unavailability.

If service uptime was between 99.0% and 99.5% a 3 day Service Credit can be offered. If service uptime was less than 99.0% a 7 day Service Credit can be offered. Service credits can be granted at most once for any given calendar quarter.

Force Majeure

Under this Agreement, neither the Keepit nor the Customer shall be considered liable towards the other Party where the liability arises out of circumstances beyond the control of the relevant Party which could not have been taken into account at signing and could not reasonably have been avoided or surmounted by the relevant Party.

As force majeure is considered the following circumstances: War, civil war, natural disasters or other similar extraordinary event outside of the Party’s reasonable control.

The Party’s obligations will be suspended until the time when the Party is again able to meet its obligations. If the obstacle lasts more than 90 days, the other Party will be able to terminate the Agreement with a 3 month notice in writing if the force majeure circumstances continue to exist by the end of the notice.

Compliance with Laws and regulation

Keepit will comply with all relevant law and regulation applicable to the Service. However, Keepit is not responsible for compliance with laws or regulations that apply to the Customer or to the Customers use of the Service that are not generally applicable to online services or service providers. Keepit cannot and shall not attempt to determine if Customer data may be subject to any additional laws or regulations.

Customer must comply with all applicable laws and regulation surrounding its use of the Service. Customer is responsible for determining if the use of the Service is appropriate for storage and processing of Customer data.

Ownership of data

Customer Data is used and processed only for the purpose of providing the Service to the Customer. Keepit will not process and derive information from Customer Data for advertising or other commercial purposes.

Customer retains all right, title and interest in and to Customer Data. Keepit acquires no rights in Customer Data other than the rights the Customer grants to Keepit to provide the Service to the Customer.

Disclosure of data

Keepit will not disclose Customer Data outside of the Keepit organisation except

1: as directed by the Customer
2: as described in these Service Terms
3: as required by law

Notwithstanding the provisions of this Agreement, Keepit is entitled to process the Customer Data without instructions from Customer, if, and to the extent, such processing is prescribed pursuant to European Union and/or member state law. In such an event, Keepit shall, to the extent permitted by law, inform the Customer of such injunction beforehand and, to the extent possible, allow for the Customer to object thereto.

Processing of Personal Data – GDPR

Any Personal Data provided to Keepit by the Customer is also Customer Data. Customer and Keepit agrees that in relation to the General Data Protection Regulation (GDPR) the Customer acts as “Data Controller” and Keepit as “Data Processor” except for situations where the Customer is the “Data Processor” and Keepit the “Subprocessor”.

Keepit will process data only as instructed by Customer. Customer agrees that these Service Terms along with the Customers configuration and use of the Service constitute Customers complete and documented instructions to Keepit for processing of Customer Data including personal data.

In an instance where GDPR applies and the Customer is Data Processor and Keepit a Subprocessor, Customer warrants that Customers instructions to Keepit have been authorised by the relevant Data Controller.

Records of Processing Activities

Keepit maintains records of processing activities as per GDPR Article 30(2) and makes these records available to the Customer upon request or directly as part of the Service.

Data Security

Keepit implements and maintains appropriate organisational and technical measures to protect Customer Data. These measures are based on industry best practices such as ISO 27001, ISO27002, NIST SP800-30, NIST SP800-39 and FEMA guidelines.

The Keepit organisation undergoes and maintains an ISAE 3402 Type II certification annually. Any facility in which Customer Data is physically located undergoes equivalent or stricter certifications annually as well.

Keepit may, at its discretion, discontinue its ISAE 3402 certification in favour of ISO 27001 certification.

Customer responsibilities

Customer is solely responsible for determining if the technical and organisational measures around the Service meets the requirements for the Customer and the Customer Data. This includes, but is not limited to the GDPR (where applicable).

Customer agrees and acknowledges that the security practices and policies implemented and maintained by Keepit provide a level of security that is reasonable and adequate taking into account the nature of the Customer Data.

Customer is responsible for maintaining security around credentials for accessing the Service and, when applicable, security around the Customer identity provider which may be used to authenticate against the Service.

Auditing

Keepit will conduct independent third party audits of its organisational procedures, security and assets on a yearly basis as part of maintaining the aforementioned certification.

The results of the most recent audit can be requested by the customer under a Non Disclosure Agreement.

In case GDPR applies, Customer agrees to exercise its audit right by requesting a third party audit as described here or by requesting the most recent audit report.

Security Incident Notification

In the event Keepit becomes aware of a breach of security which has lead to accidental or malicious destruction, loss, alteration or distribution of Customer Data while processed by Keepit, Keepit will

1: notify the Customer without undue delay 2: investigate the incident and provide the Customer with detailed information about the incident
3: take reasonable steps to mitigate the effects and minimise the damage from the incident

Notification of a security incident will be delivered to a registered contact person with the Customer by any means available (including e-mail).

Customer is solely responsible for fulfilling any third-party notification obligations, such as GDPR Article 33 or any other applicable law or regulation.

Notification by Keepit of a security incident does not in itself constitute an acknowledgment of any wrongdoing, fault or liability by Keepit.

Data Transfer and Location

The Service is provided in several regions; currently EU, USA and Australia. Keepit may add new regions to the offering at any time but will not remove an existing region without negotiating an exit from that region with the individual customers on the region.

The Customer can choose (upon Service provisioning) from which region the Service must be provided.

Customer Data transferred to the Service will be stored and processed exclusively in the region as chosen by the Customer. Customer appoints Keepit to transfer Customer Data to the chosen region and to store and process Customer Data in the chosen region.

Keepit may remotely manage data storage and processing facilities in the regions from non-regional offices. Organisational measures are in place to ensure that Customer Data is never transferred from its region.

The Keepit support organisation may, as part of an ongoing support issue with the Customer, request access to the Customer Data from the Customer. It is the responsibility of the Customer to determine if such access can be granted under applicable laws and regulations, for example under GDPR Article 49, before granting such access.

It is the responsibility of the Customer to choose a region suitable for the storage of Customer Data. For example, if Customer Data may not be exported from the EU, then the Customer must choose the EU region for the Service.

Keepit does not control or limit the geographies from which the Service can be accessed by the Customer and to or from which geographies transfers can be made by the Customer.

Any Keepit personnel engaged in the maintenance, support or processing of Customer Data is instructed and obligated to maintain the confidentiality of Customer Data, including after the termination of the Service.

Data retention and deletion

Keepit will retain all Customer Data for 30 days after the deletion of the account or termination of this agreement. This “deletion retention” will ensure that Customer access to Customer Data can be re-established after any conceivable targeted attack against customer primary data and backup data.

After expiration of the retention period, Keepit will delete all records of Customer Data without undue delay. Any physical media used to store Customer Data is later either overwritten or physically destroyed as part of the internal Keepit storage lifecycle management process.

Historical records of Customer Data, as provided by the Service, are immutable as is necessary for the reliable delivery of the Service. It is the Customers responsibility upon accessing historical records, to maintain an inventory of records that may no longer be accessed due to applicable law or regulation, such as GDPR Article 17.

Disputes

The terms of service is subject to Danish law and any disputes and disagreements between the Customer and Keepit will be determined by the Maritime and Commercial Court in Copenhagen, Denmark.