Skip to content
CFO Business Breakfast — How to trust AI in financeRequest Invite

Data Processing Agreement

Last Updated: February 26th, 2026

For older version (applies to Order Forms signed before August 18th, 2024), see this page →

Introduction

This is the DPA (Data Processing Agreement) as referred to in the Order Form signed between Keboola and the Client, as such parties are identified in the Order Form, for Services, as defined in the Order Form. This DPA is incorporated in the Order Form. Capitalized terms have the meaning ascribed to them in the Order Form.

Services may involve processing of personal data by Keboola (as a processor or another processor) for the Client (as a controller or a processor) within the meaning of the regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 94/46/EC (General Data Protection Regulation) (GDPR).

Mandatory information

Subject-matter, nature and duration of the processing: The subject-matter and nature of the personal data processing is given by the nature of the Services and it is determined in every single case by the Client by the way the Client uses the Services, in particular the Keboola Connection platform. Keboola processes the personal data in accordance with the instructions of the Client. The Client may give the instructions also by using the Keboola Connection. By default, the subject-matter and nature of the processing is providing of Keboola Connection platform by Keboola to the Client and the Client using such platform. Personal data are processed during the term of Services under the Order Form.

Categories of data subjects and types of personal data: Categories of data subjects and types of personal data processed by Keboola for the Client are defined by the Client’s use of the Services and as of the Effective Date the following applies:

Categories of data subjects

(a) users of Client’s services

(b) Client’s staff (employees and/or contractors)

(c ) Client’s business partners

other (if applicable)

Types of personal data

(a) identification and contact information

(b) information about use of Client’s services and about other engagement of the subject with the Client

other (if applicable)

The Client may update the list of categories of data subjects and/or types of personal data by a notice to Keboola and unless Keboola objects to the notice within 10 days, the updated list shall be incorporated into this DPA.

Other categories of data subjects and types of personal data may be determined by usage of the Services by the Client. In such a case, Keboola shall process any personal data provided by the Client according to the rules set out in this DPA.

No personal data of special categories to be processed, unless such categories are expressly specified above.

Purpose of the processing: Providing the Services by Keboola to the Client.

Notifications and cooperation

Keboola shall notify the Client immediately, but no later than within 48 hours from the time Keboola discovers or is notified by any Sub-processor that any of the following has occurred:

(a) failure to comply with the provisions of this DPA or GDPR or other personal data protection laws; or

(b) security breach of personal data.

In the notification, Keboola shall provide the Client with the following information

(a) the date and time of the incident,

(b) description of the incident,

(c ) names of persons who could be affected by the incident and the category of personal data affected by the incident.

Keboola shall notify the Client immediately, but no later than within 3 days, of:

(a) complaints or requests of personal data subjects in relation to personal data; and

(b) notification of orders or requests of the relevant supervisory authorities or courts in relation to personal data.

In such cases, Keboola shall take no action, other than as instructed by the Client, and upon the Client’s instruction, Keboola shall provide reasonable assistance necessary for the Client to comply with applicable laws.

Sub-processors

Definitions

(a) “Sub-processor” means any third party data processor engaged by Keboola, who receives personal data from Keboola for processing on behalf of the Client and in accordance with Client's instructions;

(b) “Standard Contractual Clauses” means standard contractual clauses referred to as appropriate safeguards for international data transfers in GDPR.

The Client acknowledges and consents that Keboola engages the following Sub-processors for the purpose of providing the Services, to the extent required for the efficient provision of the Services:

(a) Affiliates (which means entities within Keboola group as defined in the Agreement),

(b) individual contractors cooperating with the Keboola or its Affiliates as freelancers or via a sole-proprietor company in providing of the Services, provided that such contractors have entered into a data processing agreement which is materially the same in substance as this DPA,

(c ) other Sub-processors listed at Keboola/subprocessors as of the date of this Agreement.

The Client acknowledges and consents that Keboola engages Sub-processors for the purpose of use of their data cloud platforms in providing the Services, in accordance with the terms of services of such Sub-processors, to the extent their services form part of the Services (Data Cloud Sub-processors), as listed at Keboola/subprocessors.

The Client consents that Keboola engages other Sub-processors as may be required for providing the Services, but always only under the following procedure:

(a) Keboola shall notify any new Sub-processor to be appointed, at least 20 days prior to the date on which the Sub-processor is intended to commence the sub-processing for Keboola (New Sub-Processor Commencement Date). Notification can be done by an update to the List of Sub-processors or by other means.

(b) In the event that the Client objects to any such newly appointed Sub-processor, it shall inform Keboola immediately, but no later than 10 days prior to the New Sub-Processor Commencement Date. In such event, Keboola will either (i) not engage such objected Sub-processor, in which event this DPA shall continue unaffected, or (ii) allow the Client to terminate the Services as of the New Sub-Processor Commencement Date.

Processing within the EU

Keboola undertakes to carry out the processing under this DPA exclusively in a member state of the European Union or third countries with the adequate level of protection within the meaning of GDPR.

To the extent Keboola uses any Data Cloud Sub-processors in provision of the Services, Keboola shall instruct these to process personal data only in data centers within the EU, unless the Client expressly requires a data center in another region. The Client acknowledges that based on publicly available terms of services of Data Cloud Sub-processors, the processed data may be transferred outside the EU in exceptional circumstances, in particular as necessary to comply with the law or binding order of a governmental body. Keboola undertakes to:

(a) have in place the Standard Contractual Clauses with each Data Cloud Sub-processor engaged in provision of the Services;

(b) monitor the approach of competent supervisory authorities to the applicability of the Standard Contractual Clauses for each Data Cloud Sub-processor and to notify the Client in case of any change substantial change in the circumstance which could suggest that the Standard Contractual Clauses do not provide for appropriate safeguards for the potential transfer of personal data to such Data Cloud Sub-processors; this does not apply, if the Data Cloud Sub-processor does not process the personal data outside the countries with the adequate level of protection within the meaning of GDPR.

Other rights and obligation of the parties

The Client, as the controller of personal data (or processor engaging Keboola), undertakes to comply with the obligations imposed at it by the GDPR (including, but not limited to, furnishing data subjects with relevant information regarding personal data processing and making sure that personal data are processed based on valid legal grounds). Keboola undertakes to process personal data in such a manner so as not to violate any provision of the GDPR or any other personal data protection laws and not to cause any violation of the GDPR by the Client. Keboola undertakes, in particular, but not limited to, to abide by the following GDPR requirements:

(a) to process personal data in accordance with the Client’s instructions as set out in this DPA and in accordance with any other documented instruction of the Client and to the extent and in compliance with the purpose for which personal data is to be processed;

(b) to provide on an ongoing basis the Client with electronic access to Services which contain the processed personal data in order to allow the Client to respond to and comply with data subjects’ requests pursuant to Articles 12 to 22 of the GDPR; should such an electronic access be unavailable to the Client, Keboola undertakes to follow, without undue delay, the Client’s detailed written instruction re0garding the relevant data subjects’ requests;

(c ) to assist, insofar as this is technically possible, the Client in ensuring compliance with the obligations pursuant to Articles 32 to 36, always, however, subject to the nature of the processing and the information available to Keboola;

(d) to provide the Client or Client’s auditor or other controlling entity with full documentation related to the provision of the Services under the DPA anytime upon Client’s request, to the extent as required for the Client to comply with GDPR and provided that the Client and the Client’s auditor or other controlling entity will not be allowed to use such documents and information for any purpose other than the audit or control.

Keboola declares that organizational and technical measures to ensure the security of personal data have been implemented pursuant to Article 32 of the GDPR in order to ensure the level of security appropriate to the personal data processing under this DPA, in particular by adhering to SOC2 framework.

Keboola undertakes to maintain confidentiality and to ensure confidentiality of all persons who shall within their scope of authorization have access to personal data processed under this DPA.

Upon the Client’s instruction to so, or within 30 days after the termination of the Services, Keboola undertakes to delete or return to the Client (to the extent these have not been deleted earlier), at the Client’s choice (and if there is no choice within 15 days from the termination, to delete) all the personal data contained within the Services in accordance with applicable laws.

Final provisions

This DPA terminates on later of:

(a) Final termination of the Services and

(b) the day when Keboola and each Sub-processor deletes or returns all personal data processed for the Client.