Keeper Security Terms and Conditions

Data Processing Addendum

This Data Processing Addendum ("Addendum") supplements the Terms of Use ("Terms") and/or other written or electronic agreement ("Agreement") between: (i) Keeper, meaning the Keeper entity that is the contracting party under the Agreement, ("Keeper" or "Vendor") acting on its own behalf and as agent for any Keeper Affiliate; and (ii) the Keeper Customer ("You" or "Customer") acting on its own behalf and as agent for any Customer Affiliate.

The terms used in this Addendum shall have the meanings set forth in this Addendum. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement or is undefined in either the Addendum or Agreement, such terms shall have the meaning as per the European General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016)(as amended from time to time) ("GDPR"). Except as modified below, the terms of the Agreement shall remain in full force and effect.

Определения

В этом Дополнении следующие термины имеют значения, изложенные ниже:

1. Affiliate means any entity that directly or indirectly controls, is controlled by or is under common control with the subject entity. "Control" for purposes of this definition means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
2. Applicable Laws means all laws applicable to the Processing of Customer Data, which may include EU Data Protection Laws, other laws of the European Union or any Member State thereof, UK laws and the laws of any other country to which the Customer or the Customer Data is subject.
3. Customer Data means Personal Data that Keeper collects, receives and/or processes on behalf of and in accordance with the instructions of the Controller pursuant to the Agreement, excluding any Personal Data that Keeper processes as a Controller. Examples of Customer Data include lists of authorized user names, emails, designated roles or other contact information.
4. Controller means the entity which alone or jointly with others determines the purposes and the means of the Processing of Personal Data. For clarity, nothing in this Addendum is intended to create a joint controller relationship between the parties. Each party shall remain individually responsible for compliance with its respective obligations under Applicable Laws.
5. Субъект Данных означает физическое лицо, Персональные Данные которого обрабатываются в контексте настоящего Дополнения.
6. EU Data Protection Laws means GDPR and the e-Privacy Directive 2002/58/EC (as amended by Directive 2009/136/EC and as amended and replaced from time to time) and their national implementing legislation, if any.
7. GDPR означает Общий регламент ЕС по защите данных 2016/679;
8. UK GDPR means the United Kingdom General Data Protection Regulation and the Data Protection Act 2018
9. Independent Controller means an entity that determines the purposes and means of processing Personal Data for its own independent purposes.
10. Personal Data means Customer Data comprising any information relating to an identified or identifiable natural person.
11. Обработчик данных означает организацию, которая обрабатывает Персональные Данные от имени Контроллера.
12. Обработка означает любую операцию или набор операций, выполняемых с Персональными Данными, отдельно или в наборах, с помощью автоматизированных или других средств, например сбор, запись, организация, структурирование, хранение, адаптация или изменение, поиск, консультация, использование, раскрытие путем передачи, разглашения или иного предоставления доступа, согласование или комбинация, ограничение, удаление или уничтожение
13. Услуги означают услуги и другие действия, которые должны быть предоставлены или выполнены Keeper для Заказчика в соответствии с Соглашением;
14. Standard Contractual Clauses means the standard contractual clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection set out in the European Commission's decision 2021/914 of 4 June 2021.
15. Sub-Processor means any Processor engaged by Keeper to process personal data in connection with the Services.

ОБРАБОТКА ПЕРСОНАЛЬНЫХ ДАННЫХ

1. The purpose of the processing under the Addendum is the provision of the Services by Keeper as specified in the Agreement. The parties agree that with regard to the processing by Keeper on behalf of Customer, Customer is the Controller and Keeper is the Processor except for some limited data identified in 2.4 where Keeper acts as Controller. The categories and types of Personal Data processed by Keeper are listed in Sub-Appendix A. The duration of the processing of Personal Data under this Addendum shall be for the term of the Agreement, unless otherwise required by Applicable Laws.
2. Keeper may only act and process the Personal Data in accordance with the documented instructions from the Customer (the "Instruction"), unless required by law to act without such instruction. The Instruction at the time of entering into this Addendum is that Keeper may only process the Personal Data with the purpose of delivering the Services as described in the Agreement. Subject to the terms of this Addendum and with mutual agreement of the parties, the Customer may issue additional written instructions consistent with the terms of this Addendum. The Customer is responsible for ensuring that all individuals who provide written instructions are authorized to do so.
3. Keeper will inform the Customer of any instruction that it deems to be in violation of Applicable Laws, including EU Data Protection Laws and will not execute the instructions until they have been confirmed or modified.
4. Data Processing as a Controller: Keeper will process certain personal data for its own lawful purposes, as an Independent Controller, solely when the processing is necessary and proportionate to one of the following legitimate business purposes: (i) security or fraud detection, (ii) collection and use of analytics for Keeper's reasonable business purposes and for Customer's benefit, (iii) delivery and improvement of technical support and maintenance for the Services (including account registration, billing) and (iv) Customer relationship management, such as processing Customer contact details to receive communications.

КОНФИДЕНЦИАЛЬНОСТЬ И БЕЗОПАСНОСТЬ

1. Keeper shall treat all Personal Data as strictly confidential information. The Personal Data may not be copied, transferred or otherwise processed in conflict with the Instruction, unless the Customer in writing has agreed. Keeper's employees shall be subject to an obligation of confidentiality that ensures that the employees shall treat all the Personal Data under this Addendum with strict confidentiality. Personal Data will only be made available to personnel that require access to such Personal Data for the delivery of the Services and this Addendum.
2. Keeper shall implement the appropriate technical and organizational measures as set out in Sub-Appendix C to this Agreement and in compliance with Applicable Laws, including in accordance with GDPR, article 32. The security measures are subject to technical progress and development. Keeper may update or modify the security measures from time-to-time provided that such updates and modifications do not result in the degradation of the overall security.

ПРАВА СУБЪЕКТА ДАННЫХ

1. If the Customer receives a request from a data subject for the exercise of the data subject's rights under the Applicable Laws and the correct and legitimate reply to such a request requires Keeper's assistance, Keeper shall assist the Customer by providing the necessary information and documentation. Keeper shall be given reasonable time to assist the Customer with such requests in accordance with the Applicable Laws.
2. If Keeper receives a request from a data subject for the exercise of the data subject's rights under the Applicable Laws and such request is related to the Personal Data of the Customer, unless prohibited by law, Keeper will promptly forward the request to the Customer and refrain from responding to the person directly unless and until otherwise instructed by Customer.

НАРУШЕНИЯ БЕЗОПАСНОСТИ ПЕРСОНАЛЬНЫХ ДАННЫХ

1. Keeper shall give prompt notice but no later than 72 hours to the Customer after confirming a breach has occurred, that can lead to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to, Personal Data transmitted, stored or otherwise processed on behalf of the Customer (a "Personal Data Breach").
2. Keeper shall make reasonable efforts to identify the cause of such a breach and take those step as they deem necessary to establish the cause and to prevent such a breach from reoccurring.

ДОКУМЕНТАЦИЯ СООТВЕТСТВИЯ И ПРАВА НА АУДИТОРСКИЕ ПРОВЕРКИ

1. Upon request by a Customer, for cause or to the extent required by Article 28 of the GDPR, Keeper shall make available to the Customer all relevant information necessary to demonstrate compliance with this Addendum and shall allow for and reasonably cooperate with audits, including inspections by the Customer or an auditor mandated by the Customer. The Customer shall give notice of any audit or document inspection to be conducted and shall make reasonable endeavors to avoid causing damage or disruption to Keeper's premises, equipment and business in the course of such an audit or inspection. Any audit or document inspection shall be carried out with reasonable prior written notice of no less than sixty (60) calendar days and shall not be conducted more than once a year.
2. Notwithstanding the above limitations, additional audits shall be permitted at any time where there are indications of non-compliance, a Security Incident or upon request or instruction of a competent supervisory authority.
3. Заказчику может быть выражена просьба подписать соглашение о неразглашении, в разумных рамках приемлемое для Keeper, прежде чем ему будет предоставлена вышеизложенная информация.

ПЕРЕДАЧА ДАННЫХ

1. European Economic Area and Switzerland
   With respect to Customer Personal Data originating from the European Economic Area ("EEA") or Switzerland that is transferred from Customer to Keeper, the Parties agree to comply with the Standard Contractual Clauses approved under Commission Implementing Decision (EU) 2021/914 (the "EU SCCs"), which are incorporated herein by reference.
2. The Parties agree the Controller to Processor terms (Module Two) apply. For data originating from Switzerland, references to "Member State" shall include Switzerland and references to "GDPR" shall be understood as references to the Swiss Federal Act on Data Protection ("FADP"). The Swiss Federal Data Protection and Information Commissioner (FDPIC) shall act as the competent supervisory authority.
3. EU SCC Completion
   For purposes of the EU SCCs:
   (a) Customer acts as the data exporter and Keeper as the data importer;
   (b) Clause 7 (Docking Clause) shall apply only upon mutual written agreement of the Parties;
   (c) Clause 9 (Use of Sub-Processors) Option 2 applies, with Sub-Processors as identified in Sub Appendix B
   (d) Clause 11 (Independent dispute resolution) optional language shall not apply;
   (e) Clause 17 (Governing law) the laws of Ireland; Clause 18 (Jurisdiction) — the courts of Ireland; and
   (f) Annex I and II are completed by reference to this DPA and. Keeper's technical and organizational measures are described at Sub-Appendix C
4. United Kingdom
   For Customer Personal Data transferred from the United Kingdom to Keeper, the Parties agree that the UK International Data Transfer Agreement (IDTA), UK Addendum to the EU SCCs, as issued by the Information Commissioner's Office, shall apply and are incorporated by reference. For purposes of the UK Addendum:
   (a) Customer acts as data exporter and Keeper as data importer;
   (b) Governing law and jurisdiction — England and Wales; and
   (c) Security measures are as set out in Sub Appendix C and in Keeper's Security Documentation.
   The docking clause shall apply only upon mutual written agreement of the Parties.
5. Brazil (LGPD)
   For Customer Personal Data subject to the Lei Geral de Proteção de Dados Pessoais (Federal Law No. 13,709/2018 - "LGPD"), the Parties agree that international transfers shall comply with Articles 33-36 of the LGPD and the Regulation on International Transfers of Personal Data issued by the Autoridade Nacional de Proteção de Dados (ANPD), including the Standard Contractual Clauses (Cláusulas-Padrão Contratuais) approved in Annex II of that Regulation, which are incorporated herein by reference.

   5.1 These Clauses shall apply without modification and be completed as follows:
   website_terms_dpa_0032_a website_terms_dpa_0032_b website_terms_dpa_0032_c website_terms_dpa_0032_d website_terms_dpa_0032_e website_terms_dpa_0032_f website_terms_dpa_0032_g website_terms_dpa_0032_h website_terms_dpa_0032_i

   5.2 The Docking Clause (Clause 9 of the Brazilian SCCs) shall apply only upon mutual written agreement of the Parties.

6. For all other jurisdictions lacking an adequacy decision, Keeper shall implement suitable transfer mechanisms under Article 46 GDPR, the UK GDPR and Articles 33-36 of the LGPD; or other applicable law to ensure adequate protection.
7. Where DPF frameworks do not apply, the Parties shall rely on the appropriate Standard Contractual Clauses or equivalent safeguards recognized under applicable Data Protection Laws.
8. For all other jurisdictions lacking an adequacy decision, Keeper shall implement suitable transfer mechanisms under Article 46 GDPR, the UK GDPR and Articles 33-36 of the LGPD; or other applicable law to ensure adequate protection.
9. Updates to Transfer Mechanisms
   If the European Commission, UK ICO, Swiss FDPIC or Brazilian ANPD adopts revised or replacement transfer mechanisms, those shall automatically replace the clauses referenced herein to maintain continuous compliance with applicable Data Protection Laws.
10. EU-U.S. Data Privacy Framework
    Keeper is an active participant in the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework and the Swiss-U.S. Data Privacy Framework. You may check Keeper's certification status here: https://www.dataprivacyframework.gov/list. Should the Data Privacy Framework cease to apply, data transfers will continue under the Standard Contractual Clauses.
11. Если Заказчик считает, что этих мер недостаточно для удовлетворения юридических требований в каких-либо конкретных обстоятельствах, Заказчик должен предоставить Keeper письменное уведомление об обоснованиях таких точек зрения, и Стороны должны добросовестно работать вместе над поиском взаимоприемлемой альтернативы.
12. U.S. State Privacy Laws (including the CCPA, as amended)
    

    To the extent Keeper processes Customer Personal Data that is subject to the California Consumer Privacy Act of 2018, as amended and in force from time to time (including the California Privacy Rights Act and any subsequent amendments, collectively the "CCPA") or any other U.S. state privacy law imposing materially similar obligations on processors or service providers (collectively, the "State Privacy Laws"), Keeper will act as Customer's Service Provider or Processor, as applicable:

    (a) Keeper will process such Personal Data only for the business purposes described in the Agreement and this Addendum and not for any purpose other than providing the Services.
    (b) Keeper will not sell, share or otherwise disclose Personal Data, or disclose such data for any purpose outside the direct business relationship with Customer, except as permitted by the State Privacy Laws.
    (c) Keeper will ensure that any Sub-Processor agreement includes equivalent service provider or processor restrictions and obligations.
    (d) Keeper will promptly notify Customer if it determines that it can no longer meet its obligations under State Privacy Laws and Customer may take reasonable and appropriate steps to stop and remediate any unauthorized use of Personal Data.
    (e) Keeper certifies that it understands and will comply with its obligations under the State Privacy Laws.

СУБОБРАБОТЧИКИ

1. Keeper is given general authorization to engage third-parties to process the Personal Data ("Sub-Processors") without obtaining any further written, specific authorization from the Customer. Keeper shall complete a written Sub-Processor agreement with any Sub-Processor. Such an agreement shall at a minimum provide the same data protection obligations as the ones applicable to Keeper, including the obligations under this Addendum. Keeper shall, on an ongoing basis, monitor and control its Sub-Processors' compliance with the applicable Data Protection Law and documentation of such monitoring and control shall be provided to the Customer, if requested in writing.
2. If Sub-Processor performs the agreed services outside the EU/EEA, Keeper shall ensure their admissibility under data protection law by taking appropriate measures.
3. At the time of entering into this Addendum, Keeper is using the Sub-Processors as referenced in Sub-Appendix B . Keeper provides Customer with a mechanism to register for updates of new Sub-Processors on its Trust Center. Notice of new or replacement Sub Processors shall be provided via Keeper's Trust Center or other reasonable electronic means and the objection period shall commence upon such notice.
4. Customer may, in good faith, reasonably object to Keeper's change of or use of a new Sub-Processor by providing written notice by e-mail at privacy@keepersecurity.com within ten (10) business days of receiving notification from Keeper of a new Sub-Processor. Such written notice shall include, at a minimum, Customer's good faith, reasonable grounds for the objection. Keeper shall use commercially reasonable efforts to recommend a change to Customer's use of the Services. The absence of any objections from the Customer within ten (10) business days shall be deemed consent to the relevant Sub-Processor.
5. In the event the Customer objects to a new Sub-Processor and the parties cannot mutually resolve the Customer's objection, Customer may terminate the Services with respect only to the Services that cannot be provided by Keeper without the use of the challenged new Sub-Processors by providing written notice to Keeper.
6. Keeper несет ответственность перед Заказчиком за любого Субобработчика так же, как и за свои собственные действия и бездействие.

РАСТОРЖЕНИЕ СОГЛАШЕНИЯ; ВОЗВРАТ ИЛИ УДАЛЕНИЕ ПЕРСОНАЛЬНЫХ ДАННЫХ

1. После истечения или в случае расторжения Соглашения Keeper удалит или вернет Заказчику все Персональные Данные, находящиеся в его распоряжении, как это предусмотрено в Соглашении, за исключением случаев, когда Применимые Законы требуют от Keeper сохранить некоторые или все Персональные Данные (в этом случае Keeper заархивирует данные и примет разумные меры для предотвращения любой дальнейшей обработки Персональных Данных). Условия настоящего Дополнения будут по-прежнему применяться к таким Персональным Данным.

ОЦЕНКА ВЛИЯНИЯ НА ЗАЩИТУ ДАННЫХ И ПРЕДВАРИТЕЛЬНАЯ КОНСУЛЬТАЦИЯ

1. If Keeper's assistance is necessary and relevant, the parties will cooperate to the extent reasonably necessary in preparing data protection impact assessments in accordance with GDPR, article 35, along with any prior consultation in accordance with GDPR, article 36. The parties will each bear their respective costs when fulfilling such obligations.

ПРОЧИЕ УСЛОВИЯ

1. Modification of Addendum: This Addendum may only be modified by a written amendment signed by each of the Parties.
2. Governing Law, Venue and Jurisdiction: All disputes and actions regarding this Agreement shall be exclusively: brought before the courts of and construed (without regard to conflict of law provisions) pursuant the laws specified in the Agreement.
3. Invalidity and Severability; Conflict: If any provision of this Addendum is found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, the invalidity or unenforceability of such provision shall not affect any other provision of this Addendum and all provisions not affected by such invalidity or unenforceability will remain in full force and effect. In the event of any inconsistency between this Addendum and Standard Contractual Clauses entered into by the parties, if any, the Standard Contractual Clauses shall prevail.

СУБПРИЛОЖЕНИЕ А

Персональные данные

1. Keeper обрабатывает следующие типы Персональных Данных в связи с предоставлением услуг:
   1. Переданные персональные данные касаются контактной информации (имя, адрес, адрес электронной почты, телефон), данных о субъекте, IP-адреса, идентификатора устройства и информации о версии приложения.

Категории Субъектов Данных

1. Keeper обрабатывает персональные данные о следующих категориях субъектов данных от имени Заказчика:
   1. Заказчик
   2. Customer's Authorized End Users, including employees of Customer.

SUB-APPENDIX B - Approved Sub-processors

A current list of Keeper's Sub-Processors is available at 1B Sub-Processors . This includes details of Sub Processor legal entity names and locations. Sub-Processors are updated from time to time and Customer may register to receive updates on Keeper's Trust Center.

SUB-APPENDIX C - Data Security Schedule

This Data Security Schedule supplements the Agreement between Customer and Keeper governing your use of the Services. Unless otherwise defined in this Schedule, all capitalized terms used in this Schedule will have the meanings given to them in the Agreement.

1. Data Processing Scope. This Schedule applies to all Keeper Services and the processing of all data provided by Customer to Keeper ("Customer Data").
2. Confidentiality of Customer Data. Keeper will not access, use or disclose to any third party, any Customer Data, except, in each case, as necessary to maintain or provide the Services or as necessary to comply with the law or a valid and binding order of a governmental body (such as a subpoena or court order). If a governmental body sends Keeper a demand for Customer Data, Keeper will attempt to redirect the governmental body to request that data directly from Customer. As part of this effort, Keeper may provide Customer's basic contact information to the governmental body. If compelled to disclose Customer Data to a governmental body, then Keeper will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless Keeper is legally prohibited from doing so. Keeper restricts its personnel from processing Customer Data without authorization by Keeper as described in Annex 1 - Security Standards attached hereto. Keeper imposes appropriate contractual obligations upon its personnel, including relevant obligations regarding confidentiality, data protection and data security.
3. Security of Data Processing. Keeper has implemented and will maintain the technical and organizational measures for the Keeper systems as described in the Security Standards and this Section. In particular, Keeper has implemented and will maintain the following technical and organizational measures:
   
   1. security of the Keeper systems as set out in the Security Standards;
   2. physical security of the facilities as set out in the Security Standards;
   3. measures to control access rights for authorized personnel to the Keeper Systems as set out in Security Standards; and
   4. processes for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures implemented by Keeper as described in Section 2 of the Security Standards.
4. Keeper Certifications and Audits.
   
   1. Keeper Certification and Reports. In addition to the information contained in this Schedule, upon Customer's request, Keeper will make available its ISO 27001 and its SOC2 certificates. Keeper's information-security controls are validated through independent assessments and certifications and can be accessed on Keeper's Trust Center, certifications include:
      • SOC 2 Type II (AICPA Trust Services Criteria)
      • ISO 27001, ISO 27017 and ISO 27018
      • FedRAMP Moderate Authorisation (for Keeper Security Government Cloud)
      • FIPS 140-3 validated cryptographic modules
      • HIPAA-aligned architecture (Keeper is not a Business Associate as it cannot access ePHI)
      • GDPR, UK GDPR and Digital Operational Resilience Act (DORA) compliance alignment
   2. Audits. Keeper uses external auditors to verify the adequacy of its security measures, including the security of the physical data centers from which Keeper provides the Services. This audit: (a) will be performed at least annually; (b) will be performed according to ISO 27001 standards or such other alternative standards that are substantially equivalent thereto; (c) will be performed by independent third-party security professionals at Keeper's selection and expense; and (d) will result in the generation of an audit report ("Report"), which will be Keeper's Confidential Information.

Annex 1 - Security Standards

Information Security Program. Keeper will maintain an information security program designed to (a) enable Customer to secure Customer Data against accidental or unlawful loss, access or disclosure, (b) identify reasonably foreseeable risks to the security and availability of the Keeper systems and (c) minimize physical and logical security risks to the Keeper systems, including through regular risk assessment and testing. KEEPER will designate one or more employees to coordinate and be accountable for the information security program.

Keeper's information security program will include the following measures:

1. Logical Security.
   
   1. Access Controls. Keeper will make the Keeper systems accessible only to authorized personnel and only as necessary to maintain and provide the Services. Keeper will maintain access controls and policies to manage authorizations for access to the Keeper systems from each network connection and user, including through the use of firewalls or functionally equivalent technology and authentication controls. Keeper will maintain access controls designed to (i) restrict unauthorized access to data and (ii) segregate each customer's data from other customers' data.
   2. Restricted User Access. Keeper will (i) provision and restrict user access to the Keeper systems in accordance with least privilege principles based on personnel job functions, (ii) require review and approval prior to provisioning access to the Keeper systems above least privileged principles, including administrator accounts; (iii) require at least quarterly review of Keeper systems access privileges and, where necessary, revoke Keeper systems access privileges in a timely manner and (iv) require two- factor authentication for access to the Keeper systems from remote locations.
   3. Vulnerability Assessments. Keeper will perform regular external vulnerability assessments and penetration testing of the Keeper systems and will investigate identified issues and track them to resolution in a timely manner.
   4. Application Security. Before publicly launching new Services or significant new features of Services, Keeper will perform application security reviews designed to identify, mitigate and remediate security risks.
   5. Change Management. Keeper will maintain controls designed to log, authorize, test, approve and document changes to existing Keeper systems resources and will document change details within its change management or deployment tools. Keeper will test changes according to its change management standards prior to migration to production. Keeper will maintain processes designed to detect unauthorized changes to the Keeper systems and track identified issues to a resolution. Keeper has secure coding standards, static/dynamic analysis, peer review and formal change approval prior to production deployment. Developers receive annual security and privacy training.
   6. Data Integrity. Keeper will maintain controls designed to provide data integrity during transmission, storage and processing within the Keeper systems. Keeper will provide Customer the ability to delete Customer Data from the Keeper systems.
   7. Encryption and decryption occur solely on the end-user device. Keeper cannot access plaintext vault content or master passwords. Zero-trust principles enforce user and device authentication before access. Encryption keys are derived on the user's device (e.g., PBKDF2 derivation). Unencrypted keys or master passwords are never stored or transmitted to Keeper.
   8. Keeper supports TOTP, Duo Security, FIDO/U2F keys and biometrics. SSO Connect® and SSO Connect® Cloud provide zero-knowledge authentication via SAML 2.0. Granular role-based access controls are available to administrators.
   9. TLS encryption for all connections, strong API authentication, network segmentation, intrusion detection and 24x7 monitoring for availability and threat events.
   10. Business Continuity and Disaster Recovery. Keeper will maintain a formal risk management program designed to support the continuity of its critical business functions ("Business Continuity Program"). The Business Continuity Program includes processes and procedures for identification of, response to and recovery from, events that could prevent or materially impair Keeper provision of the Services (a "BCP Event"). The Business Continuity Program includes a three-phased approach that Keeper will follow to manage BCP Events:
2. Activation & Notification Phase. As Keeper identifies issues likely to result in a BCP Event, Keeper will escalate, validate and investigate those issues. During this phase, Keeper will analyze the root cause of the BCP Event.
   1. Recovery Phase. Keeper assigns responsibility to the appropriate teams to take steps to restore normal system functionality or stabilize the affected Services.
   2. Reconstitution Phase. Keeper leadership reviews actions taken and confirms that the recovery effort is complete and the affected portions of the Services and Keeper systems have been restored. Following such confirmation, Keeper conducts a post-mortem analysis of the BCP Event.
3. Incident Management. Keeper will maintain corrective action plans and incident response plans to respond to potential security threats to the Keeper systems. Keeper incident response plans will have defined processes to detect, mitigate, investigate and report security incidents. The Keeper incident response plans include incident verification, attack analysis, containment, data collection and problem remediation.
4. Storage Media Decommissioning. Keeper will maintain a media decommissioning process that is conducted prior to final disposal of storage media used to store Customer Data. Prior to final disposal, storage media that was used to store Customer Data will be degaussed, erased, purged, physically destroyed or otherwise sanitized in accordance with industry standard practices designed to ensure that the Customer Data cannot be retrieved from the applicable type of storage media.
5. Physical Security.
   
   1. Access Controls. Keeper will (i) implement and maintain physical safeguards designed to prevent unauthorized physical access, damage or interference to the Keeper systems, (ii) use appropriate control devices to restrict physical access to the Keeper systems to only authorized personnel who have a legitimate business need for such access, (iii) monitor physical access to the Keeper systems using intrusion detection systems designed to monitor, detect and alert appropriate personnel of security incidents, (iv) log and regularly audit physical access to the Keeper systems and (v) perform periodic reviews to validate adherence with these standards.
   2. Availability. Keeper will (i) implement redundant systems for the Keeper systems designed to minimize the effect of a malfunction on the Keeper systems, (ii) design the Keeper systems to anticipate and tolerate hardware failures and (iii) implement automated processes designed to move customer data traffic away from the affected area in the case of hardware failure.
6. Keeper Employees
   1. Employee Security Training. Keeper will implement and maintain employee security training programs regarding Keeper information security requirements. The security awareness training programs will be reviewed and updated at least annually.
   2. Background Checks. Where permitted by law and to the extent available from applicable governmental authorities, Keeper will require that each employee undergo a background investigation that is reasonable and appropriate for that employee's position and level of access to the Keeper systems.
7. Continued Evaluation. Keeper will conduct periodic reviews of the information security program for the Keeper systems. Keeper will update or alter its information security program as necessary to respond to new security risks and to take advantage of new technologies.
8. Соблюдение Закона об устойчивости цифровых операций (DORA)
   In support of compliance with the Digital Operational Resilience Act (DORA), Keeper maintains thorough operational and security measures to safeguard Keeper's software and systems. This includes, but is not limited to, implementing effective risk management processes, tracking and management of uptime availability, maintaining strict internal policies for security, requiring internal security trainings and establishing incident response protocols. Keeper continuously monitors, updates and refines procedures to mitigate risks and ensure operational functionality and security across Keeper software and services.