legal

PRIVACY AGREEMENT

1. Introduction

Keybe is committed to protecting the privacy of the people who visit the Company’s websites (“Visitor(s)”, “You,” and the derived adjective “Your”), the people who register to use the Service as defined below (“Clients”), and the people who register who attend the Company’s corporate events (“Attendees”). This Privacy Statement describes Keybe’s privacy practices with respect to its websites and related services and applications offered by Keybe (collectively, the “Service”).

If you have questions or complaints regarding Keybe’s Privacy Statement or Practices, please contact us at [email protected].

2. Covered websites

Keybe has established this Privacy Statement to help you understand how Keybe collects and uses personally identifiable information. This Privacy Statement covers the information practices of websites that link to this Privacy Agreement, including but not limited to  https://keybe.us.

Keybe’s websites may contain links to other websites. Keybe is not responsible for the information practices or the content of such websites. The Company encourages you to review the privacy statements of other websites to understand their information practices.

3. Information collected by Keybe

Keybe collects information from visitors. This information is collected in accordance with this Privacy Statement, from sources including, but not limited to, content syndication, website registration forms, webinar, and conference registration forms.

Personal information you provide to us. Keybe collects information from visitors to Keybe’s websites and customers of the service. Keybe receives and stores any information entered when you express interest in obtaining more information about the Service or register to use the Service.

“Personal Information" is described below:

• Contact Information: email addresses, phone numbers, physical, numeric, or metaverse addresses.
• Demographic Information
• Personality Data
• Preference Data
• Security Data
• Health Data
• Financial Data
• Third-party data
• Public Web Data
• Transactions
• Photographs
• Videos
• Audios
• Contact lists

Personal information is collected automatically. By agreeing to the "Privacy Agreement" through the "Covered websites", an "Individual" as a visitor, agrees that Keybe may collect, store, manage, enhance and use their "Personal Information" for marketing, legal and financial purposes. Keybe may also automatically collect information using commonly used information collection tools such as cookies and web beacons.

Keybe has policies and principles of "good behavior". Our culture and purpose always put the "Individual" first, with integrity, safety and security.

4. Other third-party tracking

Keybe contracts with third parties, who use web beacons, images, and scripts, to help better manage the content on Keybe’s websites. Keybe does not provide personal information to third parties, but may link information collected from third-party tracking to personal information of visitors for marketing purposes.

5. Cookies:

Keybe uses cookies to make interactions with websites easy and meaningful. When a visitor interacts with the websites, Keybe’s servers send a cookie to the visitor’s computer. Standing, cookies do not personally identify the visitor, but simply recognize the visitor’s web browser. Unless the visitor chooses to identify themselves with Keybe, either by responding to a promotional offer, opening an account, or completing a web form, Keybe has no way of associating this cookie information with the visitor’s personal information.

For websites, Keybe uses session-based cookies. Session cookies exist only during a session. They disappear from the Vis

Most browsers have an option to disable cookies, which will prevent the browser from accepting new cookies, as well as (depending on the sophistication of the browser software) allowing the visitor to decide on the acceptance of each new cookie in various ways.

Keybe’s websites connect visitors to third-party services, with whom Keybe partners to provide relevant content. The use of cookies by Keybe partners is not covered by the Keybe Privacy Statement. Keybe does not have access or control over these cookies. Keybe’s partners use session ID cookies to manage a Client’s connection to the partner’s service.

6. DATA CONTROLLER:

Company Name: KEYBE INC
2915 Biscayne Blvd. Suite 300
Miami, FL
33137

Email: [email protected]
Website: https://keybe.us

7. OBJECTIVE AND SCOPE:

At Keybe we recognize the importance of the security, privacy, and confidentiality of the personal information of our clients, workers, suppliers, and the people who use our identity services, who provide us with information through various enabled channels (including websites, applications, API’s, physical documents, among others) and we are committed to the protection and adequate treatment of them, in accordance with the legal regime for the protection of personal data applicable to each country where we operate.

For KEYBE it is necessary to collect certain personal data to carry out the activities intrinsic to its commercial line of business. KEYBE has a legal and social obligation to implement adequate security measures to protect the personal data it has collected for the purposes specified in this Privacy and Personal Data Protection Agreement (“Policy”).

Therefore, the objective of this Policy is to communicate to our clients, workers, suppliers, users of the Website and, in general, to the owners of personal information (data subjects), the type of data, the purposes of the Treatment to make possible the provision of our service, the protection and rights that assist you as the data subject of the information and the procedures to exercise them.

In general, all the information and data that you provide us, or that we otherwise collect in the context, by any means or by reason of the ordinary course of your commercial activities, will be used by KEYBE in accordance with the Regulation (UE) 2016/679 (“GDPR”) and Law 1581 of 2012. The foregoing means that any form of processing of your personal data carried out by KEYBE will uphold the principles of legality, equity, transparency, purpose limitation, storage limitation, data minimization, accuracy, integrity and confidentiality.

8. DEFINITIONS AND CONCEPTS:

For the interpretation of this Policy, we ask you to take into account the following definitions:

• Authorization: prior, express and informed consent of the Data Subject to carry out the processing of personal data.
• Database: organized set of personal data that is subject to Treatment.
• Consent: it is a manifestation of the informed, free, and unequivocal will, through which the data subject of the personal data accepts that a third party uses their information.
• Queries: the Data Subjects or their successors in title may consult the Data Subject’s personal information that resides in any database, be it the public or private sector. The Data Controller or Data Processor must provide them with all the information contained in the individual record or that is linked to the identification of the Data Subject.
• Personal Data: refers to any information associated with an identified or identifiable natural person, relative to their identity, as well as their existence and occupations.
• Public Data: it is the data classified as such by the Constitution or the Law and all that is not semi-private or private, in accordance with this law. The data contained in public documents, gazettes and judicial bulletins, duly executed judicial decisions that are not subject to reserve, and those related to the civil status of people are public, among others.
• Semi-private data: The data that is not intimate, reserved, or public in nature, and which knowledge or disclosure may interest not only the data subject but also a certain sector or group of people or society in general is semi-private, such as financial and credit data of commercial activity or services.
• Private Data: It is the data that due to its intimate or reserved nature is only relevant to the data subject.
• Sensitive Data: For the purposes of this policy, sensitive data is understood to be anything that affects the privacy of the Data Subject or whose improper use may generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership in trade unions, social or human rights organizations or that promote the interests of any political party or that guarantees the rights and warranties of opposition political parties as well as data related to health, sexual life, biometric data, passwords and financial data.
• Data Processor: Natural or legal person, public or private, that by themselves or in association with others, carries out the Treatment of personal data on behalf of the Data Controller.
• Habeas Data: It is the right that every owner of information (data subject) has to know, update, rectify or oppose the information concerning their personal data
• Data Processing Policy, or Policy: refers to this document as the personal data processing policy applied by the Company in accordance with the guidelines of current legislation on the matter.
• Provider: any natural or legal person that provides a service to the Company by virtue of a contractual or mandatory relationship.
• Claim: the Data Subject or his successors in title who consider that the information contained in a database should be subject to correction, updating or deletion, or when they notice the alleged breach of any of the duties contained in this law, they may file a claim before the Data Controller or the Data Processor.
• Data Controller: natural or legal person, public or private, that by itself or in association with others, decides on the database and/or the processing of personal data.
• Treatment: any physical or automated operation or procedures that allow to capture, record, reproduce, conserve, organize, modify, and/or transmit personal data.
• Data Subject: is the natural person whose personal data is being processed by a third party, be it a client, supplier, employee, or any third party who, due to a legal or commercial relationship, provides personal data to the Company.
• Transmission: refers to the communication of personal data by the Responsible Party to the Manager, located within or outside the national territory, so that the Manager, on behalf of the Responsible Party, treats personal data.
• reatment: Any operation or set of operations on personal data, such as the collection, storage, use, circulation or deletion.

To understand the terms that are not included in the previous list, you must refer to current legislation, especially Law 1581 of 2012 and chapters 25 and 26 of Decree 1074 of 2015 and Regulation (EU) 2016 / 679 (“GDPR”), giving the meaning used in said standards to the terms whose definition there is doubt.

9. PRINCIPLES APPLICABLE TO THE PROCESSING OF PERSONAL DATA

At KEYBE we are committed to complying with the principles that govern the processing of personal data of our stakeholders and, in general, of any natural person whose personal data is in our databases and/or files, guaranteeing the application of the general principles for the treatment of this type of data, which are indicated below:

• Principle of Legality. The processing of personal data is a regulated activity and must obey a legitimate purpose, for which KEYBE will compulsorily comply with the provisions of Law 1581 and the other provisions that develop it.
• Principle of Purpose. KEYBE will treat personal data always obeying a legitimate purpose which will be previously informed to the data subject.
• Principle of Freedom. KEYBE will only process personal data when it has the prior, express and informed consent of the data subject. The Data Subject may, in any case, refuse the processing of their sensitive data.
• Principle of Veracity or Quality. The personal data processed by KEYBE must be truthful, complete, exact, updated, verifiable and understandable
• Principle of Transparency. KEYBE, will guarantee the owner of the personal data (data subject), at any time and without restrictions, to obtain information about the existence of data that concerns them.
• Principle of Access and Restricted Circulation. KEYBE, undertakes that the processing of personal data will be carried out by entities authorized by the data subject and/or by the persons provided for in Law 1581 of 2012. Personal data may not be available on the internet or other means of disclosure or massive communication, unless the access is technically controllable to provide restricted knowledge only to the data subjects or authorized third parties.
• Principle of Security. The information subject to treatment by KEYBE, will be handled with the technical, human and administrative measures necessary to grant security to the records, avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access.
• Principle of Confidentiality. KEYBE, undertakes that the people who intervene in the processing of personal data that are not public in nature will be obliged to guarantee the reserving of the information, even after the end of their relationship with any of the tasks that comprise the treatment, being able to only supply or communicate personal data when this corresponds to the development of authorized activities.
• Principle of Demonstrated Responsibility (Accountability). One that is based on the approach of recognition and commitment of organizations in order to increase the standards of protection to ensure and guarantee people an adequate treatment of their personal data. This principle entails an obligation for KEYBE to be accountable for its activities regarding the protection of personal data, accept responsibility for them and disclose the results in a transparent manner.

10.DUTIES OF KEYBE AS PEROSNAL DATA CONTROLLER

KEYBE as Data Controller will fulfill the following duties, without prejudice to the other provisions provided in the law and in others that govern its commercial activity:

• Guarantee the Data Subject, at all times, the full and effective exercise of the right to habeas data;
• Request and keep, under the conditions provided by law, a copy of the respective authorization granted by the Data Subject;
• Properly inform the Data Subject about the purpose of the collection and the rights that assist him by virtue of the authorization granted;
• Keep the information under the security conditions necessary to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access;
• Guarantee that the information provided to the Data Processor is true, complete, exact, updated, verifiable and understandable;
• Update the information, communicating in a timely manner to the Data Processor, all the updates regarding the data that you have previously provided and adopt the other necessary measures so that the information provided to them is kept up-to-date;
• Rectify the information when it is incorrect and communicate the pertinent to the Data Processor;
• Provide the Data Processor, as the case may be, only data whose Treatment is previously authorized in accordance with the provisions of the law;
• Require the Data Processor, at all times, to respect the security and privacy conditions of the Data Subject’s information;
• Process the queries and claims formulated in the terms indicated in the present law;
• Adopt an internal manual of policies and procedures to guarantee adequate compliance with the law and, especially, for the attention of queries and complaints;
• Inform the Data Processor when certain information is under discussion by the Data Subject, once the claim has been submitted and the respective procedure has not been completed;
• Inform at the request of the Data Subject about the use given to their data;
• Inform the data protection authority when there are violations of the security codes and there are risks in the administration of the information of the Data Subjects.
• Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.

11.  TEMPORARY LIMITATIONS TO THE PROCESSING OF PERSONAL DATA

KEYBE will only collect, store, use or circulate personal data for as long as is reasonable and necessary, in accordance with the purposes that justified the treatment, taking into account the provisions applicable to the matter in question and the administrative, accounting, fiscal, legal and historical information. Once the purpose or purposes of the treatment have been fulfilled and, without prejudice to legal regulations that provide otherwise, it will proceed to delete the personal data in its possession. However, KEYBE may keep your personal data when required to comply with a legal or contractual obligation.

Notwithstanding the foregoing, you as the Data Subject may, at any time, revoke the consent you have given for the processing of your personal data, unless legally or contractually KEYBE must process said information, by sending a communication and/or written request, through the contact channels contemplated in this Policy, providing a copy of your identification document or any other document that, in the opinion of KEYBE, allows you to prove your identity.

12. PURPOSES OF THE TREATMENT

KEYBE recognizes that the owner of personal data (Data Subject) has the right to have a reasonable expectation of their privacy, taking into account, in any case, their responsibilities, rights and obligations with KEYBE. By virtue of the relationship established between you and KEYBE, we inform you that your personal data will be treated with full respect for the principles defined in the applicable law and that the collection, use, circulation, transmission, transfer and, in general, any form of treatment on them, will be done in accordance with the following purposes that will be previously informed, corresponding, in any case, to the development of its corporate purpose and the ordinary course of its activities.

13. General Purposes:

The purposes described below will be applicable to all Data Subjects who have previously, in an express and informed way, authorized the processing of their personal data:

• Confirm, comply with and provide the services and/or products purchased, directly and/or with the participation of third party providers of products or services.
• Inform about substantial changes in the Policy adopted by KEYBE.
• Establish and manage the relationship, may it be pre-contractual and contractual, commercial, labor, civil, and of any other nature that arises by virtue of the fulfillment of a legal or contractual obligation in responsibility of KEYBE.
• Respond to requests, queries, claims and/or complaints made by the holders of personal information (Data Subjects) through any of the channels enabled by KEYBE for this purpose.
• Transfer or transmit your personal data to entities and/or judicial and/or administrative authorities, when these are required in relation to their purpose, and necessary for the fulfillment of their legal or contractual functions.

14. Shareholders:

The treatment of the personal data of KEYBE shareholders will be carried out in accordance with the provisions of the Commercial Code, and with any other rule that regulates this matter. The purposes applicable to the shareholders’ personal data are the following:

• Allow the exercise of the rights and duties derived from the function of shareholders.
• Make the payment of dividends.
• Collect, register and update your personal data in order to inform, communicate, organize, control, attend and accredit the activities in relation to their function of shareholders.
• Comply with judicial, administrative and legal decisions related to their function of shareholders.

15. Candidates for a Vacancy:

KEYBE will use the personal data of the candidates for a vacancy in accordance with the purposes listed below:

• Establish and manage the recruitment, selection and hiring process.
• Carry out selection, competencies and skills tests, home visits, psychosocial evaluations, and all other evaluations that are deemed convenient in order to identify the relevance of the candidate’s hiring.
• Store the personal data in a physical and/or digital file or folder that will be identified with the CANDIDATE’s name; the folder or file, may be accessed by KEYBE management or by whoever has been delegated for this purpose.
• KEYBE will keep the information that resides in the file or folder of the candidate for a vacancy for an indefinite period of time to meet the requirements of administrative authorities, and audit requirements.

16.  Employees:

KEYBE will use the personal data of its employees in accordance with the purposes listed below:

• Incorporate the personal data in the employment contract, and make modifications and additions to said contract, as well as in the other documents that are necessary to manage the employment relationship and obligations derived from it that are in care of KEYBE as Data Controller of their personal information.
• Carry out performance, competencies and skills tests, home visits, psychosocial evaluations and others that are deemed appropriate in order to identify the relevance of the person’s employment relationship.
• Develop proper management of the employment relationship that links the owner of the personal data (Data Subject) with KEYBE.
• To have the personal data of the collaborators to incorporate them appropriately in the active and historical labor files of KEYBE and keep them updated.
• Send internal communications related or not to your employment relationship.
• Manage personal data so that KEYBE, as an employer, correctly fulfills its obligations. For example: carry out the affiliations to which the worker is entitled by law before the Comprehensive Social Security System, family compensation funds and other matters related to social benefits, contributions, withholdings, taxes, labor disputes, as well as in the case of contributions or payments to other entities where the collaborator had previously authorized the processing of their data.
• Manage the personal data of the data subject and those of his family nucleus to carry out affiliation procedures with health promoting entities, family compensation funds, labor risk administrators, and others necessary for KEYBE to fulfill its duty as an employer.
• Respond to requests from the worker regarding the issuance of certificates, records and other documents requested from KEYBE in cause of the employment relationship.
• Promote the participation in programs developed by KEYBE aimed at well-being and a good work environment.
• Manage the personal data to guarantee a correct assignment of work tools (including IT tools such as email, computers, mobile devices, access to databases, etc.)
• Manage the personal data to ensure proper execution of the provisions of the Internal Work Regulations, including disciplinary processes and pertinent investigations.
• Monitor and use the images captured through video surveillance systems in order to control and evaluate the development and performance of work activities in the workplace.
• Manage the personal data to make the correct payroll payment, including making discounts for payments to third parties that the employee has previously authorized and making reports related to this process.

17. Suppliers and/or Contractors:

KEYBE will use the personal data of the suppliers and/or contractors in accordance with the purposes listed below:

• Develop proper management of the contractual relationship
• Collect, register and update the personal data in order to inform, communicate, organize, control, attend, and/or accredit the activities in relation to your status as provider and/or third party related to KEYBE and other associated procedures in charge of the Data Controller.
•  Manage the data to carry out the different payment processes, invoices and collection accounts presented to KEYBE, and collection management that are in their control.
• Evaluate the services offered or provided by the supplier and/or contractor.
• Comply with any other legal obligation that is in control of KEYBE.
• Analyze financial, technical and other aspects that allow KEYBE to identify the supplier’s compliance capacity.
• Fulfill the obligations derived from the commercial relationship established with the supplier or contractor.
• Provide assistance and/or information of general and/or commercial interest to the supplier or contractor.
• Develop and apply processes of selection, evaluation, and preparation of responses to a request for information, and prepare requests for quotation and proposal and/or award of contracts.
• Evaluate the quality of the products and services offered or provided to KEYBE.
• Use, in the event that it is necessary, the personal data of the supplier’s collaborator in order to establish access controls to the logical or physical infrastructure of KEYBE.
• Manage personal data to make payments to suppliers, including the administration of bank account numbers for the correct management of payments.
• Send or provide information to the competent authorities, when so requested, or in the course of contractual disputes.
• Transfer information to administrative authorities that, due to their functions, require it in order to comply with the legal obligations in our charge.
• KEYBE understands that your personal data and that of third parties that the supplier or contractor provides, such as workers authorized to carry out the management or service entrusted, references and commercial certifications, have the authorization of the data subjects to be delivered and processed in accordance with the purposes contemplated in this Policy.

18. Clients and Commercial Prospects:

KEYBE will use, directly or with the participation of third-party providers of products or services, the personal data of customers and commercial prospects in accordance with the purposes listed below:

• Evaluate them as a potential KEYBE customer.
• Register them as a KEYBE customer.
• Verify that the information provided is true.
• Show that their assets do not come from illegal activities.
•  Consult and report their information in risk and credit information centers.
• Provide information about the brands and products that we sell, as well as about the promotional activities that we carry out, all within the terms authorized by the respective legislation.
• Provide services in accordance with the needs of the Data Subject.
• Collect, register, and update the personal data in order to inform, communicate, organize, control, attend to, and/or accredit activities in relation to their status as a customer or business prospect.
• Respond to requests or requirements for information about our services.
• Send to physical or electronic mail, cell phone or mobile device, via text messages (SMS and/or MMS) or via WhatsApp or Facebook Messenger, or through any other analog and/or digital means of communication created or to be created, commercial information, advertising or promotional products and/or services, events and/or promotions of a commercial nature, in order to promote, invite, direct, execute, inform and, in general, carry out campaigns, promotions or contests of a commercial or advertising nature, carried out directly by KEYBE and/or by third parties.
• Develop loyalty programs.
• Carry out credit, collection and credit risk studies.
• Verification of data through consultations in public databases or risk centers.
• Evaluate the quality of our products or services and carry out satisfaction surveys.
• Prepare and carry out market studies and statistical analysis of trends, consumption habits, and consumer behavior.
• Keep accounting, financial and statistical records.
• Carry out statistical analysis of trends, consumption habits and consumer behavior.
• Share the information with third parties and/or allied managers for the fulfillment of the purposes described above.
• Other purposes determined by KEYBE in the information collection processes for its treatment and which are communicated to the Data Subjects at the time of personal data collection.

19. SPECIAL REQUIREMENTS FOR THE TREATMENT OF SENSITIVE DATA

KEYBE, in its capacity as Data Controller, will identify the sensitive data that it will eventually collect or process to meet the following objectives:

• Implement special attention and reinforce its responsibility for the treatment of this type of data, which translates into a greater demand in terms of compliance with the principles and duties established by current regulations on data protection.
• Establish technical, legal and administrative security levels to treat this information appropriately.
• Increase restrictions on access and use by the staff of KEYBE, in its capacity as employer, and third-party contractors or suppliers.

20. PERSONAL DATA OF GIRLS, BOYS AND ADOLESCENTS

The processing of personal data of children and adolescents by KEYBE will be carried out always respecting the following requirements:

• Respond to and respect the best interests of children and adolescents.
• Ensure, on behalf of the person in charge, the respect for their fundamental rights.
• Guarantee that the legal representative of the minor grants authorization, after exercising his right to be heard, an opinion that, as far as possible, should be valued taking into account the following factors:
• Maturity
• Autonomy
• Ability to understand the purpose of said treatment
• Explain the consequences of the treatment

IMPORTANT: The assessment of the above characteristics will not be carried out by KEYBE in a general way. Any person in charge, manager, or third party involved in the processing of the personal data of minors, must always ensure the adequate use of this type of personal data.

21. TRANSMISSION OF PERSONAL DATA TO THIRD PARTIES

If you provide us with Personal Data, this information will be used only for the purposes indicated in this Policy, and we will not proceed to sell, license, transmit or disclose it to third parties, unless, i) you expressly authorize us to do so; ii) it is necessary to enable our contractors or agents to provide the services we have entrusted to them; iii) it is necessary for the effective provision and fulfillment of the service acquired; iv) in order to provide our products or services to you; v) it is necessary to allow third parties to provide marketing services on our behalf or to other entities with which they have joint market agreements; vi) it is related to a merger, consolidation, acquisition, divestment or other restructuring process; vii) it is required to finalize administrative operations; or viii) it is required or permitted by law.

In order to implement the purposes described above, your personal data may be disclosed for the reasons indicated in this Policy to human resources personnel, managers, consultants, advisors and other persons and offices, as appropriate.

KEYBE may subcontract third parties for the processing of certain functions or information. When we effectively subcontract with third parties the processing of your personal information, or provide your personal information to third party service providers, we warn said third parties about the need to protect said personal information with appropriate security measures, we prohibit the use of your personal information for their own purposes and we prevent them from disclosing your personal information to others.

However, when KEYBE carries out a Transmission of Personal Data to third-party Managers located in Colombia or in other jurisdictions, it must prove (i) a prior, express and informed authorization by the Data Subject, or (ii) a contract for the transmission of Personal Data that contains the requirements contemplated in article 2.2.2.25.5.2 of Decree 1074 of 2015.

Similarly, KEYBE may transfer or transmit (as appropriate) your personal data to other companies abroad for reasons of security, administrative efficiency and better service, in accordance with the authorizations of each of these persons. Under this understanding, your data may be transmitted or transferred, as appropriate, for the completion of administrative operations in favor and under instructions of KEYBE or in favor of the global operation of KEYBE, Inc., its affiliates or subsidiaries.

22. PROCESSING OF PERSONAL DATA ON BEHALF OF A THIRD PARTY

KEYBE may act in certain events as in Data Processor of the data supplied or transmitted by some of its interest groups that have hired KEYBE, and by virtue of this contractual relationship, it commits to comply with the following duties:

• Verify that the Data Controller is authorized to supply the personal data that will be processed as Data Processor.
• Guarantee to the Data Subject, at all times, the full and effective exercise of the right to habeas data.
• Keep the information under the security conditions necessary to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access.
• Timely update, rectify or delete the data.
• Update the information reported by the Data Controller within five (5) business days from receipt.
• Process the queries and claims made by the data subjects by the terms indicated in this policy.
• Register in the database the caption “claim in process” in the form in which it is established in this policy.
• Insert in the database the caption “information in judicial discussion” once notified by the competent authority about judicial processes related to the quality of personal data.
• Refrain from circulating information that is being controverted by the data subject and whose blocking has been ordered by the Superintendency of Industry and Commerce.
• Allow access to information only to persons authorized by the data subject or empowered by law for that purpose.
• Inform the Superintendency of Industry and Commerce when there are violations of the security codes and there are risks in the administration of the information of the data subject.
• Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.

23. SECURITY, INTEGRITY AND CONFIDENTIALITY

In development of the security principle contemplated in Law 1581 of 2012, KEYBE has adopted and incorporated in its different processes the necessary and adequate technical, human and administrative measures to grant security to the records with personal information avoiding their adulteration, loss, consultation, unauthorized or fraudulent use or access. The personnel who process the personal data will execute the protocols established by KEYBE in order to guarantee the security of the information. The foregoing in accordance with the state of technology, the type and nature of the data found in our databases and the risks to which they are exposed.

The personal data that KEYBE obtains through any format, contract, physical or electronic communication, will be treated with total reserve and confidentiality, committing to keep due secrecy regarding them and guaranteeing the duty to store them by adopting necessary measures to avoid their alteration, loss, and unauthorized treatment or access, in accordance with the provisions of the applicable legislation.

24. RIGHTS OF PERSONAL DATA SUBJECTS

Personal Data Subjects may exercise the right to habeas data before KEYBE in order to:

• Know and access their personal data that has been subject to treatment.
• Update their personal data that has been subject to treatment.
• Rectify personal data that has been subject to treatment.
• Delete the authorization for the processing of their personal data, when the principles established in Law 1581 of 2012 have not been respected in the treatment thereof.
• Request proof of the authorization granted for the processing of their personal data.

These rights may be exercised directly by the Personal Data Subject, his attorney or his successor in title, as the case may be. If the Data Subject wishes to exercise their right to habeas data through a legal representative, they must present a duly authenticated general or special power of attorney.

The content and details of each of the rights that you, as the personal Data Subject, can exercise are described below:

• Right of access. Any natural person will have the right to know if their personal data has been subjected to any form of treatment by KEYBE in the terms expressed in the norm, in addition to exercising the right to know the origin of their data and if they have been transmitted or transferred or not to third parties and, therefore, the identification of those third parties.
• Right to update. Any natural person will have the right to update the information kept by KEYBE as personal data in the terms expressed in the norm.
• Rights of rectification. Any natural person has the right to verify before the data controller the accuracy and veracity of the personal data collected and request the rectification of it when it is inaccurate, incomplete or lead to error. The data subjects must indicate the data they request to correct and also accompany the documentation that justifies the request.
• Request for deletion or cancellation of the data. The personal data subject must indicate the data that must be canceled or rectified, providing, if necessary, the documentation or proof that justifies it. The cancellation will lead to the blocking of your data, being kept by the data controller, with the sole purpose of making it accessible to administrative or judicial authorities, always obeying the limitation period that exists on it. Once this period has elapsed, the data controller must proceed to the definitive cancellation of the personal information of the interested or affected party, which resides in our databases or files.

Likewise, the data subject may request the deletion or cancellation of their personal data when the treatment of these by the Data Controller or Data Processor is excessive or even inappropriate. The personal data of the data subjects will be kept for the time provided for in the applicable regulations and/or, depending on the case, of the contractual relations between the data subject and the data controller.

In any case, the request to delete the information and the revocation of the authorization will not proceed when the data subject has a legal or contractual duty to remain in the database.

25. FORMS TO EXERCISE THE RIGHT OF HABEAS DATA

The Data Subjects may exercise habeas data at any time and effectively to guarantee their right of access, rectification, deletion and proof of authorization before KEYBE through any of the following contact channels enabled:

• Email: you can contact us via email at  [email protected]
• Website: keybe.us

The following are the legally permitted ways to exercise the right to habeas data:

• On your own behalf: you, as the data subject of personal data that is stored in databases and/or files of KEYBE, will have the right to know, update, access, rectify, delete, and be informed about the use of your data, request proof of authorization granted, and revoke the authorization granted.
• Through a proxy: This right can be exercised by the duly identified interested party or by the proxy of the data subject of the personal information, for which the duly authenticated special or general power of attorney must be attached to the request.
• Exercise of the right of minors: Minors must exercise their right to habeas data through whoever proves their legal representation.

26. PROCEDURES FOR QUERIES AND COMPLAINTS

• Query Procedure: Data Subjects who wish to make queries, should bear in mind that KEYBE, as the Data Controller, will provide said persons with all the information contained in the individual record or that is linked to the data subject’s identification. The query will be made through the channels enabled by KEYBE and will be answered within a maximum term of ten (10) business days from the date of receipt of the request. When it is not possible to attend the query within said term, the interested party will be informed, stating the reasons for the delay and indicating the date on which the query will be attended, which in no case may exceed five (5) business days following expiration of the first term, notwithstanding the provisions contained in special laws or regulations issued by the National Government that may establish lower terms, taking into account the nature of the personal data.
• Claim Procedure: The Data Subject who considers that the information contained in a KEYBE database should be subject to correction, updating or deletion, or when they notice the alleged breach of any of the duties contained in Law 1581 of 2012, may submit a claim before the Data Controller or the Data Processor, which will be processed under the following rules:
  • The claim will be formulated by means of a request addressed to the data controller or the data processor, with the identification of the data subject, the description of the facts that give rise to the claim, and the address, accompanying the documents that you want to enforce.
  • If the claim is incomplete, the interested party will be required within five (5) days after receiving the claim to correct the faults. After two (2) months from the date of the request without the applicant submitting the required information, it will be understood that they have withdrawn the claim.
  • In the event that the person who receives the claim is not competent to resolve it, he or she will transfer it to the corresponding person within a maximum term of two (2) business days and will inform the interested party of the situation
  • Once the complete claim has been received, within a period of no more than two (2) business days, a caption that says “claim in process” and the causes that motivated it will be included in the database. Said caption must be maintained until the claim is resolved in substance.
  • The maximum term to attend the claim will be fifteen (15) business days from the day following the date of receipt. When it is not possible to attend the claim within said term, the interested party will be informed of the reasons for the delay and the date on which their claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term.

27. MODIFICATIONS TO THIS POLICY

This policy can be adjusted or modified at any time, for which reason we recommend that you periodically review our corporate website, through which you will be notified of the change and the latest version of this Policy or the mechanisms to obtain a copy of it.

28. PERSONAL DATA PROTECTION OFFICER

KEYBE, in compliance with the principle of demonstrated responsibility, has internally designated [Daniel Agudelo] as Personal Data Protection Officer (“DPO”), who will be in charge of implementing the policies and procedures adopted by KEYBE to comply with the norm of personal data protection, as well as the implementation of good personal data management practices within the company.

The designated KEYBE DPO is internally responsible for updating and distributing the Policy, which is why any change made must be approved by them. If you, as the data subject, do not agree with the changes made to it, you can exercise your right to habeas data through the channels and in the manner established in this Policy.

At KEYBE the Data Protection Officer is [Daniel Agudelo [email protected]]

29. DATE OF ENTRY INTO EFFECT

This Policy became effective on [January 1, 2020]

30. ANNEX PRIVACY POLICY FOR DATA SUBJECTS WHO ARE IN COUNTRIES OF THE EUROPEAN UNION

For clients and users of our Website and, in general, any Personal Data Subject residing in a country of the European Union, as well as for clients who purchase KEYBE’s products or services in a country of the European Union, governs the provisions of this annex, which is applied in accordance with the Privacy and Protection of Personal Data Policy of our stakeholders and is an integral part of it.

31. METHOD OF OBTAINING YOUR PERSONAL DATA

KEYBE collects personal data from its customers and Website users each time they use our services, including when they use our Website or when they interact with us electronically or through our customer service contact channels.

32. DATA COLLECTED AND PROCESSED

KEYBE may collect information and personal data from customers and users of its Website, that may vary due to technological facilities, nature of the product or service to be supplied, among others. For that purpose, we may collect the following personal information:

• General identification data: Name and surname of the client or user, date of birth, identification or ID number, gender, marital status, profession or trade, postal and/or electronic address (personal and/or work), nationality and/or country of residence, landlines and mobile contact numbers (personal and/or work).
• Socio-economic content data: Personal data of the cardholder (names and surnames, type and identification number), billing address information, credit card information(s).
• Sensitive data: biometric data, including images, photographs, videos, voices and/or sounds, and fingerprints that identify or make identifiable our clients and users and/or any individual who is or transits in any place where KEYBE has installed video surveillance camera or georeferencing equipment.
• Other data: IP of the client, through cookies, and information about the location of your device if you have been browsing our website or using our mobile application.
• Information on purchasing channels (including representatives or agents, call centers, websites, mobile applications)
• Information and personal data collected through surveys, focus groups or other market research methods.
• Information required by officials or customer service representatives, such as sales and/or customer relations representatives, in order to attend to requests or claims.
• Certain categories of personal data, such as those related to racial origin, ethnicity, religion, health, sexual orientation or biometric data, constitute special categories of personal data that require additional protection in accordance with the data protection regulations of the European Union. Although at KEYBE we try to limit the circumstances in which we collect and process data of this nature, it is possible that we collect and process this data from customers and users in certain circumstances.

33. PURPOSES OF THE TREATMENT:

In addition to the purposes described in paragraph IX of the Privacy and Protection of Personal Data Policy, KEYBE will process your data for the following purposes:

• Celebration and management of the contractual relationship.
• Management of marketing activities.
• Compliance with legal and security obligations.
• Loyalty programs.
• Personalized communications.
• Personalization of content.
• Analysis and processing of data through Artificial Intelligence.

34. TIME OF CONSERVATION OF PERSONAL DATA:

The personal data provided by clients or users will be kept as long as the commercial or contractual relationship is in force. The foregoing, notwithstanding its conservation for the years necessary to comply with legal obligations, especially in accounting, fiscal and tax matters, and may be kept for a period of up to ten (10) years. For marketing purposes, we will keep your personal data until you ask us to delete or cancel it

35.  LEGITIMATION FOR THE PROCESSING OF PERSONAL DATA:

The fundamental legal basis that allows us to process the personal data of clients and users of our Website is the execution of any contract with KEYBE, from which rights and obligations are derived for the parties to the contractual relationship.

Also, there are legal obligations in tax and fiscal matters, among others, that oblige us to process your personal data in compliance with the procedures and requirements that KEYBE must comply with before the authorities and entities of control and surveillance of any jurisdiction in which these operate.

For the provision of the services acquired, as well as in compliance with certain legal requirements, certain essential data must be collected. The client or user is obliged to provide that personal data (truthful and updated) that is required by legal requirement, and that that is necessary to sign the contract. In case of not providing it or requesting its deletion prior to the total execution of the contract, we will not be able to manage and perfect the contractual relationship, and may even communicate inaccurate data.

On some occasions, the treatment we carry out is based on our legitimate business interest, such as fraud prevention, or the distribution by email of commercial communications about products and services similar to those contracted by you; provided that they do not prevail over the interests or the rights and freedoms of the clients.

The processing of personal data for the distribution of commercial communications and, where appropriate, the treatment of special categories of data is carried out by KEYBE based on the consent given by the client or user.

Whenever we request your consent for any treatment, we will inform you about it at that time. In any case, we inform you that you have the right to withdraw your consent at any time, without the withdrawal of that consent conditioning the execution of the contract. If you are a registered user of our services, you can change your privacy preferences at any time, modifying your online profile, and accessing your private area. In addition, all commercial communications that we send you by email, SMS, PUSH or WhatsApp, will have an option to “unsubscribe” that will allow you to stop receiving electronic communications of a commercial nature. Although we do everything possible to process requests to unsubscribe from commercial communications within a period of fifteen (15) business days from when we receive the request, it is possible that you will receive some commercial communication during that period.

36. RECIPIENTS TO WHOM WE COMMUNICATE PERSONAL DATA:

The data of the clients and users may be legitimately communicated to the following third parties:

• For the management of the contractual relationship.
• For marketing activities, although we may share your data with data processors or with commercial partners, we inform you that KEYBE will not sell your personal data to any third party.
• For the fulfillment of legal obligations.
• For loyalty programs.

In the event that data is transferred outside the European Economic Area, it will be done in accordance with the GDPR (Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016, regarding the Protection of Natural Persons with regard to the Processing of Personal Data and the Free Circulation of this Data, as well as the national laws of the Member States on the matter). For transfers outside the EEA, KEYBE uses contractual data protection clauses adopted by the European Commission and the EU – US Privacy Shield as a guarantee of those transfers made to countries that do not have an adequacy decision from the European Commission.

37. RIGHTS OF PERSONAL DATA SUBJECTS:

• You have the right to obtain confirmation on whether or not we are treating your personal data.
• You have the right to access your personal data, as well as to request the rectification of inaccurate data or, where appropriate, request its deletion when, among other reasons, the data is no longer necessary for the purposes for which it was collected. Likewise, you will have the right to the portability of your data in the cases provided for in the regulations.
• n certain circumstances, you may request the limitation of the processing of your data, in which case, with the exception of its conservation, we will only treat it for the formulation, exercise or defense of claims or in the other cases provided for in the applicable legislation.
• In certain circumstances and for reasons related to your particular situation, you may object to the processing of your data. We will stop processing the data, except for compelling legitimate reasons, or for the formulation, exercise or defense of possible claims.
• Finally, regarding those treatments that you have voluntarily consented to, you may withdraw your consent at any time; but this withdrawal may not affect the fulfillment of the legal obligations in responsibility of KEYBE.

To exercise your rights, you must send a request through the means enabled by KEYBE, attaching the document that proves your identity, the passport for validation associated with international flights, the description of your request and the means of contact:

38. Enabled media:

Email:  [email protected]

If you wish to obtain more information about your rights, if you have not obtained satisfaction in the exercise of your rights, and/or wish to file a claim, you can do so by contacting the data protection control authority of the corresponding country.

39. RIGHTS OF PERSONAL DATA SUBJECTS:

KEYBE does not carry out direct marketing to minors, nor can they be users of the products or services we offer, unless they act through, or are duly authorized by, their parents or by those who have parental authority or legal representation of the minor.

40. SPECIFIC PRIVACY POLICY FOR THE KEYBE APP

Our App collects information from users through a registration form, a chat, and the option to upload files. The collected data includes: identity, address, phone number, email address, and identification document. Users also have the option to upload any other type of personal information of their own choice through the aforementioned file.

The collected information is used to provide a more personalized service and to improve the user experience on our app. This information will not be shared with third parties without the user's prior consent, unless required by law.

Users have the right to access, correct, and delete their personal data at any time. If you wish to exercise these rights, please contact us through our email or phone number provided in our privacy policy.

The security of user information is important to us, so we take measures to protect the information from unauthorized access, alteration, disclosure, or destruction. However, we cannot guarantee absolute security of information sent through the internet.

By using our App, users accept the terms of this privacy policy. If you do not agree with these terms, please do not use our App. This privacy policy may be updated at any time, so we recommend reviewing it periodically.

41. Limited Use Requirements

The use and transfer of information received from Google APIs by our App Keybe Green Mountain to any other application will comply with the Google API Services User Data Policy, including the Limited Use requirements.

42. Specific Information about AI Models

Our privacy policy details the use and sharing of data with third-party AI models to ensure transparency and user control over their data. Below is specific information provided and explicit user consent will be obtained:

• Third-party AI models used: We use AI models provided by third parties to improve our services.
• Data shared with these models: We share user data that may include, among other things, contact information, interactions within the application, and usage data.
• Purpose of sharing this data: Data is shared to improve the accuracy and efficiency of our AI-based services, offer personalized recommendations, and optimize the user experience.
• Use of data by AI models: AI models use this data to learn and continuously improve their capabilities, positively impacting the personalization and quality of the service offered to users.
• User control options: Users have the option to control or decline the sharing of their data with AI models through specific settings in the application.
• Responsible and ethical use of data: We ensure the responsible and ethical use of data shared with AI models, complying with all applicable regulations and protecting user privacy.

43. Explicit User Consent

Users are explicitly informed about the use of AI models and the potential data sharing involved through clear notices within the application and in this privacy policy. The application obtains explicit consent from users before sharing their data with any third-party AI models through a clear opt-in checkbox and detailed explanations. Consent is obtained in a clear and transparent manner, providing users with all the necessary information to make an informed decision.

44. VALIDITY

This annex is effective from the day of its publication.

SERVICE LEVEL AGREEMENT (SLA)

We guarantee our work and repair the errors detected in the fastest and most stable way possible. We have a specialized team ready to respond and will be available to advise on the best practices for using the Keybe platform.

Notwithstanding any provision in this Agreement, a service unavailability will not be deemed to have occurred if the downtime:

1. Is caused by factors beyond Keybe’s reasonable control, including, without limitation, problems or issues related to our telecommunications and cloud service providers, Internet access or related problems that occur beyond the point of the network where Keybe maintains access and control of the Services;
2. Is the result of any action or inactivity of the Client or any third party (except Keybe’s agents and subcontractors);
3. Is the result of the Client’s Applications, Client’s equipment, software or other technology, supplementary services, or third-party equipment, software or other technology (with the exception of equipment within the direct control of Keybe ); 
4. Occurs during Keybe’s scheduled maintenance for which Keybe will provide notice at least twenty-four (24) hours in advance;
5. Occurs during Keybe’s emergency maintenance (maintenance that is necessary for the purpose of maintaining the integrity or operation of the Services), regardless of the notification provided by Keybe; or
6. The results of any alpha, beta, developer preview, development benchmark environments, import descriptions, similar or not, otherwise generally available Keybe features or products; or
7. Periods of monthly unavailable time that are less than five (5) minutes of continuous unavailability in duration (collectively, the “Monthly Excluded Times”).

Specific Exclusions from the SLA

For the purposes of this Service Level Agreement, it is expressly stated that WhatsApp lines and the personal lines of the sales team are neither subject to nor included within the obligations and guarantees provided by Keybe in this SLA. Users should not expect or demand the same level of service, response, or availability on these channels compared to the channels officially listed in this agreement.

This Agreement guarantees:

With respect to any failure of Keybe to meet the monthly activity uptime percentage threshold or successful connection rate, as the case may be, this addendum sets forth Keybe’s sole and complete liability to the customer and the customer’s sole recourse.

PRIVACY AGREEMENT

1. Introduction

Keybe is committed to protecting the privacy of the people who visit the Company’s websites (“Visitor(s)”, “You,” and the derived adjective “Your”), the people who register to use the Service as defined below (“Clients”), and the people who register who attend the Company’s corporate events (“Attendees”). This Privacy Statement describes Keybe’s privacy practices with respect to its websites and related services and applications offered by Keybe (collectively, the “Service”).

If you have questions or complaints regarding Keybe’s Privacy Statement or Practices, please contact us at [email protected].

2. Covered websites

Keybe has established this Privacy Statement to help you understand how Keybe collects and uses personally identifiable information. This Privacy Statement covers the information practices of websites that link to this Privacy Agreement, including but not limited to  https://keybe.us.

Keybe’s websites may contain links to other websites. Keybe is not responsible for the information practices or the content of such websites. The Company encourages you to review the privacy statements of other websites to understand their information practices.

3. Information collected by Keybe

Keybe collects information from visitors. This information is collected in accordance with this Privacy Statement, from sources including, but not limited to, content syndication, website registration forms, webinar, and conference registration forms.

Personal information you provide to us. Keybe collects information from visitors to Keybe’s websites and customers of the service. Keybe receives and stores any information entered when you express interest in obtaining more information about the Service or register to use the Service.

“Personal Information" is described below:

• Contact Information: email addresses, phone numbers, physical, numeric, or metaverse addresses.
• Demographic Information
• Personality Data
• Preference Data
• Security Data
• Health Data
• Financial Data
• Third-party data
• Public Web Data
• Transactions
• Photographs
• Videos
• Audios
• Contact lists

Personal information is collected automatically. By agreeing to the "Privacy Agreement" through the "Covered websites", an "Individual" as a visitor, agrees that Keybe may collect, store, manage, enhance and use their "Personal Information" for marketing, legal and financial purposes. Keybe may also automatically collect information using commonly used information collection tools such as cookies and web beacons.

Keybe has policies and principles of "good behavior". Our culture and purpose always put the "Individual" first, with integrity, safety and security.

4. Other third-party tracking

Keybe contracts with third parties, who use web beacons, images, and scripts, to help better manage the content on Keybe’s websites. Keybe does not provide personal information to third parties, but may link information collected from third-party tracking to personal information of visitors for marketing purposes.

5. Cookies:

Keybe uses cookies to make interactions with websites easy and meaningful. When a visitor interacts with the websites, Keybe’s servers send a cookie to the visitor’s computer. Standing, cookies do not personally identify the visitor, but simply recognize the visitor’s web browser. Unless the visitor chooses to identify themselves with Keybe, either by responding to a promotional offer, opening an account, or completing a web form, Keybe has no way of associating this cookie information with the visitor’s personal information.

For websites, Keybe uses session-based cookies. Session cookies exist only during a session. They disappear from the Vis

Most browsers have an option to disable cookies, which will prevent the browser from accepting new cookies, as well as (depending on the sophistication of the browser software) allowing the visitor to decide on the acceptance of each new cookie in various ways.

Keybe’s websites connect visitors to third-party services, with whom Keybe partners to provide relevant content. The use of cookies by Keybe partners is not covered by the Keybe Privacy Statement. Keybe does not have access or control over these cookies. Keybe’s partners use session ID cookies to manage a Client’s connection to the partner’s service.

6. DATA CONTROLLER:

Company Name: KEYBE AI CORP
55 RIVERWALK PLACE INT 749
WEST NEW YORK NJ 07093-0709

Email: [email protected]
Website: https://keybe.us

7. OBJECTIVE AND SCOPE:

At Keybe we recognize the importance of the security, privacy, and confidentiality of the personal information of our clients, workers, suppliers, and the people who use our identity services, who provide us with information through various enabled channels (including websites, applications, API’s, physical documents, among others) and we are committed to the protection and adequate treatment of them, in accordance with the legal regime for the protection of personal data applicable to each country where we operate.

For KEYBE it is necessary to collect certain personal data to carry out the activities intrinsic to its commercial line of business. KEYBE has a legal and social obligation to implement adequate security measures to protect the personal data it has collected for the purposes specified in this Privacy and Personal Data Protection Agreement (“Policy”).

Therefore, the objective of this Policy is to communicate to our clients, workers, suppliers, users of the Website and, in general, to the owners of personal information (data subjects), the type of data, the purposes of the Treatment to make possible the provision of our service, the protection and rights that assist you as the data subject of the information and the procedures to exercise them.

In general, all the information and data that you provide us, or that we otherwise collect in the context, by any means or by reason of the ordinary course of your commercial activities, will be used by KEYBE in accordance with the Regulation (UE) 2016/679 (“GDPR”) and Law 1581 of 2012. The foregoing means that any form of processing of your personal data carried out by KEYBE will uphold the principles of legality, equity, transparency, purpose limitation, storage limitation, data minimization, accuracy, integrity and confidentiality.

8. DEFINITIONS AND CONCEPTS:

For the interpretation of this Policy, we ask you to take into account the following definitions:

• Authorization: prior, express and informed consent of the Data Subject to carry out the processing of personal data.
• Database: organized set of personal data that is subject to Treatment.
• Consent: it is a manifestation of the informed, free, and unequivocal will, through which the data subject of the personal data accepts that a third party uses their information.
• Queries: the Data Subjects or their successors in title may consult the Data Subject’s personal information that resides in any database, be it the public or private sector. The Data Controller or Data Processor must provide them with all the information contained in the individual record or that is linked to the identification of the Data Subject.
• Personal Data: refers to any information associated with an identified or identifiable natural person, relative to their identity, as well as their existence and occupations.
• Public Data: it is the data classified as such by the Constitution or the Law and all that is not semi-private or private, in accordance with this law. The data contained in public documents, gazettes and judicial bulletins, duly executed judicial decisions that are not subject to reserve, and those related to the civil status of people are public, among others.
• Semi-private data: The data that is not intimate, reserved, or public in nature, and which knowledge or disclosure may interest not only the data subject but also a certain sector or group of people or society in general is semi-private, such as financial and credit data of commercial activity or services.
• Private Data: It is the data that due to its intimate or reserved nature is only relevant to the data subject.
• Sensitive Data: For the purposes of this policy, sensitive data is understood to be anything that affects the privacy of the Data Subject or whose improper use may generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership in trade unions, social or human rights organizations or that promote the interests of any political party or that guarantees the rights and warranties of opposition political parties as well as data related to health, sexual life, biometric data, passwords and financial data.
• Data Processor: Natural or legal person, public or private, that by themselves or in association with others, carries out the Treatment of personal data on behalf of the Data Controller.
• Habeas Data: It is the right that every owner of information (data subject) has to know, update, rectify or oppose the information concerning their personal data
• Data Processing Policy, or Policy: refers to this document as the personal data processing policy applied by the Company in accordance with the guidelines of current legislation on the matter.
• Provider: any natural or legal person that provides a service to the Company by virtue of a contractual or mandatory relationship.
• Claim: the Data Subject or his successors in title who consider that the information contained in a database should be subject to correction, updating or deletion, or when they notice the alleged breach of any of the duties contained in this law, they may file a claim before the Data Controller or the Data Processor.
• Data Controller: natural or legal person, public or private, that by itself or in association with others, decides on the database and/or the processing of personal data.
• Treatment: any physical or automated operation or procedures that allow to capture, record, reproduce, conserve, organize, modify, and/or transmit personal data.
• Data Subject: is the natural person whose personal data is being processed by a third party, be it a client, supplier, employee, or any third party who, due to a legal or commercial relationship, provides personal data to the Company.
• Transmission: refers to the communication of personal data by the Responsible Party to the Manager, located within or outside the national territory, so that the Manager, on behalf of the Responsible Party, treats personal data.
• reatment: Any operation or set of operations on personal data, such as the collection, storage, use, circulation or deletion.

To understand the terms that are not included in the previous list, you must refer to current legislation, especially Law 1581 of 2012 and chapters 25 and 26 of Decree 1074 of 2015 and Regulation (EU) 2016 / 679 (“GDPR”), giving the meaning used in said standards to the terms whose definition there is doubt.

9. PRINCIPLES APPLICABLE TO THE PROCESSING OF PERSONAL DATA

At KEYBE we are committed to complying with the principles that govern the processing of personal data of our stakeholders and, in general, of any natural person whose personal data is in our databases and/or files, guaranteeing the application of the general principles for the treatment of this type of data, which are indicated below:

• Principle of Legality. The processing of personal data is a regulated activity and must obey a legitimate purpose, for which KEYBE will compulsorily comply with the provisions of Law 1581 and the other provisions that develop it.
• Principle of Purpose. KEYBE will treat personal data always obeying a legitimate purpose which will be previously informed to the data subject.
• Principle of Freedom. KEYBE will only process personal data when it has the prior, express and informed consent of the data subject. The Data Subject may, in any case, refuse the processing of their sensitive data.
• Principle of Veracity or Quality. The personal data processed by KEYBE must be truthful, complete, exact, updated, verifiable and understandable
• Principle of Transparency. KEYBE, will guarantee the owner of the personal data (data subject), at any time and without restrictions, to obtain information about the existence of data that concerns them.
• Principle of Access and Restricted Circulation. KEYBE, undertakes that the processing of personal data will be carried out by entities authorized by the data subject and/or by the persons provided for in Law 1581 of 2012. Personal data may not be available on the internet or other means of disclosure or massive communication, unless the access is technically controllable to provide restricted knowledge only to the data subjects or authorized third parties.
• Principle of Security. The information subject to treatment by KEYBE, will be handled with the technical, human and administrative measures necessary to grant security to the records, avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access.
• Principle of Confidentiality. KEYBE, undertakes that the people who intervene in the processing of personal data that are not public in nature will be obliged to guarantee the reserving of the information, even after the end of their relationship with any of the tasks that comprise the treatment, being able to only supply or communicate personal data when this corresponds to the development of authorized activities.
• Principle of Demonstrated Responsibility (Accountability). One that is based on the approach of recognition and commitment of organizations in order to increase the standards of protection to ensure and guarantee people an adequate treatment of their personal data. This principle entails an obligation for KEYBE to be accountable for its activities regarding the protection of personal data, accept responsibility for them and disclose the results in a transparent manner.

10.DUTIES OF KEYBE AS PEROSNAL DATA CONTROLLER

KEYBE as Data Controller will fulfill the following duties, without prejudice to the other provisions provided in the law and in others that govern its commercial activity:

• Guarantee the Data Subject, at all times, the full and effective exercise of the right to habeas data;
• Request and keep, under the conditions provided by law, a copy of the respective authorization granted by the Data Subject;
• Properly inform the Data Subject about the purpose of the collection and the rights that assist him by virtue of the authorization granted;
• Keep the information under the security conditions necessary to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access;
• Guarantee that the information provided to the Data Processor is true, complete, exact, updated, verifiable and understandable;
• Update the information, communicating in a timely manner to the Data Processor, all the updates regarding the data that you have previously provided and adopt the other necessary measures so that the information provided to them is kept up-to-date;
• Rectify the information when it is incorrect and communicate the pertinent to the Data Processor;
• Provide the Data Processor, as the case may be, only data whose Treatment is previously authorized in accordance with the provisions of the law;
• Require the Data Processor, at all times, to respect the security and privacy conditions of the Data Subject’s information;
• Process the queries and claims formulated in the terms indicated in the present law;
• Adopt an internal manual of policies and procedures to guarantee adequate compliance with the law and, especially, for the attention of queries and complaints;
• Inform the Data Processor when certain information is under discussion by the Data Subject, once the claim has been submitted and the respective procedure has not been completed;
• Inform at the request of the Data Subject about the use given to their data;
• Inform the data protection authority when there are violations of the security codes and there are risks in the administration of the information of the Data Subjects.
• Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.

11.  TEMPORARY LIMITATIONS TO THE PROCESSING OF PERSONAL DATA

KEYBE will only collect, store, use or circulate personal data for as long as is reasonable and necessary, in accordance with the purposes that justified the treatment, taking into account the provisions applicable to the matter in question and the administrative, accounting, fiscal, legal and historical information. Once the purpose or purposes of the treatment have been fulfilled and, without prejudice to legal regulations that provide otherwise, it will proceed to delete the personal data in its possession. However, KEYBE may keep your personal data when required to comply with a legal or contractual obligation.

Notwithstanding the foregoing, you as the Data Subject may, at any time, revoke the consent you have given for the processing of your personal data, unless legally or contractually KEYBE must process said information, by sending a communication and/or written request, through the contact channels contemplated in this Policy, providing a copy of your identification document or any other document that, in the opinion of KEYBE, allows you to prove your identity.

12. PURPOSES OF THE TREATMENT

KEYBE recognizes that the owner of personal data (Data Subject) has the right to have a reasonable expectation of their privacy, taking into account, in any case, their responsibilities, rights and obligations with KEYBE. By virtue of the relationship established between you and KEYBE, we inform you that your personal data will be treated with full respect for the principles defined in the applicable law and that the collection, use, circulation, transmission, transfer and, in general, any form of treatment on them, will be done in accordance with the following purposes that will be previously informed, corresponding, in any case, to the development of its corporate purpose and the ordinary course of its activities.

13. General Purposes:

The purposes described below will be applicable to all Data Subjects who have previously, in an express and informed way, authorized the processing of their personal data:

• Confirm, comply with and provide the services and/or products purchased, directly and/or with the participation of third party providers of products or services.
• Inform about substantial changes in the Policy adopted by KEYBE.
• Establish and manage the relationship, may it be pre-contractual and contractual, commercial, labor, civil, and of any other nature that arises by virtue of the fulfillment of a legal or contractual obligation in responsibility of KEYBE.
• Respond to requests, queries, claims and/or complaints made by the holders of personal information (Data Subjects) through any of the channels enabled by KEYBE for this purpose.
• Transfer or transmit your personal data to entities and/or judicial and/or administrative authorities, when these are required in relation to their purpose, and necessary for the fulfillment of their legal or contractual functions.

14. Shareholders:

The treatment of the personal data of KEYBE shareholders will be carried out in accordance with the provisions of the Commercial Code, and with any other rule that regulates this matter. The purposes applicable to the shareholders’ personal data are the following:

• Allow the exercise of the rights and duties derived from the function of shareholders.
• Make the payment of dividends.
• Collect, register and update your personal data in order to inform, communicate, organize, control, attend and accredit the activities in relation to their function of shareholders.
• Comply with judicial, administrative and legal decisions related to their function of shareholders.

15. Candidates for a Vacancy:

KEYBE will use the personal data of the candidates for a vacancy in accordance with the purposes listed below:

• Establish and manage the recruitment, selection and hiring process.
• Carry out selection, competencies and skills tests, home visits, psychosocial evaluations, and all other evaluations that are deemed convenient in order to identify the relevance of the candidate’s hiring.
• Store the personal data in a physical and/or digital file or folder that will be identified with the CANDIDATE’s name; the folder or file, may be accessed by KEYBE management or by whoever has been delegated for this purpose.
• KEYBE will keep the information that resides in the file or folder of the candidate for a vacancy for an indefinite period of time to meet the requirements of administrative authorities, and audit requirements.

16.  Employees:

KEYBE will use the personal data of its employees in accordance with the purposes listed below:

• Incorporate the personal data in the employment contract, and make modifications and additions to said contract, as well as in the other documents that are necessary to manage the employment relationship and obligations derived from it that are in care of KEYBE as Data Controller of their personal information.
• Carry out performance, competencies and skills tests, home visits, psychosocial evaluations and others that are deemed appropriate in order to identify the relevance of the person’s employment relationship.
• Develop proper management of the employment relationship that links the owner of the personal data (Data Subject) with KEYBE.
• To have the personal data of the collaborators to incorporate them appropriately in the active and historical labor files of KEYBE and keep them updated.
• Send internal communications related or not to your employment relationship.
• Manage personal data so that KEYBE, as an employer, correctly fulfills its obligations. For example: carry out the affiliations to which the worker is entitled by law before the Comprehensive Social Security System, family compensation funds and other matters related to social benefits, contributions, withholdings, taxes, labor disputes, as well as in the case of contributions or payments to other entities where the collaborator had previously authorized the processing of their data.
• Manage the personal data of the data subject and those of his family nucleus to carry out affiliation procedures with health promoting entities, family compensation funds, labor risk administrators, and others necessary for KEYBE to fulfill its duty as an employer.
• Respond to requests from the worker regarding the issuance of certificates, records and other documents requested from KEYBE in cause of the employment relationship.
• Promote the participation in programs developed by KEYBE aimed at well-being and a good work environment.
• Manage the personal data to guarantee a correct assignment of work tools (including IT tools such as email, computers, mobile devices, access to databases, etc.)
• Manage the personal data to ensure proper execution of the provisions of the Internal Work Regulations, including disciplinary processes and pertinent investigations.
• Monitor and use the images captured through video surveillance systems in order to control and evaluate the development and performance of work activities in the workplace.
• Manage the personal data to make the correct payroll payment, including making discounts for payments to third parties that the employee has previously authorized and making reports related to this process.

17. Suppliers and/or Contractors:

KEYBE will use the personal data of the suppliers and/or contractors in accordance with the purposes listed below:

• Develop proper management of the contractual relationship
• Collect, register and update the personal data in order to inform, communicate, organize, control, attend, and/or accredit the activities in relation to your status as provider and/or third party related to KEYBE and other associated procedures in charge of the Data Controller.
•  Manage the data to carry out the different payment processes, invoices and collection accounts presented to KEYBE, and collection management that are in their control.
• Evaluate the services offered or provided by the supplier and/or contractor.
• Comply with any other legal obligation that is in control of KEYBE.
• Analyze financial, technical and other aspects that allow KEYBE to identify the supplier’s compliance capacity.
• Fulfill the obligations derived from the commercial relationship established with the supplier or contractor.
• Provide assistance and/or information of general and/or commercial interest to the supplier or contractor.
• Develop and apply processes of selection, evaluation, and preparation of responses to a request for information, and prepare requests for quotation and proposal and/or award of contracts.
• Evaluate the quality of the products and services offered or provided to KEYBE.
• Use, in the event that it is necessary, the personal data of the supplier’s collaborator in order to establish access controls to the logical or physical infrastructure of KEYBE.
• Manage personal data to make payments to suppliers, including the administration of bank account numbers for the correct management of payments.
• Send or provide information to the competent authorities, when so requested, or in the course of contractual disputes.
• Transfer information to administrative authorities that, due to their functions, require it in order to comply with the legal obligations in our charge.
• KEYBE understands that your personal data and that of third parties that the supplier or contractor provides, such as workers authorized to carry out the management or service entrusted, references and commercial certifications, have the authorization of the data subjects to be delivered and processed in accordance with the purposes contemplated in this Policy.

18. Clients and Commercial Prospects:

KEYBE will use, directly or with the participation of third-party providers of products or services, the personal data of customers and commercial prospects in accordance with the purposes listed below:

• Evaluate them as a potential KEYBE customer.
• Register them as a KEYBE customer.
• Verify that the information provided is true.
• Show that their assets do not come from illegal activities.
•  Consult and report their information in risk and credit information centers.
• Provide information about the brands and products that we sell, as well as about the promotional activities that we carry out, all within the terms authorized by the respective legislation.
• Provide services in accordance with the needs of the Data Subject.
• Collect, register, and update the personal data in order to inform, communicate, organize, control, attend to, and/or accredit activities in relation to their status as a customer or business prospect.
• Respond to requests or requirements for information about our services.
• Send to physical or electronic mail, cell phone or mobile device, via text messages (SMS and/or MMS) or via WhatsApp or Facebook Messenger, or through any other analog and/or digital means of communication created or to be created, commercial information, advertising or promotional products and/or services, events and/or promotions of a commercial nature, in order to promote, invite, direct, execute, inform and, in general, carry out campaigns, promotions or contests of a commercial or advertising nature, carried out directly by KEYBE and/or by third parties.
• Develop loyalty programs.
• Carry out credit, collection and credit risk studies.
• Verification of data through consultations in public databases or risk centers.
• Evaluate the quality of our products or services and carry out satisfaction surveys.
• Prepare and carry out market studies and statistical analysis of trends, consumption habits, and consumer behavior.
• Keep accounting, financial and statistical records.
• Carry out statistical analysis of trends, consumption habits and consumer behavior.
• Share the information with third parties and/or allied managers for the fulfillment of the purposes described above.
• Other purposes determined by KEYBE in the information collection processes for its treatment and which are communicated to the Data Subjects at the time of personal data collection.

19. SPECIAL REQUIREMENTS FOR THE TREATMENT OF SENSITIVE DATA

KEYBE, in its capacity as Data Controller, will identify the sensitive data that it will eventually collect or process to meet the following objectives:

• Implement special attention and reinforce its responsibility for the treatment of this type of data, which translates into a greater demand in terms of compliance with the principles and duties established by current regulations on data protection.
• Establish technical, legal and administrative security levels to treat this information appropriately.
• Increase restrictions on access and use by the staff of KEYBE, in its capacity as employer, and third-party contractors or suppliers.

20. PERSONAL DATA OF GIRLS, BOYS AND ADOLESCENTS

The processing of personal data of children and adolescents by KEYBE will be carried out always respecting the following requirements:

• Respond to and respect the best interests of children and adolescents.
• Ensure, on behalf of the person in charge, the respect for their fundamental rights.
• Guarantee that the legal representative of the minor grants authorization, after exercising his right to be heard, an opinion that, as far as possible, should be valued taking into account the following factors:
• Maturity
• Autonomy
• Ability to understand the purpose of said treatment
• Explain the consequences of the treatment

IMPORTANT: The assessment of the above characteristics will not be carried out by KEYBE in a general way. Any person in charge, manager, or third party involved in the processing of the personal data of minors, must always ensure the adequate use of this type of personal data.

21. TRANSMISSION OF PERSONAL DATA TO THIRD PARTIES

If you provide us with Personal Data, this information will be used only for the purposes indicated in this Policy, and we will not proceed to sell, license, transmit or disclose it to third parties, unless, i) you expressly authorize us to do so; ii) it is necessary to enable our contractors or agents to provide the services we have entrusted to them; iii) it is necessary for the effective provision and fulfillment of the service acquired; iv) in order to provide our products or services to you; v) it is necessary to allow third parties to provide marketing services on our behalf or to other entities with which they have joint market agreements; vi) it is related to a merger, consolidation, acquisition, divestment or other restructuring process; vii) it is required to finalize administrative operations; or viii) it is required or permitted by law.

In order to implement the purposes described above, your personal data may be disclosed for the reasons indicated in this Policy to human resources personnel, managers, consultants, advisors and other persons and offices, as appropriate.

KEYBE may subcontract third parties for the processing of certain functions or information. When we effectively subcontract with third parties the processing of your personal information, or provide your personal information to third party service providers, we warn said third parties about the need to protect said personal information with appropriate security measures, we prohibit the use of your personal information for their own purposes and we prevent them from disclosing your personal information to others.

However, when KEYBE carries out a Transmission of Personal Data to third-party Managers located in Colombia or in other jurisdictions, it must prove (i) a prior, express and informed authorization by the Data Subject, or (ii) a contract for the transmission of Personal Data that contains the requirements contemplated in article 2.2.2.25.5.2 of Decree 1074 of 2015.

Similarly, KEYBE may transfer or transmit (as appropriate) your personal data to other companies abroad for reasons of security, administrative efficiency and better service, in accordance with the authorizations of each of these persons. Under this understanding, your data may be transmitted or transferred, as appropriate, for the completion of administrative operations in favor and under instructions of KEYBE or in favor of the global operation of KEYBE, Inc., its affiliates or subsidiaries.

22. PROCESSING OF PERSONAL DATA ON BEHALF OF A THIRD PARTY

KEYBE may act in certain events as in Data Processor of the data supplied or transmitted by some of its interest groups that have hired KEYBE, and by virtue of this contractual relationship, it commits to comply with the following duties:

• Verify that the Data Controller is authorized to supply the personal data that will be processed as Data Processor.
• Guarantee to the Data Subject, at all times, the full and effective exercise of the right to habeas data.
• Keep the information under the security conditions necessary to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access.
• Timely update, rectify or delete the data.
• Update the information reported by the Data Controller within five (5) business days from receipt.
• Process the queries and claims made by the data subjects by the terms indicated in this policy.
• Register in the database the caption “claim in process” in the form in which it is established in this policy.
• Insert in the database the caption “information in judicial discussion” once notified by the competent authority about judicial processes related to the quality of personal data.
• Refrain from circulating information that is being controverted by the data subject and whose blocking has been ordered by the Superintendency of Industry and Commerce.
• Allow access to information only to persons authorized by the data subject or empowered by law for that purpose.
• Inform the Superintendency of Industry and Commerce when there are violations of the security codes and there are risks in the administration of the information of the data subject.
• Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.

23. SECURITY, INTEGRITY AND CONFIDENTIALITY

In development of the security principle contemplated in Law 1581 of 2012, KEYBE has adopted and incorporated in its different processes the necessary and adequate technical, human and administrative measures to grant security to the records with personal information avoiding their adulteration, loss, consultation, unauthorized or fraudulent use or access. The personnel who process the personal data will execute the protocols established by KEYBE in order to guarantee the security of the information. The foregoing in accordance with the state of technology, the type and nature of the data found in our databases and the risks to which they are exposed.

The personal data that KEYBE obtains through any format, contract, physical or electronic communication, will be treated with total reserve and confidentiality, committing to keep due secrecy regarding them and guaranteeing the duty to store them by adopting necessary measures to avoid their alteration, loss, and unauthorized treatment or access, in accordance with the provisions of the applicable legislation.

24. RIGHTS OF PERSONAL DATA SUBJECTS

Personal Data Subjects may exercise the right to habeas data before KEYBE in order to:

• Know and access their personal data that has been subject to treatment.
• Update their personal data that has been subject to treatment.
• Rectify personal data that has been subject to treatment.
• Delete the authorization for the processing of their personal data, when the principles established in Law 1581 of 2012 have not been respected in the treatment thereof.
• Request proof of the authorization granted for the processing of their personal data.

These rights may be exercised directly by the Personal Data Subject, his attorney or his successor in title, as the case may be. If the Data Subject wishes to exercise their right to habeas data through a legal representative, they must present a duly authenticated general or special power of attorney.

The content and details of each of the rights that you, as the personal Data Subject, can exercise are described below:

• Right of access. Any natural person will have the right to know if their personal data has been subjected to any form of treatment by KEYBE in the terms expressed in the norm, in addition to exercising the right to know the origin of their data and if they have been transmitted or transferred or not to third parties and, therefore, the identification of those third parties.
• Right to update. Any natural person will have the right to update the information kept by KEYBE as personal data in the terms expressed in the norm.
• Rights of rectification. Any natural person has the right to verify before the data controller the accuracy and veracity of the personal data collected and request the rectification of it when it is inaccurate, incomplete or lead to error. The data subjects must indicate the data they request to correct and also accompany the documentation that justifies the request.
• Request for deletion or cancellation of the data. The personal data subject must indicate the data that must be canceled or rectified, providing, if necessary, the documentation or proof that justifies it. The cancellation will lead to the blocking of your data, being kept by the data controller, with the sole purpose of making it accessible to administrative or judicial authorities, always obeying the limitation period that exists on it. Once this period has elapsed, the data controller must proceed to the definitive cancellation of the personal information of the interested or affected party, which resides in our databases or files.

Likewise, the data subject may request the deletion or cancellation of their personal data when the treatment of these by the Data Controller or Data Processor is excessive or even inappropriate. The personal data of the data subjects will be kept for the time provided for in the applicable regulations and/or, depending on the case, of the contractual relations between the data subject and the data controller.

In any case, the request to delete the information and the revocation of the authorization will not proceed when the data subject has a legal or contractual duty to remain in the database.

25. FORMS TO EXERCISE THE RIGHT OF HABEAS DATA

The Data Subjects may exercise habeas data at any time and effectively to guarantee their right of access, rectification, deletion and proof of authorization before KEYBE through any of the following contact channels enabled:

• Email: you can contact us via email at  [email protected]
• Website: keybe.us

The following are the legally permitted ways to exercise the right to habeas data:

• On your own behalf: you, as the data subject of personal data that is stored in databases and/or files of KEYBE, will have the right to know, update, access, rectify, delete, and be informed about the use of your data, request proof of authorization granted, and revoke the authorization granted.
• Through a proxy: This right can be exercised by the duly identified interested party or by the proxy of the data subject of the personal information, for which the duly authenticated special or general power of attorney must be attached to the request.
• Exercise of the right of minors: Minors must exercise their right to habeas data through whoever proves their legal representation.

26. PROCEDURES FOR QUERIES AND COMPLAINTS

• Query Procedure: Data Subjects who wish to make queries, should bear in mind that KEYBE, as the Data Controller, will provide said persons with all the information contained in the individual record or that is linked to the data subject’s identification. The query will be made through the channels enabled by KEYBE and will be answered within a maximum term of ten (10) business days from the date of receipt of the request. When it is not possible to attend the query within said term, the interested party will be informed, stating the reasons for the delay and indicating the date on which the query will be attended, which in no case may exceed five (5) business days following expiration of the first term, notwithstanding the provisions contained in special laws or regulations issued by the National Government that may establish lower terms, taking into account the nature of the personal data.
• Claim Procedure: The Data Subject who considers that the information contained in a KEYBE database should be subject to correction, updating or deletion, or when they notice the alleged breach of any of the duties contained in Law 1581 of 2012, may submit a claim before the Data Controller or the Data Processor, which will be processed under the following rules:
  • The claim will be formulated by means of a request addressed to the data controller or the data processor, with the identification of the data subject, the description of the facts that give rise to the claim, and the address, accompanying the documents that you want to enforce.
  • If the claim is incomplete, the interested party will be required within five (5) days after receiving the claim to correct the faults. After two (2) months from the date of the request without the applicant submitting the required information, it will be understood that they have withdrawn the claim.
  • In the event that the person who receives the claim is not competent to resolve it, he or she will transfer it to the corresponding person within a maximum term of two (2) business days and will inform the interested party of the situation
  • Once the complete claim has been received, within a period of no more than two (2) business days, a caption that says “claim in process” and the causes that motivated it will be included in the database. Said caption must be maintained until the claim is resolved in substance.
  • The maximum term to attend the claim will be fifteen (15) business days from the day following the date of receipt. When it is not possible to attend the claim within said term, the interested party will be informed of the reasons for the delay and the date on which their claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term.

27. MODIFICATIONS TO THIS POLICY

This policy can be adjusted or modified at any time, for which reason we recommend that you periodically review our corporate website, through which you will be notified of the change and the latest version of this Policy or the mechanisms to obtain a copy of it.

28. PERSONAL DATA PROTECTION OFFICER

KEYBE, in compliance with the principle of demonstrated responsibility, has internally designated [Daniel Agudelo] as Personal Data Protection Officer (“DPO”), who will be in charge of implementing the policies and procedures adopted by KEYBE to comply with the norm of personal data protection, as well as the implementation of good personal data management practices within the company.

The designated KEYBE DPO is internally responsible for updating and distributing the Policy, which is why any change made must be approved by them. If you, as the data subject, do not agree with the changes made to it, you can exercise your right to habeas data through the channels and in the manner established in this Policy.

At KEYBE the Data Protection Officer is [Daniel Agudelo [email protected]]

29. DATE OF ENTRY INTO EFFECT

This Policy became effective on [January 1, 2020]

30. ANNEX PRIVACY POLICY FOR DATA SUBJECTS WHO ARE IN COUNTRIES OF THE EUROPEAN UNION

For clients and users of our Website and, in general, any Personal Data Subject residing in a country of the European Union, as well as for clients who purchase KEYBE’s products or services in a country of the European Union, governs the provisions of this annex, which is applied in accordance with the Privacy and Protection of Personal Data Policy of our stakeholders and is an integral part of it.

31. METHOD OF OBTAINING YOUR PERSONAL DATA

KEYBE collects personal data from its customers and Website users each time they use our services, including when they use our Website or when they interact with us electronically or through our customer service contact channels.

32. DATA COLLECTED AND PROCESSED

KEYBE may collect information and personal data from customers and users of its Website, that may vary due to technological facilities, nature of the product or service to be supplied, among others. For that purpose, we may collect the following personal information:

• General identification data: Name and surname of the client or user, date of birth, identification or ID number, gender, marital status, profession or trade, postal and/or electronic address (personal and/or work), nationality and/or country of residence, landlines and mobile contact numbers (personal and/or work).
• Socio-economic content data: Personal data of the cardholder (names and surnames, type and identification number), billing address information, credit card information(s).
• Sensitive data: biometric data, including images, photographs, videos, voices and/or sounds, and fingerprints that identify or make identifiable our clients and users and/or any individual who is or transits in any place where KEYBE has installed video surveillance camera or georeferencing equipment.
• Other data: IP of the client, through cookies, and information about the location of your device if you have been browsing our website or using our mobile application.
• Information on purchasing channels (including representatives or agents, call centers, websites, mobile applications)
• Information and personal data collected through surveys, focus groups or other market research methods.
• Information required by officials or customer service representatives, such as sales and/or customer relations representatives, in order to attend to requests or claims.
• Certain categories of personal data, such as those related to racial origin, ethnicity, religion, health, sexual orientation or biometric data, constitute special categories of personal data that require additional protection in accordance with the data protection regulations of the European Union. Although at KEYBE we try to limit the circumstances in which we collect and process data of this nature, it is possible that we collect and process this data from customers and users in certain circumstances.

33. PURPOSES OF THE TREATMENT:

In addition to the purposes described in paragraph IX of the Privacy and Protection of Personal Data Policy, KEYBE will process your data for the following purposes:

• Celebration and management of the contractual relationship.
• Management of marketing activities.
• Compliance with legal and security obligations.
• Loyalty programs.
• Personalized communications.
• Personalization of content.
• Analysis and processing of data through Artificial Intelligence.

34. TIME OF CONSERVATION OF PERSONAL DATA:

The personal data provided by clients or users will be kept as long as the commercial or contractual relationship is in force. The foregoing, notwithstanding its conservation for the years necessary to comply with legal obligations, especially in accounting, fiscal and tax matters, and may be kept for a period of up to ten (10) years. For marketing purposes, we will keep your personal data until you ask us to delete or cancel it

35.  LEGITIMATION FOR THE PROCESSING OF PERSONAL DATA:

The fundamental legal basis that allows us to process the personal data of clients and users of our Website is the execution of any contract with KEYBE, from which rights and obligations are derived for the parties to the contractual relationship.

Also, there are legal obligations in tax and fiscal matters, among others, that oblige us to process your personal data in compliance with the procedures and requirements that KEYBE must comply with before the authorities and entities of control and surveillance of any jurisdiction in which these operate.

For the provision of the services acquired, as well as in compliance with certain legal requirements, certain essential data must be collected. The client or user is obliged to provide that personal data (truthful and updated) that is required by legal requirement, and that that is necessary to sign the contract. In case of not providing it or requesting its deletion prior to the total execution of the contract, we will not be able to manage and perfect the contractual relationship, and may even communicate inaccurate data.

On some occasions, the treatment we carry out is based on our legitimate business interest, such as fraud prevention, or the distribution by email of commercial communications about products and services similar to those contracted by you; provided that they do not prevail over the interests or the rights and freedoms of the clients.

The processing of personal data for the distribution of commercial communications and, where appropriate, the treatment of special categories of data is carried out by KEYBE based on the consent given by the client or user.

Whenever we request your consent for any treatment, we will inform you about it at that time. In any case, we inform you that you have the right to withdraw your consent at any time, without the withdrawal of that consent conditioning the execution of the contract. If you are a registered user of our services, you can change your privacy preferences at any time, modifying your online profile, and accessing your private area. In addition, all commercial communications that we send you by email, SMS, PUSH or WhatsApp, will have an option to “unsubscribe” that will allow you to stop receiving electronic communications of a commercial nature. Although we do everything possible to process requests to unsubscribe from commercial communications within a period of fifteen (15) business days from when we receive the request, it is possible that you will receive some commercial communication during that period.

36. RECIPIENTS TO WHOM WE COMMUNICATE PERSONAL DATA:

The data of the clients and users may be legitimately communicated to the following third parties:

• For the management of the contractual relationship.
• For marketing activities, although we may share your data with data processors or with commercial partners, we inform you that KEYBE will not sell your personal data to any third party.
• For the fulfillment of legal obligations.
• For loyalty programs.

In the event that data is transferred outside the European Economic Area, it will be done in accordance with the GDPR (Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016, regarding the Protection of Natural Persons with regard to the Processing of Personal Data and the Free Circulation of this Data, as well as the national laws of the Member States on the matter). For transfers outside the EEA, KEYBE uses contractual data protection clauses adopted by the European Commission and the EU – US Privacy Shield as a guarantee of those transfers made to countries that do not have an adequacy decision from the European Commission.

37. RIGHTS OF PERSONAL DATA SUBJECTS:

• You have the right to obtain confirmation on whether or not we are treating your personal data.
• You have the right to access your personal data, as well as to request the rectification of inaccurate data or, where appropriate, request its deletion when, among other reasons, the data is no longer necessary for the purposes for which it was collected. Likewise, you will have the right to the portability of your data in the cases provided for in the regulations.
• n certain circumstances, you may request the limitation of the processing of your data, in which case, with the exception of its conservation, we will only treat it for the formulation, exercise or defense of claims or in the other cases provided for in the applicable legislation.
• In certain circumstances and for reasons related to your particular situation, you may object to the processing of your data. We will stop processing the data, except for compelling legitimate reasons, or for the formulation, exercise or defense of possible claims.
• Finally, regarding those treatments that you have voluntarily consented to, you may withdraw your consent at any time; but this withdrawal may not affect the fulfillment of the legal obligations in responsibility of KEYBE.

To exercise your rights, you must send a request through the means enabled by KEYBE, attaching the document that proves your identity, the passport for validation associated with international flights, the description of your request and the means of contact:

38. Enabled media:

Email:  [email protected]

If you wish to obtain more information about your rights, if you have not obtained satisfaction in the exercise of your rights, and/or wish to file a claim, you can do so by contacting the data protection control authority of the corresponding country.

39. RIGHTS OF PERSONAL DATA SUBJECTS:

KEYBE does not carry out direct marketing to minors, nor can they be users of the products or services we offer, unless they act through, or are duly authorized by, their parents or by those who have parental authority or legal representation of the minor.

40. SPECIFIC PRIVACY POLICY FOR THE KEYBE APP

Our App collects information from users through a registration form, a chat, and the option to upload files. The collected data includes: identity, address, phone number, email address, and identification document. Users also have the option to upload any other type of personal information of their own choice through the aforementioned file.

The collected information is used to provide a more personalized service and to improve the user experience on our app. This information will not be shared with third parties without the user's prior consent, unless required by law.

Users have the right to access, correct, and delete their personal data at any time. If you wish to exercise these rights, please contact us through our email or phone number provided in our privacy policy.

The security of user information is important to us, so we take measures to protect the information from unauthorized access, alteration, disclosure, or destruction. However, we cannot guarantee absolute security of information sent through the internet.

By using our App, users accept the terms of this privacy policy. If you do not agree with these terms, please do not use our App. This privacy policy may be updated at any time, so we recommend reviewing it periodically.

41. Limited Use Requirements

The use and transfer of information received from Google APIs by our App Keybe Green Mountain to any other application will comply with the Google API Services User Data Policy, including the Limited Use requirements.

42. Specific Information about AI Models

Our privacy policy details the use and sharing of data with third-party AI models to ensure transparency and user control over their data. Below is specific information provided and explicit user consent will be obtained:

• Third-party AI models used: We use AI models provided by third parties to improve our services.
• Data shared with these models: We share user data that may include, among other things, contact information, interactions within the application, and usage data.
• Purpose of sharing this data: Data is shared to improve the accuracy and efficiency of our AI-based services, offer personalized recommendations, and optimize the user experience.
• Use of data by AI models: AI models use this data to learn and continuously improve their capabilities, positively impacting the personalization and quality of the service offered to users.
• User control options: Users have the option to control or decline the sharing of their data with AI models through specific settings in the application.
• Responsible and ethical use of data: We ensure the responsible and ethical use of data shared with AI models, complying with all applicable regulations and protecting user privacy.

43. Explicit User Consent

Users are explicitly informed about the use of AI models and the potential data sharing involved through clear notices within the application and in this privacy policy. The application obtains explicit consent from users before sharing their data with any third-party AI models through a clear opt-in checkbox and detailed explanations. Consent is obtained in a clear and transparent manner, providing users with all the necessary information to make an informed decision.

44. VALIDITY

This annex is effective from the day of its publication.

ACCEPTABLE USE POLICY

This Acceptable Use Policy (“AUP”) describes the rules that apply to any party (“Customer”) that uses any product and service (“Services”) provided by Keybe, or any of its affiliates (collectively, “Keybe”), and any user of any software application or service made available by the Customer who interacts with the Services (“End User”). The examples described in this AUP are not exhaustive. The Client is responsible for compliance with this AUP by its End Users. If the Client or any End User violates this AUP, Keybe may suspend the use of the Services by the Client. This AUP may be updated by Keybe from time to time with reasonable notice, which may be provided through the customer’s account, email, or by posting an updated version of this AUP at https://keybe.us/legal/#service-agreement

The use of inappropriate content or users is not allowed. Do not use the Services to transmit or store any content or communication (commercial or otherwise) that is illegal, harmful, unwanted, inappropriate, objectionable, confirmed to be criminal misinformation, or poses a threat to the public. This prohibition includes the use of the Services by a hate group or the content or communications that come from a hate group or that are exploitative, abusive or inciting hatred.

Forbidden activities. Do not use the Services to participate in or promote any activity that is illegal, misleading, harmful, violates the rights of others, or detrimental to Keybe’s business operations or reputation, including:

• Violations of the laws. Violation of applicable laws, regulations, or industry or guidance standards (collectively, “Applicable Laws”). This includes the violation of applicable laws that require (a) the consent that is obtained before transmitting, recording, collecting, or monitoring the data or communications or (b) the fulfillment of requests to opt out of any data or communication.
• Interference with the services: Interfere with or negatively affect any aspect of the Services or any third-party network that is linked to the Services.
• Falsification of identity or origin: Creating a false identity or any attempt to deceive others as to the identity of the sender or the origin of any data or communication.

Do not violate the integrity of the Services, including:

• Bypass the limitations of the Services: Attempt to circumvent, exploit, defeat or deactivate the limitations or restrictions imposed on the Services.
• Security vulnerabilities: Find security vulnerabilities to exploit the Services or try to circumvent any security mechanism or filtering capacity.
• Disabling the Services: Any denial-of-service attack (DoS Attack) on the Services or any other conduct that attempts to interrupt, disable or overload the Services.
• Harmful code or bots: Transmitting code, files, scripts, agents or programs with the intention of doing harm, including viruses or malware, or using automated means, such as bots, to access or use the Services.
• Unauthorized Access: Attempting to gain unauthorized access to the Services.

Data Protection: The Client is responsible for determining whether the Services offer adequate safeguards for the Client’s use of the Services, including, but not limited to, any safeguards required by Applicable Laws, prior to transmitting or processing, or before allowing End Users to transmit or process any data or communication through the Services.

Violations of this AUP, including any prohibited content or communication, can be reported to [email protected]. The Client agrees to immediately report any violation of this AUP to Keybe and to provide cooperation, as requested by Keybe, to investigate and/or remedy such violation as soon as possible.

VULNERABILITY DISCLOSURE PROGRAM

Our Vulnerability Disclosure Program aims to minimize the impact that any security breach has on our tool or on users. To be eligible for the Program, the vulnerability must exist in the latest public version. You must remember that only security vulnerabilities will be scored.

Guidelines and scope limitations

Before reporting, please review the following information, including our vulnerability disclosure schedule, scope, and other guidelines. To encourage vulnerability investigation and avoid any confusion between good faith hacking and malicious attack, we ask that you:

1. Follow this Disclosure Program, as well as any other relevant agreements
2. Do not cause any damage, do not hinder the flow of the application or act against our Terms of Use Agreement
3. Do not intentionally access non-public Keybe data more than is necessary to demonstrate vulnerability.
4. Do not access, modify, destroy, save, transmit, alter, transfer, use or view data that belongs to someone other than you. If a vulnerability provides inadvertent access to data, stop testing, purge local information, and submit a report immediately.
5.  Avoid violating the privacy of others, disrupting our systems, destroying data and/or impairing the user experience.
6. Do not compromise the privacy or security of our customers or the operation of our services. Such activity will be treated as illegal.
7. Maintain the confidentiality of the details of any vulnerabilities discovered, in accordance with this Disclosure Schedule. Uncoordinated public disclosure of a vulnerability may result in disqualification from this program.
8. Comply with applicable laws and regulations.
9. Use only designated official channels to discuss vulnerability information with us.
10. By conducting a genuine vulnerability investigation in accordance with this Disclosure Program, we consider this investigation to be Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for good faith and accidental violations of this Disclosure Program when conducting a genuine vulnerability investigation.
11. Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a lawsuit against you for circumventing technology controls when conducting a genuine vulnerability investigation in accordance with this Disclosure Program.
12. Exempt from restrictions in our Terms of Use Agreement that could interfere with conducting a genuine vulnerability security investigation, and we waive those restrictions on a limited basis for genuine vulnerability investigation conducted under this Divulgation Program.
13. That it is legal, that it helps the general security of the Internet and that it is carried out in good faith.

We reserve the right not to act in the event of findings that do not have a real impact on the integrity and security of our data. Any investigation that violates the conditions of this Program, the Terms of Use Agreement, the documentation related to security and the GDPR, as well as the current legislation, will be treated as an act of bad faith and in an illegal manner. We are not required to provide remuneration, fees or rewards for the disclosure of a vulnerability; such action is at our sole discretion.

If at any time you are concerned or unsure whether your security investigation is consistent with this Disclosure Program, please submit a report through one of our official notification channels before proceeding further.

Scope of application

At this time, the following services and applications are in scope:

Application and web infrastructure:

• https://keybe.ai/
• https://keybe.co/
• https://keybe.mx/
• https://keybe.us/
• https://keybe.app
• https://app.keybe.ai
• https://kb.live
• https://kbe.ai
• Any of the third level subdomains keybe.ai
• Anything with a significant impact on our entire security or infrastructure posture

Outside the scope of application

We only accept manual or semi-manual tests. All findings from automated tools or scripts will be considered out of scope. Additionally, any issues that do not have a clearly identified security impact, missing security headers, or descriptive error messages will be considered out of scope.

These items are also considered outside the scope:

1. Attacks designed or likely to degrade, deny or negatively affect services or user experience (e.g. denial of service, distributed denial of service, brute force, password spraying, spam…).
2. Attacks designed or capable of destroying, corrupting, making unreadable (or attempting to do so) data or information that does not belong to you..
3. Attacks designed or capable of validating stolen credentials, credential reuse, accounting (ATO), hijacking, or other credential-based techniques.
4. Intentionally accessing data or information that does not belong to you beyond the minimum viable access necessary to demonstrate vulnerability.
5. Perform physical, social engineering, or electronic attacks against our staff, offices, wireless networks, or property.
6. Security issues in third-party applications, services or dependencies that integrate with Keybe’s products or infrastructure and that do not have a demonstrable proof of concept of vulnerability (e.g. libraries, SAAS services).
7. Security issues or vulnerabilities created or introduced by the informant (for example, modifying a library we trust to include a vulnerability for the sole purpose of receiving a reward).
8. Attacks made on any system not explicitly mentioned as authorized and within the scope of application.
9. Reports of lack of “best practices” or other guidelines that do not indicate a security problem.
10.  Attacks related to email servers, email protocols, email security (e.g. SPF, DMARC, DKIM) or spam.
11.  Lack of cookie indicators in non-sensitive cookies.
12. Reports on insecure SSL/TLS encryption (unless accompanied by a working proof of concept).
13. Reports on how you can find out if a certain customer can authenticate with an amoCRM product or service.
14.  Mapping reports between code names and customer names.
15.  Simple port or IP scan reports.
16. Missing HTTP headers (for example, missing HSTS).
17. Email security best practices or controls (e.g. SPF, DKIM, DMARC).
18. Banners, fingerprints, or software or infrastructure acknowledgments with no proven vulnerability.
19. Informes de clickjacking o autoXSS.
20.  Reports of DNS records that are publicly resolvable or accessible to internal hosts or infrastructure.
21. Phishing based on domains, typosquatting, punycodes, bitflips or other techniques.
22.  Violation of any law or breach of any agreement (or any report thereof).

Report

The results must be supported by clear and precise documentation, without speculative information. All findings should have an indication of relevance and impact. Remember to provide a detailed summary of the vulnerability, including the purpose, steps, tools, and artifacts used during the discovery that will allow us to reproduce the vulnerability.

To ensure that your observations are communicated correctly, you must use only approved channels, that is, you must communicate the discovered vulnerability by email to [email protected].

DESCRIPTION OF THE SECURITY OF THE SERVICES

1. 1. This Security Overview is incorporated into, and forms part of the Keybe Terms of Service, as set out in terms and conditions, which the Client has accepted, or a signed master sales Agreement, or other similar written agreement between Keybe and the Client which we call: “Contract.” In this Security Description of Keybe Services, (Security Description), references to “Keybe” will collectively refer to KEYBE INC., 2915 Biscayne Blvd. Suite 300 Miami, FL 33137, and its Affiliates. The terms “Customer” shall refer to you, the Customer and your Affiliates.

1. 2. Objective. Keybe is committed to maintaining the customer’s trust. The purpose of this Security Description is to describe the security program for the Keybe Services (“Services”). This Security Description describes the minimum security standards that Keybe maintains to protect Customer Data (as defined in the Agreement) from unauthorized use, access, disclosure, theft or manipulation. In addition to this Security Description, the security documentation for the Keybe API. As security threats change and evolve, Keybe continues to update its security program and strategy to help protect Customer Data. Keybe reserves the right to update this Security Description from time to time; always, however, any update will not materially reduce the general protections set forth in this Security Description. Any capitalized term not defined in this Security Description will have the meaning given in the Privacy Agreement
      

1. 3. Covered Services. This Security Description describes the architecture, administrative, technical, and physical controls, and third-party security audit certifications that are applicable to the Services. The Beta Offerings and any services provided by telecommunications providers involved in routing, providers of various services and the connection of Customer communications are not covered by this Security Description.

1. 4. Organization and security program. Keybe maintains a risk-based security assessment program. The framework for Keybe’s security program includes administrative, technical and physical safeguards reasonably designed to protect the confidentiality, integrity and availability of customer data. Keybe’s security program is intended to be appropriate to the nature of the Services provided, the size, and complexity of Keybe’s business operations. Keybe has a team dedicated to managing the security program. This team facilitates and supports independent third party audits and evaluations. Keybe’s security framework is based on the ISO 27001 Information Security Management System, which is currently in the certification process, and includes programs that cover: Policies and Procedures, Asset Management, Access Management, Cryptography , Physical Security, Operations Security, Communications Security, Business Continuity Security, People Security, Product Security, Cloud and Network Infrastructure Security, Security Compliance, Security of Third Parties, Vulnerability Management, as well as Security Supervision and Incident Response. Security is represented at the highest levels of the company, with Keybe’s Head of Trust and Safety meeting with the Board of Directors on an ongoing basis to discuss issues and coordinate company-wide security initiatives. Information security policies and standards are reviewed and approved by management at least once a year and are made available to all Keybe employees for consultation.

1. 1. 5. Confidentiality. Keybe has controls to maintain the confidentiality of the Client Data that the Client makes available to the Services, in accordance with the Agreement. All Keybe employees and contracted personnel are bound by internal policies and by a signed contract in relation to maintaining the confidentiality of customer data and are contractually bound to these obligations. In turn, Keybe conducts independent investigations of the behaviors and procedures of Keybe’s employees and suppliers.

1. 6. Security of people.
      1. 6. 1. Background verification of employees. Keybe conducts background checks on individuals who join Keybe in accordance with applicable local laws. Keybe currently verifies the individual’s education and previous employment, and also conducts referral checks. When permitted by local labor law or statutory regulations, and depending on the role or position of the prospective employee, Keybe may also carry out criminal, credit, immigration and security checks.
         6. 2. Training of employees. At least once a year, all Keybe employees must complete the security and privacy training that covers security policies, best security practices, and privacy principles. Licensed employees may have additional time to complete this annual training. Keybe’s dedicated security team also conducts phishing awareness campaigns and communicates emerging threats to employees. Keybe has also established an anonymous hotline for employees to report any unethical behavior where anonymous reporting is legally permitted.

1. 7. Management of third-party providers
      1. 7. 1. Evaluation of suppliers. Keybe may use third party providers to provide Services. Keybe conducts a security risk-based assessment of prospective vendors prior to working with them to validate that prospective vendors meet security requirements. Keybe periodically reviews each provider in light of Keybe’s business continuity and security standards, including the type of access and classification of the data accessed, the controls necessary to protect the data, and legal/regulatory requirements. Keybe ensures that customer data is returned and/or deleted at the end of the relationship with the provider. To avoid doubt, telecommunications providers are not considered subcontractors of Keybe.
         7. 2. Agreements with suppliers. Keybe enters into written agreements with all its suppliers, that include confidentiality, privacy and security obligations that provide an adequate level of protection for the personal data contained in customer data that these suppliers may process. Keybe conducts ongoing research and evaluations of its providers’ practices at least once a year.

1. 8. Architecture and data segregation. The cloud communication platform for Keybe Services is hosted on Google Cloud Platform (“GCP”). The current location of the GCP data center infrastructure used to provide the Keybe Services is in the United States. More information about the security provided by GCP can be obtained on the security web page available at https://cloud.google.com/security. Keybe’s production environment within GCP, where customer data and customer-facing applications are located, is a logically isolated virtual private cloud (VPC).

1. 9. Infrastructure security design. Keybe is based on and uses the GCP security design. You can view the information at https://cloud.google.com/security/infrastructure/design

• • • Google has a global scale technical infrastructure designed to provide security for the entire information processing life cycle at Google. Provided through this infrastructure is a secure implementation of services, a secure storage of data with end-user privacy protections, secure communications between services, a secure and private communication between clients on the Internet, and a secure operation by the administrators.
    • Google uses this infrastructure to compile its Internet services, including user services, such as Search, Gmail, and Photos, and business services, such as G Suite and Google Cloud.
    • Infrastructure security is designed in progressive layers that begin with the physical security of the data centers, continue with the security of the hardware and software that support the infrastructure, and end with the technical constraints and processes in place to support the operational security.
    • Google invests heavily in protecting its infrastructure, with hundreds of dedicated security and privacy engineers spread across all Google divisions, many of whom are distinguished authorities in the industry.

1. 10. Access controls.
       1. 10. 1. Access Provisioning. To minimize the risk of data exposure, Keybe follows the principles of least privilege through a team-based access control model when provisioning access to the system. Keybe personnel is authorized to access customer data based on their job function, role and responsibilities, and such access requires the approval of the director of the area to which the employee belongs. Access rights to production environments are reviewed at least semi-annually. An employee’s access to Customer Data is quickly removed upon termination of employment. In order to access the production environment, an authorized user must have a unique username and password, multi-factor authentication, and be connected to the Keybe virtual private network (VPN). Before an engineer is granted access to the production environment, access must be approved by management and the engineer is required to complete internal training for such access, including training on the corresponding equipment systems. Keybe records high-risk actions and changes in the production environment. Keybe leverages automation to identify any deviations from internal technical standards that could indicate anomalous/unauthorized activity to raise an alert within minutes of a configuration change.
          10. 2. Password Controls. Keybe’s current policy for managing employee passwords follows the NIST 800-63B, guide, and as such, our policy is to use longer passwords, with multi-factor authentication, but not requiring special characters or frequent changes. When a customer logs into their Keybe account, Keybe hashes the user’s credentials before storing them. A customer can also require their users to add another layer of security to their account by using two-factor authentication (2FA).
          10. 3. Change Management. Keybe has a formal change management process to manage changes to software, applications, and system software that will be deployed to the production environment. Change requests are documented using a formal and auditable system of record. Before a high-risk change is made, an assessment is performed to consider the impact and risk of a requested change, change recognition testing, approval of the deployment to production by the appropriate approvers, and procedures for reversion. Changes are reviewed and tested before going into production.

1. 11. Secure Socket Layer. Keybe uses SSL (Secure Socket Layer) which is the standard security technology to establish an encrypted link between Keybe’s web servers and a browser. This secure link ensures that all transferred data is private. Also called TLS (Transport Layer Security). You can find the complete information at: https://www.cloudflare.com/ssl/

1. 12. Web Application Firewall (WAF). Every request to the WAF is inspected with the rules engine and threat intelligence curated from the protection of approximately 25 million websites. Suspicious requests can be blocked, questioned or logged based on Keybe’s needs, while legitimate requests are directed to the destination regardless of whether they are on premises or in the cloud. Complete information on the service can be found at: https://www.cloudflare.com/waf/

1. 13. Vulnerability management. Keybe maintains controls and policies to mitigate the risk of security vulnerabilities in a measurable time frame that balances risk and business/operational requirements. Keybe uses a third-party classified tool to conduct regular vulnerability scans to assess vulnerabilities in Keybe’s cloud infrastructure and corporate systems. Critical software patches are proactively evaluated, tested, and applied. For Keybe services, operating system patches are applied through the rebuild of a base virtual machine image and are deployed to all nodes in the cluster according to a predefined schedule. For high-risk patches, Keybe will deploy directly to existing nodes through internally developed orchestration tools.

1. 14. Penetration testing. Keybe performs penetration testing and contracts with independent third-party entities to carry out penetration testing at the application level. Penetration test results are quickly prioritized, trialed, and remediated by Keybe’s security team.

1. 15. Security incident management. Keybe maintains security incident management policies and procedures in accordance with NIST SP 800-61.Keybe’s Security Incident Response Team assesses the threat of all relevant vulnerabilities or security incidents and establishes remediation and mitigation actions for all events. Keybe keeps security records for 360 days. Access to these security logs is limited to senior management only. Keybe uses third-party tools and services to detect, mitigate, and help prevent distributed denial of service (DDoS) attacks.

1. 16. Discovery, investigation and notification of a security incident. Upon discovery or notification of any security incident, Keybe:
       • 1. Will promptly investigate said Security Incident.
       • 2. To the extent permitted by applicable law, will promptly notify the Client. The Client will receive a notification by email associated with the Keybe account.
       • 3. Will take the necessary measures and corrective measures to resolve the incident as soon as possible.

1. 17. Resilience and continuity of service. Keybe’s infrastructure uses a variety of tools and mechanisms to achieve high availability and resilience. The infrastructure spans multiple fault-independent GCP Availability Zones in physically separated geographic regions. For Keybe services, there are manual or automatic capabilities to redirect and regenerate hosts within the Keybe infrastructure. The infrastructure is able to detect and route problems experienced by hosts or even entire data centers in real time and employ orchestration tools that have the ability to regenerate hosts, building them from the latest backup. Keybe uses specialized tools that monitor server performance, data, and traffic load capacity within each Availability Zone and colocation data center. If suboptimal server performance or overloaded capacity is detected on a server within an Availability Zone or colocation data center, then these specialized tools will increase capacity or shift traffic to alleviate any suboptimal server performance or capacity overload. Keybe has notifications of different levels that work immediately and has the ability to take immediate action to correct the causes behind these problems if specialized tools cannot.

1. 18. Backup and recovery. Keybe regularly backs up account information, logs, recordings, chats, documents, and other critical data using GCP’s cloud storage. Backup data is preserved redundantly across Availability Zones and is encrypted in transit and at rest using Advanced Encryption Standard (AES-256) 256-bit server-side encryption.

INFORMATION SECURITY POLICY

Updated on 13 July 2023.

At Keybe, we understand the paramount importance of data security, and thus have implemented a series of measures aimed at preserving the integrity, confidentiality, and availability of our information. Our policy applies to every party involved with Keybe, from our own staff to third parties, interns, practitioners, suppliers, and the general public.

Our Aims

• Minimize risk in our most important functions.
• Comply with principles of information security and administrative functions.
• Foster trust among our customers, partners, and employees.
• Support technological innovation and protect technological assets.
• Establish robust policies, procedures, and instructions for information security.
• Enhance the culture of information security across all personnel and clients.
• Ensure business continuity in the face of incidents.

Our Approach

Keybe employs a continuously evolving Information Security Management System (ISMS), tailored to meet both the needs of our business and regulatory requirements. This system relies on the following principles:

Transparency: Responsibilities regarding information security are clearly defined, shared, published, and accepted by each of the employees, contractors, or third parties.

Protection: We safeguard the information generated, processed, or protected by our business processes and information assets.

Risk Mitigation: We actively work to minimize financial, operational, or legal impacts due to misuse of information.

Internal Security: We guard against threats originating from our own personnel.

Operational Control: We regulate our business processes, ensuring the security of technological resources.

Access Control: We implement rigorous controls to regulate access to information, systems, and network resources.

System Lifecycle Integration: Security is an integral part of our information systems lifecycle.

Incident Management: We ensure effective improvement of our security model through the proper management of security events and system weaknesses.

Business Continuity: We maintain the availability of our business processes and operational continuity based on the potential impact of events.

Legal Compliance: We strictly adhere to all established legal, regulatory, and contractual obligations.

Through these principles, Keybe seeks to uphold the highest standards of information security, providing a safe and reliable environment for our customers and partners.

KEYBE SUPPLIERS

Keybe brings together different global services and providers of cloud services, financial services and telecommunications services (Providers). By accepting the Service Agreement you are directly accepting the Terms and conditions of use of the Providers

The following is the list of Keybe providers and contains the link to their own Terms and Conditions of use of the service:

1. WhatsApp Business: https://www.whatsapp.com/legal/
2. Facebook: https://www.facebook.com/policies_center
3. Instagram: https://help.instagram.com/581066165581870
4. Google Cloud Platform: https://policies.google.com/terms?hl=es-419
5. IBM Watson: https://www.ibm.com/ar-es/legal?lnk=flg-tous-ares
6. Amazon Web Services: https://aws.amazon.com/es/terms/?nc1=h_ls
7. Mandrill: https://mailchimp.com/legal/terms/
8. CloudFlare: https://www.cloudflare.com/es-es/website-terms/
9. Mongo DB: https://www.mongodb.com/legal/legal-notices
10. Zendesk: https://www.zendesk.com.mx/company/customers-partners/terms-of-use/
11. Text messages (SMS): Depending on the country, we use different telecommunications providers (Carriers) that have different delivery rules. We make an effort to consolidate the best benefits and costs for you. The following should be taken into account:
    • Message prices vary depending on the territory, the number of messages sent and the number of characters used in the message.
    • The character limit allowed by Carriers in messages is 160 characters, we call this limit Parts.
    • If the number of characters exceeds 1 Part (160 characters), the message will be charged as 2 Parts, if it exceeds 360 characters it will be charged as 3 parts and so on.
    • In some countries we have Premium Messages that allow us to send some special characters and emojis.
    • Premium Messages have more characters, therefore it can increase the number of Parts of the message, therefore it can increase the price.
    • We recommend using this powerful communication channel in an efficient and effective way to achieve successful results. You can reach out to our support channels to help you make better decisions in this regard.

COOKIES POLICY

Updated on 13 July 2023.

This Cookies Policy explains what Cookies are and how We use them. You should read this policy so You can understand what type of cookies We use, or the information We collect using Cookies and how that information is used.

1. What are Cookies?

A cookie is a file that is downloaded onto your computer when you access certain websites. Cookies allow a website, among other things, to store and retrieve information about a user's browsing habits or their device, and depending on the information they contain and how you use your device, they can be used to recognize the user.

• What types of Cookies does this website use?

  This website uses the following types of Cookies:

  Analysis Cookies: These are Cookies that, whether processed by us or by third parties, allow us to quantify the number of users and thus carry out statistical measurement and analysis of the users' utilization of the offered service. To do this, we analyze your browsing on our website in order to improve the range of products or services we offer you.

  Technical Cookies: These are Cookies that allow the user to navigate through the restricted area and use its various features, such as completing the process of purchasing an item.

  Personalization Cookies: These are Cookies that allow the user to access the service with some predefined general characteristics based on a series of criteria on the user's device, such as the language or type of browser through which they connect to the service.

  Advertising Cookies: These are Cookies that, whether processed by this website or by third parties, allow us to manage the advertising spaces on the website as effectively as possible, tailoring the ad content to the requested service content or the use made of our website. To do this, we can analyze your internet browsing habits and show you advertising related to your browsing profile.

  Behavioral advertising Cookies: These are Cookies that allow the management, in the most efficient way possible, of the advertising spaces that, where appropriate, the publisher has included on a website, application, or platform from which the requested service is provided. This type of cookie stores information on the behavior of visitors obtained through the continuous observation of their browsing habits, which allows the development of a specific profile to display advertising based on that profile.

• Disabling Cookies

  You can allow, block, or delete the Cookies installed on your computer by configuring the options of the browser installed on your computer.

  Most web browsers offer the possibility to allow, block, or delete the Cookies installed on your device.

  Below, you can access the settings of the most common web browsers to accept, install, or disable Cookies:

  • Firefox
  • Chrome
  • Apple
• Third-Party Cookies

  This website uses third-party services to collect information for statistical purposes and website usage. Google Tag Manager Cookies are used to improve the advertising included on the website. They are used to target advertising based on the content that is relevant to a user, thus improving the quality of the experience when using it.

  Specifically, we use the services of Hotjar and Facebook Connect for our statistics and advertising. Some Cookies are essential for the operation of the site, for example, the built-in search engine.

• Warning about Deleting Cookies

You can delete and block all Cookies from this site, but parts of the site may not work or the quality of the website may be affected.

If you have any questions about our cookie policy, you can contact this website through our Contact channels.