
Keen & GDPR: Who needs a DPA?

A practical guide to how GDPR roles and data processing agreements work when customers share leads with partners through Keen.

If your company shares or receives leads through Keen, one question comes up again and again from privacy and legal teams: "Do we have everything we need under GDPR, and how many data processing agreements are involved?"

It's a good question - and the answer is simpler than it first looks. The key is to stop counting companies and start counting relationships. This post explains how data flows through Keen, what role each party plays, and where a Data Processing Agreement (DPA) is actually required.

The one rule that decides everything

Under GDPR (Article 28), a Data Processing Agreement is only required between a data controller and a data processor - that is, whenever one party processes personal data on behalf of another and on their instructions.

Two parties who each decide for themselves why and how they use the data are both independent controllers. They do not need a DPA between them. They need a valid legal basis for sharing the data and clear information to the people whose data it is.

So the right question is never "how many companies touch this data?" It's "how many on-behalf-of relationships exist?" Each one of those needs a DPA. Everything else is governed differently.

The roles in a typical Keen setup

Take a common example: one company (let's call them the customer) shares leads through Keen to a partner who will follow up on them.

The customer is the data controller for the leads they share. They collected the personal data and they decide that it should be passed on.

Keen is the data processor. We move, store and manage that personal data on our customers' behalf and according to their instructions. We don't decide to repurpose anyone's data for our own ends.

The partner who receives a lead becomes an independent data controller the moment they start using it for their own sales or marketing. From that point, they answer for that data under their own privacy programme.

How data sharing works on Keen

Who holds a Data Processing Agreement (DPA) with whom under GDPR (diagram):

  • Customer (Data Controller) -> Keen (Data Processor): DPA
  • Keen (Data Processor) -> Partner (Independent Data Controller): DPA
  • Keen -> sub-processors (hosting, email, analytics): DPA
  • Customer <-> Partner: controller-to-controller - needs a legal basis, not a DPA

Legend: "DPA" means covered by Keen's standard DPA (accepted at signup); "controller-to-controller" means your own legal basis applies.

Where the DPAs sit - and why you're already covered

Here's the part that saves everyone time: the processor relationships are covered automatically.

Everyone who creates an account on the Keen platform accepts our standard DPA as part of signing up. You can read it here: Keen Standard Data Processing Agreement.

That single agreement governs:

  • Customer -> Keen - we process the customer's lead data as their processor.
  • Keen -> Partner - where we also process personal data on the partner's behalf (for example, storing the leads they receive and managing their pipeline), that relationship is covered too.

Behind the scenes, Keen also maintains its own DPAs with the sub-processors it relies on - hosting, email delivery, analytics and similar services. These sub-processors are disclosed in the agreement above, so you always know who is in the chain.

In other words: by using Keen, the entire processor side of the picture is already documented. There is no separate DPA for you to chase, draft or sign with us - accepting the platform terms puts it in place.

The one relationship that is not a DPA

The relationship between the customer and the partner - the two companies at either end of the lead - is controller-to-controller. It's a disclosure of personal data between two independent controllers, and GDPR does not treat this as a processor relationship.

That means it isn't governed by a DPA. Instead, it relies on:

  • a valid legal basis for sharing the lead (most commonly the individual's consent, or legitimate interest where appropriate);
  • ideally a short data-sharing arrangement that makes each party's responsibilities clear; and
  • accurate information to the individual in each party's privacy policy about how their data is shared and used.

This is the piece each company owns for itself. Keen gives you the infrastructure and the processor-level agreements; the legal basis for two controllers to exchange data sits with those controllers.

The summary you can keep

  • A DPA is needed only where someone processes data on behalf of another party.
  • Customer -> Keen and Keen -> Partner: processor relationships, covered by Keen's standard DPA, accepted at signup.
  • Keen -> sub-processors: covered by Keen's own DPAs, disclosed in that agreement.
  • Customer <-> Partner: controller-to-controller - needs a legal basis, not a DPA.

If your team wants to map your specific configuration, bear in mind that the precise role of each party (processor versus joint controller, for instance) can vary with how a channel is set up, so it's always worth confirming with your own legal advisor.

This article is general information about how data sharing works on Keen and is not legal advice.