Data Processing Agreement (template)

Status: Template for B2B / team customers who require a GDPR Article 28-style agreement. Not executed. Complete bracketed fields and have qualified counsel finalize the instrument before signing.

This Data Processing Agreement (“DPA”) supplements the Terms of Service (the “Agreement”) between [Customer legal name] (“Customer”) and Knotr AI, LLC (“Knotr” or “Processor”) for the provision of the Knotr AI services (the “Services”). It applies only where Customer’s use of the Services involves processing of personal data subject to the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”), the UK GDPR, the Swiss Federal Act on Data Protection, or other data-protection laws that require the parties to enter into a written data processing agreement.

1. Definitions

Capitalized terms not defined in this DPA have the meanings given to them in the Agreement. Terms such as personal data, processing, controller, processor, sub-processor, data subject, and personal data breach have the meanings given to them in applicable data protection law (including the GDPR where applicable).

2. Roles of the parties

Each party will comply with its obligations under applicable data protection law. The parties acknowledge that, for the processing described in Annex A — Processing details:

  • Customer is the controller of personal data submitted to or generated by the Services.
  • Knotr is the processor of personal data processed on Customer’s behalf.
  • Where Customer is itself a processor for a third-party controller (for example, where Customer’s end users are the underlying data subjects of another organization), Knotr acts as a sub-processor under the Agreement.

3. Scope and instructions

Knotr will process personal data only:

  1. To provide the Services as described in the Agreement and any documentation Knotr publishes for the Services;
  2. On Customer’s documented instructions, including instructions reasonably given through the Services’ user interface, configuration settings, MCP / API endpoints, and support requests; and
  3. As required by applicable law, in which case Knotr will inform Customer of that requirement before processing, unless the law prohibits doing so.

Knotr will inform Customer if Knotr becomes aware that an instruction infringes applicable data protection law.

4. Confidentiality

Knotr ensures that personnel authorized to process personal data are bound by appropriate written or statutory confidentiality obligations, and that access to personal data is limited to personnel who need it to perform their work for Knotr.

5. Security

Knotr will implement and maintain appropriate technical and organizational measures designed to protect personal data against unauthorized or unlawful processing, accidental loss, destruction, damage, or unauthorized disclosure or access. A current summary of those measures is in Annex B — Security measures.

Knotr may update its security measures from time to time, provided the updates do not materially decrease the overall level of protection.

6. Sub-processors

6.1. Authorization. Customer authorizes Knotr to engage the sub-processors listed at /subprocessors (the “Subprocessor List”) to perform processing in connection with the Services.

6.2. New sub-processors. Knotr will give Customer at least 30 days’ prior notice of any new sub-processor by updating the Subprocessor List and (where Customer has subscribed) sending an email notification. Customer may reasonably object to a new sub-processor on data protection grounds within that notice period. If the parties cannot resolve the objection, Customer may, as its sole remedy, terminate the affected portion of the Services.

6.3. Sub-processor obligations. Knotr will impose data protection obligations on its sub-processors that are no less protective than those in this DPA, and will remain liable to Customer for the acts and omissions of its sub-processors.

7. Data subject rights

Knotr will, taking into account the nature of the processing, provide reasonable assistance to Customer through appropriate technical and organizational measures (including the self-service tools available in the Services) to enable Customer to fulfill its obligations to respond to requests from data subjects exercising their rights under applicable data protection law.

If Knotr receives a request from a data subject directly, Knotr will refer the data subject to Customer, unless required by law to respond.

8. Personal data breach notification

Knotr will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer personal data, and will provide Customer with the information reasonably necessary for Customer to comply with its breach-notification obligations under applicable data protection law.

This notification is not an acknowledgment by Knotr of fault or liability with respect to the breach.

9. Data protection impact assessments

Knotr will provide Customer with the information reasonably necessary to enable Customer to conduct data protection impact assessments and prior consultations with supervisory authorities, taking into account the nature of the Services and the information available to Knotr.

10. Deletion or return

On expiration or termination of the Agreement, Customer can export its User Content from the Services for 30 days, during which the Services may be operated in a read-only mode for that purpose. Knotr will, at Customer’s choice, delete or return the personal data within the same 30-day period, after which the personal data will be deleted from active systems and (within an additional 30 days) from routine backups, except where Knotr is required by law to retain personal data (in which case Knotr will continue to protect it under this DPA).

11. Audit

11.1. Information. Knotr will make available to Customer information reasonably necessary to demonstrate compliance with this DPA, including the security summary in Annex B and any third-party audit reports or certifications Knotr has obtained.

11.2. Audits. Where Customer requires an additional audit to satisfy a specific data-protection obligation, the parties will agree on scope, timing, duration, and cost in advance. Audits must be performed during business hours, with reasonable notice, and in a manner that does not unreasonably interfere with Knotr’s operations or compromise the confidentiality of other customers’ data.

12. International transfers

12.1. Mechanism. Where Customer’s use of the Services involves a transfer of personal data from the European Economic Area, the United Kingdom, or Switzerland to a country that does not benefit from an adequacy decision, the parties incorporate the Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) and, where applicable, the UK International Data Transfer Addendum by reference, with module selection, optional clauses, and annexes as completed in Annex C.

12.2. Other transfer tools. Knotr may rely on other valid transfer mechanisms (for example, an adequacy decision, the EU-U.S. Data Privacy Framework, or alternative safeguards) to the extent permitted by applicable law.

13. Annex A — Processing details

  • Subject matter. Provision of Knotr AI as configured by Customer.
  • Duration. For the term of the Agreement and for any retention period set out in this DPA.
  • Nature and purpose. Hosting Customer-configured profiles, knowledgebases, skills, MCP and API endpoints; authentication; embeddings and AI-feature execution; support; billing.
  • Categories of data subjects. Customer’s authorized users (administrators and members of Customer’s workspace) and any individuals whose personal data Customer chooses to upload or process through the Services.
  • Categories of personal data. Account identifiers (email, hashed password, role, workspace membership), content uploaded by Customer (documents, prompts, profiles, skills, knowledgebases), usage and security logs, billing metadata. Customer shall not submit special categories of personal data (for example, health data, government identifiers, payment card numbers) unless expressly agreed in writing.
  • Frequency. Continuous, for the duration of the Agreement.
  • Retention. As set out in this DPA and the Privacy Policy.

14. Annex B — Security measures

Knotr maintains administrative, technical, and physical safeguards designed to protect personal data, including:

  • Access control. Production access is limited to personnel who need it; credentials are unique per person, rotated when staffing changes, and protected by multi-factor authentication where supported.
  • Authentication. End-user passwords are stored using a one-way hashing function (Devise + bcrypt). API and MCP credentials are scoped to a single profile and revocable from the user interface.
  • Encryption in transit. All traffic between end users, Knotr, and our subprocessors is encrypted using TLS.
  • Encryption at rest. Database backups are encrypted. Production object storage uses provider-managed encryption at rest.
  • Logging. Performance traces and error reports collected by Scout APM are retained for up to 30 days to support security monitoring and incident response. Application stdout logs from our hosting provider follow that platform’s default retention and are typically shorter than 30 days.
  • Software development. Code is reviewed before deployment. We run static analysis (Brakeman) and dependency vulnerability checks (Bundler Audit) before shipping.
  • Backups. Routine encrypted backups of the production database, with documented restore procedures.
  • Incident response. Documented incident-response process aligned with the breach-notification commitments in Section 8.

A current detailed security summary is available to Customer on request.

15. Annex C — Standard Contractual Clauses (where applicable)

  • Module selection. Module 2 (controller-to-processor) and Module 3 (processor-to-sub-processor) are both incorporated. The applicable Module is determined by Customer’s role with respect to the personal data in question: Module 2 applies where Customer is the controller, and Module 3 applies where Customer is itself a processor for a third-party controller (in which case Knotr acts as a sub-processor).
  • Optional clauses. Clause 7 (docking clause, allowing additional parties to accede to the SCCs over time) and Clause 18(c) (option for data subjects to bring an action before the courts of the EU member state of their habitual residence) are incorporated.
  • Annex I.A — Parties. Customer (data exporter) and Knotr (data importer) as identified in the signature block.
  • Annex I.B — Description of transfer. As described in Annex A.
  • Annex I.C — Competent supervisory authority. Determined under Clause 13 of the Standard Contractual Clauses by reference to Customer’s establishment in the EEA or, where Customer is not established in the EEA, the supervisory authority of the EU member state where Customer has appointed an Article 27 GDPR representative. Customer shall identify the competent authority on signature. If Customer has no EEA establishment and no Article 27 representative, the parties will agree on a competent authority in writing before transfer.
  • Annex II — Technical and organizational measures. Annex B above.
  • Annex III — Sub-processors. The Subprocessor List at /subprocessors.
  • UK Addendum. Where personal data is transferred from the UK, the parties incorporate the UK International Data Transfer Addendum, with Tables 1, 2, and 3 completed by reference to this DPA.

Order of precedence. In case of a conflict, the Standard Contractual Clauses (where applicable) prevail over this DPA, and this DPA prevails over the Agreement with respect to subject matter governed by data protection law.

Signatures

Customer Knotr
[Customer legal name] Knotr AI, LLC
Signature: ______ Signature: ______
Name: ________ Name: ________
Title: _________ Title: _________
Date: _________ Date: _________

Knotr-specific template; not adapted from the Basecamp open-source policies (which do not include a DPA template).