This Data Processing Addendum ("DPA") amends and is part of the Terms of Service (the “Agreement”) between Knock Labs, Inc. (“Company”), and the customer ("Customer"). This DPA prevails over any conflicting term of the Agreement, but does not otherwise modify the Agreement.

1. Definitions

In this DPA:

a. “Business”, “Controller”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing”, “Processor”, “Service Provider” and “Supervisory Authority” have the meaning given to them in Data Protection Law;

b. “Customer Personal Data” means any Customer data that constitutes Personal Data, the Processing of which is subject to Data Protection Law, for which Customer or Customer’s customers are the Controller, and which is Processed by Company as part of providing the Services;

c. "Data Protection Law" means (i) the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”), (ii) the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018, (iii) the e-Privacy Directive 2002/58/EC (as amended by Directive 2009/136/EC) and their national implementations in the European Economic Area (“EEA”) and the United Kingdom; and (iv) the California Consumer Privacy Act as amended by the California Privacy Rights Act (California Civil Code § 1798.100) (“CCPA”), each as applicable, and as may be amended or replaced from time to time;

d. “Data Subject Rights” means Data Subjects’ rights as set out in Data Protection Law;

e. “International Data Transfer” means any transfer of Customer Personal Data from the EEA, Switzerland or the United Kingdom to an international organization or to a country outside of the EEA, Switzerland and the United Kingdom;

f. “Sell” means to sell, rent, release, disclose, disseminate, make available, transfer, or otherwise communicate Customer Personal Data to a third party for monetary or other valuable consideration;

g. “Services” means the services provided by Company to Customer under the Agreement;

h. “Share” means to share, rent, release, disclose, disseminate, make available, transfer, or otherwise communicate Customer Personal Data to third parties for targeted advertising to an individual based on Personal Data obtained from the individual’s activity across non-affiliated or distinctly-branded websites, applications, or services;

i. “Subprocessor” means a Processor engaged by Company to Process Customer Personal Data;

j. “Standard Contractual Clauses” means the clauses annexed to the EU Commission Implementing Decision 2021/914 of June 4, 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as amended or replaced from time to time;

k. “Third-Party Controller” means a Controller for which Customer acts as a Processor; and

l. “UK Addendum” means the International Data Transfer Addendum to the Standard Contractual Clauses issued by the UK Information Commissioner’s Office, in force as of 21 March 2022, available at international-data-transfer-addendum.pdf (ico.org.uk).

2. Scope and applicability

2.1 This DPA applies to Processing of Customer Personal Data by the Company to provide the Services.

2.2 The subject matter, nature and purpose of the Processing, the types of Customer Personal Data and categories of Data Subjects are set out in Annex I.

2.3 Customer is a Controller and appoints Company as a Processor and, with respect to CCPA, a Service Provider, on behalf of Customer. Customer is responsible for compliance with the requirements of Data Protection Law applicable to Controllers.

2.4 Customer acknowledges that Company may Process Personal Data relating to the operation, support, or use of the Services for its own business purposes, such as billing, account management, data analysis, benchmarking, technical support, product development, and compliance with law. Company is the Controller and, with respect to CCPA, a Business for such Processing and will Process such data in accordance with Data Protection Law.

3. Instructions

3.1 Company will Process Customer Personal Data to provide the Services and in accordance with Customer’s documented instructions and applicable Data Protection Law.

3.2 It is the parties’ intent that Company is a Service Provider, and Company certifies that it will not (i) Sell or Share Customer Personal Data; (ii) Process Customer Personal Data outside the direct business relationship between the parties or for any purpose other than to provide the Services in accordance with the Agreement, unless required or authorized by Data Protection Law; or (iii) combine the Personal Data that Company receives from or on behalf of Customer with Personal Data that Company collects or receives from another person.

3.3 Customer’s or Third Party Controller’s instructions are documented in this DPA, the Agreement and the Terms of Service. Customer and Third Party Controller may reasonably issue additional instructions as necessary to comply with Data Protection Law. Company may charge a reasonable fee to comply with any additional instructions.

3.4 Unless prohibited by applicable law, Company will inform Customer if Company is subject to a legal obligation that requires Company to Process Customer Personal Data in contravention of Customer’s or Third Party Controller’s documented instructions.

3.5 Company will notify Customer after it makes a determination that it can no longer meet its obligations under Data Protection Law. Customer has the right, upon notice, to take reasonable and appropriate steps to stop and remediate Company’s unauthorized use of Customer Personal Data and to ensure that Company uses the Customer Personal Data that it collected pursuant to the Agreement in a manner consistent with Customer’s obligations under Data Protection Law.

4. Personnel

4.1 Company will ensure that all personnel authorized to Process Customer Personal Data are subject to an obligation of confidentiality.

5. Security and Personal Data Breaches

5.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Company will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including the measures listed in Annex II.

5.2 Customer acknowledges that the security measures in Annex II are appropriate in relation to the risks associated with Customer’s intended Processing, and will notify Company prior to any intended Processing for which Company’s security measures may not be appropriate.

5.3 Company will notify Customer without undue delay after becoming aware of a Personal Data Breach involving Customer Personal Data. If Company’s notification is delayed, it will be accompanied by reasons for the delay.

6. Subprocessing

6.1. Customer hereby authorizes Company to engage Subprocessors. A list of Company’s current Subprocessors is available at https://knock.app/legal/subprocessors.

6.2. Company will enter into a written agreement with Subprocessors which imposes the same obligations as required by Data Protection Law.

6.3. Company will notify Customer prior to any intended change to Subprocessors. Customer may object to the addition of a Subprocessor based on reasonable grounds relating to a potential or actual violation of Data Protection Law by providing written notice detailing the grounds of such objection within thirty (30) days following Company’s notification of the intended change. Customer and Company will work together in good faith to address Customer’s objection. If Company chooses to retain the Subprocessor, Company will inform Customer at least thirty (30) days before authorizing the Subprocessor to Process Customer Personal Data, and Customer may immediately discontinue using the relevant parts of the Services, and may terminate the relevant parts of the Services within thirty (30) days.

7. Assistance

7.1. Taking into account the nature of the Processing, and the information available to Company, Company will assist Customer, including, as appropriate, by implementing technical and organizational measures, with the fulfilment of Customer’s own obligations under Data Protection Law to: comply with requests to exercise Data Subject Rights; conduct data protection impact assessments, and prior consultations with Supervisory Authorities; and notify a Personal Data Breach.

7.2. Company may charge a reasonable fee for assistance under this Section 7. If Company is at fault, Company and Customer shall each bear their own costs related to assistance.

8. Audit

8.1. Upon reasonable request, Company must make available to Customer all information necessary to demonstrate compliance with the obligations of this DPA and allow for and contribute to audits, including inspections, as mandated by a Supervisory Authority or reasonably requested no more than once a year by Customer and performed by an independent auditor as agreed upon by Customer and Company. The foregoing shall only extend to those documents and facilities relevant and material to the Processing of Customer Personal Data, and shall be conducted during normal business hours and in a manner that causes minimal disruption.

8.2. Company will inform Customer if Company believes that Customer’s instruction under Section 8.1 infringes Data Protection Law. Company may suspend the audit or inspection, or withhold requested information until Company has modified or confirmed the lawfulness of the instructions in writing. Company and Customer each bear their own costs related to an audit.

8.3. Company is required by any applicable laws to retain some or all of the Customer Personal Data.

9. International Data Transfers

9.1. Customer hereby authorizes Company to carry out International Data Transfers with respect to Customer Personal Data in accordance with Data Protection Law.

9.2. To the extent required under Data Protection Law for the International Data Transfer of Customer Personal Data from Customer to Company, by signing this DPA, Customer and Company hereby enter into Module 2 (Controller to Processor) or Module 3 (Processor to Processor) of the Standard Contractual Clauses, as applicable, which are hereby incorporated by reference and completed as follows: the “data exporter” is Customer; the “data importer” is Company; the optional docking clause in Clause 7 is implemented; Clause 9(a) option 2 is implemented and the time period therein is specified as thirty (30) days; the optional redress clause in Clause 11(a) is struck; Clause 17 option 1 is implemented and the governing law is the law of Ireland; the courts in Clause 18(b) are the Courts of Ireland; Annex 1 and 2 of the Standard Contractual Clauses are Annex I and II to this DPA respectively.

9.3. The UK Addendum will be applicable to any International Data Transfers originating in the United Kingdom and is completed as follows: for the purpose of table 1 of part 1, the exporter is Company and the importer is Customer and the table is deemed to be completed with the information set out in Annex I. For the purpose of table 2 of part 1, the “Approved EU SCCs” which the UK Addendum is appended to are the Standard Contractual Clauses incorporated into this DPA and completed as set out in Section 9.2. For the purpose of table 3 of part 1, the information requested in Annex 1 and 2 of the Standard Contractual Clauses is provided in Annex I and II to this DPA respectively and the list of Subprocessors is available at https://knock.app/legal/subprocessors. For the purpose of table 4 of part 1, the importer may end the UK Addendum as set out in section 19 of the UK Addendum.

9.4. If Company’s compliance with Data Protection Law applicable to International Data Transfers is affected by circumstances outside of Company’s control, including circumstances affecting the validity of an applicable legal instrument, Company and Customer will work together in good faith to reasonably resolve such non-compliance.

10. Notifications

10.1. Customer will send all notifications, requests and instructions under this DPA to privacy@knock.app. Company will send all notifications under this DPA to Customer’s registered email address.

11. Liability

11.1. Subject to any limitation of liability set out in the Agreement, to the extent permitted by applicable law, where Company has paid damages or fines, Company is entitled to claim back from Customer that part of the compensation, damages or fines, corresponding to Customer’s part of responsibility for the damages or fines.

12. Termination and return or deletion

12.1. This DPA is terminated upon the termination of the Agreement. Customer may request return of Customer Personal Data up to ninety (90) days after termination of the Agreement. Unless required or permitted by applicable law, Company will delete all remaining copies of Customer Personal Data within one hundred eighty (180) days after returning Customer Personal Data to Customer.

13. Modification of this DPA

13.1. This DPA may only be modified by a written amendment by Company with notice given to the Customer.

14. Invalidity and severability

14.1. If any provision of this DPA is found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, then the invalidity or unenforceability of such provision does not affect any other provision of this DPA and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.

Annex I

DETAILS OF PROCESSING

A. LIST OF PARTIES

Name of Data Importer: The party identified as the "Company" in this DPA
Address: 140 W 86 St, 7A, New York, NY, 10024 USA
Contact person’s name, position, and contact details: Will be provided upon request.
Activities relevant to the data transferred under these Clauses: See Annex 1(B) below and the Agreement.
Signature and date: This Annex I shall automatically be deemed executed when the DPA is executed by Company.
Role (controller/processor): Processor
Name of Data Exporter: The party identified as the “Customer” in this DPA.
Address: Reference is made to the Agreement.
Contact person’s name, position, and contact details: Reference is made to the Agreement.
Activities relevant to the data transferred under these Clauses: See Annex 1(B) below and the Agreement.
Signature and date: This Annex I shall automatically be deemed executed when the DPA is executed by Customer.
Role (controller/processor): Controller

B. DESCRIPTION OF PROCESSING/TRANSFER

Categories of Data Subjects whose Personal Data is transferred: The Data Subjects whose Personal Data is Processed by Company when providing the Services to Customer.
Categories of Personal Data transferred: The categories of Personal Data that is Processed by Company when providing the Services to Customer.
Sensitive data transferred (if applicable) and applied restrictions or safeguards: No sensitive data is processed under the Agreement.
Frequency of Transfer: Continuous.
Nature and purpose(s) of the data transfer and Processing: Company will process Personal Data as necessary to provide the Services under the Agreement, including the provision of an API to engage users, power cross-channel workflows, and manage notification preferences.
Retention period (or, if not possible to determine, the criteria used to determine the period): Personal Data will be retained for as long as necessary taking into account the purpose of the Processing, and in compliance with applicable laws, including laws on the statute of limitations and Data Protection Law.
For transfers to (sub-)processors, also specify subject matter, nature, and duration of the processing: Company will restrict the onward Subprocessor’s access to Customer Personal Data only to what is strictly necessary to provide the Services and Company will prohibit the Subprocessor from Processing the Customer Personal Data for any other purpose.
Identify the competent supervisory authority/ies in accordance with Clause 13: Where the EU GDPR applies, the competent authority will be determined in accordance with Clause 13 of the Standard Contractual Clauses. Where the UK GDPR applies, the UK Information Commissioner's Office.

Annex II

TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

The technical and organizational measures the Company has implemented are available at https://docs.knock.app/security, including adherence to SOC 2 Type II controls.