1. Background
This Data Processing Addendum (the “DPA”) supplements the Knockhaus Terms of Service between Knockhaus, Inc. (“Processor”) and the Customer (“Controller”). It governs the processing of Personal Data to which the GDPR, UK-GDPR, or Swiss FADP applies.
2. Roles
Controller determines the purposes and means of processing Personal Data. Processor processes Personal Data only on Controller's documented instructions, which for the purposes of this DPA consist of the Agreement, these Terms, and any features Controller enables in the admin console.
3. Subject matter + duration
Subject matter: provision of the Knockhaus platform. Duration: term of the Agreement plus any post-termination export window (30 days). Nature: hosting, processing, and transmitting Controller-submitted data. Purpose: to provide the service.
4. Categories of data + subjects
Categories of Personal Data: names, email addresses, phone numbers, job titles, organization affiliations, IP addresses, approximate and (with consent) precise location, audio or text notes taken at a door, and any additional data Controller configures the platform to collect.
Categories of data subjects: Controller's employees, contractors, and the prospects/customers they interact with in the field.
5. Processor obligations
- Process Personal Data only on documented instructions.
- Ensure personnel with access are bound by confidentiality.
- Implement the technical + organizational measures described in the security policy.
- Assist Controller with data-subject rights requests, DPIAs, and breach notifications.
- Delete or return Personal Data after termination.
- Make available all information necessary to demonstrate compliance and allow audits on reasonable notice.
6. Subprocessors
Controller grants general authorization to engage subprocessors listed on the subprocessors page. Processor will give at least 14 days' notice of any new or replacement subprocessor via email to the org owner. Controller may object on reasonable grounds; if unresolved, Controller may terminate the affected service.
Each subprocessor is bound by a data-protection contract no less protective than this DPA.
7. International transfers
Personal Data is primarily hosted in the United States. For transfers from the EEA, UK, or Switzerland to the United States, the parties rely on:
- The European Commission's Standard Contractual Clauses (2021/914) incorporated by reference.
- The UK's International Data Transfer Addendum.
- The Swiss FDPIC-approved SCCs where applicable.
- Our subprocessors' Data Privacy Framework (DPF) certifications where in force.
Module 2 (controller-to-processor) applies; Controller is the data exporter, Processor is the data importer.
8. Data-subject requests
If a data subject contacts Processor with a rights request relating to Controller's instance, Processor will forward it to Controller without substantive response, then assist Controller in fulfilling the request at no additional charge.
9. Security incidents
Processor will notify Controller without undue delay — and in any case within 72 hours — after becoming aware of a Personal Data Breach, per Art. 33 GDPR. Notification includes the nature of the breach, approximate scope, remediation steps, and contact info for the incident lead.
10. Audits
Once per 12 months and on reasonable notice, Controller may request evidence of compliance. Today that means a written questionnaire response and, on request under NDA, specific evidence from our security program. If and when we obtain a third-party attestation such as SOC 2 Type II, that report will become the primary vehicle. Onsite audits are permitted where documentation is insufficient and are at Controller's cost.
11. Return + deletion
Upon termination, Processor will make Personal Data available for export for 30 days via the in-app export tool or on request. After the export window, Processor deletes Personal Data within 30 days, except where retention is required by law.
12. Order of precedence
In the event of a conflict, the SCCs prevail over this DPA, this DPA prevails over the Terms, and the Terms prevail over any order form.
13. How to counter-sign
This DPA is effective automatically when Controller accepts the Terms. To receive a counter-signed PDF copy, email legal@knockhaus.app with your org name + registered address.