1. Parties
This DPA is entered into between the customer (“Controller”) and MIKPA LLC, a Wyoming limited liability company with mailing address 169 Madison Ave STE 11534 Unit 337, New York, NY 10016, United States (“Processor”, “Knoku”).
2. Scope and roles
This DPA applies to processing of personal data by Knoku on behalf of the Controller in connection with the Service, including conversation data submitted by Visitors through the embedded widget. Each party will comply with applicable data protection laws including, where relevant, the EU General Data Protection Regulation 2016/679 (“GDPR”), the UK GDPR, and the California Consumer Privacy Act (CCPA/CPRA).
For account information that the Controller provides directly to Knoku (such as billing contact and dashboard user accounts), Knoku acts as an independent controller as described in the Privacy Policy.
3. Subject matter, nature, and purpose
- Subject matter: provision of the Knoku documentation chat assistant.
- Duration: for as long as the Controller’s account or project exists, plus the retention periods set out in Section 8.
- Nature and purpose: hosting documentation, generating answers from documentation, providing analytics, and supporting the Controller.
- Categories of data subjects: the Controller’s employees and authorised dashboard users; Visitors who interact with the embedded widget on the Controller’s site.
- Categories of personal data: identifiers (email, name, optional Visitor user ID), authentication metadata, conversation content (questions, answers, citations, timestamps), session identifiers, and usage metrics.
- Sensitive data: the Service is not designed for special categories of data; the Controller agrees not to submit such data unless expressly agreed in writing.
- Children’s data: the Controller represents that it will not knowingly submit personal data of children under 16 (EEA/UK) or under 13 (United States) through the Service.
4. Controller instructions
Knoku will process personal data only on the Controller’s documented instructions, including as set out in the Terms of Service, the dashboard configuration, and this DPA. Knoku will inform the Controller if, in its opinion, an instruction infringes applicable data protection law.
5. Confidentiality
Knoku ensures that personnel authorised to process personal data are bound by appropriate confidentiality obligations and have access on a need-to-know basis.
6. Security measures
Knoku implements technical and organisational measures appropriate to the risk, including:
- TLS for all network traffic between clients, the API, and sub-processors;
- encryption of personal data at rest at the database level, provided by our managed database provider;
- session cookies signed and encrypted with authenticated encryption (AES-GCM);
- password storage as bcrypt hashes only;
- least-privilege access to production systems with audit logging of administrative actions;
- scoped API keys per project and allowed-domain enforcement for the widget;
- error logs and alerting on Knoku’s own infrastructure, with no third-party error monitoring vendor in the data path;
- regular review of sub-processors and access controls.
7. Sub-processors
The Controller authorises Knoku to engage the sub-processors listed below. Knoku will impose data-protection obligations on each sub-processor that are no less protective than those in this DPA.
| Sub-processor | Purpose | Region |
|---|---|---|
| Stripe, Inc. | Payment processing and subscription billing | United States |
| Resend, Inc. | Transactional email delivery (verification, password reset, receipts) | United States / EU |
| Anthropic, PBC | Large language model inference used to generate answers | United States |
| OpenRouter, Inc. | Routing of requests to language and embedding model providers | United States |
| OpenAI, L.L.C. | Embedding model inference (when configured) | United States |
| Fly.io (Hydrobyte, Inc.) | Application hosting and managed PostgreSQL database | European Union (Frankfurt) by default |
Knoku will give the Controller reasonable advance notice of any new sub-processor by updating this page or by direct communication. The Controller may object on reasonable data-protection grounds within thirty (30) days; if the parties cannot resolve the objection, the Controller may terminate the affected portion of the Service for convenience.
Data sources (not sub-processors)
Knoku uses the MaxMind GeoLite2 City database to derive an approximate geographic location (country and, optionally per project setting, city) from the Visitor’s IP address at session creation. The IP address itself is not stored; only the derived metadata is persisted on the session record. The database is shipped inside the Knoku application image, so no network request is made to MaxMind at processing time and MaxMind is not a sub-processor for the purposes of this DPA. This product includes GeoLite2 data created by MaxMind, available from maxmind.com.
8. International transfers
Where the transfer of personal data outside of the EEA, the United Kingdom, or Switzerland is necessary, the parties rely on the European Commission Standard Contractual Clauses (Module 2 or Module 3 as applicable) and the UK Addendum, and implement supplementary measures as appropriate. Sub-processor transfers are covered by the same mechanisms.
9. Data subject requests
Taking into account the nature of the processing, Knoku will assist the Controller by appropriate technical and organisational measures, insofar as possible, to fulfil the Controller’s obligation to respond to requests from data subjects exercising rights under applicable data protection law. If Knoku receives a request directly from a Visitor, it will refer the Visitor to the Controller and notify the Controller without undue delay.
10. Personal data breaches
Knoku will notify the Controller without undue delay (and in any event within seventy-two (72) hours) after becoming aware of a personal data breach affecting the Controller’s data, and will provide information reasonably necessary for the Controller to comply with its notification obligations.
11. Audits
Knoku will make available to the Controller information reasonably necessary to demonstrate compliance with this DPA. On reasonable advance written request and no more than once per year (except after a personal data breach), the Controller may conduct an audit through a qualified independent auditor, subject to reasonable confidentiality and security restrictions and at the Controller’s cost.
12. Return and deletion
On termination or expiration of the Service, Knoku will, at the Controller’s choice, delete or return all Customer Content, except to the extent retention is required by applicable law. Backups containing Customer Content are rotated and purged within 35 days.
13. Liability
Each party’s liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service.
14. Order of precedence
In case of conflict, this DPA prevails over the Terms of Service with respect to the processing of personal data. The Standard Contractual Clauses, where incorporated, prevail over this DPA.
15. Contact
Privacy and DPA matters: [email protected]. MIKPA LLC, 169 Madison Ave STE 11534 Unit 337, New York, NY 10016, United States.