Data Processing Agreement

Last updated: May 9, 2026

This Data Processing Agreement (DPA) forms part of the Terms of Service between MIKPA LLC and the customer using Knoku, and applies whenever Knoku processes personal data on the customer's behalf.

1. Parties

This DPA is entered into between the customer (“Controller”) and MIKPA LLC, a Wyoming limited liability company with mailing address 169 Madison Ave STE 11534 Unit 337, New York, NY 10016, United States (“Processor”, “Knoku”).

2. Scope and roles

This DPA applies to processing of personal data by Knoku on behalf of the Controller in connection with the Service, including conversation data submitted by Visitors through the embedded widget. Each party will comply with applicable data protection laws including, where relevant, the EU General Data Protection Regulation 2016/679 (“GDPR”), the UK GDPR, and the California Consumer Privacy Act (CCPA/CPRA).

For account information that the Controller provides directly to Knoku (such as billing contact and dashboard user accounts), Knoku acts as an independent controller as described in the Privacy Policy.

3. Subject matter, nature, and purpose

  • Subject matter: provision of the Knoku documentation chat assistant.
  • Duration: for as long as the Controller’s account or project exists, plus the retention periods set out in Section 8.
  • Nature and purpose: hosting documentation, generating answers from documentation, providing analytics, and supporting the Controller.
  • Categories of data subjects: the Controller’s employees and authorised dashboard users; Visitors who interact with the embedded widget on the Controller’s site.
  • Categories of personal data: identifiers (email, name, optional Visitor user ID), authentication metadata, conversation content (questions, answers, citations, timestamps), session identifiers, and usage metrics.
  • Sensitive data: the Service is not designed for special categories of data; the Controller agrees not to submit such data unless expressly agreed in writing.
  • Children’s data: the Controller represents that it will not knowingly submit personal data of children under 16 (EEA/UK) or under 13 (United States) through the Service.

4. Controller instructions

Knoku will process personal data only on the Controller’s documented instructions, including as set out in the Terms of Service, the dashboard configuration, and this DPA. Knoku will inform the Controller if, in its opinion, an instruction infringes applicable data protection law.

5. Confidentiality

Knoku ensures that personnel authorised to process personal data are bound by appropriate confidentiality obligations and have access on a need-to-know basis.

6. Security measures

Knoku implements technical and organisational measures appropriate to the risk, including:

  • TLS for all network traffic between clients, the API, and sub-processors;
  • encryption of personal data at rest at the database level, provided by our managed database provider;
  • session cookies signed and encrypted with authenticated encryption (AES-GCM);
  • password storage as bcrypt hashes only;
  • least-privilege access to production systems with audit logging of administrative actions;
  • scoped API keys per project and allowed-domain enforcement for the widget;
  • error logs and alerting on Knoku’s own infrastructure, with no third-party error monitoring vendor in the data path;
  • regular review of sub-processors and access controls.

7. Sub-processors

The Controller authorises Knoku to engage the sub-processors listed below. Knoku will impose data-protection obligations on each sub-processor that are no less protective than those in this DPA.

Sub-processorPurposeRegion
Stripe, Inc.Payment processing and subscription billingUnited States
Resend, Inc.Transactional email delivery (verification, password reset, receipts)United States / EU
Anthropic, PBCLarge language model inference used to generate answersUnited States
OpenRouter, Inc.Routing of requests to language and embedding model providersUnited States
OpenAI, L.L.C.Embedding model inference (when configured)United States
Fly.io (Hydrobyte, Inc.)Application hosting and managed PostgreSQL databaseEuropean Union (Frankfurt) by default

Knoku will give the Controller reasonable advance notice of any new sub-processor by updating this page or by direct communication. The Controller may object on reasonable data-protection grounds within thirty (30) days; if the parties cannot resolve the objection, the Controller may terminate the affected portion of the Service for convenience.

Data sources (not sub-processors)

Knoku uses the MaxMind GeoLite2 City database to derive an approximate geographic location (country and, optionally per project setting, city) from the Visitor’s IP address at session creation. The IP address itself is not stored; only the derived metadata is persisted on the session record. The database is shipped inside the Knoku application image, so no network request is made to MaxMind at processing time and MaxMind is not a sub-processor for the purposes of this DPA. This product includes GeoLite2 data created by MaxMind, available from maxmind.com.

8. International transfers

Where the transfer of personal data outside of the EEA, the United Kingdom, or Switzerland is necessary, the parties rely on the European Commission Standard Contractual Clauses (Module 2 or Module 3 as applicable) and the UK Addendum, and implement supplementary measures as appropriate. Sub-processor transfers are covered by the same mechanisms.

9. Data subject requests

Taking into account the nature of the processing, Knoku will assist the Controller by appropriate technical and organisational measures, insofar as possible, to fulfil the Controller’s obligation to respond to requests from data subjects exercising rights under applicable data protection law. If Knoku receives a request directly from a Visitor, it will refer the Visitor to the Controller and notify the Controller without undue delay.

10. Personal data breaches

Knoku will notify the Controller without undue delay (and in any event within seventy-two (72) hours) after becoming aware of a personal data breach affecting the Controller’s data, and will provide information reasonably necessary for the Controller to comply with its notification obligations.

11. Audits

Knoku will make available to the Controller information reasonably necessary to demonstrate compliance with this DPA. On reasonable advance written request and no more than once per year (except after a personal data breach), the Controller may conduct an audit through a qualified independent auditor, subject to reasonable confidentiality and security restrictions and at the Controller’s cost.

12. Return and deletion

On termination or expiration of the Service, Knoku will, at the Controller’s choice, delete or return all Customer Content, except to the extent retention is required by applicable law. Backups containing Customer Content are rotated and purged within 35 days.

13. Liability

Each party’s liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service.

14. Order of precedence

In case of conflict, this DPA prevails over the Terms of Service with respect to the processing of personal data. The Standard Contractual Clauses, where incorporated, prevail over this DPA.

15. Contact

Privacy and DPA matters: [email protected]. MIKPA LLC, 169 Madison Ave STE 11534 Unit 337, New York, NY 10016, United States.