Data Processing Agreement

This Data Processing Agreement (“Agreement”) is between you (“Customer”) and Knowcode Ltd (“we,” “us,” or “our”) about how we handle your personal data when providing our services.

1. What This Agreement Covers

In this Agreement:

1.1 “Data Protection Laws” means all laws about personal data protection that apply to our services, including the General Data Protection Regulation (GDPR), UK GDPR, and the California Consumer Privacy Act (CCPA).

1.2 “Personal Data” means any information about an identifiable person that we process for you.

1.3 “Processing” means anything we do with Personal Data, such as collecting, storing, using, or deleting it.

1.4 “Data Subject” means the person the Personal Data is about.

1.5 “Services” means the backup and related services we provide to you.

1.6 “Sub-processor” means any third party we use to help process your Personal Data.

2. How We'll Handle Your Data

2.1 Our Roles. You are the data controller (you decide why and how the data is processed), and we are the data processor (we process the data on your behalf).

2.2 Our Promises. We will:

  1. Only process Personal Data based on your written instructions, unless the law requires otherwise. If the law requires us to process data differently, we'll tell you first (unless the law doesn't allow us to).
  2. Make sure anyone who accesses the Personal Data keeps it confidential.
  3. Keep your data secure using appropriate technical and organisational measures.
  4. Only use approved Sub-processors as outlined in Section 3.
  5. Help you respond to requests from Data Subjects who want to exercise their rights.
  6. Help you comply with your security, data breach, and assessment obligations under Data Protection Laws.
  7. Either delete or return all Personal Data to you after our services end, unless the law requires us to keep it.
  8. Provide information to show we're following this Agreement and support audits you conduct or arrange.

2.3 Details of Processing. Appendix 1 explains what data we process, why, and for how long.

2.4 AWS S3 Bucket. Where we use your AWS S3 Bucket, you are the controller of that AWS S3 Bucket. It is your choice to configure the Bucket location — whether in EU or US AWS regions. You are responsible for ensuring that your chosen Bucket location complies with your data protection requirements.

2.5 Client-Selected Backup Content. You have complete control over what data you choose to back up using our Services. We do not have visibility into the specific content of your backed-up data, nor do we monitor what you choose to back up. You are solely responsible for:

  1. Ensuring you have an appropriate legal basis for collecting and processing any Personal Data that you choose to back up;
  2. Not backing up special categories of Personal Data (sensitive data) unless you have implemented appropriate additional safeguards as required by Data Protection Laws;
  3. Implementing your own encryption for highly sensitive data before backing it up through our Services;
  4. Properly classifying your data according to your internal data governance policies;
  5. Ensuring that your use of our Services for your selected backup content complies with all applicable Data Protection Laws.

2.6 Data Deletion and Removal. You maintain full control over your data at all times. You can delete or remove any or all of your backed-up data at your discretion through the controls provided in our Services. This ability to delete data at any time gives you ongoing control over your Personal Data in accordance with Data Protection Laws. Any deletion actions you take are immediate and cannot be reversed, so please ensure you have alternative copies of any important data before deletion.

3. Using Other Companies to Process Data

3.1 General Permission. You give us general permission to use Sub-processors to help us provide the Services.

3.2 Current Sub-processors. You can find our current Sub-processors in Appendix 2.

3.3 New Sub-processors. We'll tell you before we add or change Sub-processors. You can object within 30 days if you have reasonable concerns. If you object, we'll work together to find a solution.

3.4 Sub-processor Agreements. We'll make sure our Sub-processors follow the same data protection rules that we do.

4. International Data Transfers

4.1 Data Location Control. You have direct control over where your data is stored through your selection of AWS S3 Bucket region (EU or US). This choice determines the geographic location of your backed-up data.

4.2 Our Service Components. For the components of our service that we control (as listed in Appendix 2), we won't transfer Personal Data outside the European Economic Area, the United Kingdom, or Switzerland to countries without adequate data protection unless we have appropriate safeguards in place, such as Standard Contractual Clauses.

4.3 Your Responsibility. You are responsible for ensuring that your choice of AWS S3 Bucket region complies with your own data transfer obligations under applicable Data Protection Laws.

5. Data Security

5.1 Security Measures. We'll implement appropriate security measures, including:

  1. Disguising and encrypting Personal Data where appropriate;
  2. Ensuring our systems remain confidential, intact, available, and resilient;
  3. Being able to restore data quickly after a technical issue;
  4. Regularly testing and evaluating our security measures.

5.2 Detailed Security. Appendix 3 describes our specific security measures in detail.

6. Data Breach Notification

6.1 If There's a Breach. If Personal Data is breached, we will:

  1. Tell you promptly after we discover it;
  2. Give you enough information to meet your obligations to report the breach to authorities or inform Data Subjects;
  3. Take necessary steps to address the breach and keep you informed.

6.2 What We'll Tell You. Our notification will include:

  1. What happened, who was affected, and what data was involved (if we know);
  2. Who to contact for more information;
  3. Likely consequences of the breach;
  4. What we're doing about it and how we're preventing future breaches.

8. Data Subject Rights

8.1 Helping with Requests. We'll help you respond to Data Subjects who want to exercise their rights under Data Protection Laws.

9. Liability Limits

9.1 Limits on Liability. Our liability under this Agreement is subject to the limitations in our main service agreement.

10. Length of Agreement

10.1 How Long It Lasts. This Agreement starts when our service agreement begins and ends when it ends.

10.2 What Happens to Data When It Ends. When our service agreement ends, it is your responsibility to download all your data. We will delete all Personal Data after the termination of the agreement unless the law requires us to keep it. You must ensure that you have retrieved all necessary data prior to termination.

11. Other Important Points

11.1 If There's a Conflict. If this Agreement conflicts with our main service agreement, this Agreement wins for data processing matters.

11.2 Changes to the Agreement. Changes to this Agreement must be in writing and signed by both of us.

11.3 If Part Is Invalid. If any part of this Agreement is found to be invalid, the rest remains in effect.


Appendix 1: Details of Processing

What We Process: Personal Data related to providing backup and related services.

How Long: For the duration of our service agreement.

Why: To provide backup, storage, retrieval, and related services to you.

Types of Personal Data: May include:

  • Contact information (names, emails, phone numbers)
  • Login information (usernames, passwords)
  • Device information (IP addresses, device types, operating systems)
  • Any personal data contained in the content you back up
  • Information about how you use our services

Whose Data: May include:

  • Your employees, contractors, and authorised users
  • Your clients and customers
  • Anyone else whose Personal Data is in the content you back up

Appendix 2: List of Sub-processors

Company Name | What They Do | Where They're Located
AWS | Cloud infrastructure provider | EU and US regions
Bubble.io | CDN Provider & Application Hosting | US
Google | Analytics Provider | US & EU
Stripe, Inc. | Payment processing (subscription billing). Data processed: customer email, card BIN, subscription state. Retention per Stripe's data retention policy. US (Data Privacy Framework certified). | US
Postmark (ActiveCampaign) | Transactional email (sign-up, billing, backup notifications). Data processed: recipient email address and message content. Retention: 45 days (Postmark default). | US / EU
OpenRouter / Anthropic | LLM inference for failure-resolution suggestions and onboarding nudge content. Data processed: customer name, app URL, and failure context excerpts. Retention: zero — every request sets provider_preferences.data_collection: 'deny' which Anthropic respects. | US
Supabase | Managed PostgreSQL database, authentication, and object storage. Data processed: all customer account data, backup metadata, and Supabase-hosted artifacts. Retention: for the duration of the customer's plan. | EU (Frankfurt)
Cloudflare | CDN, DDoS mitigation, and DNS proxy. Data processed: HTTP request logs and client IP addresses. Retention: 30 days. | Global edge network
Tawk.to | Live chat support widget. Data processed: chat transcripts, page URL during a chat session, and (for logged-in users) customer email. Retention: 30 days per Tawk.to policy. | EU & US

Appendix 3: Security Measures

1. Physical Security

  • Controls who can access our data centres
  • Protects against environmental threats
  • Uses video surveillance
  • Safely disposes of hardware

2. System Security

  • Secures networks (firewalls, encryption, intrusion detection)
  • Keeps servers updated and secured
  • Protects against malware
  • Regularly tests for vulnerabilities

3. Data Security

  • Encrypts data when it's being transferred and when it's stored
  • Backs up data securely
  • Keeps customer data separate
  • Strictly controls access to your data

4. Access Control

  • Gives access based on job roles
  • Requires multiple factors for authentication
  • Uses unique user IDs
  • Monitors system logs
  • Regularly reviews who has access

5. Availability

  • Regularly backs up data
  • Uses redundant systems
  • Has plans for business continuity and disaster recovery
  • Regularly tests recovery procedures

6. Organisation

  • Maintains security policies and procedures
  • Provides regular security training
  • Documents how to handle security incidents
  • Conducts regular compliance checks