Data Processing Addendum

Version 1.0, effective 2026-06-01

This Data Processing Addendum ("DPA") forms part of the Master Services Agreement ("MSA") between KnoxCall Limited ("Processor", "KnoxCall") and Customer ("Controller"). It governs the processing of Personal Data by KnoxCall on behalf of the Customer in connection with the KnoxCall service.

If you have signed our MSA without explicitly excluding this DPA, this DPA applies. To execute a counter-signed version, email [email protected].

1. Definitions

  • Personal Data, Controller, Processor, Processing, and Data Subject carry their meanings from the EU General Data Protection Regulation (GDPR), the UK GDPR, and analogous terms in the NZ Privacy Act 2020 ("Personal Information") and the California Consumer Privacy Act.
  • Sub-processor means any processor engaged by KnoxCall to process Personal Data on Customer's behalf.
  • Standard Contractual Clauses (SCCs) means the EU SCCs (Commission Decision 2021/914) or the UK Addendum thereto, as applicable.

2. Roles

  • Customer is the Controller of Personal Data processed by the KnoxCall service.
  • KnoxCall is the Processor.
  • Customer remains responsible for the lawful basis on which Personal Data is collected and pushed through the KnoxCall service.

3. Scope and Duration

KnoxCall processes Personal Data only on Customer's documented instructions, namely:

  • The MSA, this DPA, and the service configuration set by Customer in the admin UI / API
  • Lawful requests from Customer's authenticated users
  • Compulsory legal process directed at KnoxCall

Processing continues for the term of the MSA plus any retention period in the Privacy Policy.

4. Subject Matter and Categories

| Category | Purpose | Lawful basis (GDPR Art. 6) |
| --- | --- | --- |
| Customer account identifiers | Service operation | Contract |
| End-user data passed through proxied routes | Routing, logging, anomaly detection | Customer's lawful basis as Controller |
| Audit log metadata | Security, accountability | Legitimate interest (security) + legal obligation |
| Telemetry (counts, latencies) | Operational improvement | Legitimate interest |

We do not knowingly process special-category data unless Customer pushes it through the service; in that event Customer remains the Controller and warrants their lawful basis.

5. Sub-processors

KnoxCall may engage sub-processors. The current list is published at /legal/sub-processors. Customer authorises the addition of sub-processors on 30 days' prior notice (by email or in-app notification) and may object in writing within 14 days. If the parties cannot agree on a substitute, Customer may terminate the affected portion of the service for cause.

All sub-processors are bound by data-protection terms no less protective than this DPA.

6. Security

KnoxCall maintains the security measures described in:

  • The Trust Center
  • Our ISO/IEC 27001 Statement of Applicability (available under NDA — [email protected])
  • Our shared-responsibility matrix (available on request)

These include encryption at rest (AES-256-GCM envelope, per-tenant master keys, BYOK option), encryption in transit (TLS 1.2+), tamper-evident audit logging, MFA on every admin-UI user, RBAC + RLS for tenant isolation, vulnerability management, and an annual independent penetration test.

7. Personnel

KnoxCall personnel processing Personal Data are bound by confidentiality obligations surviving termination and complete security & privacy training annually. Access is on the principle of least privilege and is reviewed quarterly.

8. Data Subject Rights (GDPR Arts. 15–22; NZ Privacy Act Principles 6, 7)

KnoxCall provides self-service endpoints for the Controller's data subjects (data subject access requests and right-to-be-forgotten). Where Customer requires KnoxCall's assistance with a specific request, KnoxCall will respond within 10 business days; the 30-day GDPR clock remains the Controller's responsibility to manage end-to-end.

9. Data Breach Notification

KnoxCall will notify Customer within 72 hours of becoming aware of a Personal Data Breach affecting Customer Personal Data, providing:

  • Nature of the breach and categories / approximate number of data subjects and records concerned
  • Likely consequences
  • Measures taken or proposed
  • KnoxCall contact for further information

10. Audit Rights

Customer may, no more than once per year and on 30 days' notice, audit KnoxCall's compliance with this DPA. KnoxCall may satisfy the audit obligation by providing:

  • Most recent SOC 2 Type II report
  • Most recent ISO/IEC 27001 certificate and Statement of Applicability
  • Pentest summary
  • Written responses to a reasonable security questionnaire (CAIQ, SIG-Lite, etc.)

On-site audits at KnoxCall infrastructure require mutual agreement and are at the auditing Customer's cost.

11. International Transfers

Where Personal Data is transferred from the EEA, UK, or Switzerland to a third country, the SCCs apply. The Module is selected based on the parties' roles; the EU SCCs Module 2 (Controller-to-Processor) is the default when KnoxCall is processing on Customer's behalf. The UK IDTA applies for UK transfers; the Swiss FDPIC requirements apply for Swiss transfers.

Region pinning: Customer selects a primary region (us / eu / nz) at signup; data is stored and processed in that region except for resilience replicas as documented in the Trust Center.

12. Return and Deletion

On termination of the service, KnoxCall will, at Customer's choice and subject to reasonable export charges:

  • Return Customer Personal Data in a structured, commonly used, machine-readable format, OR
  • Delete Customer Personal Data per our tenant offboarding procedure, subject to the retention overrides for tamper-evident audit logs and legal obligations.

Cryptographic erasure for BYOK key material is irreversible.

13. Liability

Liability under this DPA is governed by the limitations of liability in the MSA.

14. Order of Precedence

In the event of conflict: MSA → this DPA → Privacy Policy.

15. Changes

Material changes to this DPA require 30 days' notice. Editorial / non-material updates may be made on notice via email or the admin UI.

16. Contact

Privacy / DPA matters: [email protected]

Data Protection Officer: [email protected]

Legal: [email protected]

Mail: KnoxCall Limited, Auckland, New Zealand