Knorra Data Processing Agreement

Effective date: [STAGE_17_SHIP_DATE] Last updated: 2026-05-15

The short version

When you use Knorra, your organisation is the "data controller" for the personal data in the systems you connect, and we are your "data processor." This document is the contract that governs that relationship. UK GDPR (and EU GDPR, where applicable) requires it. The key commitments:

• We only process your data on your written instructions. Knorra's core function — detecting duplicates, stale docs, recurring questions — counts as your instruction by default. We don't do anything else with the data.
• We don't sub-contract without telling you. Our sub-processors are listed publicly and we give you 30 days' notice before adding new ones.
• We help you respond to data subject rights requests. If your employee asks for their data, we'll help you retrieve it.
• We tell you about breaches without delay. Within 48 hours of confirmation in any normal case.
• You can audit our compliance. Enterprise customers get more detailed rights; everyone else gets the security page and our compliance documentation.

This DPA is automatically part of your Terms of Service when you subscribe. You don't need to sign it separately. If you need a counter-signed copy for procurement, write to legal@knorra.ai.

1. The agreement

This Data Processing Agreement (DPA) is entered into between:

• NEXTGEN SOFTWARE LTD, a company registered in England and Wales (company number 14613977, registered office: 85 Great Portland Street, London, England, W1W 7LT), trading as Knorra (the Processor, "we," "us"); and
• The legal entity that subscribes to Knorra (the Controller, "you").

This DPA forms part of, and is governed by, the Terms of Service. In the event of conflict between this DPA and the Terms of Service in relation to the processing of personal data, this DPA prevails.

2. Definitions

Terms used in this DPA have the meanings given in UK GDPR and EU GDPR. For convenience:

| Term | Meaning | |---|---| | Personal Data | Any information relating to an identified or identifiable natural person, as defined in UK GDPR Art. 4(1) | | Processing | Any operation performed on personal data, including collection, storage, use, retrieval, transmission, deletion | | Controller | The entity that determines the purposes and means of processing — you | | Processor | The entity that processes personal data on behalf of the Controller — us | | Sub-processor | A third party engaged by the Processor to assist in processing the Controller's personal data | | Data Subject | The individual whose personal data is being processed | | Personal Data Breach | A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data | | UK GDPR | The UK General Data Protection Regulation, the retained EU law version of Regulation (EU) 2016/679 | | EU GDPR | Regulation (EU) 2016/679 (the General Data Protection Regulation) | | Standard Contractual Clauses | The EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) and the UK International Data Transfer Agreement / UK Addendum |

Other terms (including Customer Content, Member, Source) have the meanings given in the Terms of Service.

3. Subject matter, duration, nature, and purpose

| Element | Details | |---|---| | Subject matter | Our processing of Personal Data contained in Customer Content as necessary to provide the Knorra service to the Controller | | Duration | For as long as the Controller has an active subscription, plus any post-termination retention periods specified in the Privacy Policy and Terms of Service | | Nature | Collection, storage, organisation, structuring, retrieval, transmission, analysis (including AI-based analysis for duplicate / staleness / recurring-question detection), and erasure of Personal Data | | Purpose | To provide the Knorra service: surfacing duplicate documents, stale documents, recurring customer questions, and other Findings, and ancillary functions (notifications, billing, support) |

A more detailed description of the processing activities is set out in Annex I.

4. Categories of personal data and data subjects

The Controller determines which Sources to connect, and therefore which Personal Data is processed. The following categories are typical (Annex I has the detailed breakdown):

4.1 Data subjects

• The Controller's employees, contractors, and other Members
• Individuals (including the Controller's customers, suppliers, partners) whose data appears in the connected Sources
• Senders, recipients, and people referenced in connected email accounts

4.2 Categories of personal data

• Identification data (name, email address, employee ID, profile photo)
• Contact data (work email, phone)
• Professional data (job title, team, manager, project assignments)
• Activity data (documents created or edited, tickets assigned, messages sent, timestamps)
• Content data (text content of documents, tickets, messages, emails, comments)
• Technical data (IP address, device identifiers, OAuth tokens — encrypted)

4.3 Special category data

The Controller is not authorised to use Knorra to process special category personal data under UK GDPR Art. 9 (racial or ethnic origin, political opinions, religious beliefs, trade-union membership, genetic data, biometric data, health data, data concerning sex life or sexual orientation) or criminal-offence data under UK GDPR Art. 10, except where the Source content incidentally contains such data and the Controller has its own lawful basis.

We do not knowingly target, categorise, or analyse special-category data. If we discover that a Source connection is being used to systematically process special-category data, we will notify the Controller and may suspend processing until the Controller confirms its own lawful basis.

5. Our obligations as processor

In addition to the obligations elsewhere in this DPA, we will:

5.1 Process only on instructions

Process Personal Data only on the Controller's documented instructions, including with regard to transfers of Personal Data to a third country, unless we are required to process the data by UK or EU law (in which case we will inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest).

The Controller's documented instructions include:

• The Terms of Service and this DPA
• The Controller's use of features within the Knorra product (e.g., connecting a Source, configuring a notification, exporting data)
• Any written instructions the Controller provides to support@knorra.ai or via the in-product support channel

If we believe an instruction infringes UK GDPR, EU GDPR, or other applicable data-protection law, we will inform the Controller without delay.

5.2 Ensure confidentiality

Ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

5.3 Implement security measures

Take all measures required pursuant to UK GDPR Art. 32, as set out in Annex II.

5.4 Engage sub-processors only with authorisation

Engage sub-processors only with the Controller's general authorisation in line with §6 below.

5.5 Assist with data subject rights

Taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as is possible, in fulfilling the Controller's obligations to respond to Data Subject requests under Chapter III of UK GDPR (rights of access, rectification, erasure, restriction, portability, objection, and rights related to automated decision-making).

In practice, this means we provide:

• Self-service tools for the Controller's administrators to export, modify, and delete Customer Content
• Support for fulfilling requests that can't be handled by self-service tools, subject to reasonable assistance and to the extent the Controller can't fulfil them itself

We may charge reasonable fees for assistance that goes substantially beyond routine support, but only where (a) the assistance is unusually time-intensive, (b) we notify the Controller of the fee before starting work, and (c) the Controller agrees to it. Routine data subject support is included in the subscription.

5.6 Assist with controller's other obligations

Assist the Controller in ensuring compliance with the obligations pursuant to UK GDPR Articles 32 to 36 (security, breach notification, data protection impact assessment, prior consultation) taking into account the nature of the processing and the information available to us.

5.7 Return or delete at end

At the choice of the Controller, delete or return all the Personal Data to the Controller at the end of the provision of services, and delete existing copies unless UK or EU law requires storage of the Personal Data.

By default, we will delete Personal Data per the retention schedule in the Privacy Policy. The Controller can request return of data (via the Settings → Export feature, or by emailing privacy@knorra.ai) at any point during the subscription or within 30 days of termination.

5.8 Make information available

Make available to the Controller all information necessary to demonstrate compliance with our obligations under UK GDPR Art. 28 and this DPA, and allow for and contribute to audits — see §10.

6. Sub-processors

6.1 General authorisation

The Controller gives us general authorisation to engage sub-processors, subject to the conditions in this section.

6.2 Current sub-processors

Our current sub-processors are listed at knorra.ai/legal/sub-processors and are summarised in Annex III. By accepting this DPA, the Controller approves these sub-processors.

6.3 Notification of new sub-processors

Before adding a new sub-processor or replacing an existing one with a sub-processor that materially changes the nature of processing (e.g., new region, new category of processing), we will give the Controller at least 30 days' notice.

Notice is given by:

• Updating the public sub-processor list
• Emailing every Owner of the Controller's organisation
• Posting in the in-product notification feed

6.4 Right to object

The Controller may object to a new sub-processor on reasonable grounds related to data protection within the 30-day notice period. If the Controller objects:

• We will work with the Controller in good faith to find a resolution (e.g., excluding the Controller from the new sub-processor's scope, where technically feasible)
• If no resolution is possible within a further 30 days, the Controller may terminate the Terms of Service without penalty, and we will refund any prepaid fees for the period after termination

Objection on grounds unrelated to data protection (e.g., commercial preference, competitive concerns about the sub-processor) is not grounds for termination without penalty under this section.

6.5 Sub-processor obligations

We impose on each sub-processor data-protection obligations no less protective than those in this DPA, including with respect to security, confidentiality, and the limitations on sub-processing further. We remain fully liable to the Controller for the performance of our sub-processors.

7. International transfers

7.1 Default location

Personal Data is processed primarily in the United Kingdom and European Economic Area. Specific sub-processors process data in the United States and other jurisdictions as set out in Annex III.

7.2 Transfer mechanisms

Where Personal Data is transferred outside the United Kingdom or the European Economic Area to a country not subject to an adequacy decision, the transfer is governed by:

• The UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, for transfers originating from the United Kingdom
• The EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), for transfers originating from the EEA
• An applicable data bridge or adequacy decision (e.g., the UK-US Data Bridge, the EU-US Data Privacy Framework), where the sub-processor is certified

By executing this DPA, the parties agree to the SCCs / IDTA as incorporated by reference, on the following terms:

• Module 2 (Controller to Processor) of the EU SCCs applies between the Controller (as data exporter) and Knorra (as data importer) where the Controller is established in the EEA
• The UK IDTA, or the UK Addendum to the EU SCCs, applies where the Controller is established in the UK
• We sign separate SCCs / IDTAs as data exporter with each onward-transferring sub-processor

The Controller can request a copy of the executed SCCs / IDTA from privacy@knorra.ai.

7.3 Transfer impact assessments

We have conducted transfer impact assessments for each significant onward transfer, including assessment of the laws and practices of the destination country relevant to the protection of Personal Data. Summaries are available to enterprise customers under NDA.

8. Personal data breach

8.1 Notification

We will notify the Controller of any Personal Data Breach affecting the Controller's Personal Data without undue delay, and in any event within 48 hours of confirmation of the breach in any normal case.

A "confirmed breach" is one we have verified after initial investigation. We will not delay notification while completing a full forensic investigation; we will give the Controller what we know promptly and update as the picture clarifies.

8.2 Content of notification

Notification will include, to the extent then known:

• The nature of the breach, including categories and approximate numbers of Data Subjects and Personal Data records affected
• The likely consequences of the breach
• The measures we have taken or propose to take to address the breach and mitigate its effects
• The name and contact of our privacy point of contact for follow-up

8.3 Cooperation

We will cooperate with the Controller in good faith, including by:

• Providing reasonable information needed for the Controller to assess its own notification obligations (to the ICO under UK GDPR Art. 33, to Data Subjects under Art. 34)
• Assisting with the Controller's investigation and any remediation steps

8.4 Breach record

We maintain an internal log of all Personal Data Breaches in line with UK GDPR Art. 33(5). The log is available to enterprise customers under NDA.

8.5 No admission of liability

A breach notification under this section is not an admission of fault or liability. Fault and liability are determined separately under the Terms of Service and applicable law.

9. Liability

Liability under this DPA is governed by §13 (Limitation of liability) of the Terms of Service, subject to the following:

• The liability cap in the Terms of Service applies to claims under this DPA in aggregate with claims under the Terms of Service
• Nothing in this DPA excludes liability that cannot be excluded under UK or EU data-protection law

10. Audits

10.1 Right to audit

The Controller has the right to audit our compliance with this DPA, subject to the following.

10.2 Audit methods

Audits may be conducted by:

• Reviewing our compliance documentation — security page, certifications (when achieved), sub-processor list, executed SCCs / IDTA, breach log summaries — all available on request to enterprise customers under NDA
• Submitting written questions to privacy@knorra.ai; we will respond within 30 days
• On-site or virtual inspection — limited to enterprise-tier and bespoke-contract customers, subject to (a) at least 30 days' advance notice, (b) a mutually agreed scope, (c) the auditor signing our standard NDA, (d) the audit being conducted during normal business hours and in a manner that doesn't disrupt our operations, and (e) the Controller bearing its own costs (we don't charge for routine audit support, but we may charge for unusual scope at reasonable rates)

The Controller may audit no more than once per twelve-month period, except after a confirmed Personal Data Breach affecting the Controller, in which case additional audits are reasonable.

10.3 Audit findings

If an audit identifies a material compliance issue, we will remediate within a reasonable period (typically 30 days, depending on severity). If we fail to remediate, the Controller may terminate the Terms of Service without penalty.

10.4 Third-party audits

For Controllers that are not in the enterprise or bespoke tier, audit rights are exercised primarily through our compliance documentation. When we achieve SOC 2 Type II or ISO 27001 certifications, we will provide our certification reports to all customers on request, in lieu of on-site audits.

11. Term and termination

This DPA takes effect on the same date as the Terms of Service and remains in force for as long as we process Personal Data on the Controller's behalf, plus any survival periods specified.

The following sections survive termination of the Terms of Service for as long as we retain any Personal Data on the Controller's behalf: §5.7 (return / deletion), §8 (breach notification), §10 (audit rights), and §11 itself.

12. General

12.1 Conflict

In case of conflict between this DPA and the Terms of Service in relation to processing of Personal Data, this DPA prevails. In case of conflict between this DPA and a counter-signed enterprise DPA negotiated separately, the negotiated DPA prevails for the customer to which it applies.

12.2 Governing law

This DPA is governed by the laws of England and Wales.

12.3 Changes to this DPA

We may update this DPA to reflect changes in applicable law or our processing activities. For material changes (changes that adversely affect the Controller's rights or our obligations), we will give 30 days' notice in accordance with the change-of-terms procedure in the Terms of Service.

12.4 Counter-signing

By accepting the Terms of Service at sign-up, the Controller accepts this DPA on behalf of the Controller's organisation. The Controller may request a counter-signed copy at privacy@knorra.ai; we will counter-sign and return within 10 working days.

Annex I — Description of Processing

A. Categories of Data Subjects

• The Controller's employees and contractors who are Members of the Controller's organisation in Knorra
• Other employees and contractors of the Controller whose data appears in connected Sources but who are not Members
• The Controller's customers, partners, suppliers, and other third parties whose data appears in connected Sources

B. Categories of Personal Data

| Category | Examples | |---|---| | Identity | Name, email, employee ID, profile photo, user ID | | Contact | Work email, phone number, address (where present in Sources) | | Professional | Job title, team, manager, project assignments, employment status | | Activity | Documents created, tickets assigned, messages sent, comments, timestamps of activity | | Content | Text of documents (Confluence pages, Google Docs), tickets (Jira issues), messages (Slack), comments. | | Technical | IP address (truncated for application logs), device identifiers, OAuth tokens (encrypted), session identifiers | | Aggregated / derived | Embeddings (mathematical representations of content), AI-generated summaries, AI-generated Findings |

C. Processing Operations

| Operation | Purpose | |---|---| | Collection | Reading from connected Sources via the Source's API or webhook | | Storage | Encrypted storage in our database, encrypted at rest | | Organisation / structuring | Indexing, classification, entity extraction | | Analysis | Similarity search, AI-based duplicate / staleness / recurring-question detection | | Use | Generating Findings, sending notifications, supporting search and exploration in the dashboard | | Disclosure (within authorised scope) | Surfacing Findings to authorised Members; allowing Owners and Admins to view org-level Findings | | Erasure | Per the retention schedule in the Privacy Policy, or on request by the Controller |

D. Duration

For the duration of the Controller's subscription, plus the post-termination retention periods specified in the Privacy Policy.

E. Lawful basis (Controller's responsibility)

The Controller is responsible for identifying and documenting its own lawful basis for processing Personal Data through Knorra. Typical bases for a B2B customer:

• Legitimate interests (UK GDPR Art. 6(1)(f)) for processing employee work product to identify duplicates, staleness, recurring questions, with a documented legitimate interests assessment
• Contract (Art. 6(1)(b)) where the processing is necessary for the Controller's contract with the data subject

The Controller is responsible for ensuring that data subjects are appropriately notified about the use of Knorra in line with UK GDPR Articles 13 and 14.

Annex II — Technical and Organisational Measures

The following are the technical and organisational measures we apply. Detail is summarised; the live posture is at knorra.ai/security.

A. Pseudonymisation and Encryption

• All data at rest is encrypted using industry-standard symmetric encryption (AES-256-GCM)
• Per-tenant key derivation: each Controller's data is encrypted with keys derived from a tenant-specific salt
• All data in transit uses TLS 1.2 or higher
• OAuth tokens are stored encrypted with an authenticated encryption mode (AES-GCM); only the application can decrypt, and only when needed for API calls
• Database backups are encrypted at rest
• AI requests are routed through Vercel AI Gateway with team-wide Zero Data Retention enabled at the Gateway dashboard level. ZDR ensures requests are only routed to AI providers with contractual zero-retention and no-prompt-training agreements with Vercel. Vercel itself does not retain prompts or outputs after request completion. Each response includes routing metadata identifying which providers were considered and which were filtered, providing an audit trail of policy enforcement.

B. Confidentiality, Integrity, Availability, and Resilience

• Logical multi-tenancy with row-level security enforced at the database layer
• Row-level security policies separately enforced for personal-source data (data visible only to the connecting Member)
• Background job isolation prevents one Controller's processing from interfering with another's
• Per-Controller rate limiting and token quotas prevent resource exhaustion attacks

C. Restoring Availability

• Database is hosted on Neon Postgres with point-in-time recovery (PITR)
• Application is hosted on Vercel with multi-region failover for static content
• Critical background-job queues (Inngest) are multi-region

D. Testing and Evaluation

• Automated dependency vulnerability scanning on every build
• Periodic penetration testing (annual at minimum, more frequent for high-risk changes)
• Internal code review required for changes to authentication, authorisation, encryption, and data retention paths
• Annual review of these technical and organisational measures

E. User Identification and Authorisation

• Knorra staff access to production systems is via SSO with required multi-factor authentication
• Principle of least privilege: staff access to customer data is restricted to operationally necessary roles
• All access to customer data is logged in an audit log with a retention period of at least 2 years
• Quarterly access reviews

F. Protection of Data During Transmission and Storage

See Section A.

G. Ensuring Physical Security of Locations Where Personal Data is Processed

Knorra does not operate its own datacentres. Physical security is ensured by our sub-processors (Neon for the database, Vercel for application hosting, etc.), each of which operates from datacentres with industry-standard physical security controls (typically ISO 27001-certified or SOC 2 Type II audited).

H. Events Logging

• All authentication events (sign-ins, OAuth grants, failures) are logged
• All access by Knorra staff to customer data is logged
• All Source connection events (connect, disconnect, scope changes) are logged
• All data exports and deletion events are logged
• Logs are retained for at least 2 years (security and breach investigation) or 90 days (operational logs)

I. System Configuration, Including Default Configuration

• Production systems are configured-as-code; manual configuration changes are not permitted
• Secrets are stored in encrypted environment variables, never in source code

J. Internal IT and IT Security Governance and Management

• Designated privacy point of contact (privacy@knorra.ai)
• Documented incident response plan
• Documented vendor risk management procedure
• Annual review of security and privacy posture

K. Certification / Assurance of Processes and Products

• ICO data-protection fee registration (currently active)
• SOC 2 Type II readiness in progress (target: P3 of product roadmap)
• Sub-processor selection requires evidence of equivalent or higher security standards (most sub-processors hold SOC 2 Type II or ISO 27001)

L. Ensuring Data Minimisation

• Source connections request only the minimum scopes needed for the relevant Knorra feature
• AI processing operates on summaries and embeddings where possible, not full content, to minimise the volume of data flowing through AI providers
• Documents older than the relevant retention threshold are purged automatically

M. Ensuring Data Quality

• Source data is read from authoritative source systems; we do not transform or correct customer content
• Findings are AI-generated and surfaced with confidence scores; the Controller is responsible for validating before acting

N. Ensuring Limited Data Retention

• Default retention schedule per the Privacy Policy
• Configurable per-Controller retention for content snapshots (default 90 days)
• Automated deletion jobs run daily

O. Ensuring Accountability

• This DPA, the Privacy Policy, and the security page document our commitments
• Internal accountability via the audit log, quarterly access reviews, annual security review
• Customer accountability via this DPA, the audit rights in §10, and breach notification under §8

P. Allowing Data Portability and Ensuring Erasure

• Self-service data export in the product (Settings → Export)
• Self-service organisation deletion (Settings → Delete Organisation)
• Manual support via privacy@knorra.ai

Annex III — Sub-processors

The current list of authorised sub-processors is maintained at knorra.ai/legal/sub-processors and is incorporated by reference into this DPA. The list at the time this DPA takes effect is:

| Sub-processor | Purpose | Region | |---|---|---| | Vercel Inc. | Hosting (application, serverless functions) AND AI request routing via Vercel AI Gateway with team-wide Zero Data Retention enforced | EU and US | | Neon Inc. | Database (Postgres, including vector embeddings) | EU (Frankfurt); UK on request | | Anthropic PBC | AI inference (Claude models) — routed via Vercel AI Gateway with ZDR | US and EU | | OpenAI, LLC | AI embeddings — routed via Vercel AI Gateway with ZDR | US | | Inngest, Inc. | Background job orchestration | US | | Resend Inc. | Transactional and notification email; double opt-in confirmation for launch-notification capture | EU | | Stripe Payments Europe Ltd | Payment processing | UK and EU | | Better Stack | Status page (status.knorra.ai) and critical incident SMS / on-call alerting | EU (Czech Republic) | | Functional Software, Inc. (Sentry) | Error tracking | EU | | Axiom Cloud Inc. | Logs and observability | EU | | Cloudflare, Inc. | CDN, DNS, DDoS protection | Global edge | | Google LLC (Google Workspace) | Email aliases at @knorra.ai for staff inboxes | EU and US | | Plausible Insights OÜ | Cookieless aggregate website analytics on knorra.ai | EU (Estonia / Frankfurt) |

The Controller approves these sub-processors by accepting this DPA. New sub-processors are added per §6 above.

End of Data Processing Agreement.

Knorra (NEXTGEN SOFTWARE LTD) Company number 14613977 85 Great Portland Street, London, England, W1W 7LT ICO registration: ZC148593 privacy@knorra.ai