Data Privacy Agreement
1. Definitions
2. Data Processing
2.1. Role of the Parties
2.2. Compliance With Laws
2.3. Processing Purposes and Instructions
3. Security
3.1. Security Measures
3.2. Compliance Assessments and Audits
3.3. Confidentiality
3.4. Personal Data Breaches
3.5. Deletion or Return of Personal Data
4. Data Subject and Competent Authority Requests
5. Sub-Processors
6. Data Transfers
7. General Provisions
Annex 1 - Details of Processing
1. List of Parties
1.1. Data exporter
1.2. Data importer
2. Description of Transfer
2.1. Categories of Data Subjects whose Personal Data is Transferred
2.2. Categories of Personal Data Transferred
2.3 Sensitive Data transferred and applied restrictions or safeguards
2.4. Frequency of the transfer
2.5. Nature of the Processing
2.6. Purpose of the transfer and further processing
2.7. Period for which Personal Data will be retained
Annex 2 - Security Measures
1. Information Security Policy
2. Access Control
2.1. Preventing Unauthorized Product Access
2.2. Preventing Unauthorized Product Use
2.3. Limitations of Privilege & Authorization Requirements
3. Transmission Control
4. Incident Management, Logging, and Monitoring
5. Availability Control
6. Vulnerability Management Program
7. Personnel Management
Annex 3 - Third Party Sub-Processors List
This Data Processing Agreement and its Annexes reflect the parties’ agreement with respect to the Processing of Personal Data on behalf of _______ (“Customer”) in connection with the Services provided by Knostic, Inc. and its Affiliates (“Knostic”) under the terms of the agreement signed between Knostic and Customer (the “Agreement”).
This DPA is supplemental to the Agreement and is incorporated into it by reference. In case of any conflict or inconsistency with the terms of the Agreement, the terms of this DPA will take precedence. The duration of this DPA will follow the Term of the Agreement. Defined terms not otherwise defined in this DPA will have the meaning as set forth in the Agreement.
1. Definitions
“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with another entity. For purposes of this definition, “control” means direct or indirect ownership or control of more than 50% of the voting interests of the entity.
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
"Data Privacy Framework" means the EU-U.S. Data Privacy Framework, the Swiss-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Framework self-certification programs (as applicable) operated by the U.S. Department of Commerce; as may be amended, superseded or replaced.
“Data Protection Laws” means all applicable worldwide legislation relating to data protection and privacy which applies to the respective party in the role of Processing Personal Data in question under the Agreement, including without limitation European Data Protection Laws, the CCPA and other applicable U.S. federal and state privacy laws, and the data protection and privacy laws of Australia, Singapore, and Japan, in each case as amended, repealed, consolidated or replaced from time to time.
“Data Subject” means the individual to whom Personal Data relates.
"Europe" means the European Union, the European Economic Area and/or their member states, Switzerland and the United Kingdom.
“European Data” means Personal Data that is subject to the protection of European Data Protection Laws.
"European Data Protection Laws" means data protection laws applicable in Europe, including the Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) ("GDPR"); EU Directive 95/64/EC as transposed into the legislation of each EU Member State in its current form, and other applicable national implementations in the European Economic Area (EEA), including the UK and Switzerland.
“Personal Data” means any information relating to an identified or identifiable individual where (i) such information is contained within Customer Data; and (ii) is protected similarly as personal data, personal information, or personally identifiable information under applicable Data Protection Laws.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by us and/or our Sub-Processors in connection with the provision of the Services. "Personal Data Breach" will not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
“Processing” means any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of Personal Data. The terms “Process”, “Processes” and “Processed” will be construed accordingly.
“Processor” means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller.
“Standard Contractual Clauses” means the standard contractual clauses annexed to the European Commission’s Decision (EU) 2021/914 of 4 June 2021 currently found at https://eur-lex.europa.eu/eli/dec_impl/2021/914, as may be amended, superseded or replaced.
“Sub-Processor” means any Processor engaged by us or our Affiliates to assist in fulfilling our obligations under the Agreement.
2. Data Processing
2.1. Role of the Parties
- The Parties hereby acknowledge and agree that for the purposes defined in the Agreement, the Customer is the Controller and Knostic is a Processor.
- Knostic agrees that it shall process all Personal Data in accordance with its obligations pursuant to this DPA, and will follow Customer’s Instructions for Processing.
- If Customer is acting on behalf of a third party and handles Personal Data as a Processor, then Knostic shall be a Sub-Processor. Where Customer is a Processor, Customer warrants to Company that Customer’s instructions and actions with respect to the Personal Data, including its appointment of Company as Sub-Processor and concluding the Standard Contractual Clauses, have been authorized by the relevant Controller.
2.2. Compliance With Laws
- Each party to this DPA shall comply with its respective obligations under the Data Protection Laws applicable to the Agreement.
- Without derogation from the general instruction set in this section, Customer shall be responsible for complying with all requirements that apply to it with respect to its Instructions regarding the Processing of Personal Data. In particular, and without prejudice to the generality of this sub-section, Customer will be solely responsible for:
- The accuracy, quality, and legality of possession of the Customer Data and the means by which Customer acquired the Personal Data. Without derogation from the above, Customer is also responsible for protecting the security of Personal Data in transit to and from Knostic, and for independently determining whether Knostic’s data security arrangements adequately meet Customer’s obligations under applicable Data Protection Laws;
- Complying with all necessary transparency and lawfulness requirements under the applicable Data Protection Laws, including obtaining necessary consent and authorizations from any Data Subject included in Customer’s data sets;
- Ensuring Customer has the rights to transfer, provide access to or confer by other means the Personal Data to Knostic for Processing; and
- Ensuring that Customer’s Instructions regarding the Processing of Personal Data comply with any and all applicable laws, with an emphasis on compliance with the applicable Data Protection Laws.
Customer shall inform Knostic without delay if it is unwilling or unable for any reason to comply with its responsibilities under this section or applicable Data Protection Laws, and inform Knostic of what measures it will undertake to remedy the non-compliance. If Customer is unable or unwilling to remedy this non-compliance, Knostic reserves the right to terminate this DPA or the Agreement as a result, and this termination shall be deemed as “for cause.”
- Without derogation from the general instruction set in this section, Knostic shall:
- Provide Customer with reasonable cooperation and assistance in relation to the processing of Personal Data, so as to allow the Customer to comply with the requirements Customer has as a Data Controller under applicable Data Protection Laws;
- Comply with the Processing Instructions, maintain and enforce reasonable security measures and policies, as defined in the sections below;
- If Knostic becomes aware of circumstances in which the Customer’s Processing Instructions are incompatible with a legal requirement under any applicable law, Knostic will promptly notify Customer of that legal requirement to the extent permitted by the applicable law; and where necessary, cease all Processing (except for storing and maintaining the security of the affected Personal Data) until such time as Customer issues new Instructions that are compatible with the applicable Data Protection Laws. Knostic reserves the right to cease the provision of services until such alternative instructions are issued, and Knostic shall bear no liability of any kind for failure by Customer to provide Knostic with alternative instructions in accordance with this section. Cessation of services under this section does not suspend any payment due in accordance with the Agreement and does not extend the term of the services.
2.3. Processing Purposes and Instructions
- The Customer may disclose Personal Data to Knostic only for the performance of the Agreement, and acknowledges and agrees that this constitutes a valid business purpose for the processing of such data. The parties further acknowledge and agree that the disclosure of this information by Customer to Knostic does not form part of any monetary or other valuable consideration exchanged between the parties.
- Customer agrees that the terms of the Agreement, including the terms of this DPA and its annexes as incorporated by reference, constitute the Processing Instructions given by the Controller to the Processor. Customer may provide to Knostic additional written instructions that are consistent with the Agreement and the natural and lawful use of Knostic’s products.
- Knostic shall Process Personal Data only for the purpose of the performance of the Agreement, in accordance with Customer’s Instructions, to the extent permissible by applicable Data Protection Laws.
- Customer further acknowledges that Knostic shall have the right to Process certain Personal Data collected in the context of providing the Services, for its legitimate business purposes as a Controller, such as: incorporating the data into its AI-systems, the provision and operation of its services, administrating the business and/or contractual relationship with the Customer, billing, audit and recordkeeping purposes, as well as for account management, security, establishment or exercise of legal claims and protection against fraudulent or illegal activity. Knostic may also process Personal Data for the purpose of improving customers’ threat protection. Knostic may also use aggregated and/or anonymized information for any purpose, including AI-related uses, subject to the confidentiality obligation in the Main Agreement. For the avoidance of doubt, non-aggregated and non-anonymized data referred to in this section shall be retained for the same period as the Personal Data.
3. Security
3.1. Security Measures
Knostic will implement and maintain appropriate technical and organizational measures to protect Personal Data from Personal Data Breaches, as described under Annex 2 to this DPA ("Security Measures"). Notwithstanding any provision to the contrary, Knostic reserves the right to modify, update or otherwise reconfigure the Security Measures at its sole discretion, provided that such modifications or updates do not result in a material degradation in the protection offered by the Security Measures. If Knostic determines, in its sole discretion, that a material change in Security Measures is required, it will provide Customer with notice of the anticipated change, if circumstances permit, at least 10 days in advance of the implementation.
3.2. Compliance Assessments and Audits
- Knostic represents that it audits its compliance with data protection and information security standards on a regular basis. Such audits are conducted either internally or by third party auditors engaged by Knostic, at its sole discretion.
- Knostic may satisfy the requirements set out in this section by providing Customer with a redacted SOC Type II report, so that Customer can reasonably verify Knostic complies with its obligations under this DPA. This report will serve as evidence of proper information security practices and Customer acknowledges it has no additional auditing or inspections rights, unless such rights are specifically granted to Customer under applicable law. This report may be provided to Customer no more than once a year.
- The limitation of auditing rights listed above shall not apply solely in the case of a Personal Data Breach resulting in a material business impact to Customer or in connection with a specific request by a Supervisory Authority. In such event, Customer shall provide Company with 30 days’ prior written notice and the details of any third-party auditor acting on Customer’s behalf, for approval. Without derogation from the generality of this section, Knostic shall bear no costs resulting from the independent auditing process requested by Customer, and Customer agrees to reimburse Knostic for any expenses it incurs during this auditing process.
3.3. Confidentiality
Knostic will employ reasonable efforts to ensure that any Knostic personnel authorized to access or Process Personal Data is subject to appropriate confidentiality obligations (whether a contractual or statutory duty) with respect to that Personal Data.
3.4. Personal Data Breaches
If Knostic becomes aware of any Personal Data Breach, it will notify Customer without undue delay and will provide timely information relating to the Personal Data Breach as it becomes known or reasonably requested by Customer. If Customer is required by applicable Data Protection Laws to issue notices of Personal Data Breaches, Knostic will, at Customer’s request, provide reasonable assistance as necessary to enable the notification of relevant competent authorities or affected Data Subjects of the Personal Data Breach.
3.5. Deletion or Return of Personal Data
Knostic will delete or return all Customer Data, including Personal Data (including copies thereof) Processed pursuant to this DPA, on termination or expiration of the Agreement. This term will apply except where Knostic is required by applicable law to retain some or all of the Data, or where Knostic has archived Data on back-up systems, which are securely isolated and protected from any further Processing, and will be deleted in accordance with Knostic’s deletion practices.
4. Data Subject and Competent Authority Requests
- If Knostic receives any requests from individuals or applicable data protection authorities relating to the Processing of Personal Data under the Agreement, including requests from individuals seeking to exercise their rights under applicable Data Protection Laws, Knostic will promptly redirect the request to the Customer, and will not respond to such communication directly without Customer's prior authorization, unless legally compelled to do so. The Customer is responsible for verifying the identity of the requestor and that the requestor is either the Data Subject whose information is being sought or a duly authorized representative thereof. Knostic bears no responsibility for information provided in good faith to Customer in reliance on this subsection.
- If Knostic receives a legally binding request for the disclosure of Personal Data which is subject to this DPA, it shall (to the extent legally permitted) notify Customer upon receipt of such order, demand, or request. Customer agrees to reply to this legally binding request as soon as possible. If Customer fails to provide Knostic with a response within three business days (or any other shorter time-period required by applicable Data Protection Laws) from receipt of the request, Customer acknowledges that Knostic may provide the information requested and shall bear no responsibility for disclosure of information provided in good faith in reliance on this subsection.
- Without derogation from the above, Knostic will cooperate with Customer with respect to any action taken by it pursuant to such order, demand or request, including ensuring that confidential treatment will be accorded to such disclosed Personal Data and provide reasonable technical assistance in complying with such requests. Customer shall pay Knostic for the actual costs it incurs in connection with its provision of such assistance.
5. Sub-Processors
- Customer hereby provides Knostic with a general authorization to appoint Sub-Processors of information, in accordance with the provisions of this DPA, for the purposes of fulfilment of the Agreement.
- The Sub-Processors may include, among other legitimate uses, Sub-Processors that assist Knostic with hosting and infrastructure, support product features and integrations, and Knostic Affiliates.
- Knostic’s Sub-Processors are listed in Annex 3 to this DPA. Knostic will give Customer the opportunity to object to the engagement of new Sub-Processors on reasonable grounds relating to the protection of Personal Data within 30 days of notification. Such objections will be reviewed by Knostic and Knostic will undertake reasonable efforts to discuss the concerns in good faith, and attempt to resolve the matter with a commercially reasonable resolution. If no such resolution can be reached, Knostic will, at its sole discretion, decide to either not appoint the new Sub-Processor, or permit Customer to suspend or terminate the Agreement in accordance with the termination provisions of the Agreement without liability to either party, but without prejudice to any fees or payments due by Customer prior to the termination of the Agreement.
- Knostic will impose on its Sub-Processors contractual terms that provide at least the same level of protection for Personal Data as those in this DPA, to the extent applicable to the nature of the services provided by such Sub-Processors.
- Knostic will remain responsible for each Sub-Processor’s compliance with the obligations of this DPA and for any acts or omissions of such Sub-Processor that cause breaches of any of its obligations under this DPA.
6. Data Transfers
- Customer acknowledges and agrees that Knostic may access, transfer and Process Personal Data on a global basis including the transfer of European Data, as necessary to fulfil the terms of the Agreement. In particular, Customer accepts and agrees that Personal Data may be transferred to and Processed by Knostic, Inc. in the United States, and to other jurisdictions where Knostic Affiliates and Sub-Processors have operations. Wherever Personal Data is transferred outside its country of origin, each party will ensure such transfers are made in compliance with the requirements of Data Protection Laws, and in accordance with the principles of the Data Privacy Framework for Europe to United States transfers.
- In particular, Company shall not sell the Personal Data without prior consent of Customer, nor shall it share the Personal Data or disclose it for any commercial purpose other than (i) the fulfilment of the terms of the Agreement with the Customer and (ii) its own legitimate uses, as defined in this DPA.
7. General Provisions
- Knostic reserves the right to modify the terms of this DPA, in order to comply with changes to Data Protection Laws, court orders, guidance issued by competent authorities (including but not limited to data protection agencies, competent governments, or regulatory agencies), provided that such changes do not have a material adverse impact on the Customer, as reasonably determined by Knostic at its sole discretion (“Material Changes”), including but not limited to -
- A change in the categorization of Knostic as a data Processor (or Sub-Processor, where Customer is a Processor);
- Expansion of the scope of the permitted Processing;
- Removal of limitations or restrictions imposed on the Processing of Personal Data.
- If Knostic intends to introduce Material Changes to this DPA, Knostic shall inform Customer at least 10 business days prior to the implementation of the Material Changes. Customer may object to the implementation of the Material Change on reasonable grounds relating to the protection of Personal Data within 10 business days of notification. Such objections will be reviewed by Knostic, and Knostic will undertake reasonable efforts to discuss the concerns in good faith, and attempt to resolve the matter with a commercially reasonable resolution. If no such resolution can be reached, Knostic will, at its sole discretion, decide to either not implement the Material Changes, or permit Customer to suspend or terminate the Agreement in accordance with the termination provisions of the Agreement without liability to either party, but without prejudice to any fees or payments due by Customer prior to the termination of the Agreement.
- If any individual provisions of this DPA are determined to be invalid or unenforceable, the validity and enforceability of the other provisions of this DPA will not be affected.
- Each party and each of their Affiliates' liability, taken in aggregate, arising out of or related to this DPA (including any other DPAs between the parties) and the Standard Contractual Clauses, where applicable, whether in contract, tort or under any other theory of liability, will be subject to the limitations and exclusions of liability set out in the Agreement and any reference in such section to the liability of a party means aggregate liability of that party and all of its Affiliates under the Agreement (including this DPA). In no event will either party's liability be limited with respect to any individual's data protection rights under this DPA (including any other DPAs between the parties and the Standard Contractual Clauses, where applicable) or otherwise.
- This DPA will be governed by and construed in accordance with the applicable law of the Agreement and subject to the competence of the courts defined in the Agreement, unless explicitly required otherwise by applicable Data Protection Laws.
Annex 1 - Details of Processing
1. List of Parties
1.1. Data exporter
| Field | Details |
| --- | --- |
| Name | The Customer, as defined in the Agreement |
| Address | The Customer's address, as defined in the Agreement |
| Contact person’s name, position and contact details | The Customer's contact details, as defined in the Agreement |
| Activities relevant to the data transferred under these Clauses | Processing of Personal Data in connection with the fulfilment of the Agreement |
| Role | Controller (either as the Controller; or acting in the capacity of a Controller, as a Processor, on behalf of another Controller) |
1.2. Data importer
| Field | Details |
| --- | --- |
| Name | Knostic, Inc. |
| Address | 205 Van Buren St., Suite 120, Herndon VA 20170, USA |
| Contact person’s name, position and contact details | Jonathan Braverman, Chief of Staff to the CEO, contact@knostic.ai |
| Activities relevant to the data transferred under these Clauses | Processing of Personal Data in connection with the fulfilment of the Agreement |
| Role | Processor |
2. Description of Transfer
2.1. Categories of Data Subjects whose Personal Data is Transferred
The Personal Data transferred by Customer to Knostic concern the following categories of Data Subjects:
- Individuals whose personal data is on Customer's systems or environments, including Generative AI technologies used by the Customer, that are monitored or accessed by Knostic’s product(s).
- Data Subjects may also include individuals attempting to communicate with or transfer Personal Data to Customers’ end users.
2.2. Categories of Personal Data Transferred
- Personal Data that is included in the data and metadata scanned by Knostic software, such as: names, email addresses, IP addresses, contact information, organizational role or position, etc.
- Links to and information regarding file paths or directory addresses of Personal Data that is accessible to Generative AI technologies deployed by Customer on its systems, as monitored by Knostic’s product(s).
- Any other Personal Data submitted by, sent to, or received by Customer that is actively transmitted to Knostic in the pursuit of fulfilment of the Agreement.
2.3 Sensitive Data transferred and applied restrictions or safeguards
The processing of Sensitive Data is subject to the scope limitations, restrictions, and safeguards mutually agreed upon by the parties, as reflected in the Agreement.
2.4. Frequency of the transfer
Continuous
2.5. Nature of the Processing
Personal Data will be Processed in accordance with the Agreement (including this DPA). The parties may mutually agree, in writing, to amend this Annex.
2.6. Purpose of the transfer and further processing
Personal Data will be Transferred and further Processed in accordance with the Agreement (including this DPA). The parties may mutually agree, in writing, to amend this Annex.
2.7. Period for which Personal Data will be retained
Personal Data will be retained (and disposed of) in accordance with the Agreement (including this DPA). The parties may mutually agree, in writing, to amend this Annex.
Annex 2 - Security Measures
We currently observe the Security Measures described in this Annex.
1. Information Security Policy
We maintain and adhere to an internal, written Information Security Policy.
2. Access Control
2.1. Preventing Unauthorized Product Access
Outsourced processing: We host our Service with outsourced cloud infrastructure providers. Additionally, we maintain contractual relationships with vendors in order to provide the Service in accordance with our DPA. We rely on contractual agreements, privacy policies, and vendor compliance programs in order to protect data processed or stored by these vendors.
Physical and environmental security: We host our product infrastructure with multi-tenant, outsourced infrastructure providers. We do not own or maintain hardware located at the outsourced infrastructure providers’ data centers. Production servers and client-facing applications are logically and physically secured from our internal corporate information systems.
Authentication: We implement a uniform password policy for our customer products. Customers who interact with the products via the user interface must authenticate before accessing non-public customer data.
Authorization: Customer Data is stored in multi-tenant storage systems accessible to Customers via only application user interfaces and application programming interfaces. Customers are not allowed direct access to the underlying application infrastructure. The authorization model in each of our products is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed through validating the user’s permissions against the attributes associated with each data set.
Application Programming Interface (API) access: Public product APIs may be accessed using OAuth authorization or private app tokens.
2.2. Preventing Unauthorized Product Use
We implement industry standard access controls and detection capabilities for the internal networks that support our products.
Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure. The technical measures implemented differ between infrastructure providers and include Virtual Private Cloud (VPC) implementations, security group assignment, and traditional firewall rules.
Intrusion detection and prevention: We implement a Web Application Firewall (WAF) solution to protect hosted customer websites and other internet-accessible applications. The WAF is designed to identify and prevent attacks against publicly available network services.
Code analysis: Code stored in our source code repositories is checked for best practices and identifiable software flaws using automated tooling.
Endpoint Security: Endpoints are hardened in accordance with industry standard practice. Workstations are protected using anti-malware and endpoint detection & response tools, receiving regular definition and signature updates.
2.3. Limitations of Privilege & Authorization Requirements
Privileged Access Management: Privileged access in our product environment is controlled, monitored, and removed in a timely fashion through just-in-time access (JITA) controls. Non-personal accounts used for system access are stored in a secure vault with additional controls governing privilege elevation and account check-out processes.
3. Transmission Control
In-transit: We require HTTPS encryption (TLS, historically referred to as SSL) on all login interfaces. Our HTTPS implementation uses industry standard algorithms and certificates.
At-rest: We store user passwords following policies that follow industry standard practices for security. We take a layered approach of at-rest encryption technologies to ensure Customer data and Customer-identified Permitted Sensitive Data are appropriately encrypted.
4. Incident Management, Logging, and Monitoring
Incident Response Plan: We maintain a written Incident Response Plan and other necessary processes and procedures to fulfill the standards and obligations reflected in said plan.
Detection: We designed our infrastructure to log extensive information about the system behavior, traffic received, system authentication, and other application requests. Internal systems aggregate log data and alert appropriate employees of malicious, unintended, or anomalous activities. Our personnel, including security, operations, and support personnel, are responsive to known incidents.
Response and tracking: We maintain a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, or support personnel; and appropriate resolution steps are identified and documented. For any confirmed incidents, we will take appropriate steps to minimize product and Customer damage or unauthorized disclosure. Notification to you will be in accordance with the terms of the Agreement.
5. Availability Control
Infrastructure availability: The infrastructure providers use commercially reasonable efforts to ensure a minimum of 99.95% uptime.
Fault tolerance: Backup and replication strategies are designed to ensure redundancy and fail-over protections during a significant processing failure. Customer data is backed up to multiple durable data stores and replicated across multiple availability zones.
Online replicas and backups: Where feasible, production databases are designed to replicate data between no less than 1 primary and 1 secondary instance. All databases are backed up and maintained using at least industry standard methods.
Disaster Recovery Plans: We maintain and regularly test disaster recovery plans to help ensure availability of information following interruption to, or failure of, critical business processes.
6. Vulnerability Management Program
Vulnerability Remediation Schedule: We maintain a vulnerability remediation schedule aligned with industry standards. We take a risk-based approach to determining a vulnerability’s applicability, likelihood, and impact in our environment.
Vulnerability scanning: We perform daily vulnerability scanning on our products using technology and detection standards aligned with industry standards.
Penetration testing: We maintain relationships with industry-recognized penetration testing service providers for penetration testing at least annually. The intent of these penetration tests is to identify security vulnerabilities and mitigate the risk and business impact they pose to the in-scope systems.
7. Personnel Management
We staff qualified personnel to develop, maintain, and enhance our security program. We train all employees on security policy, processes, and standards relevant to their role and in accordance with industry practice.
Background checks: Where permitted by applicable law, Knostic employees undergo a background or, at a minimum, a reference check. All employees are required to conduct themselves in a manner consistent with company guidelines, non-disclosure requirements, and ethical standards.
Annex 3 - Third Party Sub-Processors List
Knostic relies on the following Sub-Processors for the proper execution of the Services:
| Sub-Processor | Region | Additional Information |
| --- | --- | --- |
| AWS | US for US customers, otherwise EU | |
| Descope | US for US customers, otherwise EU | Authentication service |
| Cloudflare | Global | |
| Bugsnag | US | Client-side UI telemetry |
| Azure OpenAI | US for US customers, otherwise EU | No data is retained |
| Groundcover | US for US customers, otherwise EU | Log data is stored on Knostic AWS cloud |
| Datadog | Global | This Sub-Processor will be removed by the end of 2024 |
Version 1.0 – August 2024