Data Processing Addendum.
The Article 28 contract that sits alongside our Terms. Counter-signable on request.
Last updated 5 May 2026
0. How this works
This Data Processing Addendum (DPA) forms part of the Terms of Service between you (the customer, "Controller") and Blue Dog Digital trading as Knave AI ("Processor", "we"). It applies whenever we process personal data on your behalf.
By accepting our Terms you accept this DPA. If your procurement team needs a counter-signed version with both names on it, email legal@knave.app and we'll get one back to you within two business days.
1. Definitions
"Personal data", "controller", "processor", "data subject", "processing" and "supervisory authority" have the meanings set out in UK GDPR and the Data Protection Act 2018. "Data Protection Laws" means UK GDPR, the EU GDPR where applicable, and the Data Protection Act 2018.
2. Subject and duration
We process the personal data your workspace contains, for the purpose of providing the Knave platform, for as long as your account is active plus the 44-day deletion window described in the Terms.
3. Nature and purpose
Storage, retrieval, generation of content, sending of email through your connected providers, analytics on platform usage, security logging. Always on documented instructions from you. We don't process your data for our own commercial purposes.
4. Categories of data subjects and personal data
Data subjects: your customers, leads, subscribers, and other contacts whose data you upload or sync. Also your own staff where they appear in the brand brief, calendar feeds or support messages.
Personal data: name, email, postal address where provided, phone where provided, marketing preferences, segmentation tags, behavioural metadata from connected analytics, social handles, custom fields you choose to send.
Special category data: not expected. Don't send it. If your vertical genuinely requires it (rare for SMB marketing), contact legal@knave.app first so we can document the lawful basis and put extra safeguards in place.
5. Customer obligations
You confirm that:
- You have a lawful basis for processing the personal data you upload to Knave.
- Your privacy notice tells data subjects that a service like Knave is involved.
- You'll respond to data subject requests yourself, with our help where you need it.
- You'll keep your account credentials and integration tokens secure.
6. Processor obligations
We will:
- Process personal data only on your documented instructions, including for international transfers.
- Make sure everyone with access to the data is bound by confidentiality.
- Apply the security measures in section 9.
- Help you respond to data subject requests, where you need our help to do so.
- Help you with Articles 32-36 (security, breach notification, impact assessments) where the help reasonably falls to us.
- Delete or return personal data at the end of the contract (section 12).
- Make available the information you need to demonstrate compliance with Article 28.
7. Sub-processors
You give us general authorisation to use sub-processors. The current list is in the privacy policy. We give 30 days' written notice before adding or replacing a sub-processor.
You can object to a new sub-processor on reasonable data protection grounds within that 30-day window. If we can't address the objection, you can cancel the affected portion of the service and get a pro-rata refund on any prepaid period.
Each sub-processor is bound by data protection terms at least as strong as those in this DPA.
8. Cross-border transfers
Where personal data leaves the UK or EU, the transfer is covered by the relevant Standard Contractual Clauses (UK International Data Transfer Addendum or EU SCCs) executed between us and the sub-processor, with us as data exporter and the sub-processor as data importer. Copies of executed SCCs are available on request.
Where you (the customer) are based outside the UK and EU and transfer personal data to us, the SCCs in our Terms cover that flow, with you as exporter and us as importer.
9. Security measures
- TLS 1.2 or 1.3 in transit, AES-256-GCM at rest.
- Postgres row-level security as the default isolation model. Every workspace lives in its own RLS-scoped row set.
- Secrets management via 1Password Connect with quarterly rotation and a dual-key window.
- Sentry for application errors, Inngest for workflow failure alerts.
- Daily Postgres snapshots to encrypted cold storage with 30-day retention. Monthly restore drill.
- MFA on admin access. Separate roles for production database access vs application access.
- Business continuity and disaster recovery plan tested at least annually.
Full posture in the security overview.
10. Data breach notification
If we become aware of a personal data breach affecting your data, we'll tell you within 72 hours with the information available at that point: what happened, what data was involved, what we've done so far, what we're still doing, who to contact for more. We'll keep you updated as the picture clarifies.
You stay responsible for any notification to a supervisory authority or to data subjects, since you're the controller. We'll give you what you need to do that.
11. Audit rights
You can audit our compliance with this DPA once a year, or after a security incident materially affecting your data, on 30 days' written notice. The audit can be a written questionnaire, a video walkthrough, or (where genuinely needed) an on-site review limited to the systems that process your data.
Audits run during UK business hours, don't disrupt other customers, and you cover your own costs. Where you have the right to a third-party auditor's report (ISO 27001, SOC 2 once we have one), we'll share that instead by default.
12. Return and deletion at end of contract
On termination, you have 30 days to export your data from the dashboard. After that, we delete production copies within 14 days and backup copies within 30 days of the next backup rotation cycle. We confirm deletion in writing on request.
Where law requires us to keep certain records (tax, accounting), we keep only those records and only for the legally required period.
13. Order of precedence
If anything in this DPA conflicts with the Terms, the DPA wins for matters of personal data processing. The Terms govern everything else.
Need a counter-signed copy?
Email legal@knave.app with your company details. We'll send a counter-signed PDF (DocuSign or signed scan, your call) within two business days.
If anything's unclear, email legal@knave.app. Saul Brennan, our General Counsel, replies within one business day.