Data Processing Addendum

Last updated 5 July 2026

This Data Processing Addendum ("DPA") forms part of the Terms of Service between KnoxGuard Limited ("Processor") and the customer ("Controller") and reflects the parties' agreement on the processing of Personal Data under UK GDPR Article 28.

1. Subject-matter & duration

Processing of Personal Data submitted by the Controller to the KnoxGuard Service, for the duration of the subscription plus 30 days.

2. Nature & purpose

Hosting, storing, transmitting and displaying evidence, submissions, incidents and training records to enable the Controller's cybersecurity and compliance workflows.

3. Types of data & data subjects

  • Controller staff and end users (name, work email, role, activity logs).
  • Content chosen by the Controller which may include incidental special category data governed by Art. 9(2)(g) & (h).

4. Obligations of the Processor

  • Process Personal Data only on documented instructions from the Controller.
  • Ensure personnel are bound by confidentiality.
  • Implement appropriate technical and organisational measures (Annex A).
  • Assist the Controller with data subject requests, DPIAs and Art. 32-36 obligations.
  • Notify the Controller without undue delay and within 24 hours of a Personal Data breach.
  • On termination, delete or return Personal Data as instructed.
  • Make available all information necessary to demonstrate compliance, and allow audits.

5. Sub-processors

The Controller authorises the sub-processors listed at knoxguard.co.uk/subprocessors. We will give at least 30 days' notice of new sub-processors and impose materially equivalent obligations.

6. International transfers

Any transfer outside the UK/EEA is protected by the UK International Data Transfer Addendum, the EU Standard Contractual Clauses or an adequacy decision, with a documented transfer risk assessment.

7. Liability

Each party's liability under this DPA is subject to the limitations in the Terms of Service.

Annex A — Security measures

  • Encryption in transit (TLS 1.2+) and at rest (AES-256).
  • Role-based access control with MFA for privileged accounts.
  • Audit logging and 24h security incident triage.
  • ISO/IEC 27001:2022 aligned ISMS; annual pen-tests.
  • UK/EEA data residency; least-privilege service accounts.