Data Processing Agreement (DPA)
Last Updated: March 2026
This Data Processing Agreement ("DPA") forms part of the Terms & Conditions or Enterprise Master Services Agreement between Knoq Ltd ("Data Processor") and the Client ("Data Controller") to reflect the parties' agreement with regard to the processing of personal data.
1. Definitions and Interpretation
For the purposes of this DPA, the terms "Data Controller", "Data Processor", "Personal Data", "Processing", and "Data Subject" shall have the meanings given to them under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. Subject Matter and Nature of Processing
The Processor processes Personal Data on behalf of the Controller solely to deliver the Knoq HRMS platform services. The processing involves storing and transmitting workforce data, payroll summaries, and onboarding details as configured by the Controller.
3. Obligations of the Processor
The Processor shall:
- Process the Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or an international organisation.
- Ensure that persons authorised to process the Personal Data have committed themselves to confidentiality.
- Take all security measures required pursuant to Article 32 of the UK GDPR (encryption, pseudonymisation, access control).
- Not engage another processor (Sub-processor) without prior specific or general written authorisation of the Controller.
4. Sub-Processors
The Controller provides general authorisation to the Processor to engage sub-processors (e.g., cloud hosting providers AWS/Azure). The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object within 30 days.
5. Breach Notification
The Processor shall notify the Controller without undue delay (and strictly within 48 hours) after becoming aware of a personal data breach, providing sufficient information to allow the Controller to meet any obligations to report under the UK GDPR.
6. Return or Deletion of Data
Upon termination of the Services, the Processor shall, at the choice of the Controller, delete or return all the Personal Data to the Controller and delete existing copies unless UK law requires storage of the Personal Data.
Enterprise Sign-off
If your procurement department requires a countersigned PDF version of this DPA for your vendor records, please contact your account manager or email our compliance team.