Data Processing Addendum (DPA)
1. Parties & subject matter
This Data Processing Addendum ("DPA") is entered into between Burrow Studio LLC ("Knobot", "we", "us"), the operator of the Knobot platform, and the entity or individual that has accepted the Knobot Terms of Service ("Customer"). This DPA forms part of, and is incorporated into, the Knobot Terms of Service. It governs the processing of personal information that Knobot receives from or on behalf of Customer in the course of providing the Service.
2. Definitions
- Personal Data / Personal Information (PI). Any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household, as defined in Cal. Civ. Code §1798.140(v).
- Sensitive Personal Information (SPI). PI as defined in Cal. Civ. Code §1798.140(ae), including but not limited to health information, racial or ethnic origin, religious beliefs, and content of communications.
- Sub-processor. Any third party engaged by Knobot to process PI on Customer's behalf.
- Service Provider. Knobot's role as defined in Cal. Civ. Code §1798.140(ag): an entity that receives PI from a business for a business purpose pursuant to a written contract that prohibits the entity from selling the PI, retaining, using, or disclosing the PI for a commercial purpose other than providing the services specified in the contract.
- Business / Controller. Customer, who determines the purposes and means of processing PI.
- Processing. Any operation performed on PI, whether or not by automated means.
3. Roles
Knobot acts as a Service Provider (and, where applicable under other privacy frameworks, a Processor) with respect to PI that Customer provides to Knobot or that Knobot collects on Customer's behalf in the course of providing the Service. Customer acts as the Business (and, where applicable, the Controller). Each party will comply with its obligations under applicable privacy law in its respective role.
4. Scope and instructions — CCPA §7051(a)(1)–(a)(8) Service Provider clauses
Pursuant to Cal. Code Regs. tit. 11 §7051, this DPA contains the following mandatory Service Provider contract terms:
- Sale/share prohibition (§7051(a)(1)). Knobot shall not sell or share PI received under this DPA.
- Specified-purpose-only (§7051(a)(2)). Knobot shall not retain, use, or disclose PI received under this DPA for any purpose other than: (a) generating AI chat responses for Visitors; (b) capturing voluntary contact data and delivering it to Customer; (c) operating, securing, and improving the Service for Customer; and (d) detecting and preventing abuse and rate-limit violations. Knobot shall not retain, use, or disclose PI outside of the direct business relationship between Knobot and Customer.
- No retention/use/disclosure outside business purpose (§7051(a)(2)). Knobot shall not retain, use, or disclose PI received pursuant to this DPA outside of the direct business relationship between Knobot and Customer, except as permitted by applicable law.
- No commercial purposes outside contracted relationship (§7051(a)(3)). Knobot shall not use PI received under this DPA for any commercial purpose other than providing the services specified in the Terms of Service and this DPA.
- No combining with other-source data (§7051(a)(4)). Knobot shall not combine PI received under this DPA with PI received from or about consumers from other sources or collected from its own interaction with consumers, except as permitted by 11 CCR §7050(c).
- CCPA compliance and security (§7051(a)(5)). Knobot shall comply with applicable CCPA provisions, including the obligation to implement and maintain reasonable security procedures and practices appropriate to the nature of the PI it receives, as required by Cal. Civ. Code §1798.100(e). Knobot's current security measures are described in Annex II to this DPA.
- Audit rights (§7051(a)(6)). Customer has the right to conduct an assessment of Knobot's data-handling practices once per calendar year, on 30 business days' prior written notice to support@knobot.org, at Customer's expense. Knobot will satisfy the audit request by providing a completed security questionnaire (CAIQ-Lite or equivalent) within 20 business days of the request. If Customer elects an on-site audit, Knobot will make relevant personnel and documentation available at a mutually agreed time, provided that Customer signs a confidentiality agreement and the audit does not unreasonably disrupt Knobot's operations.
- Notification of inability to comply (§7051(a)(7)). If Knobot determines that it can no longer meet its obligations under the CCPA with respect to PI received under this DPA, Knobot will notify Customer in writing within 10 business days of making that determination. Customer may direct Knobot to take reasonable and appropriate steps to stop and remediate the unauthorized use of PI.
- Remediation rights (§7051(a)(8)). Upon Customer's written instruction identifying unauthorized use of PI, Knobot shall take reasonable and appropriate steps to stop and remediate such unauthorized use. Knobot's contracts with Sub-processors impose equivalent CCPA service-provider obligations, and Knobot will exercise its rights under those contracts on Customer's behalf where applicable.
5. Sub-processors
The current list of Sub-processors Knobot uses to process PI on Customer's behalf is published at /sub-processors (list version 2026-06-06), which includes each vendor's name, processing purpose, region, DPF certification status, and DPA execution status.
Change notice. Knobot will provide at least 30 days' prior written notice (by email to the owner-user email on file) before any new Sub-processor begins processing PI under this DPA.
Objection. Customer may object to a new Sub-processor on reasonable data-protection grounds within 30 days of the notice. If the parties cannot resolve the objection within 15 days, Customer may terminate the affected portion of the Service for convenience with a pro-rated refund of pre-paid fees for the remaining term.
6. AI sub-processor no-training clause
AI Sub-processors used to generate Service outputs (currently Google Vertex AI / Gemini and Voyage AI) are prohibited, contractually or by default, from using Customer Personal Data — including conversation transcripts, knowledge-base content, and lead data — to train, fine-tune, evaluate, or improve their generalized AI models. Knobot will maintain documentation evidencing the contractual basis or opt-out status for each AI Sub-processor and will make such documentation available to Customer on request.
7. Breach notification
Knobot will notify Customer without undue delay upon discovery of a security incident affecting Customer's data. The notification will include, to the extent then known: (a) a description of the nature of the incident; (b) the categories and approximate number of data subjects and PI records concerned; (c) the likely consequences of the incident; and (d) the measures taken or proposed to address the incident. Knobot will provide further information as it becomes available. Customer is responsible for notifying data subjects and regulators as required by applicable law.
8. Deletion / return on termination
Upon termination, Knobot will delete Customer's data promptly upon Customer's request. Customer may export its data at any time prior to termination. Deletion applies to all PI received under this DPA from Knobot's systems (including those of Sub-processors), except: (i) the clickwrap acceptance archive, retained for 7 years from acceptance as legal-records evidence of consent; and (ii) to the extent Knobot is required to retain PI by applicable law. Knobot's dashboard provides export tooling for leads, conversations, and account data. Knobot will provide written confirmation of deletion on request.
9. Data subject rights assistance
Knobot will assist Customer in responding to data subject rights requests (including requests to know, delete, correct, or limit processing) relating to PI processed under this DPA, where such requests cannot be fulfilled by Customer without Knobot's assistance. Customer should submit such requests to support@knobot.org with the subject line "DSAR Assistance Request." Knobot responds to verifiable consumer requests within the period required by applicable law. Customer is solely responsible for verifying the identity of the requesting data subject and for any communications with that data subject.
10. Controller's instructions override
Knobot shall process PI only on Customer's documented instructions, as set out in this DPA and the Terms of Service. Knobot may refuse instructions from Customer that Knobot reasonably believes would violate applicable privacy law or this DPA; such refusal is not a breach of the Terms of Service or this DPA. Knobot will promptly notify Customer of any refusal and the reasons for it.
11. Annex II — Technical and organizational measures (TOMs)
Knobot implements and maintains the following technical and organizational measures to protect PI received under this DPA:
- In transit. TLS 1.2+ enforced at every endpoint; HSTS on knobot.org and api.knobot.org.
- At rest. AES-256 encryption at rest via cloud-infrastructure providers (MongoDB Atlas storage encryption).
- Access control. Identity-based access via Google Workspace SSO; principle of least privilege; per-environment API keys; founder-only access to production databases at launch.
- Network security. Vercel WAF; Cloudflare DDoS mitigation; rate-limiting on widget endpoints.
- Vulnerability management. Dependabot for dependency updates; quarterly review of security advisories for Sub-processors.
- Incident response. Documented breach SOP; customer notification without undue delay upon discovery of a security incident.
- Employee training. All personnel with PI access are briefed on data-handling obligations and must acknowledge this DPA's Annex II controls before access is provisioned.
- Data minimization. Visitor IP addresses appear only in (a) short-lived infrastructure access logs (truncated to /24 for IPv4, /48 for IPv6); (b) widget session tokens (in memory for the session duration); and (c) abuse and rate-limit event records (full IP retained up to 30 days then automatically deleted). Full IP addresses are not stored persistently in conversation, lead, or analytics records.
- Logging. Application logs retained 30 days; security events retained 180 days.
- Sub-processor oversight. Sub-processor contracts require equivalent security standards. Annual review of Sub-processor security posture.
12. Liability cap
Knobot's aggregate liability to Customer under or in connection with this DPA — whether in contract, tort (including negligence), or otherwise — shall not exceed the greater of: (a) two times (2x) the annual fees paid by Customer to Knobot in the 12 months preceding the claim; or (b) USD $100. Nothing in this DPA limits either party's statutory liability to data subjects under applicable privacy law. This liability cap is separate from, and in addition to, the liability cap set forth in the Knobot Terms of Service.
13. Versioning
Knobot may update this DPA from time to time. Knobot will provide at least 30 days' prior email notice of material changes to the owner-user email on file. Continued use of the Service after the effective date of any update constitutes acceptance of the updated DPA. The current version of this DPA is always available at /dpa.
14. Data Protection Contact
For privacy and data protection inquiries related to this DPA, contact Knobot at privacy@knobot.org or support@knobot.org. Mailing address: Burrow Studio LLC, 7901 4th St N, Suite 300, St. Petersburg, FL 33702, USA.