
Data Processing Agreement

Last updated: 23 April 2026

Incorporated into the KnowledgeScout Terms of Service

Effective Date: 23 April 2026
Entity: KnowledgeScout Pty Ltd
ABN: 24 696 430 627
Location: Sydney, Australia


Recitals

This Data Processing Agreement (DPA) forms part of the Agreement between KnowledgeScout Pty Ltd (ABN 24 696 430 627) (KnowledgeScout, Processor, we, us or our) and the Client that accepts the Agreement (Client, Controller, you or your).

This DPA is incorporated into, and forms part of, the Agreement and becomes binding on the Parties when the Client accepts the Terms of Service. This DPA applies where, and to the extent that, KnowledgeScout Processes Personal Data on behalf of the Client as a processor, service provider, or equivalent role under Applicable Data Protection Laws in connection with the Service.


1. Definitions and Interpretation

1.1 Definitions

In this DPA, unless the context otherwise requires, the following terms shall have the meanings set out below:

Applicable Data Protection Laws: All data protection and privacy laws applicable to the processing of Personal Data under this DPA, including: (a) the Privacy Act 1988 (Cth) and the Australian Privacy Principles; (b) the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018; (c) the Texas Data Privacy and Security Act (TDPSA); (d) any other applicable data protection laws as amended from time to time.
Personal Data: Any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller in connection with the Agreement.
Processing: Any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organisation, storage, alteration, retrieval, consultation, use, disclosure, alignment, combination, restriction, erasure, or destruction.
Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
Sub-processor: Any third party engaged by the Processor (or by any other Sub-processor of the Processor) to process Personal Data on behalf of the Controller.
Data Region: The geographic region selected by the Controller for the storage of their Client Content, being one of: Australia (Sydney), United Kingdom (London), or United States (Dallas).
Agreement: The Terms of Service, together with the Privacy Policy, this DPA, and any applicable order form or other written subscription terms agreed between KnowledgeScout and the Client.

1.2 Interpretation

Unless the context otherwise requires: (a) headings are for convenience only and do not affect interpretation; (b) the singular includes the plural and vice versa; (c) a reference to a document includes that document as amended, updated, or replaced from time to time in accordance with its terms; and (d) "including" and similar words do not limit what else might be included.

1.3 Order of Precedence

In the event of any inconsistency between this DPA, the Terms of Service, and the Privacy Policy, the terms of this DPA shall prevail to the extent of such inconsistency solely in relation to the processing of Personal Data, unless expressly stated otherwise.


2. Scope, Roles, and Processing Details

2.1 Applicability

This DPA applies where, and to the extent that, KnowledgeScout Processes Personal Data on behalf of the Client as a processor or service provider in connection with the Agreement.

2.2 Data Controller and Processor Roles

As between the Parties, the Client is the controller of Personal Data and KnowledgeScout is the processor of Personal Data in respect of Processing to which this DPA applies. The Client determines the purposes and means of that Processing. KnowledgeScout will Process Personal Data only on the documented instructions of the Client, except where otherwise required by Applicable Data Protection Laws. The documented instructions of the Client are deemed to include the Agreement, this DPA, and the Client's configuration and use of the Service.

2.3 Processing Details

Subject Matter: Provision of the KnowledgeScout knowledge management platform.
Duration: The term of the Agreement, plus 30 days post-termination (cancelled period for data export), and thereafter until relevant Personal Data is deleted from production systems and backup copies are overwritten or deleted in the ordinary course in accordance with the Processor's retention practices.
Nature & Purpose: Storage, indexing, retrieval, analysis, search, serving of content via APIs and embedded components, analytics, audit logging, and related platform services.
Categories of Data Subjects: The Controller's employees, agents, contractors, customers, end users, and any other natural persons whose personal data is contained in Client Content or platform interactions.
Types of Personal Data: Names, email addresses, job titles, interaction data (including queries, conversations, clicks, session data), content created via programmatic access or embedded components, and any other personal data contained within or derived from Client Content or platform usage.
Data Region: Client Content and Personal Data will be primarily stored within the selected Data Region. Limited processing, access, routing, support, security, backup, and operational activities may occur outside the Data Region where reasonably necessary to provide the Service, as described in the Privacy Policy. AI processing may occur outside the Data Region as described in Section 6.

3. Processor Obligations

The Processor shall:

  • Process Personal Data only on documented instructions of the Controller, including as set out in the Agreement, this DPA, and as necessary to provide, secure, support, and improve the Service;
  • Ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  • Implement and maintain appropriate technical and organisational measures to protect Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, or damage, as described in Schedule 2, taking into account the state of the art, implementation costs, and the nature, scope, context, and purposes of processing;
  • Maintain an audit trail of all programmatic access (APIs, agent integrations) that processes Personal Data, and provide logs on request;
  • Respect the conditions for engaging Sub-processors as set out in Section 5;
  • Assist the Controller, by appropriate technical and organisational measures, insofar as is possible, to fulfil the Controller's obligations to respond to requests for exercising data subject rights under Applicable Data Protection Laws;
  • Assist the Controller in ensuring compliance with obligations relating to security of processing, notification of data breaches, data protection impact assessments, and prior consultation with supervisory authorities, taking into account the nature of processing and the information available to the Processor, to the extent reasonably required and proportionate, and subject to reimbursement of reasonable costs where such assistance exceeds standard Service functionality;
  • At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of services, and delete existing copies unless Applicable Data Protection Laws require storage of the Personal Data;
  • Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and Applicable Data Protection Laws, and make available reasonable information necessary to demonstrate compliance, including summaries, certifications, and documentation. On reasonable notice, and only where required by applicable law or following a material security incident, the Controller may conduct a limited audit, subject to confidentiality, security restrictions, and reimbursement of reasonable costs.

4. Controller Obligations

The Controller shall:

  • Ensure that it has all necessary rights, consents, and lawful bases to provide the Personal Data to the Processor for Processing in accordance with this DPA and the Agreement;
  • Provide documented processing instructions to the Processor and ensure that such instructions comply with Applicable Data Protection Laws;
  • Be responsible for the accuracy, quality, and legality of Personal Data and the means by which it was obtained;
  • Acknowledge that the platform is designed for business knowledge management content (articles, guides, procedures, FAQs, and training materials) and that tenant databases are not intended as repositories for personal data. The Controller should not use the platform to systematically store personal data such as customer records, health information, financial details, or government identifiers, unless incidental to knowledge content;
  • Ensure that it does not upload Sensitive Personal Data as defined under Applicable Data Protection Laws to the platform unless the Controller has implemented appropriate safeguards and obtained required consents, and has notified KnowledgeScout in writing of the sensitivity classification;
  • If enabling third-party agent access to the platform, ensure that the Controller has appropriate data processing agreements in place with such agents covering their handling of Personal Data;
  • Ensure that if the Controller enables embedded components (widgets) that are accessed by end users, the Controller has provided appropriate privacy disclosures to those end users regarding the collection and processing of their personal data;
  • Respond to data subject requests received directly, and promptly notify the Processor if assistance is required;
  • Comply with all Applicable Data Protection Laws in respect of its use of the platform and its collection and provision of Personal Data to the Processor.

5. Sub-processors

5.1 General Authorisation

The Controller provides general written authorisation for the Processor to engage Sub-processors to perform specific processing activities on behalf of the Controller, subject to the conditions set out in this Section 5.

5.2 Current Sub-processors

The Processor's current Sub-processors are listed in the KnowledgeScout Sub-processor List. The Controller acknowledges and approves the engagement of these Sub-processors as at the date of this DPA.

5.3 Changes to Sub-processors

The Processor shall inform the Controller in writing of any intended changes to the list of Sub-processors (including the addition or replacement of Sub-processors) by updating the Sub-processor List and, where practicable, providing prior notice. The Controller may subscribe to notifications.

If the Controller reasonably objects to the engagement of a new Sub-processor on data protection grounds, the Processor shall use reasonable efforts to make available to the Controller a change in the services or recommend a commercially reasonable alternative. If no alternative is available within thirty (30) days, the Controller may terminate the affected portion of the Agreement without penalty.

5.4 Sub-processor Contracts

The Processor shall impose on each Sub-processor, by way of a written contract or other legally binding instrument, data protection obligations no less onerous than those set out in this DPA, particularly with regard to guarantees in relation to international data transfers. The Processor shall remain responsible for the performance of its Sub-processors, subject to the limitations of liability set out in the Agreement.

5.5 Third-Party Agents and BYOK Providers

For the avoidance of doubt: BYOK AI providers (such as Anthropic, OpenAI, Microsoft Azure OpenAI Service) and third-party agents accessed via the platform are not Sub-processors of KnowledgeScout. When the Controller enables such integrations and provides their own API credentials, the Controller has a direct contractual relationship with that provider. The Controller bears direct responsibility for that provider's handling of Personal Data and compliance with applicable laws.


6. International Data Transfers and AI Processing

Personal Data will be primarily stored within the Data Region selected by the Controller at signup. Limited processing, access, routing, support, security, backup, and operational activities may occur outside that Data Region where reasonably necessary to provide the Service and as otherwise described in this DPA and the Privacy Policy. Nightly backups are encrypted using AES-256 with per-tenant derived encryption keys and stored in Cloudflare R2 within the same geographic region as the Controller's chosen Data Region.

6.1 AI Processing

When AI features are enabled, relevant data (such as search queries and document excerpts) may be transmitted to AI providers. The Controller may configure:

  • Default providers (e.g., Anthropic) operating under Commercial Terms (no model training on inputs/outputs), in which case KnowledgeScout is responsible for the transfer and Anthropic is a Sub-processor; or
  • Bring Your Own API Key (BYOK) providers (including Anthropic, OpenAI, Microsoft Azure OpenAI Service, or self-hosted/custom LLMs), in which case the Controller has a direct relationship with the chosen provider and bears responsibility for that provider's data handling and international transfer compliance.

6.2 Conversation Logging

Conversation logging (when enabled) stores logs in the tenant's Data Region. Disabling AI features prevents all AI provider transfers except locally stored conversations.

6.3 Embedded Components and Widget Data

End user data accessed or collected through embedded components (widgets) and similar integrations leaves the KnowledgeScout platform and is subject to the Controller's own data governance and international transfer compliance obligations.

6.4 Standard Contractual Clauses

For transfers of Personal Data from the UK or EEA to the Data Region where the Data Region is outside the UK/EEA, the Parties agree to rely on Standard Contractual Clauses (SCCs) as the transfer mechanism, supplemented by any additional protective measures required by Applicable Data Protection Laws.

For transfers of Personal Data where the Data Region is Australia, both Parties acknowledge that personal data is protected under the Privacy Act 1988 (Cth) and that the Australian Privacy Principles (APP 8) apply to outbound transfers.


7. Data Subject Rights

The Processor shall assist the Controller in fulfilling data subject rights requests (access, rectification, erasure, portability, restriction) through platform administrative features (including export, edit, delete accounts, and view audit logs) and by providing point-in-time recovery from backups where necessary.


8. Data Breach Notification

The Processor shall notify the Controller, without undue delay and, where practicable, within a reasonable period having regard to the nature of the Data Breach and applicable law, of a Data Breach, including a description of the breach, affected categories of Personal Data, likely consequences, and mitigation measures taken or proposed. The Processor shall send breach notifications to the Controller's designated emergency contact email as configured in the Controller's tenant settings. Notifications will be sent from privacy@knowledgescout.io.


9. Data Deletion and Return

Upon termination or cancellation, the Controller's account enters a cancelled state for 30 days, during which the Controller may log in and export all Client Content in standard formats. After the 30-day cancelled period, all Personal Data is permanently deleted from production databases. Backup copies will be deleted or overwritten in the ordinary course in accordance with the Processor's backup retention practices, subject to technical constraints and applicable legal obligations. Written confirmation of deletion shall be provided within 5 business days of completion.

Account and billing information may be retained for up to 7 years after account closure to comply with applicable tax and accounting obligations as described in the Privacy Policy. This retention does not extend to Client Content or Personal Data processed under this DPA.


10. Audit Rights

Upon reasonable written request, the Processor will provide reasonable information necessary to demonstrate compliance with this DPA, including summaries, certifications, and relevant documentation. On reasonable notice, and only where required by applicable law or following a material security incident, the Controller may conduct one limited audit in any 12-month period, subject to the Processor's reasonable confidentiality, security, and operational requirements, and reimbursement of the Processor's reasonable costs. Any audit materials and findings shall be treated as Confidential Information.


11. Liability

This DPA forms part of and is subject to the limitations of liability, exclusions, and risk allocation set out in the Agreement.


12. Governing Law

This DPA forms part of the Agreement and is governed by, and construed in accordance with, the governing law and jurisdiction provisions set out in the Terms of Service.


13. Schedule 1: Sub-processors

Refer to the KnowledgeScout Sub-processor List.


14. Schedule 2: Technical and Organisational Measures

Infrastructure: Multi-tenant on Vultr VPS in Sydney (AU), London (UK), Dallas (US); customer data stays in selected region.
Encryption at Rest: Tenant databases: AES-256 with per-tenant keys. Object storage: AES-256 at rest.
Encryption in Transit: TLS 1.2+.
Access Control: Role-based (Reader/Editor/Admin), application-level enforcement.
Audit Logging: Comprehensive logs of administrative actions, data changes, and programmatic access, stored in tenant database.
Backups: Nightly to Cloudflare R2 (stored in-region, AES-256 at rest, 7 daily/4 weekly/3 monthly retention). Backup copies are deleted or overwritten in the ordinary course in accordance with retention practices, subject to technical constraints and applicable legal obligations.
Vulnerability Management: Regular OS and dependency updates, container scanning.
Network Security: Cloudflare DDoS/WAF, internal-only database access.
Monitoring: Continuous health and log monitoring.

15. Schedule 3: Controller Processing Instructions

The Controller instructs the Processor to process Personal Data, including but not limited to:

  • Store, manage, and organise knowledge base content, documents, and materials
  • Index and search content to enable discovery and retrieval
  • Process queries and transmit to AI providers when AI features are enabled
  • Track and log interactions and conversations (when enabled)
  • Track user progress through knowledge paths and assigned content
  • Generate usage analytics and reports
  • Maintain audit logs of administrative actions and data changes
  • Process data necessary for billing and subscription management
  • Serve content via APIs and embedded components
  • Enable programmatic access for agents and third-party integrations

All processing shall be performed in accordance with the documented instructions and the terms of this DPA.


This DPA is incorporated into and forms part of the Agreement and takes effect on the date the Client accepts the Terms of Service.

For questions or to exercise rights under this DPA, contact: privacy@knowledgescout.io


Version: 3.1