KnockIQ ← Back to site

KnockIQ Data Processing Addendum

Effective Date: June 8, 2026 Last Updated: June 8, 2026

This Data Processing Addendum ("DPA") forms part of and is incorporated by reference into the KnockIQ Terms of Service (the "Agreement") between KnockIQ, LLC ("KnockIQ") and the customer that has accepted the Agreement ("Customer"). It governs KnockIQ's processing of Personal Information on Customer's behalf in connection with the Service. Capitalized terms not defined here have the meaning given in the Agreement or the KnockIQ Privacy Policy.

If there is any conflict between this DPA and the Agreement with respect to the processing of Personal Information, this DPA controls.


1. Definitions


2. Roles of the Parties

The roles of the parties depend on the category of data, consistent with Section 2 of the KnockIQ Privacy Policy:

Data category KnockIQ's role Customer's role
Rep account, geolocation, and performance data Service Provider / Processor Business / Controller
Customer account, billing, and configuration data KnockIQ is the Business / Controller
Visited Person data (address, coordinates, contact info, notes, photos, roof insights) Controller, jointly with Customer Joint Controller

For Personal Information where KnockIQ acts as a Service Provider or Processor, KnockIQ Processes that data only on behalf of Customer and subject to the obligations in this DPA. For Visited Person data, the parties acknowledge their joint-controller posture; KnockIQ nonetheless applies the protections in this DPA to that data and assists Customer with its obligations.


3. Scope and Roles; Processing Details

Annex A sets out the subject matter, duration, nature and purpose of Processing, the categories of Personal Information, and the categories of data subjects.

KnockIQ will Process Personal Information only to provide, secure, maintain, and improve the Service, to comply with law, and as otherwise instructed by Customer through the Service's features and configuration. The Agreement, this DPA, and Customer's use and configuration of the Service constitute Customer's complete and final documented instructions.


4. KnockIQ's Obligations as a Service Provider / Processor

KnockIQ makes the following commitments with respect to Personal Information it Processes on Customer's behalf. These provisions satisfy the contractual requirements of 11 CCR § 7051 under the CCPA and the equivalent processor-contract requirements of the other Applicable Privacy Laws.

4.1 Purpose limitation. KnockIQ will Process Personal Information only for the specific, limited business purposes of providing the Service as described in the Agreement and Annex A, and will not Process it for any other purpose.

4.2 No sale, no share, no use outside the direct business relationship. KnockIQ will not Sell or Share Personal Information. KnockIQ will not retain, use, or disclose Personal Information for any purpose other than the business purposes specified in the Agreement, including not for any commercial purpose other than providing the Service, and will not retain, use, or disclose Personal Information outside the direct business relationship between KnockIQ and Customer. KnockIQ certifies that it understands and will comply with these restrictions.

4.3 No combining. KnockIQ will not combine Personal Information it receives from, or on behalf of, Customer with Personal Information it receives from, or on behalf of, any other person, or that it collects from its own interactions with the Consumer, except as permitted under Applicable Privacy Law to perform a business purpose.

4.4 Same level of protection. KnockIQ will provide the same level of privacy protection as is required of businesses by Applicable Privacy Law.

4.5 Notice of inability to comply. KnockIQ will notify Customer if it determines that it can no longer meet its obligations under Applicable Privacy Law, and on such notice Customer may take reasonable and appropriate steps to stop and remediate unauthorized Processing.

4.6 Right to monitor; audit. Customer has the right to take reasonable and appropriate steps to ensure that KnockIQ uses Personal Information in a manner consistent with Customer's obligations under Applicable Privacy Law, as further described in Section 8 (Audits).

4.7 Confidentiality. KnockIQ ensures that personnel authorized to Process Personal Information are bound by written confidentiality obligations and are trained on the proper handling of Personal Information.


5. Sub-processors

5.1 Authorization. Customer provides general authorization for KnockIQ to engage Sub-processors to Process Personal Information. The current list of Sub-processors is published at https://www.getknockiq.com/sub-processors.

5.2 Flow-down. KnockIQ enters into a written agreement with each Sub-processor that imposes data-protection obligations no less protective than those in this DPA and requires the Sub-processor to provide the same level of protection for Personal Information as required of KnockIQ. KnockIQ remains responsible for each Sub-processor's performance.

5.3 Notice of changes. KnockIQ will provide notice of the addition or replacement of a Sub-processor by updating the Sub-processor page and, for Customers who subscribe to notifications (by emailing privacy@knockiq.com), by email, at least ten (10) days before the new Sub-processor begins Processing Personal Information. Customer may object in writing on reasonable data-protection grounds within that period; if the parties cannot resolve the objection, Customer may terminate the affected portion of the Service.


6. Assistance with Data-Subject Rights

Taking into account the nature of the Processing, KnockIQ will provide reasonable assistance to Customer (through appropriate technical and organizational measures, insofar as possible) to enable Customer to respond to requests from Consumers exercising their rights under Applicable Privacy Law, including rights to know/access, correct, delete, obtain a copy of, opt out of Sale/Share, opt out of profiling, and limit the use of Sensitive Personal Information.

Where KnockIQ receives a Consumer request directly (including from a Visited Person), KnockIQ may, consistent with its controller role for Visited Person data and Applicable Privacy Law, respond to and act on the request, and will coordinate with Customer where the request concerns data within Customer's control. KnockIQ will not be required to act on a request in a manner that would violate Applicable Privacy Law.


7. Security

7.1 Security measures. KnockIQ will implement and maintain appropriate technical and organizational measures designed to protect Personal Information, as described in Annex B. KnockIQ may update these measures provided the updates do not materially reduce the overall level of protection.

7.2 Security Incident notification. KnockIQ will notify Customer without undue delay, and in any event within the timeframe required by Applicable Privacy Law, after becoming aware of a Security Incident affecting Personal Information Processed on Customer's behalf. The notification will describe, to the extent known, the nature of the incident, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed. KnockIQ will provide reasonable cooperation to assist Customer in meeting its own breach-notification obligations.


8. Audits

Upon Customer's reasonable written request, and no more than once per twelve (12) months (unless required more frequently by a regulator or following a Security Incident), KnockIQ will make available information reasonably necessary to demonstrate compliance with this DPA. This may take the form of KnockIQ's then-current security documentation, summaries of independent assessments, or written responses to a reasonable security questionnaire. On-site audits, where required by Applicable Privacy Law, will be conducted on reasonable advance notice, during business hours, subject to confidentiality, and in a manner that does not disrupt KnockIQ's operations or the security of other customers' data.


9. International and Cross-Border Transfers

KnockIQ Processes and stores Personal Information primarily in the United States and, for map and fallback geocoding services, in the European Union (Germany), as described in the Privacy Policy and on the Sub-processor page. Where a Customer enables an outbound integration, Personal Information may be transmitted to the destination the Customer configures. KnockIQ relies on contractual protections with each Sub-processor in connection with cross-border transfers.


10. Return and Deletion of Personal Information

On expiry or termination of the Agreement, KnockIQ will, at Customer's election, return and/or delete Personal Information Processed on Customer's behalf in accordance with Section 7.5 of the Agreement (30-day export window followed by deletion within 60 days; 90 days total), except to the extent retention is required by law or for the limited periods set out in the retention schedule in Section 12 of the Privacy Policy. KnockIQ will delete or de-identify Personal Information in accordance with that schedule, which is enforced automatically.


11. Canadian Provisions

Where Customer or a data subject is subject to PIPEDA, Quebec Law 25, or the Alberta or British Columbia PIPA, KnockIQ will Process Personal Information consistently with those laws, including by limiting Processing to the purposes authorized by Customer, maintaining safeguards appropriate to the sensitivity of the information, assisting Customer with access and correction requests, and notifying Customer of confirmed breaches of security safeguards involving a real risk of significant harm so that Customer can meet its reporting obligations.


12. General

This DPA is governed by the same law and dispute-resolution provisions as the Agreement. Except as amended by this DPA, the Agreement remains in full force. If any provision of this DPA is held invalid, the remainder continues in effect. This DPA may be updated by KnockIQ from time to time on notice as provided in the Agreement; material changes that reduce data-protection commitments will not apply retroactively.


Annex A — Details of Processing

Subject matter. KnockIQ's provision of the door-to-door canvassing-coordination Service to Customer.

Duration. For the term of the Agreement, plus the post-termination return/deletion periods in Section 10.

Nature and purpose of Processing. Hosting, storage, transmission, display, organization, geocoding, analytics, and deletion of Customer Data in order to provide the Service (logging canvassing activity, mapping, lead routing, performance reporting, optional roof insights, billing, and account communications).

Categories of data subjects. Customer's sales representatives and managers ("Reps"); Customer's administrators and billing contacts; and Visited Persons (homeowners and other prospects recorded during canvassing).

Categories of Personal Information.

Sensitive Personal Information. Precise geolocation (Reps and Visited Persons); photographs that may incidentally depict identifiable persons. KnockIQ does not collect audio, government identifiers, or special-category data.


Annex B — Technical and Organizational Security Measures


Version: 1.0

This Data Processing Addendum is provided for general informational purposes and does not constitute legal advice. KnockIQ recommends review by qualified counsel before publication and periodically thereafter.