Data Processing Addendum

Effective: May 24, 2026. Version 1.0.

Who needs this. If you use SocialScalr to process personal data about people other than yourself (your prospects, leads, contacts), and you are subject to GDPR, UK GDPR, CCPA/CPRA, or a comparable law that requires a controller-processor agreement, this DPA forms part of your contract with us. By using the Service you accept this DPA. Enterprise customers may sign a countersigned PDF version by emailing [email protected].

1. Roles

For personal data you upload to SocialScalr about third parties (lead names, business emails, LinkedIn URLs, message threads), you are the Controller and SocialScalr is the Processor within the meaning of GDPR Article 4. For personal data you create as part of your own SocialScalr account (your email, billing details), SocialScalr is the Controller and the Privacy Policy applies.

2. Subject matter and duration

Subject matter: provision of the SocialScalr Service per the Terms of Service. Duration: for as long as you have an active SocialScalr account, plus any retention period required by law or these terms.

3. Nature, purpose, and types of data

4. Processor obligations

SocialScalr will:

  1. Process personal data only on documented instructions from you, including with regard to transfers, except where required by Union or Member State law.
  2. Ensure that persons authorised to process the personal data have committed to confidentiality.
  3. Implement appropriate technical and organisational measures (see Annex A) to ensure a level of security appropriate to the risk.
  4. Engage sub-processors only as described in Section 7.
  5. Taking into account the nature of processing, assist you with appropriate measures to fulfil obligations to respond to data subject rights requests.
  6. Assist you in ensuring compliance with Articles 32 to 36 (security, breach notification, impact assessments) taking into account information available to us.
  7. At your choice, delete or return all personal data after end of services, and delete existing copies unless law requires storage.
  8. Make available all information necessary to demonstrate compliance with Article 28, and allow for and contribute to audits.

5. Controller obligations

You represent that:

6. Security measures

See Annex A below. We may update Annex A over time so long as the level of security is not materially reduced.

7. Sub-processors

You authorise SocialScalr to engage the sub-processors listed in the Privacy Policy as of the effective date above. We will give you 30 days' email notice before adding or replacing a sub-processor that processes Customer Data. You may object to a new sub-processor on reasonable, documented data-protection grounds within 30 days; if we cannot accommodate your objection, you may terminate the Service for the affected processing and receive a pro-rata refund of any prepaid unused fees.

We remain liable for the acts and omissions of our sub-processors to the same extent as if performed by us.

8. International transfers

Where personal data is transferred from the EEA, UK, or Switzerland to a country without an adequacy decision, the EU Standard Contractual Clauses (2021/914, Module Two: controller-to-processor) are hereby incorporated by reference and apply between you and SocialScalr. The UK International Data Transfer Addendum (IDTA) and the Swiss equivalent apply where applicable. A signed copy is available on request.

9. Data subject requests

We will not respond directly to requests from your data subjects without your prior written consent, except to confirm the request relates to you. We will, taking into account the nature of the processing, assist you by appropriate technical and organisational measures in fulfilling your obligation to respond to such requests. The Settings -> Privacy & Data export and delete endpoints, and the public API, give you the tools to fulfil access, portability, and erasure requests yourself.

10. Breach notification

SocialScalr will notify you without undue delay and in any event within 72 hours after becoming aware of a personal data breach affecting your Customer Data. The notification will include, to the extent then known: the nature of the breach, categories and approximate number of data subjects and records affected, likely consequences, and measures taken or proposed.

11. Audits

We will respond to reasonable customer audit requests by providing relevant third-party certifications (SOC 2, ISO 27001 once obtained), documentation of our security measures, and written responses to security questionnaires. For Enterprise customers, on-site audits may be arranged on 30 days' notice no more than once per year (or more frequently if required by a supervisory authority), subject to mutually agreed scope and cost-sharing.

12. Return or deletion

On termination, you may export your data via Settings -> Privacy & Data or the API for 30 days. After 30 days we will delete all Customer Data per the retention schedule in the Privacy Policy, except where law requires retention.

13. Order of precedence

In case of conflict between this DPA and the Terms of Service with respect to processing of personal data subject to GDPR, this DPA controls.

Annex A - Technical and organisational measures

A.1 Confidentiality, integrity, availability

A.2 Resilience and recovery

A.3 Access control

A.4 Monitoring and incident response

A.5 Personnel

A.6 Vendor management

Companion policies: Privacy Policy - Terms of Service - Cookie Policy - Acceptable Use