Data Processing Addendum
Effective: May 24, 2026. Version 1.0.
1. Roles
For personal data you upload to SocialScalr about third parties (lead names, business emails, LinkedIn URLs, message threads), you are the Controller and SocialScalr is the Processor within the meaning of GDPR Article 4. For personal data you create as part of your own SocialScalr account (your email, billing details), SocialScalr is the Controller and the Privacy Policy applies.
2. Subject matter and duration
Subject matter: provision of the SocialScalr Service per the Terms of Service. Duration: for as long as you have an active SocialScalr account, plus any retention period required by law or these terms.
3. Nature, purpose, and types of data
- Nature and purpose: hosting, storage, transmission, retrieval, analysis, and display of Customer Data so you can run outreach, content, and CRM workflows.
- Categories of data subjects: your business prospects, contacts, and any other individuals whose personal data you upload.
- Categories of personal data: name, business email, business phone, employer, job title, public LinkedIn URL, public profile data, message thread history you have with them, custom fields you add. We do not require sensitive categories (Article 9 data); do not upload them.
4. Processor obligations
SocialScalr will:
- Process personal data only on documented instructions from you, including with regard to transfers, except where required by Union or Member State law.
- Ensure that persons authorised to process the personal data have committed to confidentiality.
- Implement appropriate technical and organisational measures (see Annex A) to ensure a level of security appropriate to the risk.
- Engage sub-processors only as described in Section 7.
- Taking into account the nature of processing, assist you with appropriate measures to fulfil obligations to respond to data subject rights requests.
- Assist you in ensuring compliance with Articles 32 to 36 (security, breach notification, impact assessments) taking into account information available to us.
- At your choice, delete or return all personal data after end of services, and delete existing copies unless law requires storage.
- Make available all information necessary to demonstrate compliance with Article 28, and allow for and contribute to audits.
5. Controller obligations
You represent that:
- You have a valid legal basis under GDPR Article 6 (or equivalent law) for the personal data you upload to SocialScalr.
- You have provided all required transparency notices to your data subjects.
- You will not instruct SocialScalr to process personal data in a way that would violate applicable law.
- You will respond to data subject requests directly. We will forward to you any request received directly from one of your data subjects and assist you in responding.
6. Security measures
See Annex A below. We may update Annex A over time so long as the level of security is not materially reduced.
7. Sub-processors
You authorise SocialScalr to engage the sub-processors listed in the Privacy Policy as of the effective date above. We will give you 30 days' email notice before adding or replacing a sub-processor that processes Customer Data. You may object to a new sub-processor on reasonable, documented data-protection grounds within 30 days; if we cannot accommodate your objection, you may terminate the Service for the affected processing and receive a pro-rata refund of any prepaid unused fees.
We remain liable for the acts and omissions of our sub-processors to the same extent as if performed by us.
8. International transfers
Where personal data is transferred from the EEA, UK, or Switzerland to a country without an adequacy decision, the EU Standard Contractual Clauses (2021/914, Module Two: controller-to-processor) are hereby incorporated by reference and apply between you and SocialScalr. The UK International Data Transfer Addendum (IDTA) and the Swiss equivalent apply where applicable. A signed copy is available on request.
9. Data subject requests
We will not respond directly to requests from your data subjects without your prior written consent, except to confirm the request relates to you. We will, taking into account the nature of the processing, assist you by appropriate technical and organisational measures in fulfilling your obligation to respond to such requests. The Settings -> Privacy & Data export and delete endpoints, and the public API, give you the tools to fulfil access, portability, and erasure requests yourself.
10. Breach notification
SocialScalr will notify you without undue delay and in any event within 72 hours after becoming aware of a personal data breach affecting your Customer Data. The notification will include, to the extent then known: the nature of the breach, categories and approximate number of data subjects and records affected, likely consequences, and measures taken or proposed.
11. Audits
We will respond to reasonable customer audit requests by providing relevant third-party certifications (SOC 2, ISO 27001 once obtained), documentation of our security measures, and written responses to security questionnaires. For Enterprise customers, on-site audits may be arranged on 30 days' notice no more than once per year (or more frequently if required by a supervisory authority), subject to mutually agreed scope and cost-sharing.
12. Return or deletion
On termination, you may export your data via Settings -> Privacy & Data or the API for 30 days. After 30 days we will delete all Customer Data per the retention schedule in the Privacy Policy, except where law requires retention.
13. Order of precedence
In case of conflict between this DPA and the Terms of Service with respect to processing of personal data subject to GDPR, this DPA controls.
Annex A - Technical and organisational measures
A.1 Confidentiality, integrity, availability
- TLS 1.2+ for all data in transit (HSTS enabled).
- AES-256 encryption at rest (Supabase + Cloudflare managed).
- Passwords stored as bcrypt hashes only.
- API keys and webhook secrets stored as Cloudflare encrypted environment variables.
- Row-level security on the database; service-role keys never exposed to clients.
- Optional TOTP two-factor authentication on every customer account.
- Optional IP allowlisting for Enterprise customers.
A.2 Resilience and recovery
- Encrypted daily backups with 30-day retention.
- RPO target: 24 hours. RTO target: 4 hours.
- Disaster-recovery runbook tested at least annually.
- Multi-region edge delivery via Cloudflare.
A.3 Access control
- Principle of least privilege for staff. Access provisioned only when needed for support or operations.
- All staff access is logged and reviewed.
- Staff use SSO with mandatory two-factor authentication.
- Customer impersonation (when a customer authorises support to look at their account) is logged in the customer-visible audit log.
A.4 Monitoring and incident response
- Centralised error capture and alerting.
- Documented incident-response procedure with named on-call.
- Annual incident-response tabletop.
A.5 Personnel
- All staff sign confidentiality agreements as a condition of employment.
- Security training on hire and annually.
- Background checks where permitted by local law.
A.6 Vendor management
- All sub-processors are vetted for security and signed to data-protection terms at least as strong as those in this DPA.
- Sub-processor list is published at /privacy and updated with 30 days' notice for changes.
Companion policies: Privacy Policy - Terms of Service - Cookie Policy - Acceptable Use