Data Processing Agreement

Last updated: 2026-06-23

Discover how we protect your data.

This document is an appendix to the General Conditions between the Customer (hereinafter the "Processing Manager") and Wism Corp Ltd (company number 15297767, registered office 24-26 Arcadia Avenue, Fin009, London, N3 2JU, United Kingdom) trading as Scrupp (hereinafter the "Subcontractor"). Each party is referred to as a "Party" and together the "Parties".

For the purposes hereof, capitalized terms and expressions shall have the same meaning as that attributed to them in the General Terms and Conditions.

I. Subject

The purpose of these clauses is to define the conditions under which the Subcontractor undertakes to carry out, on behalf of the Data Controller, the personal data processing operations defined below.

Within the framework of their contractual relations, the parties undertake to comply with the applicable regulations on the processing of personal data and, in particular, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter "the General Data Protection Regulation").

II. Description of the outsourced processing

Scrupp is an all-in-one B2B outreach platform. The Subcontractor is authorised to process, on behalf of the Controller, the personal data necessary for the provision of the following services: (i) lead scraping — collecting, cleaning, correcting, organising and directing business contact details (for example, names, job titles, employers, business email addresses and phone numbers) of the Data Controller's customers, prospects and suppliers from sources such as LinkedIn, Sales Navigator and Apollo, and automatically detecting and merging duplicates; (ii) enrichment — finding and verifying business email addresses and phone numbers and appending firmographic data (such as company size, industry and location).

Additionally, the Subcontractor is authorised to provide (iii) cold-email outreach and sending services, namely: sending email on the Data Controller's behalf to the Persons through mailboxes connected by the Data Controller (including Gmail / Google Workspace and Outlook / Microsoft 365 mailboxes connected via OAuth, as well as pre-warmed sending inboxes provisioned through the Subcontractor); executing multi-step outreach sequences; performing mailbox warmup; monitoring deliverability; and receiving, storing, organising and presenting inbound replies in a unified reply inbox, including AI-assisted drafting and categorisation of those replies (hereinafter together the "Services").

The categories of data subjects are the customers, prospects and suppliers of the Data Controller, the recipients of the Data Controller's outreach, the senders of inbound replies, and the Data Controller's own employees or users whose mailboxes are connected to the Services (hereinafter the "Persons").

The nature of the operations carried out on the data is the collection, processing, storage and transmission of the personal data of the Persons for the performance of the Services, including the sending of email on the Controller's behalf, mailbox warmup, deliverability monitoring, and the processing of inbound replies.

The purpose of the processing is the performance of the Services.

The personal data processed include: data identifying the Persons and data relating to their professional situation (such as names, job titles, employers, business email addresses, phone numbers, and professional profile and firmographic data); the content, subject lines, metadata and engagement events (such as opens, clicks, replies and bounces) of outbound messages and inbound replies handled through the Services; and the credentials, OAuth access and refresh tokens, and configuration of the mailboxes connected by the Data Controller. For the performance of the Services referred to herein, the Data Controller shall provide the Subcontractor with the necessary information, including the connection of the relevant mailboxes.

The Subcontractor does not sell, rent, or lease the data to any third party. Any engagement of further sub-processors to perform specific processing activities is governed by section 6 below and by the safeguards described in the Controller's Privacy Policy.

III. The Subcontractor's obligations towards the Controller

The Subcontractor undertakes to:

1. process the data solely for the purpose covered by this subcontract;

2. process the data in accordance with the documented instructions of the Data Controller. The parties agree that any use or parameterization of the Subcontractor's solution by the Data Controller will be recorded and considered as a documented instruction. Where the Subcontractor considers that an instruction infringes the General Data Protection Regulation or any other legal provision of the Union or the Member States relating to data protection, it must immediately inform the Data Controller.

In addition, where the Subcontractor is required to transfer personal data to a third country or to an international organisation under the law of the Union or the law of the Member States to which it is subject, the Subcontractor must inform the Controller of this legal obligation before carrying out the processing, unless that law prohibits the disclosure of such information on important public interest grounds. Notwithstanding the foregoing, the Subcontractor is expressly authorised by the Data Controller to process the data in order to improve the Subcontractor's technology and services and to provide such services as described in Section II.

3. guarantee the confidentiality of the personal data processed hereunder;

4. ensure that persons authorised to process personal data under this:

- are committed to confidentiality or are subject to an appropriate legal obligation of confidentiality;

- receive the necessary training in the protection of personal data.

5. take into account, with regard to its tools, products, applications or services, the principles of data protection by design and by default.

6. Sub-processors: The Data Controller acknowledges and agrees to the engagement by the Subcontractor of the following sub-processors in connection with the Services:

Sub-processor | Purpose | Location
Hetzner Online GmbH | Primary production hosting, databases, off-site backups | Germany (EU)
Amazon Web Services, Inc. (AWS) | Cloud hosting and object storage (including contact avatars, exports and attachments) | European Union / United States (SCC)
Stripe, Inc. | Payment processing and billing | Ireland (EU) / United States (SCC)
Spaceship / Spacemail | Transactional and account email delivery | European Union
Google LLC (Workspace & Gmail, OAuth, Analytics) | Connected Gmail / Google Workspace mailboxes via OAuth (sending and reading mail on the Controller's behalf), Workspace integration, optional analytics | United States (SCC + Data Privacy Framework)
Microsoft Corporation (Microsoft 365 / Outlook, OAuth) | Connected Outlook / Microsoft 365 mailboxes via OAuth (sending and reading mail on the Controller's behalf) | European Union / United States (SCC + Data Privacy Framework)
Third-party SMTP / email-sending providers (e.g. cold-email sending and relay services) | Sending outbound email on the Controller's behalf and delivery routing | European Union / United States (SCC)
Third-party mailbox-warmup and deliverability providers (incl. pre-warmed inbox suppliers) | Mailbox warmup, deliverability monitoring and provisioning of pre-warmed sending inboxes | European Union / United States (SCC)
OpenAI, L.L.C. | AI-powered content generation, reply drafting and reply categorisation (optional, opt-in) | United States (SCC)
Google Gemini (Google Cloud) | AI-powered content generation, reply drafting and reply categorisation (optional, opt-in) | United States (SCC + Data Privacy Framework)
OpenRouter, Inc. | AI model routing for content generation, reply drafting and reply categorisation (optional, opt-in) | United States (SCC)
PostHog, Inc. | Product analytics and usage measurement | European Union / United States (SCC)

The Subcontractor may engage additional sub-processors to perform specific processing activities. In such a case, the Subcontractor shall inform the Controller in writing at least 30 days in advance of any planned change concerning the addition or replacement of sub-processors. The notice will identify the processing activities subcontracted, the name, location, and contact details of the new sub-processor, and the date the new Subcontracting Contract takes effect. The Controller may object to any such change within 30 days of receiving the notice.

The Data Controller shall have a minimum of 30 (thirty) days from the date on which he receives the said information to object to it. The subsequent subcontracting contract is only possible if the Data Controller has not objected to it within the agreed time limit.

The Subsequent Subcontractor is required to comply with these obligations on behalf of and in accordance with the instructions of the Data Controller. It is the Subcontractor's responsibility to ensure that the Subcontractor provides the same sufficient guarantees for the implementation of appropriate technical and organisational measures so that the processing meets the requirements of the European Data Protection Regulation.

Where the Further Processor fails to fulfil its data protection obligations, the Subcontractor shall remain fully liable to the Controller for the performance of its obligations by the Further Processor.

7. Exercise of data subjects' rights: the Subcontractor shall assist the Controller, as far as possible, in fulfilling its obligation to respond to requests to exercise the data subject's rights: right of access, rectification, erasure and objection, right to limit processing, right to data portability, right not to be subject to automated individual decision making (including profiling).

When the data subjects send the Subcontractor requests to exercise their rights, the Subcontractor must forward these requests as soon as they are received by e-mail to the Controller.

8. Notification of personal data breach: the Subcontractor must notify the Controller of any personal data breach no later than 72 (seventy-two) hours after becoming aware of it and by e-mail. This notification must be sent with all the documentation necessary to enable the Controller, where appropriate, to notify the competent supervisory authority of the violation.

9. Assistance provided by the Subcontractor to the Data Controller with regard to compliance with its obligations: the Subcontractor shall assist the Data Controller in carrying out data protection risk analyses and with a view to prior consultation of the supervisory authority.

10. Security measures: the Subcontractor undertakes to implement appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure, including:

  • Encryption in transit: all network traffic between clients, servers, and sub-processors is encrypted using TLS 1.2 or higher.
  • Encryption at rest: production databases and backups are encrypted at rest using AES-256 (or equivalent) at the storage layer.
  • Access controls: role-based access to production systems, least-privilege principle, multi-factor authentication required for all administrator and engineer accounts.
  • Network isolation: production databases are not exposed to the public internet; administrative access requires VPN or bastion host.
  • Audit logging: access to production systems and personal data is logged; logs are retained for at least 90 days and reviewed on a regular cadence.
  • Secret management: credentials and API keys are stored in a dedicated secret manager, rotated regularly, and never committed to source control.
  • Backups: encrypted, within the EU, with restore tested periodically. Backups are destroyed in line with the retention schedule.
  • Vulnerability management: dependencies are monitored for known vulnerabilities and patched on a risk-based schedule; production systems receive security updates without undue delay.
  • Employee training: personnel with access to personal data receive data-protection training and are bound by confidentiality obligations.
  • Incident response: documented process to detect, investigate, contain, and notify on data-security incidents. Breaches affecting personal data are notified to the Controller within 72 hours as required by Article 33 GDPR.

Fate of the data: at the end of the Services relating to the processing of this data, the Subcontractor undertakes to destroy all personal data, no later than one month after the end of the Services.

11. Register of categories of processing activities: the Subcontractor declares that it keeps a written register of all categories of processing activities carried out on behalf of the Controller.

12. Documentation: the Subcontractor shall make available to the Controller the documentation necessary to demonstrate that it complies with all its obligations and to enable the Controller or any other auditor it has authorised to carry out audits, including inspections, and to contribute to such audits.

During these audits, the Controller or the auditor it has engaged for this purpose is not authorised to have access to business secrets, strategic information or any information that the Subcontractor has undertaken to keep confidential. The Subcontractor shall have the right to object to any inspections and/or verifications by the Controller or its auditor which might allow it to access such information, without the Controller being able to assert any right in this respect.

In any event, the Controller shall ensure that the auditor and, more generally, its staff carrying out such audits are subject to appropriate confidentiality obligations.

IV. Obligations of the Controller

1. Right to information and consent of the data subjects: it is the responsibility of the Controller to inform the data subjects of the processing operations at the time the data are collected. More specifically, insofar as the Controller is not aware of (i) the data subjects of the processing operation, (ii) the possible contractual relationship between the Controller and the data subjects and the purpose of the data processing and (iii) the settings decided and made by the Controller, it is incumbent on the Controller to define the appropriate legal basis for the processing.

Where appropriate, the Controller must obtain the consent of the data subjects with regard to the processing.

2. Connection of mailboxes for sending and reply handling: where the Data Controller connects mailboxes to the Services (including Gmail / Google Workspace and Outlook / Microsoft 365 mailboxes connected via OAuth, or pre-warmed sending inboxes provisioned through the Subcontractor) so that the Subcontractor may send email on the Data Controller's behalf, warm up those mailboxes, monitor deliverability and retrieve inbound replies, it is the responsibility of the Data Controller:

-- to inform its employees and users that the Subcontractor will be granted access to the connected mailboxes in order to send and read mail and synchronise replies on the Controller's behalf;

-- to ensure that it is entitled to send outreach to the intended recipients and to determine and document the appropriate legal basis for such sending (including any required consent), as well as to honour unsubscribe and suppression requests;

-- to decide whether or not acceptance of this connection is mandatory for its employees and users.

The Subcontractor's use and transfer of information collected from Google APIs are in accordance with the Google API Services User Data Policy, including the Limited Use requirements, and its use of Microsoft APIs is in accordance with the applicable Microsoft API terms.

The Controller furthermore undertakes to:

3.1 provide the Subcontractor with the data mentioned in point II of this document;

3.2 record in writing any instructions relating to the processing of data by the Subcontractor. More specifically, the Subcontractor has developed a solution that takes into account the principles of privacy by design and is, by default, the least intrusive. Other settings can be added by the Data Controller: it is up to the Data Controller to define the intended use and the corresponding settings of the solution. As in the situation previously indicated, any setting made by the Data Controller is considered as an instruction from the Data Controller to the Subcontractor;

3.3 ensure, before and during processing, compliance with the obligations of the Data Controller under the European Data Protection Regulation;

3.4 supervise processing, including conducting audits and inspections with the Subcontractor.
