Data Processing Agreement

Last updated: 2026-04-21

This document is an appendix to the General Conditions between the Customer (hereinafter the "Processing Manager") and Scrupp (hereinafter the "Subcontractor"). Each party is referred to as a "Party" and together the "Parties".

For the purposes hereof, capitalized terms and expressions shall have the same meaning as that attributed to them in the General Terms and Conditions.

I. Subject

The purpose of these clauses is to define the conditions under which the Subcontractor undertakes to carry out, on behalf of the Data Controller, the personal data processing operations defined below.

Within the framework of their contractual relations, the parties undertake to comply with the applicable regulations on the processing of personal data and, in particular, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter "the General Data Protection Regulation").

II. Description of the outsourced processing

The Subcontractor is authorised to process, on behalf of the Controller, the personal data necessary for the provision of the following services: (i) cleaning, correcting, synchronising, enriching, organising and directing the contact details — for example, business email addresses and phone numbers — of the Data Controller's customers, prospects and suppliers, (ii) automatically detecting and merging duplicates.

Additionally, the Subcontractor is authorised to (iii) update the contact details of the Data Controller's customers, prospects and suppliers with regard to erroneous e-mails, in particular by synchronising the mailboxes of the Data Controller's employees (hereinafter together the "Services").

The categories of data subjects are the customers, prospects and suppliers of the Data Controller (hereinafter the "Persons").

The nature of the operations carried out on the data is the collection, processing and storage of the personal data of the Persons for the performance of the Services.

The purpose of the processing is the performance of the Services.

The personal data processed are data identifying the Individuals and data relating to the Individual's professional situation. For the performance of the Services referred to herein, the Data Controller shall provide the Subcontractor with the following necessary information: information and data identifying the Persons.

The Subcontractor does not sell, rent, or lease the data to any third party. Any engagement of further sub-processors to perform specific processing activities is governed by section 6 below and by the safeguards described in the Controller's Privacy Policy.

III. The Subcontractor's obligations towards the Controller

The Subcontractor undertakes to:

1. process the data solely for the purpose covered by this subcontract;

2. process the data in accordance with the documented instructions of the Data Controller. The parties agree that any use or parameterization of the Subcontractor's solution by the Data Controller will be recorded and considered as a documented instruction. Where the Subcontractor considers that an instruction infringes the General Data Protection Regulation or any other legal provision of the Union or the Member States relating to data protection, it must immediately inform the Data Controller.

In addition, where the Subcontractor is required to transfer personal data to a third country or to an international organisation under the law of the Union or the law of the Member States to which it is subject, the Subcontractor must inform the Controller of this legal obligation before carrying out the processing, unless that law prohibits the disclosure of such information on important public interest grounds. Notwithstanding the foregoing, the Subcontractor is expressly authorised by the Data Controller to process the data in order to improve the Subcontractor's technology and services and to provide such services as described in Section II.

3. guarantee the confidentiality of the personal data processed hereunder;

4. ensure that persons authorised to process personal data under this:

- are committed to confidentiality or are subject to an appropriate legal obligation of confidentiality;

- receive the necessary training in the protection of personal data.

5. take into account, with regard to its tools, products, applications or services, the principles of data protection by design and by default.

6. Sub-processors: The Data Controller acknowledges and agrees to the engagement by the Subcontractor of the following sub-processors in connection with the Services:

Sub-processor | Purpose | Location
Hetzner Online GmbH | Primary production hosting, databases, off-site backups | Germany (EU)
Stripe, Inc. | Payment processing and billing | Ireland (EU) / United States (SCC)
Spaceship / Spacemail | Transactional and account email delivery | European Union
Google LLC (Workspace Marketplace, Analytics, OAuth) | Google Sheets / Workspace integration, optional analytics, OAuth | United States (SCC + Data Privacy Framework)
OpenAI, L.L.C. | AI-powered content generation features (optional, opt-in) | United States (SCC)
Google Gemini (Google Cloud) | AI-powered content generation features (optional, opt-in) | United States (SCC + Data Privacy Framework)

The Subcontractor may engage additional sub-processors to perform specific processing activities. In such a case, the Subcontractor shall inform the Controller in writing at least 30 days in advance of any planned change concerning the addition or replacement of sub-processors. The notice will identify the processing activities subcontracted, the name, location, and contact details of the new sub-processor, and the date the new Subcontracting Contract takes effect. The Controller may object to any such change within 30 days of receiving the notice.

The Data Controller shall have a minimum of 30 (thirty) days from the date on which he receives the said information to object to it. The subsequent subcontracting contract is only possible if the Data Controller has not objected to it within the agreed time limit.

The Subsequent Subcontractor is required to comply with these obligations on behalf of and in accordance with the instructions of the Data Controller. It is the Subcontractor's responsibility to ensure that the Subcontractor provides the same sufficient guarantees for the implementation of appropriate technical and organisational measures so that the processing meets the requirements of the European Data Protection Regulation.

Where the Further Processor fails to fulfil its data protection obligations, the Subcontractor shall remain fully liable to the Controller for the performance of its obligations by the Further Processor.

7. Exercise of data subjects' rights: the Subcontractor shall assist the Controller, as far as possible, in fulfilling its obligation to respond to requests to exercise the data subject's rights: right of access, rectification, erasure and objection, right to limit processing, right to data portability, right not to be subject to automated individual decision making (including profiling).

When the data subjects send the Subcontractor requests to exercise their rights, the Subcontractor must forward these requests as soon as they are received by e-mail to the Controller.

8. Notification of personal data breach: the Subcontractor must notify the Controller of any personal data breach no later than 72 (seventy-two) hours after becoming aware of it and by e-mail. This notification must be sent with all the documentation necessary to enable the Controller, where appropriate, to notify the competent supervisory authority of the violation.

9. Assistance provided by the Subcontractor to the Data Controller with regard to compliance with its obligations: the Subcontractor shall assist the Data Controller in carrying out data protection risk analyses and with a view to prior consultation of the supervisory authority.

10. Security measures: the Subcontractor undertakes to implement appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure, including:

  • Encryption in transit: all network traffic between clients, servers, and sub-processors is encrypted using TLS 1.2 or higher.
  • Encryption at rest: production databases and backups are encrypted at rest using AES-256 (or equivalent) at the storage layer.
  • Access controls: role-based access to production systems, least-privilege principle, multi-factor authentication required for all administrator and engineer accounts.
  • Network isolation: production databases are not exposed to the public internet; administrative access requires VPN or bastion host.
  • Audit logging: access to production systems and personal data is logged; logs are retained for at least 90 days and reviewed on a regular cadence.
  • Secret management: credentials and API keys are stored in a dedicated secret manager, rotated regularly, and never committed to source control.
  • Backups: encrypted, within the EU, with restore tested periodically. Backups are destroyed in line with the retention schedule.
  • Vulnerability management: dependencies are monitored for known vulnerabilities and patched on a risk-based schedule; production systems receive security updates without undue delay.
  • Employee training: personnel with access to personal data receive data-protection training and are bound by confidentiality obligations.
  • Incident response: documented process to detect, investigate, contain, and notify on data-security incidents. Breaches affecting personal data are notified to the Controller within 72 hours as required by Article 33 GDPR.

Fate of the data: at the end of the Services relating to the processing of this data, the Subcontractor undertakes to destroy all personal data, no later than one month after the end of the Services.

11. Register of categories of processing activities: the Subcontractor declares that it keeps a written register of all categories of processing activities carried out on behalf of the Controller.

12. Documentation: the Subcontractor shall make available to the Controller the documentation necessary to demonstrate that it complies with all its obligations and to enable the Controller or any other auditor it has authorised to carry out audits, including inspections, and to contribute to such audits.

During these audits, the Controller or the auditor it has engaged for this purpose is not authorised to have access to business secrets, strategic information or any information that the Subcontractor has undertaken to keep confidential. The Subcontractor shall have the right to object to any inspections and/or verifications by the Controller or its auditor which might allow it to access such information, without the Controller being able to assert any right in this respect.

In any event, the Controller shall ensure that the auditor and, more generally, its staff carrying out such audits are subject to appropriate confidentiality obligations.

IV. Obligations of the Controller

1. Right to information and consent of the data subjects: it is the responsibility of the Controller to inform the data subjects of the processing operations at the time the data are collected. More specifically, insofar as the Controller is not aware of (i) the data subjects of the processing operation, (ii) the possible contractual relationship between the Controller and the data subjects and the purpose of the data processing and (iii) the settings decided and made by the Controller, it is incumbent on the Controller to define the appropriate legal basis for the processing.

Where appropriate, the Controller must obtain the consent of the data subjects with regard to the processing.

2. Synchronization of the employees' mailboxes: it is the responsibility of the Data Controller:

- to inform its employees that the Subcontractor will request access to their mailboxes in order to synchronise the data of the persons concerned (via Google Connect).

- to decide whether or not acceptance of this synchronisation is mandatory.

The Subcontractor's use and transfer of information collected from Google APIs are in accordance with the Google API Services User Data Policy, including the Limited Use requirements.

The Controller furthermore undertakes to:

3.1 provide the Subcontractor with the data mentioned in point II of this document;

3.2 record in writing any instructions relating to the processing of data by the Subcontractor. More specifically, the Subcontractor has developed a solution that takes into account the principles of privacy by design and by default and is the least intrusive. Other settings can be added by the Data Controller: it is up to the Data Controller to define the intended use and the corresponding settings of the solution. As in the situation previously indicated, any setting made by the Data Controller is considered as an instruction from the Data Controller to the Subcontractor;

3.3 ensure, before and during processing, compliance with the obligations of the Data Controller under the European Data Protection Regulation;

3.4 supervise processing, including conducting audits and inspections with the Subcontractor.
