Data Processing Agreement

Last updated: November 26, 2024

This Data Processing Agreement ("DPA") is between ScopeLock (based in Ljubljana, Slovenia, European Union) and you, the customer. It forms part of our Terms of Service and governs how we handle personal data on your behalf when you use our Services.

This DPA applies when ScopeLock processes personal data as a "processor" (or "service provider") on your behalf. You, as the customer, are the "controller" (or "business") who determines what data to collect and how to use it.

1. Key Terms (Plain English)

  • Controller (That's You): You decide what personal data to collect and why. When you use ScopeLock to create scopes of work that may contain personal information about your clients or projects, you are the controller.
  • Processor (That's Us): We, ScopeLock, process the data only to provide you with our Services. We follow your instructions and don't use your data for our own purposes.
  • Subprocessor: Third-party vendors we use to help process data (e.g., hosting providers, payment processors, AI services).
  • Personal Data: Any information relating to an identified or identifiable person, such as names, email addresses, or other identifying information you may include in your project data.

2. Scope of Processing

2.1 What Data We Process

When you use ScopeLock, we process the following types of data on your behalf:

  • Project descriptions and client requirements you submit
  • Generated scope of work documents
  • Any edits or modifications you make to generated content
  • Project metadata (creation date, status, etc.)
  • Any personal information you choose to include in the above

2.2 How We Process Data

We process this data only to:

  • Provide you with AI-powered scope generation
  • Store and retrieve your projects
  • Enable PDF export and other features
  • Provide customer support when you request it
  • Maintain and improve the Services (using aggregated, anonymized data)

Important: We never use your specific Customer Data to train AI models accessible to other users. We never sell or share your data with third parties for their marketing purposes.

2.3 Your Responsibilities

As the controller, you are responsible for:

  • Ensuring you have a lawful basis to collect and process any personal data you submit to ScopeLock
  • Obtaining necessary consent from your clients or data subjects
  • Complying with applicable data protection laws (GDPR, CCPA, etc.)
  • Not submitting sensitive personal data (health, financial, biometric data) unless absolutely necessary

3. Data Subject Rights

If your clients or data subjects exercise their rights (e.g., right to access, deletion, or portability), you are responsible for responding to these requests.

ScopeLock will assist you in meeting these obligations by providing you with the ability to:

  • Access and export your data (via PDF export and data download)
  • Delete specific projects or your entire account
  • Update or correct information in your projects

For assistance with data subject requests, contact us at scopelockapp@gmail.com.

4. Data Retention

We retain Customer Data according to the following schedule:

Active Customers

Data is retained for as long as your account is active and you maintain the data in your account.

After Account Deletion

When you delete your account, we delete all Customer Data within 30 days, except as required by law or as necessary to resolve disputes.

Backups

Deleted data may persist in backups for up to 90 additional days before being permanently removed.

You can request deletion of specific projects or your entire account at any time through your account settings or by contacting us.

5. Subprocessors

We use the following trusted third-party vendors ("subprocessors") to help provide the Services:

Subprocessor                       Purpose                                     Location
Google Cloud Platform / Firebase   Database hosting, authentication, storage   United States
Google AI (Gemini)                 AI-powered scope generation                 United States
Stripe                             Payment processing                          United States
Vercel                             Application hosting and deployment          United States

We carefully select subprocessors that provide adequate data protection safeguards. All subprocessors are contractually obligated to protect your data and use it only to provide services to us.

We may add or replace subprocessors as necessary to improve the Services. We will update this page when we make changes to our subprocessor list. For material changes, we will notify you via email.

6. International Data Transfers

ScopeLock is based in Ljubljana, Slovenia, which is part of the European Union. This means we are directly subject to GDPR and EU data protection regulations.

However, some of our subprocessors (Google Cloud, Stripe, Vercel) may transfer and process data outside the EU, including in the United States.

6.1 Safeguards for International Transfers

For any data transfers outside the EU, we rely on:

  • Standard Contractual Clauses (SCCs): We use EU-approved Standard Contractual Clauses with our subprocessors for any transfers outside the EU/EEA.
  • Data Processing Agreements: Our subprocessors (Google Cloud, Stripe, Vercel) provide GDPR-compliant data processing agreements.
  • Technical and Organizational Measures: We implement encryption, access controls, and other security measures to protect transferred data.

6.2 EU Data Protection

As an EU-based company, ScopeLock is directly subject to GDPR. This provides strong protection for all personal data we process, regardless of where our customers are located. EU customers benefit from the full protections of GDPR, and non-EU customers benefit from our compliance with these high standards.

7. Security Measures

We implement the following technical and organizational measures to protect Customer Data:

7.1 Technical Measures

  • Encryption in Transit: All data transmitted between your browser and our servers is encrypted using HTTPS/TLS.
  • Encryption at Rest: Sensitive data is encrypted when stored in our databases.
  • Access Controls: Role-based access controls ensure that only authorized personnel can access Customer Data.
  • Secure Authentication: We use Firebase Authentication with industry-standard OAuth protocols.
  • Regular Updates: We keep our systems and dependencies up to date with the latest security patches.

7.2 Organizational Measures

  • Employee Training: Our team members are trained on data protection best practices.
  • Confidentiality Agreements: All personnel with access to Customer Data are bound by confidentiality obligations.
  • Incident Response: We have procedures in place to detect, respond to, and notify you of security incidents.
  • Regular Audits: We regularly review and test our security controls.

7.3 Data Breach Notification

In the event of a data breach that affects Customer Data, we will notify you without undue delay and no later than 72 hours after becoming aware of the breach, unless prohibited by law enforcement.

8. Roles & Responsibilities

8.1 Your Responsibilities (as Controller)

  • Ensure you have a lawful basis to collect and process personal data
  • Obtain necessary consents from data subjects
  • Comply with applicable data protection laws (GDPR, CCPA, etc.)
  • Implement appropriate privacy notices and disclosures
  • Respond to data subject requests (with our assistance)
  • Not submit unlawful, harmful, or sensitive personal data to the Services

8.2 Our Responsibilities (as Processor)

  • Process Customer Data only on your instructions and as necessary to provide the Services
  • Maintain confidentiality and security of Customer Data
  • Assist you in responding to data subject requests (within reason)
  • Assist you in ensuring compliance with data protection obligations
  • Delete or return Customer Data upon termination (as requested)
  • Notify you of data breaches affecting your data
  • Maintain records of processing activities

9. Audit Rights

Upon reasonable notice, you have the right to audit our compliance with this DPA. In most cases, we will provide you with:

  • Copies of relevant security certifications
  • Responses to reasonable information requests
  • Documentation of our security and privacy practices

For on-site audits, please contact us at least 30 days in advance. We may charge reasonable fees to cover our costs for extensive audits.

10. Term & Termination

This DPA remains in effect for as long as you use the Services and we process Customer Data on your behalf.

10.1 Effect of Termination

Upon termination of your account or our Services:

  • We will delete or return Customer Data within 30 days, as you instruct
  • We will certify in writing that we have deleted your data (upon request)
  • We may retain certain data as required by law or for legitimate business purposes (e.g., dispute resolution)

11. Governing Law & Jurisdiction

This DPA is governed by the laws of Slovenia and is subject to the General Data Protection Regulation (GDPR) and other applicable EU data protection laws.

Any disputes arising from this DPA shall be subject to the exclusive jurisdiction of the courts in Ljubljana, Slovenia.

In case of conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to data processing matters.

Agreement

By using ScopeLock, you acknowledge that you have read and agree to this Data Processing Agreement.

Contact Us

For questions about this Data Processing Agreement or our data practices, please contact:

Email: scopelockapp@gmail.com

General inquiries: scopelockapp@gmail.com

Last updated: November 29, 2025