Data Processing Agreement
Last updated: 2026-06-22
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Scouti ("we", "us") and the organization that holds the account ("Customer", "you"). It applies whenever we process personal data on the Customer's behalf in connection with the Service. If there is any conflict between this DPA and the rest of the Terms on the subject of data protection, this DPA controls.
1. How this agreement is entered into
This DPA is between Scouti and the Customer organization — not between Scouti and each individual user. When a person accepts the Terms on behalf of an organization, they confirm that they are authorized to bind that organization, and that single acceptance brings this DPA into effect for the whole account.
One DPA governs the entire organization: all of its projects, and every team member invited into it, are covered by that one agreement. Inviting additional members — or a member accepting the Terms in order to use the dashboard — does not create additional or separate data-processing agreements. If your procurement process requires a countersigned copy, email us; the executed document is still a single agreement with the organization.
2. Definitions
- Applicable Data Protection Law — the EU GDPR, the UK GDPR, the Swiss FADP, and U.S. state privacy laws including the CCPA (as amended by the CPRA), each to the extent it applies to the processing.
- Customer Personal Data — personal data contained in Customer Content and End-User Data that we process on the Customer's behalf under the Terms.
- Controller, Processor, Sub-processor, Data Subject, Personal Data, Processing, and Personal Data Breach — have the meanings given in Applicable Data Protection Law.
Other capitalized terms have the meaning given to them in the Terms or the Privacy Policy.
3. Roles and instructions
For Customer Personal Data, the Customer is the Controller (or is itself a Processor acting for its own customers) and Scouti is the Processor (or Sub-processor). We process Customer Personal Data only on the Customer's documented instructions. The Terms, this DPA, the project and widget settings the Customer configures in the dashboard, and the Customer's use of the Service together make up those instructions.
We will inform the Customer if, in our opinion, an instruction infringes Applicable Data Protection Law. We do not process Customer Personal Data for our own purposes, and we do not sell it.
4. Confidentiality
We ensure that personnel authorized to process Customer Personal Data are bound by appropriate confidentiality obligations and access the data only on a need-to-know basis.
5. Security
We maintain technical and organizational measures appropriate to the risk, including encryption in transit (TLS 1.2 or higher), encryption at rest (AES-256), per-project isolation enforced by database row-level security, access controls with multi-factor authentication, and logging. These measures are described in Section 10 of the Privacy Policy and summarized in Annex B. We may update them provided the level of protection is not materially reduced.
6. Sub-processors
The Customer gives Scouti general written authorization to engage the Sub-processors listed in Annex A to process Customer Personal Data. We impose data-protection obligations on each Sub-processor that are no less protective than this DPA, and we remain responsible for their performance.
We will give advance notice of any new Sub-processor by updating Annex A and, for material changes, notifying account owners. If the Customer has a reasonable, data-protection-based objection, it may raise it within 30 days; we will work in good faith to address it, and if we cannot, the Customer may terminate the affected part of the Service.
7. Assistance to the Customer
Taking into account the nature of the processing, we will assist the Customer — by appropriate technical and organizational measures, and insofar as possible — to respond to requests from Data Subjects exercising their rights, and to meet the Customer's own obligations around security, breach notification, data-protection impact assessments, and prior consultation. Most End-User Data is accessible to the Customer directly through the dashboard, which lets the Customer fulfil many such requests itself.
If we receive a request directly from a Data Subject relating to Customer Personal Data, we will not respond on its merits but will forward the request to the Customer without undue delay.
8. Personal data breaches
We will notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and we will provide the information the Customer reasonably needs to meet its own notification obligations (including, where Article 33 GDPR applies, within the required timeframe). We will take reasonable steps to mitigate and remediate the breach.
9. International transfers
We store Customer Personal Data only in the United States (our database, files, and backups are hosted in AWS us-west-2). To generate replies and transcribe voice, we transmit the Customer Personal Data needed for a given request to the AI Sub-processors listed in Annex A, which process it only transiently to return a response and do not retain it; that processing may occur in the United States or in another region outside mainland China. In no case do we store or process Customer Personal Data in mainland China.
Where Customer Personal Data is transferred from the European Economic Area, the United Kingdom, or Switzerland to a country without an adequacy decision, the parties rely on the EU Standard Contractual Clauses (together with the UK Addendum and Swiss adaptations, as applicable), which are incorporated into this DPA by reference. The same safeguards flow down to Sub-processors.
10. Return and deletion
On termination of the Service, or on the Customer's request, we will delete or return Customer Personal Data and delete existing copies within 30 days, except to the extent retention is required by law or is held in backups that are deleted on a rolling schedule. This mirrors Section 8 of the Privacy Policy.
11. Audits
We will make available to the Customer the information reasonably necessary to demonstrate compliance with this DPA. No more than once per year and on reasonable prior notice, the Customer may request additional information or an audit limited to our processing of that Customer's Customer Personal Data, conducted during business hours, subject to confidentiality, and in a manner that does not compromise other customers' data. We may satisfy audit requests by providing existing reports or completed security questionnaires.
12. California (CCPA / CPRA)
To the extent we process personal information subject to the CCPA on the Customer's behalf, we act as a "service provider". We will not sell or share that personal information; we will not retain, use, or disclose it except to provide the Service or as otherwise permitted by the CCPA; and we will not combine it with personal information from other sources except as the CCPA allows. See Your Privacy Choices.
13. Liability and precedence
This DPA forms part of the Terms. Each party's liability under it is subject to the limitations and exclusions of liability in the Terms. Except as expressly amended here, the Terms remain in full force and effect.
14. Changes and contact
We may update this DPA in line with Section 14 of the Privacy Policy; the "Last updated" date above reflects the current version. For DPA questions or to request a countersigned copy, email hello@scouti.chat.
Annex A — Details of the processing and sub-processors
Subject matter and duration
Provision of the Service (AI-assisted feedback collection through the widget and dashboard), for the term of the Terms plus the deletion period in Section 10.
Nature and purpose of processing
Collecting, transcribing, storing, generating replies to, and summarizing feedback conversations so the Customer can gather and review feedback from its end-users.
Categories of data subjects
The Customer's end-users and site visitors who interact with the widget, and the Customer's own dashboard users.
Types of personal data
Session and device identifiers; technical data such as a coarse (truncated) IP address, the browser user-agent, language, and screen size; interaction and diagnostic events about how the widget is used (for example which prompts were shown, panel open/close, text vs. voice input, message length, and errors — never message content); any end-user identifier the Customer passes to the widget; the content of conversations (text and voice transcripts), which may contain whatever personal data a Data Subject chooses to provide; and dashboard account details such as name and email. The Service is not intended for, and the Customer must not use it to collect, special categories of personal data.
Sub-processors
- Supabase — application database, authentication, and file storage
- Vercel — hosting of the dashboard and APIs
- Cloudflare — DNS, CDN, and bot protection
- Stripe — billing and payment processing
- Resend — transactional email
- Fireworks, Alibaba Cloud, Google, Groq, OpenAI — AI model providers for reply generation and voice transcription
Our storage and platform Sub-processors (Supabase, Vercel, Cloudflare, Stripe, Resend) process Customer Personal Data in the United States. The AI Sub-processors (Fireworks, Alibaba Cloud, Google, Groq, OpenAI) process it only transiently to generate a response — in the United States or another region outside mainland China — and do not retain it beyond what is necessary. No Sub-processor stores or processes Customer Personal Data in mainland China.
Annex B — Technical and organizational measures
- Encryption in transit (TLS 1.2 or higher) and at rest (AES-256).
- Per-project data isolation enforced by database row-level security.
- Access restricted to authorized personnel, protected by multi-factor authentication, and logged.
- Infrastructure hosted on platforms that maintain recognized security certifications (for example, SOC 2).
- Regular backups, deleted on a rolling schedule.