Data Processing Addendum 

This Data Processing Addendum ("DPA") supplements the agreement entered into between the Client identified in the Order Form and Scope Inspection Ltd ("Scope") for the provision of the Scope Service, comprising the terms of service at https://www.getscope.ai/terms and any Order Form or such other terms as the parties may agree (the "Agreement"), in relation to the transfer and processing of Covered Data in connection with the provision of the Scope Service. 

  1. DEFINITIONS 

1.1 Capitalised terms used but not defined within this DPA will have the meaning set forth in the Agreement. The following capitalised terms used in this DPA will be defined as follows: 

"Adequate Jurisdiction" means the UK, EEA or a country or territory deemed to provide adequate protection for the rights and freedoms of individuals, as set out in: (a) the Data Protection Act 2018 or regulations made by the UK Secretary of State under the Data Protection Act 2018; and (b) with respect to Data Subjects in the EEA, a decision of the European Commission. 

"Anonymised Data" means data created using Covered Data that cannot reasonably be linked to such Covered Data, directly or indirectly. 

"Applicable Data Protection Laws" means all applicable laws, rules, regulations, and governmental requirements relating to the privacy, confidentiality, or security of Personal Data, as they may be amended or otherwise updated from time to time, including (without limitation): the GDPR and the US Data Protection Laws.  

"Approved Addendum" means the template addendum, version B.1.0 issued by the UK Information Commissioner under S119A(1) Data Protection Act 2018 and laid before the UK 

Parliament on 2 February 2022, as it may be revised according to Section 18 of the Approved Addendum. 

"CCPA" means the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq., as amended, including its implementing regulations and the California Privacy Rights Act of 2020. 

"Controller Purposes" means: (a) undertaking internal research and development to develop, test, improve and alter the functionality of the Scope Service and machine learning model performance; (b) creating anonymised datasets for training or evaluation of the Scope Service; and (c) administering the Client's relationship with Scope under the Agreement. 

"Covered Data" means Personal Data that is: (a) contained in the Client Data and the Outputs; or (b) obtained, developed, produced or otherwise Processed by Scope, or its agents or subcontractors, for the purposes of providing the Scope Service, in each case as further described in Schedule 1. 

"Data Subject" means a natural person whose Personal Data is Processed. 

"EEA" means the European Economic Area. 

"GDPR" means Regulation (EU) 2016/679 (the "EU GDPR") or, where applicable, the "UK GDPR", as defined in section 3 of the Data Protection Act 2018.  

"Personal Data" means any data or information that: (a) is linked or reasonably linkable to an identified or identifiable natural person; or (b) is otherwise "personal data," "personal information," "personally identifiable information," or similarly defined data or information under Applicable Data Protection Laws. 

"Processing" means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether by automated means. "Process", "Processes" and "Processed" will be interpreted accordingly. 

"Prohibited Personal Data" means: (a) Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, criminal convictions and any other special categories of Personal Data identified in Article 9 of the GDPR or Personal Data that is otherwise sensitive Personal Data under Applicable Data Protection Laws; (b) biometric identifiers or templates; (c) financial information (including, without limitation, billing information and cardholder or sensitive authentication data, as those terms are defined under the Payment Card Industry Data Security Standard); (d) personally identifiable financial information, as defined by and subject to the Gramm-Leach-Bliley Financial Modernization Act of 1999; (e) national identification numbers (including, without limitation, Social Security Numbers, Social Insurance Numbers, driver's license or passport numbers or other governmentally-issued identification numbers); (f) information relating to individuals under the age of 13; (g) education records, as defined under the Family Educational Rights and Privacy Act of 1974; (h) protected health information as defined by, and subject to, the Health Insurance Portability and Accountability Act. 

"Security Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to (including unauthorised internal access to), Covered Data. 

"Standard Contractual Clauses" or "SCCs" means the Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914. 

"Sub-processor" means a Processor appointed by another Processor to Process Personal Data on its behalf. 

"US Data Protection Laws" means all applicable federal and state laws rules, regulations, and governmental requirements relating to data protection, the Processing of Personal Data, privacy and/or data protection in force from time to time in the United States, including (without limitation): the CCPA, the Virginia Consumer Data Protection Act, Code of Virginia Title 59.1 Chapter 52 § 59.1-571 et seq., the Colorado Privacy Act, Colorado Revised Statute Title 6 Article 1 Part 13 § 6-1-1301 et seq., the Utah Consumer Privacy Act, Utah Code § 13-6-101 et seq., Connecticut Senate Bill 6, An Act Concerning Personal Data Privacy and Online Monitoring (as such law is chaptered and enrolled). 

1.2 The terms "controller", "processor", "business" and "service provider" have the meanings given to them in the Applicable Data Protection Laws. 

  2. INTERACTION WITH THE AGREEMENT

2.1 This DPA is incorporated into and forms an integral part of the Agreement. This DPA supplements and (in case of contradictions) supersedes the Agreement with respect to any Processing of Covered Data. 

  3. ROLE OF THE PARTIES

The parties acknowledge and agree that: 

  (a) save as set out in paragraph 3(b), Scope acts as a processor or service provider in the performance of its obligations under the Agreement and this DPA and Client acts as a controller or business; and

  (b) for the purposes of the GDPR, Scope acts as a controller with respect to any Processing of Covered Data for the Controller Purposes.

  4. PROCESSING OF PERSONAL DATA

4.1 The details of the Processing of Personal Data under the Agreement and this DPA (including subject matter, nature and purpose of the Processing, categories of Personal Data and Data Subjects) are described in the Agreement and in Schedule 1 to this DPA. 

4.2 Scope shall: 

  1. comply with its obligations under Applicable Data Protection Laws and any restrictions on Processing Covered Data in the Agreement; 

  2. only Process the Covered Data: 

  1. for the Controller Purposes; and 

  2. otherwise on behalf of and under the instructions of Controller, unless processing is required to comply with applicable law in the UK (in which case Scope shall inform the Client of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest). 

4.3 The Agreement and this DPA shall constitute Client's instructions for the Processing of Covered Data. Client may issue further written instructions in accordance with this DPA.

4.4 Without limiting the foregoing, Scope is prohibited from:

  1. selling Covered Data or otherwise making Covered Data available to any third party for monetary or other valuable consideration; 

  2. sharing Covered Data with any third party for cross-context behavioural advertising; 

  3. retaining, using, or disclosing Covered Data for any purpose other than for the business purposes specified in the Agreement; 

  4. retaining, using, or disclosing Covered Data outside of the direct business relationship between the parties; and 

  5. combining Covered Data with Personal Data that Scope receives from or on behalf of another person or persons, or collects from its own interaction with the Data Subject. 

4.5 Scope will: 

  1. provide Client with information to enable Client to conduct and document any data protection assessments required under Applicable Data Protection Laws; and  

  2. promptly inform Client if, in its opinion, an instruction from Client infringes Applicable Data Protection Laws. 

  5. CLIENT OBLIGATIONS

5.1 Client shall comply with its obligations as a controller, business or equivalent term under the Applicable Data Protection Laws, and shall: 

  1. provide such information to Data Subjects regarding the Processing of their Covered Data in connection with the Client's use of the Scope Service as required under Applicable Data Protection Laws; and 

  2. to the extent required for the lawful Processing of Covered Data under Applicable Data Protection Laws, obtain valid consents from Data Subjects for such Processing in the form required under Applicable Data Protection Laws. 

5.2 Client shall not (and shall ensure that Authorised Users do not) include any Prohibited Personal Data in the Client Data.

5.3 Scope will not be liable to Client, whether in contract, tort (including negligence) or restitution, or for breach of statutory duty or misrepresentation, or otherwise, for any loss arising under or in connection with Scope's Processing of Covered Data to the extent such loss was caused (in whole or in part) by Client's failure to comply with its obligations under paragraph 5.1 or paragraph 5.2.

  6. CONFIDENTIALITY AND DISCLOSURE

6.1 Scope shall: 

  1. limit access to Covered Data to personnel who have a business need to have access to such Covered Data; and  

  2. ensure that such personnel are subject to obligations at least as protective of the Covered Data as the terms of this DPA and the Agreement, including duties of confidentiality with respect to any Covered Data to which they have access. 

  7. SUB-PROCESSORS

7.1 Scope may Process Covered Data anywhere that Scope or the Authorised Sub-processors maintain facilities, subject to the remainder of this paragraph 7. 

7.2 Client grants Scope general authorisation to engage any of the Sub-processors listed in Schedule 3, as amended in accordance with clause 7.4 (the "Authorised Sub-processors"), to Process Covered Data. 

7.3 Scope shall: 

  1. enter into a written agreement with each Authorised Sub-processor imposing data protection obligations that, in substance, are no less protective of Covered Data than Scope's obligations under this DPA; and  

  2. remain liable for each Authorised Sub-processor’s compliance with the obligations under this DPA. 

7.4 Scope shall provide Client with at least thirty (30) days’ notice of any proposed changes to the Authorised Sub-processors. Client shall notify Scope if it objects to the proposed change to the Authorised Sub-processors by providing Scope with written notice of the objection within thirty (30) days after Scope has provided notice to Client of such proposed change (an "Objection").

7.5 In the event Client submits an Objection to Scope, Scope and Client shall work together in good faith to find a mutually acceptable resolution to address such Objection. If Scope and Client are unable to reach a mutually acceptable resolution within a reasonable timeframe, which shall not exceed thirty (30) days, Client may terminate the portion of the Agreement relating to the Services affected by such change by providing written notice to Scope. If Scope cannot provide sufficient evidence that a new sub-processor complies with the obligations under this Agreement and Applicable Data Protection Laws, Scope shall refrain from engaging such sub-processor.

  8. DATA SUBJECT RIGHTS REQUESTS

8.1 Scope will notify Client without undue delay of any request received by Scope or any Authorised Sub-processor from a Data Subject to assert their rights in relation to Covered Data under Applicable Data Protection Laws (a "Data Subject Request").  

8.2 Other than in respect of any Processing of Covered Data for the Controller Purposes, Client will have sole discretion in responding to the Data Subject Request, and Scope shall not respond to the Data Subject Request, save that Scope may advise the Data Subject that their request has been forwarded to Client. 

8.3 Scope will provide Client with reasonable assistance as necessary for Client to fulfil its obligation under Applicable Data Protection Laws to respond to Data Subject Requests. 

  9. SECURITY

9.1 Scope will implement and maintain appropriate technical and organisational data protection and security measures designed to ensure security of Covered Data, including, without limitation, protection against unauthorised or unlawful Processing and against accidental loss, destruction, or damage of or to Covered Data.  

9.2 When assessing the appropriate level of security, Scope shall take into account the nature, scope, context and purpose of the Processing as well as the risks that are presented by the Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Covered Data. 

9.3 The Provider shall implement and maintain the following security measures: 

  1. Regular encrypted backups of all Customer Data with secure off-site storage; 

  2. Industry-standard encryption for Customer Data, both at rest and in transit; 

  3. Up-to-date malware and virus protection systems across all relevant infrastructure components; and 

  4. Regular security awareness training for all personnel with access to Customer Data, covering data protection, security best practices, and threat identification. 

9.4 The Provider shall review and update these security measures at least annually to ensure they remain appropriate and effective. 

  10. INFORMATION AND AUDITS

10.1 Scope shall notify Client promptly if Scope determines that it can no longer meet its obligations under Applicable Data Protection Laws. 

10.2 Client may take reasonable and appropriate steps to: 

  1. ensure that Scope uses Covered Data in a manner consistent with Client's obligations under Applicable Data Protection Laws; and 

  2. upon reasonable notice, stop and remediate unauthorised use of Covered Data. 

  11. SECURITY INCIDENTS

11.1 Scope shall notify Client in writing without undue delay, and in any event within forty-eight (48) hours, after becoming aware of any Security Incident.

11.2 Scope shall take reasonable steps to contain, investigate, and mitigate any Security Incident, and shall send Client timely information about the Security Incident, to the extent known to Scope or as the information becomes available to Scope, including, but not limited to, the nature of the Security Incident, the measures taken to mitigate or contain the Security Incident, and the status of the investigation.  

11.3 Scope shall provide reasonable assistance with Client's investigation of any Security Incidents and any of Client's obligations in relation to the Security Incident under Applicable Data Protection Laws, including any notification to Data Subjects or supervisory authorities. 

11.4 Scope's notification of or response to a Security Incident under this paragraph 11 shall not be construed as an acknowledgement by Scope of any fault or liability with respect to the Security Incident. 

  12. TERM, DELETION AND RETURN

12.1 This DPA shall commence on the Commencement Date and, notwithstanding any termination of the Agreement, will remain in effect until, and automatically expire upon, Scope's deletion or anonymisation of all Covered Data as described in this DPA. 

12.2 Scope shall: 

  1. if requested to do so by Client within fifteen (15) days of expiry of the Agreement (the "Retention Period"), provide a copy of all Covered Data in such commonly used format as requested by Client, or provide a self-service functionality allowing Client to download such Covered Data; and  

  2. on expiry of the Retention Period, delete all copies of Covered Data Processed by Scope or any Authorised Sub-processors, other than any Covered Data Processed for the Controller Purposes. 

  13. INTERNATIONAL TRANSFERS OF PERSONAL DATA

13.1 Scope shall not transfer any Covered Data to a recipient outside of the UK unless: 

  1. the recipient is in an Adequate Jurisdiction; or 

  2. the transfer is governed by an agreement incorporating: 

  1. standard data protection clauses approved under Section 119A of the Data Protection Act 2018; and 

  2. with respect to Data Subjects in the EEA, the Standard Contractual Clauses. 

13.2 The Approved Addendum shall, as further set out in Error! Reference source not found., apply to the transfer of any Covered Data from Scope to Client, and form part of this DPA, to the extent that the Client is not in an Adequate Jurisdiction.

13.3 The parties agree that execution of the Agreement shall have the same effect as signing the Approved Addendum.

  14. ANONYMISED DATA

If Scope receives Anonymised Data from or on behalf of Client, Scope shall: 

  1. take reasonable measures to ensure the information cannot be associated with a Data Subject; 

  2. publicly commit to Process the Deidentified Data solely in deidentified form and not to attempt to reidentify the information; and 

  3. contractually obligate any recipients of the Deidentified Data to comply with the foregoing requirements and Applicable Data Protection Laws. 

  15. GENERAL

15.1 The parties hereby certify that they understand the requirements in this DPA and will comply with them. 

15.2 The parties agree to negotiate in good faith any amendments to this DPA as may be required in connection with changes in Applicable Data Protection Laws. 

SCHEDULE 1 – DETAILS OF PROCESSING

Categories of Data Subjects

• Authorised Users

• End Customers (individual purchasers, subscribers or other consumers of the Controller’s goods and services)

Categories of Personal Data

• Name and contact details (email address and phone number)

• Role and position at Client

• Content of communications from Personnel to Scope (including requests and responses relating to IT support)

• Data relating to the Authorised User’s use of the Scope Service (including log data)

Special categories of Personal Data

• None

Frequency of transfers (where applicable)

• Continuous

Nature of the Processing

• Collection, storage, deletion, rectification, aggregation

Purposes of the Processing

Provision of the Scope Service for the client, namely receiving and processing AI Inputs and generating and providing access to Outputs.

Retention period

The duration of the Agreement

Sub-processors

SCHEDULE 2 – APPROVED ADDENDUM

1. Approved Addendum

With respect to any transfers referred to in clause 13, the Approved Addendum shall be completed as follows:

Exporter

• Parties’ details: Scope Inspection Ltd

• Contact person: Jonathan Low

Importer

• Parties’ details: The Client (as further identified in the Order Form)

• Contact person: The Client Contact identified in the Order Form

Addendum EU SCCs

The Approved EU SCCs, including the Appendix Information, and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum:

• Module: 4

• Module in operation: Yes

• Clause 7 (Docking Clause): Yes

• Clause 11 (Option): No

• Clause 9a (Prior Authorisation or General Authorisation): —

• Clause 9a (Time period): —

• Is personal data received from the Importer combined with personal data collected by the Exporter? Yes

“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:

• Annex 1A: List of Parties

• Annex 1B: Description of Transfer – as set out in Schedule 1 to this DPA

Ending this Addendum when the Approved Addendum changes 

Which Parties may end this Addendum as set out in Section 19: neither Party 

AUTHORISED SUB-PROCESSORS 

Name of Subprocessor - Description of Processing 

Google Cloud - Document Storage and Processing 

Amazon Web Services - Document Storage and Processing

Anthropic - Document Processing 

Microsoft Azure - Document Processing 
