Legal

Data Processing Addendum

Last updated: May 7, 2026

This Data Processing Addendum (“DPA”) supplements the Scaler Pro Terms of Service and applies when Customer Data includes personal data subject to GDPR, UK GDPR, or other applicable data protection laws.

1. Roles

You are the Data Controller. Scaler Pro acts as Data Processor and processes personal data only on documented instructions from you (which include using our service for its intended purpose).

2. Sub-processors

We engage the following sub-processors:

  • Stripe — payment processing (USA, EU)
  • Resend / Postmark — transactional email (USA, EU)
  • Anthropic — AI inference for Sonnet, Opus, and ModelForge (USA)
  • Cloudflare — DNS, DDoS protection, edge caching (Global)
  • Hosting infrastructure provider — virtual servers, storage, networking

We will notify you at least 30 days before adding new sub-processors. You may object to a new sub-processor; if we cannot reasonably accommodate the objection, you may terminate the affected service for a pro-rata refund.

3. Security Measures

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • Per-tenant logical isolation; client-id scoped queries
  • Role-based access control with mandatory two-factor authentication for production access
  • Audit logs for all administrative actions
  • Annual penetration tests; SOC 2 Type II audit in progress
  • Defense-in-depth: WAF, rate limiting, anomaly detection

4. International Transfers

For transfers from the EEA, UK, or Switzerland to countries without an adequacy decision, we rely on the European Commission's Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum, supplemented by additional safeguards.

5. Data Subject Rights

You retain full responsibility for responding to data subject requests. We will provide reasonable assistance — including data export tools and deletion features — to help you meet these obligations within applicable timelines.

6. Breach Notification

We will notify you of any personal data breach within 72 hours of discovery, with available facts and an action plan. We will assist you with regulatory and data-subject notifications as required.

7. Audits

Once per year, you may request an audit summary or a copy of our most recent SOC 2 report (subject to NDA). On-site audits are available for Enterprise customers, on reasonable advance notice.

8. Deletion / Return on Termination

On termination, we will delete or return Customer Data within 90 days, subject to legal retention obligations. Backup copies are deleted on the regular backup rotation schedule (max 30 additional days).

9. Term

This DPA is effective for as long as we process personal data on your behalf and survives termination of the underlying service to the extent we retain such data.

Contact

DPO / Privacy contact: privacy@scalerpro.app