Data Processing Addendum

Effective Date: Feb 12, 2025

This Data Processing Addendum ("DPA") is entered into by and between ScopeStack Corp. ("ScopeStack") and the entity agreeing to these terms ("Customer"). This DPA supplements the ScopeStack Terms of Service ("Agreement") and applies to the processing of Customer Data by ScopeStack as part of providing its services.

1. DEFINITIONS

  • "Customer Data": Any data, content, or information submitted by Customer to the ScopeStack platform.
  • "Data Controller": The entity determining the purpose and means of processing personal data (Customer).
  • "Data Processor": The entity processing data on behalf of the Data Controller (ScopeStack).
  • "Personal Data": Any information relating to an identified or identifiable individual.
  • "Processing": Any operation performed on Personal Data, including collection, storage, transfer, or deletion.
  • "Subprocessor": Any third-party entity engaged by ScopeStack to process Customer Data.

2. SCOPE AND APPLICABILITY

2.1 Roles of the Parties

ScopeStack acts as a Data Processor, processing Customer Data on behalf of the Data Controller (Customer).

2.2 Scope of Processing

ScopeStack processes Customer Data only as necessary to provide its cloud-based scoping and pricing services in accordance with the Agreement. Processing includes storage, retrieval, transmission, and deletion of Customer Data.

3. CUSTOMER OBLIGATIONS

3.1 Compliance with Laws

Customer is responsible for ensuring its collection and use of Customer Data complies with applicable data protection laws.

3.2 Data Accuracy & Legality

Customer represents that it has obtained all necessary rights, permissions, and consents to provide Customer Data to ScopeStack.

4. SCOPESTACK OBLIGATIONS

4.1 Data Processing Restrictions

ScopeStack will process Customer Data only as directed by Customer and not for any other purposes, except where required by law.

4.2 Confidentiality & Access Control

ScopeStack restricts access to Customer Data only to authorized personnel who need access to perform their duties.

4.3 Security Measures

ScopeStack implements industry-standard security measures to protect Customer Data from unauthorized access, including:

  • Encryption in transit and at rest
  • Access controls and authentication measures
  • Secure data disposal practices (as defined in the Data Management Policy)

4.4 Incident Response

ScopeStack will notify Customer without undue delay if it becomes aware of any unauthorized access, use, or disclosure of Personal Data.

4.5 Subprocessors

ScopeStack may engage third-party subprocessors to process Customer Data. ScopeStack will ensure all subprocessors comply with obligations equivalent to those outlined in this DPA. A list of subprocessors is available upon request.

4.6 Third Party Subprocessors

ScopeStack may engage third-party subprocessors to assist in providing the Services. A list of current subprocessors is available in Appendix B. By using the Services, Customer acknowledges and agrees to the use of subprocessors as necessary to fulfill ScopeStack's obligations under this Agreement.

ScopeStack shall ensure all subprocessors:

  • Comply with obligations equivalent to those set forth in this Agreement.
  • Maintain appropriate security measures to protect Customer Data.
  • Process Customer Data only for the purposes outlined in this Agreement.

5. DATA SUBJECT REQUESTS

5.1 Handling Requests

If ScopeStack receives a Data Subject Request (e.g., request for access, correction, or deletion), ScopeStack will:

  • Promptly notify Customer (unless legally prohibited).
  • Provide reasonable assistance in responding to such requests.

6. DATA RETENTION & DELETION

6.1 Retention Periods

Customer Data is retained as long as necessary to provide the Service, or as required by applicable law. Upon contract termination, Customer Data is deleted within 90 days, except where legal or contractual obligations require longer retention (as outlined in the Data Management Policy).

6.2 Data Disposal

ScopeStack ensures secure deletion of Personal Data when no longer needed. Physical media and devices storing Customer Data are securely wiped or destroyed.

APPENDIX B – SUBPROCESSORS

ScopeStack uses the following subprocessors for service delivery:

Subprocessor  | Purpose                          | Location
AWS           | Cloud Hosting & Storage          | USA
HubSpot       | Customer Relationship Management | USA
HubSpot       | Customer Support                 | USA
Twilio        | Transactional Emails             | USA
Workato Inc.  | Integration Platform             | USA

(ScopeStack will update this list as needed.)

Contact Information

If you have any questions about this Data Processing Addendum, please contact us at:

ScopeStack Corp.
PO BOX 26974
Greenville, SC 29616
Email: support@scopestack.io