Legal

Data Processing Agreement

The ScopeDeck Data Processing Agreement: how we process the client personal data you upload, as your processor under UK GDPR. A draft for legal review.

No card needed. 2 clients and 5 quotes free forever. Unlimited teammates.

TEMPLATE DRAFT, review with a qualified lawyer before publishing. This Data Processing Agreement is a starting point drafted for a UK/GDPR context and is not legal advice. Complete every [PLACEHOLDER], tailor it to how ScopeDeck actually processes data, and have it reviewed by a qualified solicitor before relying on it.

Last updated: [DATE]

This DPA forms part of the Terms of Service between [COMPANY LEGAL NAME] ("ScopeDeck", "Processor", "we") and the customer ("Controller", "you"). It governs our processing of personal data that you upload or generate about your own clients and their contacts when you use the Service ("Client Personal Data").

Roles: For Client Personal Data, you are the Controller and ScopeDeck is the Processor. (For your own account data, ScopeDeck is the Controller, see the privacy policy.)

1. Subject matter and duration

We process Client Personal Data to provide the Service to you, for the duration of your subscription and until deletion under clause 8.

2. Nature and purpose of processing

Hosting, storing, organising, displaying, generating documents from, enabling collaboration and e-signature on, and exporting the scopes, quotes, specifications and related content you create.

3. Types of personal data and data subjects

  • Data subjects: your clients and their contacts, and any individuals named in your scopes.
  • Types of data: names, business contact details, and any personal data you choose to include

in a Scope (for example, project stakeholders and signatory details for e-signature).

  • You must not upload special category data unless strictly necessary and lawful.

4. Our obligations as Processor

We will:

  • process Client Personal Data only on your documented instructions, including the Service's normal

operation, unless required by law (in which case we will tell you where permitted);

  • ensure persons authorised to process data are bound by confidentiality;
  • implement appropriate technical and organisational security measures (clause 6);
  • assist you, taking account of the nature of processing, with data subject requests and with your

obligations under Articles 32–36 UK GDPR;

  • make available information needed to demonstrate compliance and allow for audits under clause 9.

5. Sub-processors

You authorise us to engage sub-processors to provide the Service. Current sub-processors include:

  • [HOSTING PROVIDER, e.g. Supabase / PostgreSQL hosting], application database and hosting,

[REGION].

  • [CDN / SECURITY, e.g. Cloudflare], content delivery and protection, [REGION].
  • [PAYMENT PROVIDER], billing, [REGION].
  • [EMAIL PROVIDER], transactional and support email, [REGION].

We impose data protection obligations on sub-processors no less protective than this DPA, and remain responsible for their performance. We will give you notice of any intended change of sub-processor so you may object on reasonable data-protection grounds.

6. Security

We maintain appropriate technical and organisational measures, including: encryption in transit and at rest; tenant isolation between customer Spaces; role-based access control; regular backups; and audit logging. Further detail is on the security page. Measures may be updated provided protection is not reduced.

7. Personal data breach

We will notify you without undue delay after becoming aware of a personal data breach affecting Client Personal Data, and provide information reasonably available to help you meet your notification obligations.

8. Return and deletion

On termination or on your request, we will delete or return Client Personal Data and delete existing copies within [RETENTION PERIOD, e.g. 30–90 days], unless retention is required by law. You can export your content before deletion.

9. Audits

We will make available information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by you or an auditor you mandate, on reasonable notice, subject to confidentiality and not unreasonably disrupting the Service.

10. International transfers

Where processing involves transferring Client Personal Data outside the UK/EEA, we will rely on an appropriate transfer mechanism, such as the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses, together with any supplementary measures required.

11. Liability and precedence

Liability under this DPA is subject to the limitations in the Terms of Service. If there is a conflict between this DPA and the Terms regarding processing of Client Personal Data, this DPA prevails.

12. Contact

Data protection matters: [SUPPORT EMAIL], or [COMPANY LEGAL NAME], [ADDRESS]. ICO registration number [ICO NUMBER].