ScopeSage

Data Processing Addendum (DPA)

Last updated: 9/11/2025

1. Introduction

This Data Processing Addendum ("DPA") forms part of the Terms of Service between ScopeSage ("Processor") and users of our services ("Controller"). This DPA outlines our roles and responsibilities regarding the processing of personal data in accordance with applicable data protection laws, including the General Data Protection Regulation (GDPR).

2. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person
  • "Processing" means any operation performed on Personal Data
  • "Data Subject" means the individual to whom Personal Data relates
  • "Data Breach" means a breach of security leading to accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of Personal Data

3. Roles and Responsibilities

3.1 Controller Responsibilities

The Controller (you) is responsible for:

  • Determining the lawful basis for processing Personal Data
  • Ensuring data subjects are informed of processing activities
  • Handling data subject rights requests
  • Ensuring data accuracy and relevance
  • Implementing appropriate security measures

3.2 Processor Responsibilities

ScopeSage (Processor) is responsible for:

  • Processing Personal Data only on documented instructions from the Controller
  • Implementing appropriate technical and organizational security measures
  • Assisting the Controller in fulfilling data subject rights
  • Notifying the Controller of any Data Breaches
  • Ensuring confidentiality of processing activities

4. Data Processing Details

4.1 Nature and Purpose of Processing

ScopeSage processes Personal Data for the following purposes:

  • Providing change order management services
  • Facilitating client communications and approvals
  • Generating and storing documents and audit trails
  • Processing payments and financial transactions
  • Providing customer support and service improvements

4.2 Types of Personal Data Processed

  • Account Information: Names, email addresses, company details
  • Business Data: Client contact information, project details
  • Change Order Content: Project specifications, pricing, timelines
  • Approval Data: Client decisions, timestamps, IP addresses
  • Communication Data: Email content, notifications, support requests

4.3 Data Subjects

  • Your employees and authorized users
  • Your clients and business contacts
  • Individuals referenced in change orders or project materials

5. Security Measures

ScopeSage implements the following technical and organizational security measures:

5.1 Technical Security

  • 256-bit SSL encryption for data in transit
  • AES encryption for data at rest
  • Multi-factor authentication support
  • Regular security audits and penetration testing
  • Automated backup and disaster recovery

5.2 Organizational Security

  • Role-based access controls
  • Employee background checks and training
  • Regular access reviews and updates
  • Monitoring and logging of all access
  • Incident response procedures

6. Sub-processors

ScopeSage uses the following sub-processors to provide our services:

Authorized Sub-processors:

  • Stripe: Payment processing and billing services
  • Resend: Email delivery and transactional communications
  • OpenAI: AI-powered content extraction and generation
  • MongoDB Atlas: Database hosting and management
  • Vercel: Application hosting and CDN services

Sub-processor Changes: We will notify you of any intended changes concerning the addition or replacement of sub-processors, thereby giving you the opportunity to object to such changes.

7. Data Subject Rights

ScopeSage will assist you in fulfilling data subject rights requests:

  • Access: Providing information about processing activities
  • Rectification: Correcting inaccurate or incomplete data
  • Erasure: Deleting Personal Data when requested
  • Portability: Exporting data in a structured format
  • Restriction: Limiting processing activities
  • Objection: Handling objections to processing

8. Data Breach Procedures

In the event of a Data Breach, ScopeSage will:

  • Notify you without undue delay after becoming aware of the breach
  • Provide detailed information about the nature of the breach
  • Assist in notifying relevant supervisory authorities
  • Implement remedial measures to mitigate the breach
  • Document all breach-related activities and decisions

9. International Data Transfers

ScopeSage may transfer Personal Data internationally. We ensure adequate protection through:

  • Standard Contractual Clauses (SCCs): EU-approved data transfer mechanisms
  • UK International Data Transfer Agreement (IDTA): For UK data transfers
  • Adequacy decisions: From regulatory authorities for approved countries
  • Binding Corporate Rules: Where applicable for corporate transfers

10. Data Retention and Deletion

Personal Data will be retained only as long as necessary to:

  • Provide our services and fulfill contractual obligations
  • Comply with legal and regulatory requirements
  • Resolve disputes and enforce agreements
  • Maintain audit trails for compliance purposes

Upon termination of services or at your request, we will delete or return all Personal Data, except where retention is required by law or for legitimate business purposes.

11. Audit and Compliance

ScopeSage will:

  • Make available to you all information necessary to demonstrate compliance with GDPR Article 28
  • Allow for and contribute to audits, including inspections, conducted by you or your authorized auditor
  • Immediately inform you if we believe an instruction infringes applicable data protection law
  • Maintain records of all processing activities as required by GDPR Article 30

12. Contact Information

For questions about this DPA or data protection matters, please contact us at:

  • Email: privacy@scopesage.app
  • Address: ScopeSage Privacy Officer, Dublin, Ireland

GDPR Compliance: This DPA is designed to ensure compliance with GDPR Article 28 requirements and equivalent provisions in other applicable data protection laws. It establishes clear roles, responsibilities, and procedures for protecting Personal Data processed through our services.

Integration: This DPA is automatically incorporated by reference into all change order templates and legal agreements. By using ScopeSage services, you acknowledge and agree to the terms of this DPA.
