Data Processing Addendum
Data processing terms for covered customer personal data processed through ScaleAPIs.
Overview
This Data Processing Addendum ("DPA") forms part of the agreement between Scale APIs and the customer entity that enters into the applicable ScaleAPIs Terms of Service, order form, or other written services agreement (the "Agreement").
This DPA applies only to the extent that Scale APIs processes Customer Personal Data on behalf of Customer in connection with the covered services.
Definitions
For purposes of this DPA:
"Customer" means the customer entity that is a party to the Agreement.
"Scale APIs" means the Scale APIs contracting entity identified in the Agreement.
"Customer Personal Data" means personal data processed by Scale APIs on behalf of Customer in connection with the covered services.
"Data Protection Law" means applicable data protection and privacy laws governing the processing of Customer Personal Data under the Agreement.
"Subprocessor" means a third party engaged by Scale APIs to process Customer Personal Data on behalf of Customer in connection with the covered services.
Capitalized terms not defined in this DPA have the meanings given to them in the Agreement.
Scope And Roles
To the extent Scale APIs processes Customer Personal Data on behalf of Customer in connection with the covered services, Customer acts as controller or equivalent business and Scale APIs acts as processor or equivalent service provider.
This DPA does not apply where Scale APIs acts as an independent controller for its own purposes, such as for:
account administration
billing and payment administration
fraud prevention and abuse prevention
security incident handling
legal compliance
support and operational communications
Those controller activities are governed by the ScaleAPIs Privacy Policy and the Agreement rather than this DPA.
Subject Matter, Duration, Nature, And Purpose
The subject matter, duration, nature, purpose, categories of data subjects, and categories of personal data for the covered processing are described in Schedule 1 and, where relevant, the product-specific notes in Schedule 2.
Scale APIs will process Customer Personal Data only for the duration of the Agreement and any limited post-termination period reasonably required to complete deletion, legal compliance, security handling, backup cycling, or other narrowly related operational obligations.
Customer Instructions
Scale APIs will process Customer Personal Data only on Customer's documented instructions, including as set out in the Agreement, this DPA, and Customer's use of the covered services and related configuration choices, unless otherwise required by applicable law.
If Scale APIs is required by applicable law to process Customer Personal Data other than on Customer's instructions, Scale APIs will inform Customer of that legal requirement before the processing unless applicable law prohibits that notice.
Scale APIs may decline or suspend instructions that would require unlawful processing or would materially compromise the security or integrity of the services.
Confidentiality
Scale APIs will ensure that persons authorized to process Customer Personal Data are subject to appropriate confidentiality obligations.
Security Measures
Scale APIs will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access, taking into account the nature of the processing, the services provided, and the state of implementation.
Those measures may include, as appropriate to the covered services:
access controls and authentication controls
request validation and abuse-prevention controls
rate limiting, monitoring, and operational safeguards
logging, troubleshooting, and incident-response controls
bounded retention and deletion controls associated with the selected workflow
infrastructure, storage, and service-security controls appropriate to the live deployment
The specific measures used by Scale APIs may evolve over time, provided that the overall security posture for the covered processing is not materially diminished.
Subprocessors
Customer grants Scale APIs general written authorization to use Subprocessors in connection with the covered services.
Scale APIs will maintain a current public subprocessor list at the applicable ScaleAPIs subprocessor page. That list may identify the Subprocessors used for hosting, storage, infrastructure, and related operational purposes.
Where required by applicable law, Scale APIs will use commercially reasonable efforts to provide advance notice of material changes to the Subprocessor list through an updated public list, customer notice, or another reasonable method.
If Customer has a reasonable data protection objection to a new Subprocessor required for the covered services, the parties will work in good faith to address the concern. If the concern cannot reasonably be resolved, Customer may stop using the affected service in accordance with the Agreement.
Scale APIs will impose data protection obligations on Subprocessors that are appropriate to the nature of the processing performed for the covered services.
Assistance To Customer
Taking into account the nature of the processing and the information available to Scale APIs, Scale APIs will provide commercially reasonable assistance to Customer with respect to:
data subject requests
security of processing obligations
personal data breach notification obligations
data protection impact assessments
prior consultation obligations, where applicable
Customer remains responsible for determining whether a request, incident, or assessment triggers an obligation under Data Protection Law.
Security Incidents
Scale APIs will notify Customer without undue delay after becoming aware of a confirmed personal data breach affecting Customer Personal Data processed under this DPA, to the extent required by applicable law.
Scale APIs may provide information in phases as it becomes available.
Deletion
Upon termination or expiration of the covered services, Scale APIs will delete or render inaccessible Customer Personal Data processed under this DPA, unless retention is required or permitted by applicable law, reasonably required for security, fraud prevention, dispute resolution, backup cycling, or other narrow and legitimate post-termination operational purposes, or technically infeasible within the requested timeframe.
Customer is responsible for retrieving any data or outputs it wishes to retain before termination of the relevant covered services.
Audits And Information Rights
Scale APIs will make available to Customer information reasonably necessary to demonstrate compliance with this DPA.
Where required by applicable law and where the information otherwise made available is not sufficient, Customer may request a reasonable audit or inspection of the relevant processing activities, subject to appropriate confidentiality obligations, reasonable advance notice, proportionate scope, security protections, and limits designed to avoid disruption to other customers or the services.
Unless a material compliance failure is identified, Customer will bear its own audit costs and any reasonable third-party costs incurred by Scale APIs in connection with the audit.
International Processing
Customer acknowledges that Scale APIs and its Subprocessors may process Customer Personal Data in countries other than the country in which Customer or the relevant data subjects are located.
Where Data Protection Law requires safeguards for cross-border processing, the parties will rely on commercially reasonable and legally appropriate transfer mechanisms or safeguards applicable to the covered services.
Liability
This DPA is subject to the liability limitations, exclusions, and allocation of risk set out in the Agreement, unless Data Protection Law requires otherwise.
Order Of Precedence
If there is a conflict between this DPA and the Agreement regarding the processing of Customer Personal Data, this DPA will control to the extent of that conflict. Otherwise, the Agreement will remain in full force and effect.
Schedule 1: Processing Details
Subject Matter
Processing of Customer Personal Data by Scale APIs in order to provide the covered services under the Agreement.
Duration
For the term of the Agreement, plus any limited post-termination period reasonably required for deletion, legal compliance, backup cycling, fraud prevention, security, or other narrow operational purposes described in this DPA.
Nature And Purpose
Providing API-based rendering, capture, generation, delivery, account-support, and related operational services requested by Customer through the covered services.
Categories Of Data Subjects
Depending on Customer's use of the covered services, data subjects may include:
Customer personnel
Customer end users
Customer business contacts
individuals whose personal data is included in Customer-submitted content or customer-directed targets
Categories Of Personal Data
Depending on Customer's use of the covered services, Customer Personal Data may include:
contact and account information submitted by Customer through the services
personal data contained in URLs, HTML, templates, documents, screenshots, or other customer-submitted content
technical and operational metadata associated with service requests
delivery and workflow metadata associated with outputs, callbacks, or customer-directed destinations
Sensitive or highly regulated personal data should not be submitted unless Customer has assessed the workflow appropriately and the parties have agreed that the covered service is suitable for that use.
Schedule 2: Product Processing Notes
ProdaPic
For ProdaPic workflows, Customer Personal Data may include:
URLs and related capture targets
HTML submitted for rendering or capture
customer-supplied headers, cookies, or session-related inputs where supported
screenshot settings, viewport settings, format settings, and related workflow inputs
generated image or related capture outputs
request, job, delivery, and operational metadata associated with the workflow
ProdaDoc
For ProdaDoc workflows, Customer Personal Data may include:
HTML submitted for document generation
URLs submitted for rendering
template data
document-generation settings, filenames, merge inputs, metadata inputs, and related workflow inputs
generated PDF or related document outputs
request, job, delivery, and operational metadata associated with the workflow
Questions about this document?
If you have questions about this policy, contact us at legal@scaleapis.com.