Data Processing Addendum
Effective Date: July 14, 2026
This Data Processing Addendum ("DPA") applies when Scanopy LLC ("Scanopy", "we", "us") processes personal data on your behalf in the course of providing our Services. It forms part of, and is incorporated by reference into, our Terms of Service. In case of any conflict between this DPA and the rest of the Terms of Service, this DPA prevails with respect to the processing of personal data. This DPA applies to Scanopy Cloud; self-hosted deployments are operated entirely within your own infrastructure.
1. Scope and Roles
For the purpose of this DPA, you are the "Data Controller" and we are the "Data Processor" as those terms are defined in applicable data protection laws. We process personal data only to provide and support the Services.
2. Processing Obligations
We will:
- Process personal data only on your documented instructions, including with regard to transfers of personal data to a third country or international organization
- Ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing
- Assist you, taking into account the nature of processing, in responding to requests from data subjects
- Assist you in ensuring compliance with security, breach notification, impact assessment, and consultation obligations under applicable data protection laws
- At your choice, delete or return all personal data to you after the end of the provision of services relating to processing
- Make available to you all information necessary to demonstrate compliance with these obligations and contribute to audits, including inspections, conducted by you or an auditor mandated by you
3. Subprocessors
You provide general authorization for us to engage subprocessors to process personal data on your behalf. We will inform you of any intended changes concerning the addition or replacement of subprocessors, giving you the opportunity to object to such changes.
We will impose data protection terms on all subprocessors to provide at least the same level of data protection required by this DPA. A current list of the subprocessors we use is maintained in our Privacy Policy.
4. Data Transfers
We will only transfer personal data to countries outside the European Economic Area (EEA) or other protected jurisdictions where appropriate safeguards are in place. These safeguards may include:
- Adequacy decisions by relevant authorities
- Standard contractual clauses approved by relevant authorities
- Binding corporate rules
- Other valid transfer mechanisms
5. Data Breach Notification
We will notify you without undue delay after becoming aware of a personal data breach affecting the personal data we process on your behalf. Our notification will include, to the extent possible:
- The nature of the breach
- The categories and approximate number of data subjects concerned
- The categories and approximate number of personal data records concerned
- The likely consequences of the breach
- The measures taken or proposed to address the breach and mitigate possible adverse effects
6. Records of Processing
We will maintain records of our processing activities as required by applicable data protection laws. Upon your reasonable request, we will make these records available to you to demonstrate our compliance with this DPA.
7. Signed Copy
If your organization requires a countersigned copy of this DPA, email [email protected].