Data Processing Agreement
Last Updated: 25 February 2026
This Data Processing Agreement ("DPA") sets out the terms and conditions for the processing of Personal Data under and in connection with the Agreement. This DPA forms an inseparable part of the Agreement.
The Parties acknowledge that the provision of the Service involves Processing of Personal Data. To the extent Personal Data is processed in connection with the Service, the Parties acknowledge that the Customer is a Controller and Scale is a Processor processing Personal Data on behalf of the Customer.
In the event of any discrepancy between this DPA and the Terms of Service, this DPA prevails.
Definitions
1.1
The terms used in this DPA, such as "Controller", "Processor", "Data Subject", "Special Categories of Personal Data", "Processing", "Data Protection Impact Assessment" and "Personal Data Breach", shall have the meanings as defined in the applicable Data Protection Regulation.
1.2
"Personal Data" means any information relating to an identified or identifiable natural person, which Scale processes on behalf of the Customer or its Affiliates under the Agreement.
1.3
"Data Protection Regulation" means all applicable laws relating to the protection of Personal Data, including without limitation the CCPA, the GDPR, and the national laws supplementing the GDPR, including the Finnish Data Protection Act (1050/2018), and the laws implementing EU Directive 2002/58/EC.
1.4
"CCPA" means the California Consumer Privacy Act, Cal. Civ. Code 1798.100 et seq., as amended by the California Privacy Rights Act (CPRA), including any implementing regulations thereto that become effective on or after the effective date of this DPA.
1.5
"GDPR" means the EU General Data Protection Regulation (EU) 2016/679 and any amendments thereto.
1.6
"Standard Contractual Clauses" means the standard contractual clauses for the transfer of personal data to third countries approved by the European Commission in Decision (EU) 2021/914 of 4 June 2021, or any subsequent decision of the Commission, and any amendments thereto.
1.7
"Customer Data" means all electronic data or information submitted by or for Customer to the Service, or collected and processed by or for Customer using the Service, including documents, project data, and any Personal Data contained therein.
1.8
"Service" means the AI-powered innovation intelligence platform and related cloud-based services provided by Scale to the Customer under the Agreement.
1.9
"Agreement" means the agreement between Scale and the Customer for the provision of the Service, including the Terms of Service, any Order Form(s), the Privacy Policy, and this DPA.
Scope and Roles
2.1
The Customer is the Controller and Scale is the Processor with respect to Personal Data processed in connection with the Service. Scale processes Personal Data solely on behalf of and under the instructions of the Customer.
2.2
This DPA applies to all Processing of Personal Data carried out by Scale in connection with the provision of the Service. The subject matter, duration, nature, and purpose of the Processing, the types of Personal Data, and the categories of Data Subjects are described in Annex 1 (Description of Processing).
2.3
For the purposes of the CCPA, the Parties acknowledge and agree that Scale will act as a "Service Provider" as defined in the CCPA, in its performance of its obligations pursuant to this DPA and the Agreement. The Customer will act as a "Business" as defined in the CCPA. The Customer will act as a single point of contact for its Affiliates with respect to CCPA compliance. Any claims in connection with the CCPA under this DPA will be brought by Customer, whether acting for itself or on behalf of an Affiliate.
Description of Processing
3.1
Scale processes Personal Data under the Agreement for the purpose of providing the Service to the Customer. Processing of Personal Data in this context refers to hosting, storing, analyzing (including AI-powered document analysis), and transmitting data provided by the Customer in connection with the provision of the Service.
3.2
Data Subjects are employees, contractors, and collaborators of the Customer, or other individuals whose Personal Data the Customer has provided to Scale in connection with the provision of the Service, including individuals whose Personal Data may be incidentally contained in documents uploaded to the platform.
3.3
Categories of Personal Data include:
User profile data: Names, work email addresses, and login credentials of individuals who access the Service.
Customer-uploaded content: Documents (such as PDFs, spreadsheets, and presentations) uploaded to the platform, which may incidentally contain Personal Data such as names, email addresses, job titles, or other information about team members, collaborators, or other individuals.
Project data: Team member names and email addresses added to projects by users in connection with project management and collaboration features.
Access and technical data: IP addresses, browser type, operating system, device identifiers, date and time of access, error logs, and usage metrics.
3.4 Use of Artificial Intelligence
The Service uses artificial intelligence models to analyze Customer-uploaded documents and generate innovation insights and recommendations. By default, the AI engine is powered by Google Vertex AI. Where the Customer configures a third-party AI provider, processing by that provider is subject to that provider's terms.
The AI engine may encounter Personal Data incidentally present in uploaded documents. The Service does not extract, profile, or store such Personal Data separately from the documents themselves. AI outputs are advisory only and do not have legal or similarly significant effects on individuals. All business decisions based on AI outputs remain the responsibility of human users at the Customer.
Scale's default AI provider (Google Vertex AI) is contractually prohibited from using Customer Data to train or optimize its general AI models. Where the Customer configures a third-party AI provider, the Customer is responsible for reviewing that provider's data use terms.
All AI processing occurs within EU infrastructure by default (Google Cloud Platform, europe-north1 and europe-west3 regions). Where the Customer configures a third-party AI provider, the processing location is determined by that provider's terms.
3.5 Anonymized Benchmarking Data
Scale may derive anonymized and aggregated operational metrics from the use of the Service (such as project velocity and adoption statistics) for the purpose of providing benchmarking features that allow Customers to compare their usage patterns against anonymized cross-platform averages. Such metrics are stripped of all information that could identify the Customer, its projects, or individual Data Subjects, and do not constitute Personal Data. Benchmarking features are enabled by default and the Customer may opt out at any time through the Service settings. Anonymized metrics that have already been aggregated are retained by Scale regardless of termination of the Agreement.
Customer Obligations
4.1
The Customer shall comply with the obligations applicable to it as a Controller under the Data Protection Regulation and this DPA.
4.2
The Customer is responsible for ensuring that there is a lawful basis for the Processing of Personal Data by Scale in accordance with the Agreement, and for providing all necessary notices to, and obtaining all necessary consents from, Data Subjects as required by the Data Protection Regulation.
4.3
The Customer's documented instructions to Scale on the Processing of Personal Data are set out in this DPA and the Agreement. Additional instructions require prior written agreement between the Parties.
4.4
The Customer shall be solely responsible for the accuracy, quality, integrity, legality, reliability, and appropriateness of all Customer Data, and for providing appropriate access rights to Scale limited to what is strictly necessary for the purpose of the Service.
4.5
For the purposes of the CCPA, the Customer is responsible for compliance with the CCPA as a "Business" in connection with the collection, use, and storage of Personal Data, and will ensure that it provides all necessary notices for the lawful Processing of Personal Data by Scale in accordance with the Agreement.
Scale's Obligations as Processor
5.1 Processing Instructions
Scale shall process Personal Data only as permitted under this DPA, the Agreement, or applicable Data Protection Regulation. Scale shall promptly inform the Customer if, in Scale's opinion, an instruction from the Customer infringes the Data Protection Regulation.
5.2 Confidentiality
Scale shall ensure that all personnel authorized to process Personal Data are subject to appropriate confidentiality obligations, whether contractual or statutory.
5.3 Security Measures
Scale shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, to protect Personal Data against unauthorized access, loss, destruction, damage, alteration, or disclosure, or against other unlawful Processing. The current security measures are described in Annex 2 (Technical and Organizational Measures).
5.4 Personal Data Breach Notification
Scale shall notify the Customer of a Personal Data Breach without undue delay after becoming aware of the breach, and shall take reasonable steps to mitigate any damage resulting from such breach. The notification shall contain at least the following information:
A description of the nature of the Personal Data Breach, including where possible the categories and approximate number of Data Subjects and Personal Data records concerned;
The name and contact details of the point of contact from whom more information can be obtained;
A description of the likely consequences of the Personal Data Breach;
A description of the measures taken or proposed to address the Personal Data Breach, including measures to mitigate its possible adverse effects.
If it is not possible to provide all information at the same time, the information may be provided in phases without undue further delay. Scale shall document all Personal Data Breaches and provide the documentation to the Customer upon request.
Scale shall, to a reasonable extent, assist the Customer in fulfilling its obligations to notify the competent supervisory authority (pursuant to GDPR Art. 33) and, where required, to communicate the Personal Data Breach to affected Data Subjects (pursuant to GDPR Art. 34).
5.5 Data Subject Requests
Scale shall, upon the Customer's written request and to a reasonable extent, assist the Customer by appropriate technical and organizational measures in fulfilling the Customer's obligations to respond to Data Subject requests to exercise their rights under the Data Protection Regulation. If Scale receives a request directly from a Data Subject, Scale shall promptly redirect the request to the Customer.
5.6 Data Protection Impact Assessment
Scale shall, upon the Customer's detailed written request, to a reasonable extent assist the Customer in carrying out Data Protection Impact Assessments and, where required, prior consultations with supervisory authorities, as required by Articles 35 and 36 of the GDPR. The Customer shall reimburse Scale's reasonable costs and expenses incurred from such assistance.
5.7 Compliance Demonstration
Scale shall, to a reasonable extent, assist the Customer in demonstrating compliance with the Data Protection Regulation, and for such purposes make available to the Customer all information reasonably required and necessary for the Customer to demonstrate its compliance.
5.8 Restrictions on Use
Scale will not, under any circumstances, sell, share, retain, use, or otherwise process Personal Data for any purpose not related to providing the Service as specified in this DPA and the Agreement. Scale will refrain from taking any action that would cause any transfer of Personal Data to or from Scale to qualify as "selling personal information" or "sharing personal information" as those terms are defined under the CCPA.
5.9 AI Model Training Prohibition
Scale shall ensure that its default AI provider (Google Vertex AI) does not use Customer Data to train, retrain, or otherwise optimize its general-purpose AI models. Where the Customer configures a third-party AI provider, the Customer is responsible for ensuring that the provider's terms prohibit the use of Customer Data for AI model training. Scale shall not be liable for the data practices of customer-configured AI providers.
5.10 CCPA-Specific Obligations
For the purposes of the CCPA, Scale shall:
Not sell or share the Personal Data of Consumers;
Not retain, use, or disclose Personal Data for any purpose other than providing the Service as specified in the Agreement, or as otherwise permitted by the CCPA;
Not combine Personal Data received from or on behalf of Customer with Personal Data received from other sources, except as permitted by the CCPA;
Comply with applicable obligations under the CCPA and grant the Customer the right to take reasonable steps to ensure that Scale uses Personal Data in a manner consistent with the Customer's obligations under the CCPA.
Sub-processors
6.1
The Customer hereby provides general written authorization for Scale to engage sub-processors to process Personal Data in connection with the Service. Scale shall ensure that its sub-processors comply with obligations equivalent to those set out in this DPA, including security and confidentiality requirements.
6.2
The current list of sub-processors is set out in Annex 3 (Sub-processor List) and is also maintained at the Scale Trust Center (trust.scale-company.com).
6.3
Scale shall notify the Customer in writing (including by email to the Customer's designated administrator) at least fourteen (14) days prior to the appointment or replacement of a sub-processor. The notification shall include the identity of the new sub-processor, the processing activities to be carried out, and the location of processing.
6.4
The Customer may, on reasonable grounds related to the protection of Personal Data, object to the appointment of a new sub-processor by notifying Scale in writing within the fourteen (14) day notice period. In such case, Scale shall use reasonable efforts to find and implement an alternative solution that does not involve engaging the objected-to sub-processor.
6.5
If no alternative solution is reasonably available and the objection remains unresolved, the Customer may terminate the Agreement with immediate effect by providing written notice to Scale. Scale shall refund any prepaid fees covering the remainder of the Subscription Term following the effective date of termination.
6.6
Scale remains fully liable for the acts and omissions of its sub-processors as if they were Scale's own acts and omissions.
6.7
Scale shall ensure that each sub-processor with access to Personal Data is bound by a written agreement imposing data protection obligations no less protective than those set out in this DPA.
International Transfers
7.1
The Service is hosted within the European Economic Area ("EEA") on Google Cloud Platform (europe-north1 and europe-west3 regions). Platform data, including Customer-uploaded content and user accounts, is stored and processed within the EEA by default.
7.2
The Customer acknowledges that some sub-processors are located in, or may have access to Personal Data from, outside the EEA (as indicated in Annex 3). To the extent Personal Data is processed outside the EEA by sub-processors, the Customer hereby approves such processing subject to the safeguards described in this Section 7.
7.3
Whenever Personal Data is transferred to, or accessed from, locations outside the EEA, Scale shall ensure that such transfers are protected by appropriate safeguards in accordance with Chapter V of the GDPR, including:
Standard Contractual Clauses (SCCs) approved by the European Commission pursuant to Decision (EU) 2021/914; and/or
The EU-U.S. Data Privacy Framework (DPF), where the recipient is certified under the DPF.
7.4
Where the Customer configures a third-party AI provider that processes data outside the EEA, the Customer acknowledges that the transfer safeguards for such processing are determined by that provider's terms. The Customer is responsible for ensuring that appropriate transfer mechanisms are in place for any customer-configured AI provider.
7.5 Transfer Impact Assessments
Before engaging a new sub-processor that involves a transfer of Personal Data outside the EEA, Scale shall carry out a documented assessment of the impact of the planned transfer, taking into account the laws and practices of the destination country, the nature of the data transferred, and the supplementary measures in place. Scale shall make the results of such assessments available to the Customer upon request.
7.6 Non-Compliant Transfers
If Scale becomes aware that a transfer of Personal Data to a location outside the EEA fails to comply with the safeguards required under this Section 7 or Chapter V of the GDPR, Scale shall immediately suspend the transfer and notify the Customer. Scale shall not resume the transfer until appropriate safeguards have been implemented or the Customer provides documented instructions to proceed.
Auditing
8.1
At the Customer's written request and at the Customer's sole cost and expense, the Customer, or a qualified third-party auditor appointed by the Customer, is entitled to audit Scale's compliance with this DPA once every twelve (12) months.
8.2
The Customer shall notify Scale in writing at least thirty (30) days prior to conducting the audit, unless a shorter notice period is required by applicable law or a supervisory authority decision.
8.3
The scope of the audit shall be limited to Scale's compliance with the obligations set out in this DPA. Scale shall cooperate with the audit and provide reasonable access to relevant facilities, systems, and documentation.
8.4
All audit reports and related information shall at all times be treated as Scale's confidential information. The auditor, if a third party, must be bound by appropriate confidentiality obligations and must not be a competitor of Scale.
8.5
Where Scale has obtained relevant third-party certifications or audit reports (such as ISO 27001 or SOC 2), Scale may provide these to the Customer as an alternative to an on-site audit, provided they adequately address the Customer's audit requirements.
Term, Termination, and Data Deletion
9.1
This DPA shall become effective upon the effective date of the Agreement and shall continue in force until the termination or expiry of the Agreement, or as long as Scale processes Personal Data on behalf of the Customer.
9.2
Upon termination or expiry of the Agreement, Scale shall, at the Customer's written election, either return or delete all Personal Data processed under this DPA within one hundred and twenty (120) days, unless retention is required by applicable law or regulation.
9.3
Where the Customer requests the return of Personal Data, Scale shall return the data in a structured, commonly used, and machine-readable format to the Customer or to a third party designated by the Customer in writing.
9.4
Scale shall certify the deletion of Personal Data in writing upon the Customer's request.
9.5 Surviving Obligations
The obligations of Scale under Sections 5.2 (Confidentiality), 5.4 (Personal Data Breach Notification), 5.8 (Restrictions on Use), 9.2–9.4 (Data Deletion and Return), and 10 (Liability) shall survive the termination or expiry of this DPA and the Agreement, and shall continue in force for as long as Scale retains any Personal Data.
Liability
10.1
Each Party's liability under this DPA shall be subject to the exclusions and limitations of liability set out in the Agreement.
10.2
Nothing in this DPA shall limit either Party's liability for damages caused by a breach of its obligations under the Data Protection Regulation to the extent such limitation is not permitted by applicable law.
Governing Law
11.1
This DPA and any disputes arising out of or in connection with it shall be governed by and construed in accordance with the laws of Finland, without regard to its conflict of laws rules.
11.2
Any dispute arising out of or relating to this DPA that cannot be resolved amicably shall be settled in accordance with the dispute resolution mechanism set out in the Agreement.
Changes
12.1
Scale may update this DPA from time to time to reflect changes in applicable Data Protection Regulation, sub-processors, or processing activities. Scale shall notify the Customer of any material changes to this DPA at least thirty (30) days prior to such changes taking effect.
12.2
Changes to Annex 3 (Sub-processor List) shall follow the notification and objection procedure set out in Section 6.
Annex 1: Description of Processing
Subject matter: Processing of Personal Data in connection with the provision of the AI-powered innovation intelligence platform.
Duration: For the term of the Agreement, plus the post-termination deletion period (120 days).
Nature of processing: Hosting, storage, retrieval, AI-powered analysis of documents, authentication, access logging, backup, and transmission of data.
Purpose of processing: To provide the Customer with the Service, including AI-driven innovation insights and recommendations based on Customer-uploaded documents.
Types of Personal Data: (a) User profile data: names, work email addresses, login credentials. (b) Customer-uploaded content: documents that may incidentally contain names, email addresses, job titles, and other Personal Data. (c) Project data: team member names and email addresses. (d) Access and technical data: IP addresses, browser type, operating system, device identifiers, timestamps, error logs, usage metrics.
Categories of Data Subjects: Employees, contractors, and collaborators of the Customer; individuals whose Personal Data is incidentally contained in documents uploaded to the platform.
Processing location: EU/EEA (Google Cloud Platform, europe-north1 and europe-west3 regions) by default. Sub-processors outside the EEA as listed in Annex 3, subject to appropriate transfer safeguards.
Annex 2: Technical and Organizational Measures
Scale maintains the following technical and organizational measures to protect Personal Data. These measures are reviewed and updated periodically to reflect changes in technology, threats, and applicable requirements.
1. Encryption and Pseudonymisation
All data is encrypted in transit using TLS 1.2 or higher.
All data at rest is encrypted using AES-256 or equivalent, managed through Google Cloud Platform's default encryption and key management services.
Pseudonymisation is applied where appropriate, including the use of opaque user identifiers in system logs and analytics, so that log data cannot be attributed to a specific individual without access to separate identity records.
2. Access Control
Access to the Service is authenticated through the identity provider (currently Auth0).
Role-based access control (RBAC) is implemented to restrict access to Personal Data based on business need.
Administrative access to production systems is limited to authorized personnel and requires multi-factor authentication (MFA).
Access rights are reviewed regularly and revoked promptly upon role changes or termination.
3. Network Security
The Service is hosted on Google Cloud Platform with network segmentation using Virtual Private Cloud (VPC) configurations.
Traffic filtering and firewall rules restrict inbound and outbound network traffic.
DDoS protection is provided by the cloud infrastructure provider.
4. Logging and Monitoring
Access to Personal Data and critical system events are logged.
Logs are retained and monitored for unauthorized access attempts and anomalies.
Alerting mechanisms are in place for security-relevant events.
5. Backup and Recovery
Regular automated backups of Customer Data are maintained.
Recovery procedures are documented and tested periodically through disaster recovery drills.
Backups are encrypted and stored within the EU/EEA.
6. Personnel Security
All personnel with access to Personal Data are subject to confidentiality obligations.
Security awareness training is provided to all personnel.
Background checks are conducted in accordance with applicable law.
7. Incident Response
A documented incident management procedure is maintained for identifying, reporting, and resolving Personal Data Breaches.
Roles and responsibilities for incident response are defined.
Post-incident reviews are conducted to prevent recurrence.
8. Sub-processor Management
Sub-processors are assessed for data protection compliance before engagement.
Sub-processors are bound by written agreements with data protection obligations equivalent to this DPA.
Sub-processor compliance is reviewed periodically.
9. Physical Security
Production infrastructure is hosted in Google Cloud Platform data centers, which maintain ISO 27001, SOC 2, and other relevant certifications.
Scale operates as a remote-first organization with no physical office or on-premises data center. Endpoint security controls are enforced on all devices used to access production systems.
10. Data Separation
Customer Data (including project names, document content, user identities, and other identifiable information) is logically separated from the data of other customers through tenant-level isolation mechanisms in the application and database layers.
Customer Data is not commingled with Scale's own operational data or data belonging to other customers in a way that would permit unauthorized cross-tenant access.
Anonymized and aggregated operational metrics (such as project velocity and adoption statistics) may be derived from Customer Data and pooled across tenants for the purpose of providing optional benchmarking features, as described in Section 3.5. Such metrics are stripped of all information that could identify the Customer, its projects, or individual Data Subjects.
Annex 3: Sub-processor List
The following sub-processors are authorized to process Personal Data in connection with the Service. This list is also maintained at the Scale Trust Center (trust.scale-company.com).
Sub-processor: Google Cloud Platform (incl. Vertex AI)
Purpose: Cloud hosting, AI-powered document analysis
Processing Activities: Hosting, storage, AI processing of Customer-uploaded documents, backup
Location: EU (Finland, europe-north1 / Frankfurt, europe-west3)

Sub-processor: Auth0 (Okta, Inc.)
Purpose: Platform authentication
Processing Activities: User authentication, session management, login credential processing
Location: EU

Sub-processor: Slack (Salesforce, Inc.)
Purpose: Customer communication channel
Processing Activities: Delivery of platform notifications and customer communications
Location: EU

Sub-processor: Stripe Technology Europe, Limited
Purpose: Payment processing
Processing Activities: Processing of Customer billing data, payment card transactions, invoicing
Location: EU (Ireland) / US

Sub-processor: Sendinblue SAS (trading as Brevo)
Purpose: Customer communication
Processing Activities: Delivery of platform-related communications to Customer users
Location: EU (France)
Where the Customer configures enterprise single sign-on (SSO) via their own identity provider (such as Microsoft Entra), that provider processes authentication data under the Customer's own agreement with the provider. Scale integrates with customer-configured identity providers but does not engage them as sub-processors.
Stripe processes payment data in the EU (Ireland) and may transfer certain data to the United States for fraud prevention and regulatory compliance purposes, subject to the EU-U.S. Data Privacy Framework and Standard Contractual Clauses. Scale does not store payment card data directly; card data is tokenized and held by Stripe.
Scale Company Oy
Business ID: 3193447-1
Fenixinrinne 4 C 34,
00580 Helsinki,
Finland
Email: gdpr@scale-company.com