Data Processing Agreement

Last updated: 2026-04-29 · Effective from the same date

Plain English summary

When you upload customer data through Scarif One, you stay the data controller — we’re your processor. This document sets out our obligations under UK GDPR Article 28: what we do with your data, who we share it with, how we secure it, what happens if there’s a breach, and how you exercise audit rights. Need redlines or a signed copy? Email privacy@scarifone.com.

1. Parties

This Data Processing Agreement (“DPA”) supplements the Scarif One Terms of Service. It’s entered into between you (the “Controller”) and Scarif One Ltd (the “Processor”) and applies whenever you submit personal data through the service.

2. Roles + scope

For Customer Content (e.g. uploaded customer lists, brand profile content, generated content tied to identifiable individuals), the Controller is the data controller and Scarif One is the data processor. For account / billing / telemetry data described in our Privacy Policy, Scarif One is itself the controller.

3. Subject-matter, duration, and nature

  • Subject-matter: processing personal data on the Controller’s behalf to provide the Scarif One marketing platform.
  • Duration: the term of the Terms of Service plus any data-retention period.
  • Nature + purpose: hosting, AI generation, integration sync, analytics, support — all in service of operating the platform.
  • Categories of data: contact details, marketing-engagement data, brand assets, customer transaction summaries (where the Controller chooses to upload them).
  • Categories of data subjects: the Controller’s customers, leads, employees, and contacts.

4. Processor obligations

The Processor will:

  • Process personal data only on documented Controller instructions, including transfers to third countries (the Terms of Service and the configured integrations constitute such instructions).
  • Ensure persons authorised to process are bound by confidentiality.
  • Implement appropriate technical + organisational measures (the security controls described in the Privacy Policy and at /trust).
  • Engage sub-processors only as listed at /trust; provide 30 days’ notice of any material change. The Controller may object for objectively justifiable reasons; if we can’t accommodate the objection, the Controller may terminate.
  • Assist the Controller (taking into account the nature of the processing) with data subject requests, security obligations, breach notifications, and DPIAs.
  • Notify the Controller within 48 hours of becoming aware of a personal data breach.
  • Make available all information necessary to demonstrate compliance with this DPA, and allow audits by the Controller or an auditor mandated by the Controller (subject to reasonable conditions on cost, frequency, and confidentiality).
  • On termination, delete or return all Controller personal data per the Controller’s choice and these Terms (subject to legal retention requirements).

5. Sub-processors

The Controller authorises the engagement of the sub-processors listed at /trust as of the effective date of this DPA. The Processor will impose data-protection obligations on each sub-processor at least as protective as those in this DPA.

6. International transfers

Where data is transferred outside the UK or EEA, the Processor uses approved transfer mechanisms — UK International Data Transfer Agreements, the EU Standard Contractual Clauses (with UK Addendum), or adequacy decisions. Documentation available on request.

7. Security measures

See our Trust Center for the full list. Summary: TLS 1.3 in transit, encrypted-at-rest databases, Argon2id password hashing, per-tenant data isolation, audit logging, role-based access, pen-tested annually (post-launch — pre-launch baseline only at this stage), 24/7 monitoring + incident response.

8. Breach notification

We notify the Controller without undue delay (and in any case within 48 hours) of becoming aware of a personal data breach affecting Controller data. Notification will include, to the extent known: nature of the breach, categories + approximate numbers of affected data subjects + records, likely consequences, and measures taken or proposed.

9. Data subject rights

We provide tools (one-click export, deletion via /security in the dashboard) to help the Controller respond to data subject requests within UK GDPR statutory timelines (1 month, extensible by 2 months for complex requests). For requests that require Processor action beyond self-service tools, we’ll respond within 14 days.

10. Liability

Each party’s liability under this DPA is subject to the liability cap in the Terms of Service, except where mandatory law (UK GDPR fines, in particular) overrides this.

11. Order of precedence

Where this DPA conflicts with the Terms of Service or Privacy Policy, this DPA prevails on data-protection matters.

12. Term + termination

This DPA has the same term as the Terms of Service. On termination, Processor obligations relating to deletion or return of personal data survive until completed.

13. Signed-copy requests

Need a counter-signed PDF version for your records, or a redlined custom DPA? Email privacy@scarifone.com. Standard turnaround for signed PDFs: 2 business days. Custom redlines available on Pro plans and above.

14. Governing law

This DPA is governed by English law and is subject to the exclusive jurisdiction of the courts of England and Wales.

Questions about this document? Email privacy@scarifone.com for privacy / DPA questions, hello@scarifone.com for everything else. Tom replies within a few hours during UK office hours.