Data Processing Agreement
Last updated: May 16, 2026
This Data Processing Agreement (the “DPA”) forms part of the agreement between the Customer (“Controller”) and Infinity Enterprises LLP (“Scano”, “Processor”) under which Scano provides the Scano social media monitoring service (the “Service”). It governs the processing of Personal Data by Scano on behalf of the Controller and is designed to comply with the EU General Data Protection Regulation 2016/679 (“GDPR”), the UK GDPR, the California Consumer Privacy Act as amended by the CPRA (“CCPA”), and the Law of the Republic of Kazakhstan “On Personal Data and its Protection” No. 94-V dated 21 May 2013.
1. Definitions
“Personal Data”, “Processing”, “Controller”, “Processor”, “Data Subject”, “Sub-processor” and “Supervisory Authority” have the meanings given to them in the GDPR. “Affected Data Subject” means a Data Subject whose Personal Data is Processed under this DPA. “Standard Contractual Clauses” means Commission Implementing Decision (EU) 2021/914 Module Two (Controller-to-Processor) or its UK equivalent (the UK International Data Transfer Addendum).
2. Subject Matter, Duration, Nature and Purpose
Scano Processes Personal Data on behalf of the Controller solely to provide and support the Service, including: ingesting publicly available social media content matching Controller-defined queries, performing analytics (sentiment, language detection, named-entity recognition, topic clustering), generating reports and dashboards, sending notifications and scheduled emails, and providing technical support. Processing continues for the duration of the underlying subscription and the limited retention period thereafter set out in Section 9.
- Categories of Data Subjects: the Controller’s authorised users; individuals identified in publicly available social media content ingested through Controller-defined queries; recipients of notifications and reports.
- Categories of Personal Data: account data (name, email, role, hashed credentials, IP address, device data, login history), user-generated content from public sources (post text, author handle, public profile metadata, timestamps, public engagement metrics), and metadata derived by the Service (sentiment, language, entities, tags).
- Special categories of Personal Data: not requested by Scano. Should the Controller’s queries incidentally surface such data, the Controller remains responsible for the legality of processing.
- Frequency: continuous for the term of the subscription.
- Retention: as set out in Section 9.
3. Roles and Instructions
- Scano will not Process Personal Data for any other purpose, including its own product analytics, AI model training on Controller content, advertising, or onward sale.
- Scano will not combine Controller Personal Data with data from other controllers except for aggregated, fully anonymised platform statistics.
- Scano will promptly inform the Controller if it becomes legally required to disclose Personal Data, unless prohibited from doing so by law.
- The Controller warrants that it has a valid legal basis for the Processing it instructs Scano to perform, including for any social media content ingested.
- Where required by applicable U.S. state privacy laws, Scano qualifies as a “service provider” (CCPA/CPRA) or “processor” (Virginia, Colorado, Connecticut, Utah, Texas) and the restrictions in this Section apply correspondingly.
- Scano will make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA.
4. Confidentiality
Scano ensures that all personnel authorised to Process Personal Data are subject to a written or statutory obligation of confidentiality, are trained on data-protection responsibilities, and only have access to Personal Data on a strict need-to-know basis. Access logs are retained for not less than twelve (12) months.
- Background screening of personnel with production access, where permitted by local law.
- Role-based access controls and least-privilege provisioning, reviewed at least every six (6) months.
- Immediate revocation of access on role change or termination.
- Mandatory annual security and privacy training.
5. Security of Processing
Scano implements appropriate technical and organisational measures pursuant to Article 32 GDPR. A current summary is published in Scano’s Security Overview and reviewed at least annually. Measures include, at minimum:
- Encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256) for production data stores and backups.
- Network segmentation, mandatory MFA for administrative access, hardened cloud baselines, and continuous vulnerability scanning.
- Documented incident-response and business-continuity plans, tested at least annually.
- Logical separation of each tenant’s data and regular restoration tests of backups.
6. Sub-processors
The Controller grants Scano a general authorisation to engage Sub-processors to assist in Processing Personal Data, subject to the conditions in this Section. A current list of Sub-processors is available on request and is also published at the Scano trust page.
- Scano will impose on each Sub-processor data-protection obligations no less protective than those in this DPA, by way of a written contract.
- Scano remains fully liable to the Controller for the performance of each Sub-processor’s obligations.
- Scano will give the Controller at least thirty (30) days’ prior notice of the addition or replacement of any Sub-processor, by email or in-product notice.
- The Controller may object on reasonable data-protection grounds within fourteen (14) days of such notice. If the objection cannot be resolved, the Controller may terminate the affected portion of the Service without penalty.
- Sub-processors as of the last-updated date include cloud-infrastructure providers, transactional email providers, error-monitoring providers, and the customer-support helpdesk vendor — each subject to written data-protection terms.
7. Data Subject Rights
Taking into account the nature of the Processing, Scano shall assist the Controller by appropriate technical and organisational measures, insofar as possible, in fulfilling the Controller’s obligation to respond to Data Subject requests under Chapter III GDPR or analogous rights under CCPA/CPRA and other applicable laws (access, rectification, erasure, restriction, portability, objection, withdrawal of consent, opt-out of sale/sharing, opt-out of targeted advertising).
- If a Data Subject contacts Scano directly, Scano will, without undue delay, forward the request to the Controller and will not respond on the merits unless authorised by the Controller or required by law.
- Scano will provide self-service capabilities in the Service for the Controller to access, export, correct, and delete Personal Data of its users.
- Reasonable assistance is provided at no additional cost up to a level commensurate with the subscription; beyond that, time-and-materials fees may apply, agreed in advance.
- Scano honours opt-out signals such as Global Privacy Control where technically feasible for marketing surfaces.
8. Personal Data Breach Notification
Scano will notify the Controller without undue delay, and in any event within forty-eight (48) hours, after becoming aware of a Personal Data Breach affecting the Controller’s Personal Data. The notification will include, to the extent then known: the nature of the breach, categories and approximate numbers of Affected Data Subjects and records, likely consequences, and the measures taken or proposed to address the breach and mitigate its possible adverse effects.
- Scano will cooperate with the Controller and provide reasonably requested information to enable the Controller to comply with its own notification obligations to Supervisory Authorities and Data Subjects.
- Notifications are not an acknowledgement by Scano of fault or liability.
- Initial notice will be sent to the Controller’s designated security contact; the Controller is responsible for keeping this contact current in the Service.
9. Data Localisation, International Transfers, and Retention
Scano stores Personal Data in regional data centres selected per the Controller’s subscription tier (EU, U.S., or Kazakhstan). Where Personal Data is transferred from the EEA, UK, or Switzerland to a country without an adequacy decision, transfers are made pursuant to the Standard Contractual Clauses, which are deemed incorporated into this DPA by reference. The Controller authorises Scano to enter into the Standard Contractual Clauses with Sub-processors on the Controller’s behalf.
- Active account Personal Data is retained for the duration of the subscription.
- On termination, Personal Data is, at the Controller’s choice, returned or deleted within thirty (30) days, subject to legal retention obligations. Backups are purged within ninety (90) days.
- Audit logs and security records may be retained for up to twenty-four (24) months for security and legal-defence purposes.
10. Audits
Scano makes available to the Controller all information necessary to demonstrate compliance with this DPA, including the most recent third-party audit reports (e.g., SOC 2 Type II once available) under NDA. On reasonable prior written notice (not more than once per twelve-month period, except following a Personal Data Breach or as required by a Supervisory Authority), the Controller may conduct audits of the Processing activities, subject to confidentiality, security, and operational-impact constraints agreed in advance.
11. Liability
Each party’s liability arising out of or in connection with this DPA is subject to the limitations and exclusions of liability set out in the underlying agreement. Nothing in this DPA limits a Data Subject’s rights under applicable Data Protection Laws.
12. Order of Precedence
In the event of any conflict between this DPA and the underlying subscription agreement, this DPA prevails for matters of personal-data Processing. Where the Standard Contractual Clauses apply, the Standard Contractual Clauses prevail over conflicting terms of this DPA.
Contact
For privacy or DPA-related matters, please contact Infinity Enterprises LLP, Nursar-2, 29/4, 1st block, 160000, Shymkent, Kazakhstan.
- Email: legal@scano.io
- Data Protection Officer: dpo@scano.io