SCALE2REV, LLC – DATA PROCESSING ADDENDUM (DPA)
Last Updated: May 19, 2026
Effective Date: May 19, 2026
Location: scale2rev.com/legal/data-processing-addendum
This Data Processing Addendum ("DPA") supplements the Scale2Rev, LLC Terms of Service (scale2rev.com/legal/terms-of-service) or other master commercial agreement ("Agreement") between Scale2Rev, LLC ("Company") and the customer entity executing the agreement ("Client").
This DPA governs the automated processing of Personal Data captured, transmitted, or cached by Company's automated systems and cloud artificial intelligence architecture on behalf of Client. By utilizing the Services, the parties agree to comply with the terms of this DPA.
1. DEFINITIONS & SCOPE
1.1. Privacy Frameworks: means all data protection and privacy laws applicable to the processing of Personal Data under this DPA, including, where applicable, the California Consumer Privacy Act (CCPA), the EU General Data Protection Regulation (GDPR), and other state, federal, or international privacy statutes.
1.2. "Controller" and "Processor": have the meanings defined under applicable Privacy Frameworks. For the purposes of this DPA, Client is the Data Controller (the entity directing the collection of leads) and Company is the Data Processor (processing the data on Client's behalf).
1.3. "Personal Data" or "Personal Information": means any information collected, cached, or transmitted via Company's conversational or digital software interfaces that identifies, relates to, or can reasonably be linked with an individual website visitor or prospective business lead of Client.
2. ROLES, INSTRUCTIONS, & PROCESSING RULES
2.1. Compliance with Instructions. Company shall process Personal Data strictly in accordance with Client's documented instructions, which include the operational setup chosen within the administrative dashboard (e.g., caching lead parameters or establishing live API synchronization routing to Client's CRM). Company shall not process Personal Data for any other purpose unless mandated by applicable state or federal laws.
2.2. Data Customization Boundaries. Company is strictly prohibited from selling, retaining, using, or disclosing Client's captured Personal Data outside the direct business relationship established by the Agreement, or combining Client's data pools with datasets extracted from other corporate accounts.
3. TECHNICAL & ORGANIZATIONAL SECURITY MEASURES
3.1. Standard of Protection. Company shall implement and maintain industry-standard administrative, physical, and technical safeguards designed to protect Personal Data against unauthorized access, loss, alteration, or disclosure. These measures include:
- Encryption of data in transit and data at rest using strong cryptographic protocols (e.g., AES-256 and TLS 1.3).
- Network security filters, access logs, and multifactor authentication for all internal administrative systems.
3.2. Personnel Confidentiality. Company shall ensure that all employees or authorized engineering personnel granted access to Client's operational data pipelines are bound by binding contractual confidentiality obligations.
4. SUBPROCESSORS
4.1. General Authorization. Client grants Company general written authorization to engage third-party infrastructure and technology providers (such as cloud hosting environments and enterprise API managers like Google Cloud / Vertex AI) to assist in executing the Services ("Subprocessors").
4.2. Subprocessor Obligations. Company shall ensure that any engaged Subprocessor enters into a written agreement that imposes data protection obligations no less restrictive than those outlined within this DPA. Company remains liable to Client for the performance of its Subprocessors' compliance duties.
5. DATA BREACH NOTIFICATION
5.1. Rapid Notification Lifecycle. In the event Company discovers a verified security incident resulting in the unauthorized access, acquisition, or disclosure of Client's cached Personal Data on Company's infrastructure (a "Personal Data Breach"), Company shall notify Client without undue delay, and in no event later than seventy-two (72) hours after becoming aware of the breach.
5.2. Content of Notice. To the extent available, the notification will outline the nature of the security incident, the estimated categories of affected individuals, and the remediation actions being deployed by Company. Company shall cooperate with Client's reasonable investigations to mitigate the operational impact.
6. DATA SUBJECT RIGHTS & COOPERATION
6.1. Assisting Controller Responses. If a website visitor or individual prospect contacts Company directly to exercise their privacy rights (such as data deletion or access requests), Company shall route such inquiries to Client. Company shall provide Client with reasonable technical cooperation within the administrative dashboard to enable Client to fulfill its legal duties under Privacy Frameworks.
7. DATA RETENTION, EXTRACTION, & TERMINATION
7.1. Post-Termination Erasure. Upon termination or expiration of the commercial relationship, Company's rights to process Client's data pipeline terminate. Company shall preserve cached data parameters for a maximum window of thirty (30) calendar days to allow Client manual export. Following this extraction window, Company shall systematically execute its database destruction lifecycle, completely wiping all associated Personal Data traces from its active production environments, unless back-up storage mandates require longer retention under applicable law.
Annex 1: Description of Data Processing Operations
- Categories of Data Subjects: Client's website visitors, corporate prospects, end-users, and individuals interacting with Client's deployed automated conversational interfaces.
- Categories of Personal Data processed: First and last names, corporate email addresses, phone numbers, geographic metadata, business job descriptions, and customized conversational text transcript logs provided during interactive sessions.
- Nature and Purpose of Processing: The real-time capture, caching, automated sorting, display, and direct API transmission routing of sales leads to optimize Client's B2B marketing funnel.
- Duration of Processing: The duration of the active Subscription Term plus a maximum thirty (30) day post-termination manual extraction lifecycle.