Data Processing Agreement (DPA)
Document type: template for business customers (B2B). Not legal advice. Have qualified counsel review and adapt before signature.
Version: 1.0 · Template date: 30 April 2026
This template assumes ScrumDesk (“Processor”) provides Sculptor (the “Service”) to ScrumDesk s r.o. (“Controller”), where Controller determines the purposes and means of processing of personal data relating to its end users, employees, or other data subjects, and Processor processes such data on Controller’s instructions.
Schedule A — Parties and contacts
| Role | Legal name | Address | Primary contact (email) |
|---|---|---|---|
| Controller | ScrumDesk s r.o. | ScrumDesk s r.o., Hviezdoslavova 6, 082 71 Lipany, Slovakia | support@scrumdesk.com |
| Processor | ScrumDesk | ScrumDesk s r.o., Hviezdoslavova 6, 082 71 Lipany, Slovakia | privacy requests via scrumdesk.com |
1. Definitions
- “Agreement” — the commercial agreement (order form, subscription, or equivalent) under which Processor provides the Service to Controller.
- “Applicable Data Protection Law” — (i) Regulation (EU) 2016/679 (“GDPR”) where it applies; and (ii) other laws relating to privacy and processing of personal data that apply to the processing under this DPA.
- “Personal data”, “processing”, “controller”, “processor”, “data subject”, “personal data breach” — as defined in Applicable Data Protection Law.
- “Sub-processor” — an entity engaged by Processor to process Personal Data on Controller’s behalf.
Capitalised terms not defined here have the meaning given in the Agreement or the GDPR, as applicable.
2. Subject matter, nature, purpose, and duration
Subject matter: Processing of Personal Data in connection with Controller’s use of the Service (including account, workspace, collaboration, security, and support features described in product documentation).
Nature of processing: Electronic collection, storage, organisation, retrieval, disclosure by transmission, adaptation, restriction, erasure, and related operations performed through the Service and Processor’s hosting, logging, and security tooling.
Purpose of processing: Providing the Service to Controller in accordance with the Agreement; security and abuse prevention; compliance with law; and improvements that do not involve training third-party AI models on Controller Personal Data unless separately agreed in writing.
Duration: For the term of the Agreement and until Processor has deleted or returned Personal Data in accordance with Section 9, unless Applicable Data Protection Law requires longer retention.
3. Types of Personal Data and categories of data subjects
Controller determines the categories of data subjects and Personal Data. Typical categories may include (non-exhaustive):
| Categories of data subjects | Examples of Personal Data types |
|---|---|
| Controller’s users | Name, email, account identifiers, authentication data, profile and preference fields |
| Controller’s personnel (if applicable) | Contact details, role, identifiers used in directory or invitation flows |
| Content subjects (if Controller uploads or references them) | Data contained in free-text, attachments, or imports supplied by Controller |
Controller is solely responsible for the lawfulness of processing and for notices to data subjects.
4. Processor obligations
Processor shall:
4.1 Instructions. Process Personal Data only on documented instructions from Controller, including those in the Agreement and this DPA, unless Union or Member State law requires otherwise; in that case Processor shall inform Controller of that legal requirement before processing (unless prohibited from informing).
4.2 Confidentiality. Ensure persons authorised to process Personal Data are bound by confidentiality or are under an appropriate statutory obligation.
4.3 Security. Implement appropriate technical and organisational measures as described in Schedule B (or in the Agreement / security documentation incorporated by reference).
4.4 Sub-processors. Not engage a Sub-processor without Controller’s general authorisation (which Controller grants by entering this DPA) combined with specific requirements in Section 5. Where required by Applicable Data Protection Law, Processor shall notify Controller of intended changes to Sub-processors and allow a reasonable objection period before the change takes effect.
4.5 Data subject rights. Assist Controller, by appropriate technical and organisational measures, in responding to requests from data subjects to exercise their rights under Applicable Data Protection Law.
4.6 Assistance. Assist Controller with DPIAs and prior consultation with supervisory authorities, taking into account the nature of processing and information available to Processor.
4.7 Breach notification. Notify Controller without undue delay after becoming aware of a Personal Data breach affecting Controller Personal Data, and provide information reasonably required for Controller’s breach assessment and reporting.
4.8 Deletion or return. At the end of the Service relationship (or on Controller’s written request where agreed), delete or return Personal Data in line with Section 9, except where retention is required by law.
4.9 Demonstration of compliance. Make available information necessary to demonstrate compliance with Article 28 GDPR and allow for and contribute to audits as set out in Section 10.
5. Sub-processors
5.1 Controller generally authorises Processor to engage the Sub-processors in Section 5.5 (and replacements of substantially equivalent function) to operate the hosted Sculptor service for organisation cloud workspaces and related platform features.
5.2 Processor maintains the list in this DPA and the Privacy policy. Processor will notify Controller of material additions or replacements where required by Applicable Data Protection Law (for example by updating the published list and, where the Agreement provides, email or in-app notice).
5.3 Where Controller has a reasonable, documented objection to a new Sub-processor (where the law provides a right to object), the parties shall discuss in good faith. If no resolution is reached, either party may terminate the affected portion of the Service as sole remedy, if the Agreement provides for it.
5.4 Processor shall impose data protection terms on Sub-processors that are substantially equivalent to this DPA.
5.5 Current Sub-processors (platform operations — as of the template date):
| Sub-processor | Role | Typical personal data | When used |
|---|---|---|---|
| Contabo GmbH | VPS / infrastructure hosting for the production App (sculptor.scrumdesk.com) | Controller Personal Data at rest and in transit on production systems | Production deployment |
| PostgreSQL (on Processor-controlled infrastructure) | Primary application database (Prisma) | Accounts, org/workspace membership, conversations, library assets, agent runs, encrypted credential blobs where configured | Organisation cloud workspaces when DATABASE_URL is set |
| Redis (on Processor-controlled infrastructure) | Caching, org presence, SSE fan-out, MCP concurrency, OAuth authorisation-code replay protection | Presence signals, ephemeral session-adjacent metadata, rate-limit counters | Recommended in production when REDIS_URL / SCULPT_REDIS_URL is set |
| Resend, Inc. | Transactional email (account verification, password reset) | Email address; message content and security links | When RESEND_API_KEY is configured |
| SMTP relay (Processor-configured) | Project and team invitation email (nodemailer) | Email address; invitation metadata and join URLs | When SMTP_* variables are configured |
| Google | Optional Google OAuth sign-in; optional Google Analytics 4 on public pages | OAuth: account identifiers, name, email. Analytics: usage and technical data (IP anonymised in GA config) | OAuth when AUTH_GOOGLE_* is set. Analytics only after cookie banner Accept all and when NEXT_PUBLIC_GA_MEASUREMENT_ID is set |
| Microsoft | Optional Microsoft Entra ID OAuth sign-in | Account identifiers, name, email | When AUTH_MICROSOFT_ENTRA_ID_* is configured |
Processor may use additional Sub-processors of substantially equivalent function (for example a different EU hosting region or email provider) if listed under Section 5.2.
5.6 LLM and MCP integrations (Controller-directed, not universal Sub-processors). The Service allows Controller and its users to select AI model backends — for example OpenRouter, OpenAI, Anthropic, Google Gemini, Ollama Cloud, or local Ollama — and optional HTTP MCP servers (organisation-configured or user overrides). When enabled, prompts, attachments, and workspace context may be sent to those providers under their terms, either with bring-your-own-key credentials or via Processor’s same-origin API proxy when the workspace or organisation configures that provider. Those providers are engaged only when Controller or its users turn them on; they are not used for all customers. Controller is responsible for assessing provider policies before enabling them for its organisation. Processor does not use Controller Personal Data to train third-party foundation models unless separately agreed in writing (see Section 2).
6. International transfers
Where Personal Data originating in the EEA, UK, or Switzerland is transferred to a country not recognised as adequate, Processor shall implement appropriate safeguards (for example EU Standard Contractual Clauses, UK Addendum, or Swiss adaptations) as described in Processor’s privacy documentation or a separate transfer exhibit, unless another valid mechanism applies.
7. Controller obligations
Controller shall:
7.1 Have a lawful basis for processing and, where required, obtain valid consents or fulfil employment-law conditions.
7.2 Provide accurate instructions and not instruct Processor to process in a way that violates law.
7.3 Conduct its own assessment of the Service’s suitability for any particular category of sensitive or high-risk data.
8. Technical and organisational measures (summary)
Details are in Schedule B or incorporated security documentation. Measures shall be appropriate to the risk and shall address confidentiality, integrity, availability, and resilience.
9. Return and deletion of data
On termination or expiry of the Agreement (or as otherwise agreed), Processor shall delete Controller Personal Data from production systems within 30 business days, except backups that roll off on a 90-day rolling backup retention cycle, and except where law requires retention (in which case data shall be isolated and not used for any other purpose).
10. Audit
10.1 Annual / risk-based questionnaire: Processor may satisfy audit requests by providing completed security questionnaires and third-party certifications where available.
10.2 On-site / deep audit: Where Applicable Data Protection Law requires deeper audit rights, audits shall be once per twelve months (unless a supervisory authority requires more), on 30 days’ notice, during business hours, without disrupting operations, and subject to confidentiality. Controller bears its own costs unless the audit reveals a material breach by Processor.
11. Liability
Liability for breach of this DPA is subject to the liability caps and exclusions in the Agreement, except where Applicable Data Protection Law prohibits such limitations for damages arising from Processor’s breach of processor obligations.
12. Order of precedence and changes
12.1 If the Agreement contains a DPA or data protection addendum, conflicting terms shall be resolved as stated in the Agreement; otherwise this DPA supplements the Agreement.
12.2 Processor may update Schedules or security descriptions to reflect non-material improvements. Material changes to processing shall follow the change process in the Agreement or require an amendment to this DPA.
13. Governing law and jurisdiction
Governing law: Laws applicable to Processor’s principal place of business, without regard to conflict-of-law rules, except where mandatory law requires otherwise.
Jurisdiction: Courts (or arbitration, if agreed in the commercial contract) with jurisdiction over Processor’s principal place of business, unless non-waivable consumer rights apply in the data subject’s country.
Schedule B — Security measures
The following describes typical Sculptor production controls on Processor infrastructure (organisation cloud workspaces). Deployment-specific details (cloud region, sub-processors, dedicated resources) may be recorded in the commercial agreement or a security appendix.
- Access control: Role-based access to workspaces and projects; least privilege for Processor staff; multi-factor authentication for administrative access where supported.
- Encryption: TLS in transit between clients and the Service; encryption at rest for Controller Personal Data in Processor-managed databases and storage (hosting-provider encryption); application-level encryption for selected secrets (for example OAuth tokens using AES-256-GCM).
- Segregation: Logical separation of customer tenants (organisation-scoped data in PostgreSQL); dedicated resources where agreed in writing.
- Logging and monitoring: Security and operational logging with retention aligned to the backup cycle (up to 90 days, or longer where required for incident investigation); alerting for availability and security-relevant events on production systems.
- Business continuity: Automated backups on a regular schedule with a 90-day rolling retention cycle (see Section 9); restore testing at least annually or after material infrastructure changes.
- Incident management: Documented security incident response; personal data breach notification per Section 4.7.
- Personnel: Confidentiality obligations for personnel with access to Controller Personal Data; background screening for roles with administrative access where required by applicable law.