Data Processing Addendum
Last updated: June 29, 2026
Effective date: June 27, 2026 · Version 1.0
Terms governing ScaleIQ’s processing of personal data on your behalf.
This Data Processing Addendum (“DPA”) forms part of the agreement between ScaleIQ LLC and Customer when ScaleIQ processes personal data on Customer’s behalf.
1. Roles
For Customer Data containing personal data, Customer is the controller (or a processor acting on a third party’s instructions) and ScaleIQ is the processor (or sub-processor). Each party complies with applicable Data Protection Laws, including the EU GDPR, UK GDPR, Swiss FADP, and US state privacy laws.
2. Scope & purpose
- Subject matter: processing of personal data to provide the Service.
- Nature and purpose: reading Microsoft 365 tenant metadata under administrator consent, and hosting, processing, and generating assessment results to operate, secure, and support the Service per Customer’s instructions.
- Data subjects: Customer’s authorized users and personnel whose metadata appears in the tenant signals assessed.
- Categories of data: identifiers, professional information, configuration and usage metadata, and system-generated metadata. Customer should not submit special-category data unless agreed in writing.
3. Customer instructions
ScaleIQ processes personal data only on documented instructions from Customer, including the Agreement, this DPA, and Customer’s configurations and consent within the Service.
4. Confidentiality & security
Personnel authorized to process personal data are bound by confidentiality. ScaleIQ implements the technical and organizational measures in Annex II and the Security Overview, appropriate to the risk.
5. Sub-processors
Customer authorizes ScaleIQ to engage the sub-processors listed at /legal/subprocessors. ScaleIQ gives at least 30 days’ notice of additions or replacements via that page, imposes data-protection obligations no less protective than this DPA, and remains liable for sub-processors’ acts and omissions.
6. Data subject rights & breach
ScaleIQ provides functionality enabling Customer to respond to data-subject requests and will forward any request received directly. ScaleIQ will notify Customer without undue delay, and within 72 hours, after becoming aware of a personal data breach affecting Customer Data.
7. Audits & assurance
ScaleIQ makes available the information necessary to demonstrate compliance with this DPA. SOC 2 Type II — examination in progress and ISO 27001 certification is targeted; when issued, those reports will be available under NDA. Where information is insufficient and Customer has a documented basis, the parties will agree on the scope and timing of an audit, no more than once per year except following a breach or as required by a regulator.
8. International transfers
Where Customer Data is transferred from the EEA, UK, or Switzerland to a country without an adequacy decision, the parties incorporate by reference the EU Standard Contractual Clauses (Module 2 or 3), the UK IDTA, and Swiss-equivalent clauses.
9. Return or deletion
On termination, ScaleIQ returns or deletes Customer Data per the Retention Policy. Customer can export data for at least 30 days following termination.
Annex II — Technical & organizational measures
- Encryption: in transit (TLS 1.2+) and at rest (AES-256) using Azure Key Vault-managed keys; customer-managed keys available on enterprise plans.
- Access control: Microsoft Entra ID, SSO, MFA, role-based access, least-privilege, just-in-time elevation, quarterly access reviews.
- Tenant isolation: Customer Data is logically separated per tenant; access is scoped at the application and database layers; AI inference is request-scoped and not pooled across customers.
- Network security: Azure private networking, Web Application Firewall, DDoS protection, centralized logging.
- Application security: secure SDLC, mandatory code review, static and dependency scanning on every build, third-party penetration testing.
- Monitoring: Azure Monitor / Application Insights, anomaly detection, on-call response.
- Resilience: daily encrypted backups, tested restoration, defined RTO/RPO.
- Incident response: documented playbook, post-incident review, customer notification per Section 6.
Contact
To execute a signed DPA, email trust@scale-iq.ai.