Data Processing Agreement

Last updated: June 14, 2026

1. Introduction

This Data Processing Agreement (DPA) forms part of, and is incorporated by reference into, the Terms of Service between Aigentifyable LLC (“ScoutSocial”, Processor) and the Customer (as defined in § 1.5 of the ToS, Controller). It applies whenever, in the course of providing the ScoutSocial platform, ScoutSocial processes Personal Data on the Customer's behalf. Where the Customer is itself a natural person using ScoutSocial for personal purposes (not on behalf of an organisation), this DPA applies only to the extent the Customer is acting as controller of third-party Personal Data (e.g. data of social-platform Members it is processing through ScoutSocial).

2. Definitions

  • “Personal Data” means any data relating to an identified or identifiable natural person
  • “Processing” means any operation performed on personal data
  • “Controller” means the entity that determines the purposes and means of processing
  • “Processor” means the entity that processes personal data on behalf of the Controller
  • “Sub-processor” means any third party engaged by the Processor to process personal data

“Connected Platform” means a third-party social-media service whose account the Customer has connected to ScoutSocial via OAuth (currently Facebook, Instagram, LinkedIn, X, TikTok and YouTube). “Platform Data” means any data ScoutSocial accesses, stores or processes through a Connected Platform's API — including raw API responses, derived analytics, and aggregated outputs — within the meaning of each platform's developer terms (e.g. “Platform Data” under Meta Platform Terms; “Marketing Data” / “Member Data” under LinkedIn API Terms; “YouTube API Data” under YouTube API Services ToS; “X Content” under the X Developer Agreement; “TikTok Information” under the TikTok Developer ToS). “Authorised Client” has the meaning given in the LinkedIn Marketing API Terms. “Tech Provider” means a third-party developer providing services on behalf of an end-user under Meta's, LinkedIn's or Google's developer programs, in which capacity ScoutSocial acts when it manages a Page, organisation or channel on the Customer's behalf.

3. Scope and Roles

3.1 Customer as Controller. With respect to (a) account data of the Customer and its workspace users, (b) content the Customer or its users create or upload in ScoutSocial, and (c) Platform Data the Customer instructs ScoutSocial to process on its behalf, the Customer is the data Controller and ScoutSocial is the data Processor, and the processing is limited to providing the service as described in the Terms of Service.

3.2 Independent controller for certain Platform Data. For Platform Data ScoutSocial receives from certain Connected Platforms (notably X under the X Controller-to-Controller Data Protection Addendum, and TikTok under TikTok's C2C Data Terms), ScoutSocial receives that data as an independent Controller alongside the source platform. The Customer acknowledges this dual relationship; ScoutSocial's obligations under this DPA continue to apply to such data in addition to its obligations as independent controller.

3.3 Sub-Processor relationships. ScoutSocial's sub-processors (§ 5) act as processors of ScoutSocial under written terms; their relationship with the Customer is governed by this DPA.

4. Processing Purposes

ScoutSocial processes personal data solely for:

  • Providing and maintaining the platform
  • Social media content management and publishing
  • AI-powered content generation and analysis
  • Analytics and performance reporting
  • Account and subscription management

4.1 EU/UK Lawful-Basis Mapping

For customers and data subjects in the EU/EEA/UK, ScoutSocial's processing activities map to the following GDPR/UK GDPR lawful bases:

  • Performance of contract (Art. 6(1)(b)): authentication, social publishing/scheduling, analytics retrieval, AI content generation, and subscription operations necessary to deliver the contracted service.
  • Legitimate interests (Art. 6(1)(f)): platform security, abuse prevention, service reliability, and observability (including optional tracing).
  • Legal obligation (Art. 6(1)(c)): mandatory compliance logging, tax/accounting records, and responses to lawful regulatory requests.
  • Consent (Art. 6(1)(a)): optional analytics cookies and optional marketing communications.

ScoutSocial maintains internal legitimate-interest balancing assessments for Art. 6(1)(f) processing activities.

Where any feature would involve processing of GDPR Article 9 special-category data, ScoutSocial will obtain explicit consent under Art. 9(2)(a) or rely on another Art. 9 condition explicitly identified before processing. ScoutSocial does not currently process Article 9 data in its standard service. A per-activity lawful-basis mapping is also maintained in our Privacy Policy § 4 and the two must be read consistently.

Public-interest and vital-interest lawful bases are not used for ordinary ScoutSocial service processing.

5. Sub-Processors

ScoutSocial engages the sub-processors listed at scoutsocial.ai/legal/sub-processors, which is the authoritative current list and is updated whenever sub-processors are added, replaced or removed. Each sub-processor is engaged under a written processor agreement that imposes data-protection obligations no less protective than those in this DPA. For sub-processors processing Personal Data outside the EEA, the relevant SCCs (Module Two, controller-to-processor) and the UK IDTA are incorporated by reference into this DPA. ScoutSocial's contracts with OpenAI and Anthropic prohibit those providers from training their models on Customer Personal Data, content, prompts or outputs. ScoutSocial will give Customer at least 30 days' prior notice by email or in-app of any addition, replacement or change of sub-processor that processes Customer Personal Data. The Customer may object to the change on reasonable data-protection grounds; if the objection cannot be resolved, the Customer may terminate the affected service for convenience.

Schedule S-1 — sub-processor categories

ScoutSocial engages sub-processors in the following categories: authentication and identity; payments and billing (merchant of record); cloud infrastructure, hosting, storage, content delivery and transactional email; AI/LLM inference and related tooling (under no-training contractual terms); web search/retrieval for AI features; product analytics and bot/abuse protection (consent-gated where applicable); and the Connected Platform APIs (Meta, LinkedIn, X, TikTok, YouTube/Google) accessed under the Customer's authorisation. The authoritative, current list of named sub-processors — with data categories, locations and transfer mechanisms — is maintained at the Sub-Processors page and is incorporated into this DPA by reference.

5.1 Note on X-side records

Note on X-side records. X retains records of the OAuth grants you make to ScoutSocial — including the ScoutSocial developer-app identifier, grant timestamp and scopes requested — as described in X's Privacy Policy § 1.3. This is X-side processing, separate from ScoutSocial's processing under this DPA.

6. Data Security

ScoutSocial implements appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. Measures include encryption of data in transit (TLS 1.2+) and at rest, role-based access controls, encrypted storage of OAuth access and refresh tokens, regular security assessments, vulnerability management, employee confidentiality and training, and documented incident-response procedures. ScoutSocial does not collect or store Connected Platform login credentials directly — only OAuth tokens granted through the platform's authorisation flow. The full description of measures is published at scoutsocial.ai/legal/security and aligns with widely recognised frameworks (ISO/IEC 27001, NIST CSF, SOC 2 principles); to the extent required by a specific Connected Platform's developer terms, ScoutSocial implements that platform's prescribed Technical and Organisational Measures (TOMs) for incoming Platform Data.

Tenant isolation. All Customer Personal Data and Platform Data is logically isolated by organisation; ScoutSocial does not permit access to one organisation's data by another, and every data-access path is scoped to the organisation that owns the data.

Emergency platform kill switch. ScoutSocial maintains a per-platform kill switch that allows it to immediately halt all outbound API calls to a Connected Platform in response to a compliance or security event; when a platform is disabled, requests are blocked before any data is transmitted.

7. Data Subject Rights

ScoutSocial will assist the Customer (taking into account the nature of the processing and the information available to ScoutSocial) in responding to data-subject requests for access, rectification, erasure, portability, restriction and objection, including by providing a self-service data export in Settings → Workspace & Preferences → Privacy & Cookies. Where a Connected Platform forwards a data-subject request relating to a Customer account to ScoutSocial (notably Meta and LinkedIn — see § 7.2 below), ScoutSocial will notify the Customer within 24 hours. For platform-side data, ScoutSocial routes data subjects to the platform's own rights channel (TikTok webform, Google account permissions, LinkedIn Help, Meta Help, X privacy form) — see Privacy Policy § 9. Standard response SLA: ScoutSocial will fulfil verified data-subject requests within one calendar month (extendable to three months for complex requests, with notification).

DPIAs and prior consultations (Art. 28(3)(f)). Taking into account the nature of the processing and the information available to it, ScoutSocial will provide reasonable assistance to the Customer with data-protection impact assessments and with prior consultations of supervisory authorities under GDPR Articles 35–36.

7.2 Tech Provider obligations

Where ScoutSocial acts as a Tech Provider for the Customer under Meta's Platform Terms or LinkedIn's API Terms, ScoutSocial undertakes to:

  • (a) process Platform Data only at the direction of the specific Customer;
  • (b) maintain strict per-Customer data segregation, with no cross-tenant access;
  • (c) maintain a list of all Customer organisations producible to the platform on its request;
  • (d) promptly terminate the Customer's access to the affected platform's data on the platform's request, in the platform's stated timeframe;
  • (e) notify the affected Customer within 24 hours of any data-subject request the platform forwards to ScoutSocial concerning the Customer's accounts.

YouTube Authorized Data is confined within each Customer's workspace and is exposed only to users the authorising individual has approved.

8. Data Breach Notification

ScoutSocial will notify the Controller of any personal data breach without undue delay and no later than 72 hours after becoming aware. Notification will include:

  • Nature of the breach
  • Categories and number of data subjects affected
  • Likely consequences
  • Measures taken to address the breach

Where the breach involves Platform Data from a Connected Platform, ScoutSocial will additionally notify the Connected Platform within its required timeframe and through its required channel — including, for LinkedIn, written notification to security@linkedin.com within 24 hours of discovery, and for Meta, submission via the Meta incident form. ScoutSocial will coordinate with the Customer before any public statement to honour platform-specific public-statement embargoes (e.g. LinkedIn requires prior written permission).

9. International Transfers

Where Personal Data is transferred outside the European Economic Area or the United Kingdom to a country not subject to an adequacy decision, ScoutSocial relies on:

  • (a) the European Commission's Standard Contractual Clauses (Module One controller-to-controller, or Module Two controller-to-processor, as applicable), incorporated by reference into this DPA and into ScoutSocial's contracts with each non-adequate sub-processor;
  • (b) for UK Personal Data, the UK International Data Transfer Addendum (IDTA);
  • (c) supplementary technical measures, including encryption in transit and at rest, key management, and identifier redaction before transmission to AI sub-processors.

As an additional safeguard for X-sourced Personal Data transferred to X Corp. (USA), ScoutSocial relies on X's certification under the EU-US Data Privacy Framework, the Swiss-US DPF and the UK Extension. Transfer documentation is available to the Customer on request.

9.5 Government Requests

ScoutSocial will not disclose Customer Personal Data to a government authority unless required by law. Where legally permitted, we will notify the Customer, attempt to redirect the requesting authority to the Customer, and disclose only the minimum information legally required.

10. Audit Rights

10.1 Customer audits. The Customer may, on reasonable prior written notice and no more than once per year (unless required by a supervisory authority or following a confirmed material breach), audit ScoutSocial's compliance with this DPA. ScoutSocial may discharge audit obligations primarily through any third-party certifications or reports it holds (such as SOC 2 or ISO/IEC 27001, if and when obtained); on-site audits are reserved for situations where third-party reports are insufficient to address a documented concern.

10.2 Platform audits. The Customer acknowledges that several Connected Platforms (notably Meta, with at least 10 business days' notice; YouTube via API Compliance Audits) may audit ScoutSocial's processing of Platform Data. ScoutSocial will cooperate with such audits, including by providing test accounts and documentation, and will inform the Customer of the outcome to the extent permitted.

11. Data Deletion

11.1 Standard deletion. On termination of the service or on the Customer's written request within 30 days after termination, ScoutSocial will, at the Customer's choice, return or securely delete Customer Personal Data (except where ScoutSocial is required by law to retain a copy). The Customer may also trigger deletion at any time via Settings → Workspace & Preferences → Privacy & Cookies → Request Data Deletion; deletion is completed within 30 days unless platform-specific overrides apply. The 30-day period operates as a grace period during which a pending deletion may be cancelled; once it elapses, ScoutSocial performs a permanent hard deletion (including media stored in object storage) that is irreversible.

11.2 Platform-specific deletion overrides. Where a Connected Platform requires earlier or differently scoped deletion, that requirement prevails over § 11.1:

  • LinkedIn Member Data and OAuth tokens — immediate on Member request;
  • LinkedIn Stored Marketing Data — within 10 days of Customer cessation;
  • YouTube API Data on user revocation via Google permissions — within 7 days;
  • YouTube and TikTok on API-termination — full deletion in all forms across all storage systems, with signed deletion certification provided to Google where YouTube so requires;
  • Meta API-fetched content propagating source deletion — within 90 days.

Until deletion is complete, the data remains protected under this DPA. To cancel a pending deletion request, contact privacy@scoutsocial.ai before the deletion deadline.

11.3 Agency / multi-client offboarding

Where the Customer is an agency operating multiple end-clients inside a single ScoutSocial workspace, the Customer warrants that:

  • (a) it has the authority to act as data controller (or to bind the end-client as controller) for each end-client's data;
  • (b) within its workspace, ScoutSocial-side per-client segregation is enforced through workspace, project and access-control settings the Customer configures;
  • (c) on offboarding of an individual end-client, the Customer is responsible for triggering deletion of that client's data via the in-product tools, which ScoutSocial will execute within 30 days subject to platform-specific overrides under § 11.2.

12. Term

This DPA is effective for the duration of the service agreement. Obligations regarding data protection survive termination.

13. Contact

For DPA inquiries:

Email: privacy@scoutsocial.ai

13.1 LinkedIn-specific addendum

Customers using ScoutSocial's LinkedIn integration as part of an enterprise contract may request a LinkedIn-specific addendum to this DPA which describes in detail (a) the LinkedIn Content ScoutSocial accesses on the Customer's behalf, (b) the purposes and retention applied, (c) the Member-data deletion and storage rules, and (d) the Customer's rights to audit and to require deletion. This addendum is available on request to legal@scoutsocial.ai and is required for compliance with the LinkedIn Marketing API Terms where ScoutSocial acts as an Authorised Developer on the Customer's behalf.

Annex A — Subject Matter and Details of Processing

A.1 Subject matterScoutSocial's provision of the social media management platform to the Customer.
A.2 DurationFor the term of the Terms of Service.
A.3 Categories of data subjectsCustomer personnel (workspace users); Customer end-clients where the Customer is an agency; end-users of Connected Platforms (followers, commenters, etc.) whose data is exposed through the platform APIs.
A.4 Categories of Personal DataIdentifiers (name, email, organisation, platform user IDs/handles); authentication credentials (OAuth access and refresh tokens); content (drafts, posts, AI prompts and outputs, media files); analytics and metrics; usage and device data; billing identifiers (full card data handled by Paddle).
A.5 Special-category dataNone expected.
A.6 Processing purposesAs set out in § 4 of this DPA.
A.7 RetentionAs set out in § 11 of this DPA and the Privacy Policy retention table.

Annex B — Technical and Organisational Measures

A summary of the TOMs implemented by ScoutSocial is published at scoutsocial.ai/legal/security and is incorporated by reference into this DPA. Customers requiring an executed copy of the SCCs or a copy of TOMs in a signed appendix format may request one at privacy@scoutsocial.ai.

© 2026 ScoutSocial. All rights reserved.

Home