Data Processing Agreement
Last updated: April 24, 2026
1. Introduction
This Data Processing Agreement (“DPA”) forms part of the agreement between the Customer (“Controller”) and ScoutSocial (“Processor”) for the provision of the ScoutSocial platform.
2. Definitions
- “Personal Data” means any data relating to an identified or identifiable natural person
- “Processing” means any operation performed on personal data
- “Controller” means the entity that determines the purposes and means of processing
- “Processor” means the entity that processes personal data on behalf of the Controller
- “Sub-processor” means any third party engaged by the Processor to process personal data
3. Scope and Roles
The Customer acts as Controller. ScoutSocial acts as Processor. Processing is limited to providing the ScoutSocial platform as described in the Terms of Service.
4. Processing Purposes
ScoutSocial processes personal data solely for:
- Providing and maintaining the platform
- Social media content management and publishing
- AI-powered content generation and analysis
- Analytics and performance reporting
- Account and subscription management
4.1 EU/UK Lawful-Basis Mapping
For customers and data subjects in the EU/EEA/UK, ScoutSocial's processing activities map to the following GDPR/UK GDPR lawful bases:
- Performance of contract (Art. 6(1)(b)): authentication, social publishing/scheduling, analytics retrieval, AI content generation, and subscription operations necessary to deliver the contracted service.
- Legitimate interests (Art. 6(1)(f)): platform security, abuse prevention, service reliability, and observability (including optional tracing).
- Legal obligation (Art. 6(1)(c)): mandatory compliance logging, tax/accounting records, and responses to lawful regulatory requests.
- Consent (Art. 6(1)(a)): optional analytics cookies and optional marketing communications.
ScoutSocial maintains internal legitimate-interest balancing assessments for Art. 6(1)(f) processing activities.
Public-interest and vital-interest lawful bases are not used for ordinary ScoutSocial service processing.
5. Sub-Processors
ScoutSocial uses the sub-processors below. Social network APIs (LinkedIn, X, Meta, TikTok, YouTube/Google), Vercel, Redis, and other infrastructure providers are listed in full on the Sub-Processors page.
- Clerk (US) — authentication and identity management
- Stripe (US) — payment processing
- Amazon Web Services (US/EU) — cloud infrastructure and hosting
- OpenAI (US)
- Anthropic (US)
- Google (Gemini / Google AI Studio)
- LangChain (LangSmith) (US) — LLM tracing and observability when enabled
- PostHog (EU) — product analytics (with user consent)
- Google Analytics (US) — website and product analytics (with user consent)
We will notify customers before adding new sub-processors. The Sub-Processors table is the authoritative full list.
6. Data Security
ScoutSocial implements:
- Encryption of data at rest and in transit (TLS 1.2+)
- Access controls and role-based permissions
- Encrypted storage of OAuth tokens and API keys
- Regular security assessments
- Incident response procedures
- Employee access controls and training
Our security program aligns with widely recognized frameworks (e.g., ISO/IEC 27001, NIST Cybersecurity Framework, SOC 2 principles).
7. Data Subject Rights
ScoutSocial will assist the Controller in responding to data subject requests including: access, rectification, erasure, portability, restriction, and objection. The platform provides a self-service data export feature in Settings.
8. Data Breach Notification
ScoutSocial will notify the Controller of any personal data breach without undue delay and no later than 72 hours after becoming aware. Notification will include:
- Nature of the breach
- Categories and number of data subjects affected
- Likely consequences
- Measures taken to address the breach
9. International Transfers
Where personal data is transferred outside the EEA, ScoutSocial relies on:
- Standard Contractual Clauses (SCCs) as approved by the European Commission
- Adequacy decisions where applicable
- Supplementary measures where required
9.5 Government Requests
ScoutSocial will not disclose Customer Personal Data to a government authority unless required by law. Where legally permitted, we will notify the Customer, attempt to redirect the requesting authority to the Customer, and disclose only the minimum information legally required.
10. Audit Rights
The Controller may audit ScoutSocial's compliance with this DPA. Audits will be conducted with reasonable notice, during business hours, and no more than once per year unless required by a supervisory authority.
11. Data Deletion
Upon termination of the service agreement and upon written request within 30 days:
- ScoutSocial will return Customer Personal Data; or
- ScoutSocial will securely delete Customer Personal Data
unless retention is required by law.
Organization administrators can submit a self-service deletion request in the product by going to Settings → Privacy & Cookies, selecting Request Data Deletion, and confirming with the organization name.
After submission, the organization is scheduled for permanent deletion and data is removed within 30 days. To cancel a pending deletion request, contact info@scoutsocial.ai.
Until deletion occurs, ScoutSocial will continue to protect the data under this DPA.
12. Term
This DPA is effective for the duration of the service agreement. Obligations regarding data protection survive termination.
13. Contact
For DPA inquiries:
Email: info@scoutsocial.ai
