Record of Processing Activities
Last updated: March 28, 2026
This document describes the processing activities carried out by ScoutSocial as both Controller (for our own data) and Processor (on behalf of our customers), in accordance with Article 30 of the GDPR.
Processing Activities
| Purpose | Data Categories | Data Subjects | Recipients | Retention | Legal Basis |
|---|---|---|---|---|---|
| Account management | Name, email, organization info | Registered users | Clerk (auth) | Duration of account + 30 days | Contract |
| Social media publishing | Social account credentials, post content, media | Users, social audiences | Social platforms (LinkedIn, X, etc.) | Duration of account | Contract |
| AI content generation | User prompts, content drafts | Users | OpenAI, Anthropic | Not retained by providers beyond processing | Contract / Legitimate interest |
| Analytics and insights | Usage data, engagement metrics, performance data | Users | Google Analytics (with consent) | 24 months (aggregated) | Legitimate interest / Consent |
| Billing and subscriptions | Payment method, billing address | Account owners | Paddle (merchant of record) | Duration of account + tax retention period | Contract / Legal obligation |
| Customer support | Support tickets, communication | Users | Internal team | 24 months | Legitimate interest |
| Security and fraud prevention | IP addresses, access logs, audit trails | Users | Internal, AWS | 12 months | Legitimate interest / Legal obligation |
| Email communications | Email address, preferences | Users | Internal | Until unsubscribed | Consent (marketing) / Contract (transactional) |
Technical and Organizational Measures
- Encryption at rest and in transit (TLS 1.2+)
- Role-based access controls
- Encrypted storage of OAuth tokens and API keys
- Regular security assessments
- Employee access controls and training
- Incident response procedures
- Data backup and disaster recovery
Data Protection Officer
For inquiries about these processing activities: info@scoutsocial.ai