Legal — Data Processing Agreement

How we process personal data for you

When ScaleBridger handles personal data on your behalf — leads, contacts, CRM records, booking or payment details — this Data Processing Agreement sets the processor terms. It is executed before any such processing begins.

Version v0.1
Last updated July 6, 2026
Governing law Texas, USA

This Data Processing Agreement (“DPA”) forms part of, and is governed by, the ScaleBridger Terms & Conditions (the “Terms”) between ScaleBridger and the Client. It applies whenever ScaleBridger processes personal data on the Client’s behalf in the course of providing the Services. Capitalized terms not defined here have the meaning given in the Terms.

ScaleBridger and the Client shall execute this DPA before ScaleBridger processes any personal data on the Client’s behalf. Execution occurs as part of the Order Form, signed agreement, or portal acceptance for an engagement; once executed, this DPA controls over the “Data, Privacy, and Security” section of the Terms for personal-data processing. Where the Client is subject to data-protection law, this DPA is intended to satisfy the processor-terms requirement of that law (including Article 28 of the EU/UK GDPR and the service-provider requirements of the CCPA/CPRA).

Contents
  1. 01Purpose and Scope
  2. 02Definitions
  3. 03Roles of the Parties
  4. 04Subject Matter, Duration, Nature, and Purpose of Processing
  5. 05Processing on Documented Instructions
  6. 06Confidentiality
  7. 07Security of Processing
  8. 08Sub-processors
  9. 09Assistance with Data-Subject Rights
  10. 10Assistance with Security, Breach, and Impact Assessments
  11. 11Personal-Data Breach Notification
  12. 12Deletion or Return of Personal Data
  13. 13Records and Audits
  14. 14International Data Transfers
  15. 15CCPA / US State Privacy Terms
  16. 16Client's Obligations
  17. 17Liability and Order of Precedence
  18. 18Term, Execution, and Effect
  19. 19Governing Law
  20. 20Contact
01

Purpose and Scope

This DPA sets out the terms on which ScaleBridger, acting as a processor (and, under the CCPA/CPRA, a service provider), processes personal data on behalf of the Client, who acts as the controller (and, under the CCPA/CPRA, the business). It applies to personal data that ScaleBridger processes in order to provide audits, implementation, digital infrastructure, automations, CRM configuration, payment-flow setup, and related Services under an Order Form or SOW.

This DPA does not apply to personal data for which ScaleBridger is itself the controller — for example, ScaleBridger’s own website visitors, prospects, and business contacts — which is addressed by the ScaleBridger Privacy Policy.

02

Definitions

“Personal Data” means any information relating to an identified or identifiable natural person that ScaleBridger processes on the Client’s behalf under the Terms. “Processing” means any operation performed on Personal Data. “Data Subject” means the individual to whom Personal Data relates. “Sub-processor” means a third party engaged by ScaleBridger to process Personal Data in connection with the Services.

“Applicable Data Protection Law” means the privacy and data-protection laws that apply to the Client’s processing of the Personal Data, which may include the EU General Data Protection Regulation (“GDPR”), the UK GDPR, and US state privacy laws such as the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA/CPRA”). “Controller,” “Processor,” “Business,” “Service Provider,” “Sale,” and “Share” have the meanings given in the relevant Applicable Data Protection Law.

03

Roles of the Parties

As between the parties, the Client is the controller (business) and determines the purposes and means of processing the Personal Data. ScaleBridger is the processor (service provider) and processes the Personal Data only on the Client’s behalf. The Client is responsible for establishing a lawful basis for the processing, providing all required privacy notices to Data Subjects, and obtaining and maintaining all required consents and opt-outs.

Under the CCPA/CPRA, ScaleBridger receives Personal Data solely to perform the Services for the business purpose set out in the Terms and the Order Form. ScaleBridger does not sell or share the Personal Data, does not retain, use, or disclose it for any purpose other than performing the Services (or as otherwise permitted by law), and does not combine it with Personal Data received from other sources except as permitted by the CCPA/CPRA.

04

Subject Matter, Duration, Nature, and Purpose of Processing

Subject matter. ScaleBridger’s processing of Personal Data as necessary to provide the Services described in the Terms and the applicable Order Form or SOW.

Duration. For the term of the engagement, and thereafter only as needed to return or delete the Personal Data or as required by law, after which processing ends.

Nature and purpose. Configuring, operating, and supporting digital infrastructure — such as websites, lead capture, CRM records, pipelines, booking flows, payment-flow setup, automations, follow-up, dashboards, and reporting — on the Client’s behalf.

Types of Personal Data. As determined by the Client and the systems it asks ScaleBridger to configure — typically contact identifiers (such as name, business name, email address, and phone number), lead and customer records, communication and message content, appointment and booking details, and payment metadata. The Client is responsible for not routing special-category or otherwise sensitive data into the Services except where the engagement expressly authorizes it with appropriate safeguards.

Categories of Data Subjects. As determined by the Client — typically the Client’s own leads, customers, guests, owners, tenants, contacts, and personnel.

05

Processing on Documented Instructions

ScaleBridger processes Personal Data only on the Client’s documented instructions, including with regard to international transfers, unless required to do otherwise by law that applies to ScaleBridger — in which case ScaleBridger informs the Client of that legal requirement before processing, unless the law prohibits such notice on important grounds of public interest.

The Terms, the applicable Order Form or SOW, this DPA, and the Client’s ordinary use and configuration of the Services together constitute the Client’s documented instructions for processing. If ScaleBridger considers that an instruction infringes Applicable Data Protection Law, it will inform the Client, and may pause the affected processing until the instruction is confirmed or corrected.

06

Confidentiality

ScaleBridger ensures that persons authorized to process the Personal Data are bound by an appropriate obligation of confidentiality — whether contractual or statutory — and that access to Personal Data is limited to personnel and contractors who need it to perform the Services.

07

Security of Processing

Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the processing, ScaleBridger implements reasonable technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures may include, as appropriate: access controls and least-privilege access; use of reputable platforms that support encryption of data in transit; careful handling of credentials and administrative access; segregation of client environments where feasible; and logging of relevant activity for security and enforcement.

The Client acknowledges that security is a shared responsibility and that no system, platform, or method of transmission or storage is completely secure; ScaleBridger does not guarantee absolute security. The Client is responsible for the security of accounts, credentials, and systems under its control, for configuring appropriate settings in third-party platforms, and for following ScaleBridger’s security recommendations. ScaleBridger makes no certification, seal, or audited-standard representation on this page.

08

Sub-processors

The Client grants ScaleBridger general authorization to engage sub-processors to process Personal Data in order to provide the Services. ScaleBridger’s current sub-processors are listed, by category and purpose, on the Subprocessors page. Many Services also rely on platforms and accounts that the Client itself owns or is required to hold (for example, its own CRM, payment processor, hosting, booking, or PMS accounts); those are the Client’s own arrangements, and the Client is responsible for their terms.

ScaleBridger imposes on each sub-processor data-protection obligations that are, in substance, no less protective than those in this DPA, to the extent applicable to the sub-processor’s role. ScaleBridger remains responsible to the Client for a sub-processor’s performance of its data-protection obligations to the same extent ScaleBridger would be responsible if performing the service itself.

ScaleBridger will update the Subprocessors page when it adds or replaces a sub-processor that processes Personal Data, and, where required by Applicable Data Protection Law, will provide a mechanism for the Client to receive notice of, and reasonably object to, a new sub-processor. If the Client reasonably objects on data-protection grounds, the parties will work in good faith to address the objection; if it cannot be resolved, the Client may terminate the affected Services as provided in the Terms.

09

Assistance with Data-Subject Rights

Taking into account the nature of the processing, ScaleBridger provides reasonable assistance to the Client, by appropriate technical and organizational measures and insofar as this is possible, to help the Client respond to requests from Data Subjects to exercise their rights under Applicable Data Protection Law (such as access, correction, deletion, restriction, portability, objection, or opt-out).

If ScaleBridger receives a request or communication from a Data Subject relating to Personal Data processed on the Client’s behalf, it will not respond directly except to confirm that the request should be directed to the Client, and will forward the request to the Client without undue delay, unless the Client has instructed otherwise or law requires otherwise.

10

Assistance with Security, Breach, and Impact Assessments

Taking into account the nature of the processing and the information available to ScaleBridger, ScaleBridger provides reasonable assistance to the Client with the Client’s obligations relating to the security of processing, notification of personal-data breaches, data-protection impact assessments, and prior consultation with a supervisory authority, where such obligations apply to the Client under Applicable Data Protection Law.

11

Personal-Data Breach Notification

ScaleBridger notifies the Client without undue delay after becoming aware of a personal-data breach affecting Personal Data processed on the Client’s behalf. Consistent with the Terms, the notification will describe, to the extent then known and as information becomes available, the nature of the breach, the categories and approximate number of Data Subjects and records affected, the likely consequences, and the measures taken or proposed to address it. ScaleBridger cooperates reasonably with the Client’s investigation and response.

A notification or assistance under this section is not an acknowledgment by ScaleBridger of fault or liability. The Client is responsible for any notifications it is required to make to Data Subjects, regulators, or others.

12

Deletion or Return of Personal Data

On termination or completion of the Services, and at the Client’s choice, ScaleBridger deletes or returns the Personal Data it processes on the Client’s behalf and deletes existing copies, unless retention is required by law or the Personal Data resides in third-party platforms or accounts that the Client owns or controls. Return, export, migration, or handoff assistance may be subject to the fees described in the Terms.

ScaleBridger may retain Personal Data to the extent, and for the period, required by applicable legal, accounting, backup, or security obligations, and only for those purposes, after which it deletes or de-identifies it within a reasonable period. ScaleBridger is not responsible for data that remains in third-party Services after the Client’s access, subscription, or relationship with those providers ends.

13

Records and Audits

ScaleBridger makes available to the Client information reasonably necessary to demonstrate compliance with this DPA and, where required by Applicable Data Protection Law, allows for and contributes to reasonable audits or inspections conducted by the Client or an auditor it mandates.

Audits are conducted on reasonable prior written notice, no more than once in any twelve-month period (except where required by a supervisory authority or following a personal-data breach), during business hours, in a manner that does not unreasonably disrupt ScaleBridger’s operations, subject to appropriate confidentiality obligations, and without requiring ScaleBridger to disclose another client’s data, trade secrets, or information that would compromise security. Where available, ScaleBridger may satisfy an audit request by providing existing documentation or third-party reports.

14

International Data Transfers

ScaleBridger and its sub-processors are located primarily in the United States, and Personal Data may be processed there. Where Personal Data originating from a jurisdiction with cross-border transfer requirements (such as the EU, UK, or Switzerland) is transferred to a country that does not provide an adequate level of protection, the parties will put in place an appropriate transfer mechanism recognized under Applicable Data Protection Law — such as the applicable Standard Contractual Clauses (and any UK Addendum or Swiss variant) — which, once executed, form part of this DPA for the affected transfers.

The specific transfer mechanism is confirmed for an engagement before Personal Data subject to those requirements is onboarded.

15

CCPA / US State Privacy Terms

To the extent the CCPA/CPRA or a comparable US state privacy law applies, ScaleBridger acts as a service provider (or processor) and certifies that it understands and will comply with the applicable restrictions. ScaleBridger does not sell or share the Personal Data; does not retain, use, or disclose it outside the direct business relationship or for any purpose other than the business purposes specified in the Terms and Order Form (or as otherwise permitted by law); and does not combine it with Personal Data from other sources except as permitted by law.

ScaleBridger will notify the Client if it determines it can no longer meet its obligations under Applicable Data Protection Law, and the Client may take reasonable steps to stop and remediate unauthorized use of the Personal Data.

16

Client's Obligations

The Client warrants that it has, and will maintain, a lawful basis for the processing; that it has provided all required privacy notices and obtained all required consents and opt-outs from Data Subjects; that its instructions to ScaleBridger comply with Applicable Data Protection Law; and that the Personal Data it provides or routes through the Services is accurate, lawfully collected, and authorized for the intended processing. The Client is responsible for its own compliance obligations as controller/business.

17

Liability and Order of Precedence

Each party’s liability under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Terms. This DPA supplements the Terms; for the processing of Personal Data on the Client’s behalf, this DPA controls over the “Data, Privacy, and Security” section of the Terms in the event of a conflict. In all other respects the order of precedence in the Terms applies. A signed Order Form or SOW, and any executed Standard Contractual Clauses, prevail over this page to the extent of a conflict.

18

Term, Execution, and Effect

This DPA takes effect when executed as part of the engagement and remains in effect for as long as ScaleBridger processes Personal Data on the Client’s behalf. Execution of this DPA is a condition precedent to ScaleBridger processing any personal data on the Client’s behalf; ScaleBridger will not begin such processing until the DPA is in effect. Sections that by their nature should survive termination — including confidentiality, deletion/return, and liability — survive.

To execute this DPA, or to request a countersigned copy for an engagement, use the contact method on the ScaleBridger website or your Order Form.

19

Governing Law

This DPA is governed by the law of the State of Texas, consistent with the Terms, without prejudice to any mandatory requirement of Applicable Data Protection Law or to the governing-law terms of any executed Standard Contractual Clauses.

20

Contact

Questions about this DPA, or requests to execute it for an engagement, can be sent through the contact method on the ScaleBridger website or your Order Form. ScaleBridger, Austin, Texas, United States.

This DPA is a v0.1 document pending counsel review; it supplements and forms part of the ScaleBridger Terms. Where ScaleBridger processes personal data on a client's behalf, this DPA controls over the Data, Privacy, and Security section of the Terms. Current sub-processors are listed on the Subprocessors page.