Last updated: 2026-06-02
This Data Processing Agreement (“DPA”) forms part of the agreement (“Agreement”) between the Customer (“Controller”) and Reworks AI Labs AB (“Scape”, “Processor”), and applies when Scape processes Personal Data on behalf of the Customer in connection with the Service.
Terms used in this DPA have the meanings given in the Agreement or under the GDPR, including: “Controller”, “Processor”, “Personal Data”, “Data Subject”, “Processing”, “Personal Data Breach”, and “Standard Contractual Clauses” (“SCCs”). “Subprocessor” means a third party engaged by Scape to process Personal Data to help provide the Service.
The Customer is the Controller of Personal Data processed under this DPA. Reworks AI Labs AB (Scape) is the Processor.
Where the Customer is itself a Processor acting on behalf of a third-party Controller, Scape acts as a Subprocessor, and the Customer's instructions are deemed to reflect those of the ultimate Controller.
Scape also acts as an independent Controller for limited data it processes for its own business purposes, such as account administration, billing, security, and product analytics. That processing is governed by the Scape Privacy Policy.
Purpose: To deliver the Scape Service, including email summarization, drafting, meeting notes, transcription, search, and related features.
Duration: Scape processes Personal Data for the term of the Agreement and only for as long as necessary to provide the Service and fulfil the purposes set out in this DPA.
Type of Personal Data:
Data Subjects: The Customer's employees and users, and any individuals whose Personal Data appears in their emails, calendars, or meetings.
Scape will:
Scape does not use Customer Data to train or improve machine-learning models. All LLM inference is performed within the EU through Google Cloud Vertex AI, and all meeting transcription is performed within the EU through ElevenLabs. Scape uses these third-party AI providers only through their APIs, under their API terms, which prohibit those providers from training their models on data submitted through the API, and Scape has disabled optional training-related features. Both providers (Vertex AI and ElevenLabs) operate under zero-retention arrangements for the content submitted and the AI output generated.
The Customer provides general authorization for Scape to engage Subprocessors to process Personal Data in order to provide the Service. Before engaging a Subprocessor, Scape carries out appropriate due diligence and ensures the Subprocessor is bound by data-protection obligations no less protective than those in this DPA, whether under a written agreement with Scape or under the Subprocessor's published data processing terms, which Scape has reviewed and accepted. Scape remains responsible for its Subprocessors' performance.
Scape maintains a current list of its Subprocessors in the Scape Trust Center at https://trust.scape.app/subprocessors and informs Customers of any intended change concerning the addition or replacement of a Subprocessor by updating that list. Scape provides a mechanism to subscribe to notifications of changes to the list. If the Customer does not wish to consent to the use of a new Subprocessor, the Customer may notify Scape, within twenty (20) business days of Scape notifying the Customer of the change, that it objects on reasonable grounds relating to the protection of Personal Data. The parties will then work together in good faith to find a mutually acceptable resolution. If the parties are unable to reach a mutually acceptable resolution within a reasonable timeframe, the Customer may, as its sole and exclusive remedy, terminate the affected part of the Service by providing written notice to Scape and receive a refund of any prepaid fees covering the terminated portion of the Service for the period after the effective date of termination.
Scape hosts and processes all Customer Personal Data within the European Economic Area (EEA). This includes the content of emails and calendar data, and meeting audio, transcripts, and summaries, as well as meeting transcription and all AI and LLM processing, each of which is performed within the EEA under zero-data-retention arrangements with the relevant Subprocessors. Audio recordings sent for transcription are deleted once transcription is complete.
Scape does not transfer the content of Customer emails, calendar data, or meetings outside the EEA. Where limited account or usage data (for example, payment or error-monitoring data) is processed by a Subprocessor outside the EEA, the United Kingdom, or Switzerland, that transfer is governed by the European Commission's Standard Contractual Clauses, together with the UK International Data Transfer Addendum and the Swiss addendum where applicable, and the supplementary technical and organizational measures described in Section 7. Where the EU SCCs apply, they are governed by the law of Sweden, with the Swedish Authority for Privacy Protection (IMY) as the competent supervisory authority.
If any further processing of Customer Personal Data outside the EEA, the UK, or Switzerland becomes necessary in the future, Scape will ensure the transfer is governed by an appropriate safeguard under applicable data protection law, together with any supplementary measures needed to ensure an essentially equivalent level of protection, and will notify the Customer and update the Scape Trust Center before any such transfer begins.
If Scape receives a legally binding request from a public authority for Customer Personal Data, then unless legally prohibited Scape will notify the Customer without undue delay, attempt to redirect the authority to the Customer, and disclose only the minimum Personal Data strictly required. Scape will not provide any government authority with direct or unfettered access to Personal Data and will challenge requests that are unlawful, overbroad, or inconsistent with applicable data protection law.
Scape implements appropriate technical and organizational measures to protect Personal Data. Scape may update these measures provided the overall level of security is not reduced.
Personal Data is encrypted in transit using TLS. Connections to Scape's database enforce TLS in production.
Personal Data is encrypted at rest using industry-standard AES-256 encryption provided by Scape's cloud infrastructure.
This is true for all vendors storing email content and meeting summaries (Turbopuffer, PlanetScale & Google Cloud).
Access to production systems is managed through cloud identity and access management (IAM). Scape does not use long-lived service-account keys.
Administrative access to key systems requires multi-factor authentication.
Customer data is logically isolated per workspace, enforced at the application data layer to prevent cross-tenant access.
User authentication is handled through WorkOS, with session tokens verified on each request.
Production, staging, and development run in separate, isolated environments with separate databases and credentials.
Scape operates error monitoring, distributed tracing, structured logging, and metrics across its production systems.
A current list of Subprocessors is maintained in the Scape Trust Center at https://trust.scape.app/subprocessors. Subprocessors include Google Cloud (hosting and LLM inference via Vertex AI), PlanetScale (database), Turbopuffer (vector storage), WorkOS (authentication), ElevenLabs (meeting transcription), and Stripe (payment processing). Subprocessors are bound by data-protection terms and may only process Personal Data to provide the Service.
Scape maintains a SOC 2 Type II attestation and an ISO/IEC 27001 certification, each assessed by an independent third party on an annual basis. Scape processes Personal Data in compliance with the GDPR and other applicable data protection law. Current copies of Scape's SOC 2 Type II report and ISO/IEC 27001 certificate are made available to the Customer through the Scape Trust Center, subject to confidentiality obligations.
Taking into account the nature of processing and the information available to it, Scape will provide reasonable assistance to the Customer in:
Where Scape receives a Data Subject request directly, it will not respond except to direct the individual to the Customer, unless legally required or instructed otherwise.
The Customer may request Scape's assistance with a Data Protection Impact Assessment or a prior consultation with a supervisory authority. Such assistance consists of Scape providing relevant information about the Personal Data processed in the Service, and Scape may charge its professional-services fees on a time-and-materials basis for such assistance.
Any request for information, assistance, or activity beyond Scape's ordinary course of business, routines, or practices, or beyond what is otherwise commercially reasonable, may be subject to additional fees and charges to be agreed between the parties.
Scape will notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting the Customer's Personal Data. The notification will include, to the extent known:
Scape will take reasonable steps to contain and remediate the breach. Scape's notification of, or response to, a Personal Data Breach is not an acknowledgment of fault or liability.
For clarity, unsuccessful attempts that do not compromise the security of Personal Data (such as failed log-in attempts, pings, or port scans) do not constitute Personal Data Breaches.
The obligations in this Section do not apply to the extent a Personal Data Breach is caused by the Customer, the Customer's affiliate, or anyone acting on the Customer's behalf, except that Scape will inform the Customer of the breach and provide the information it has identified up to the point at which it determines the breach was so caused.
On reasonable written request, and no more than once per year unless required by a supervisory authority, Scape will make available information necessary to demonstrate compliance with this DPA. Scape satisfies this primarily by providing its SOC 2 Type II report, ISO/IEC 27001 certificate, and other security documentation through the Scape Trust Center.
On termination or expiry of the Agreement, at the Customer's choice Scape will return or delete the Personal Data it processes on the Customer's behalf, including emails, calendar data, meeting recordings, transcripts, and derived data such as embeddings. Scape will retain Personal Data after termination only to the extent, and for as long as, permitted or required under applicable data protection laws. Copies of Personal Data may remain in encrypted backups for a limited period after deletion from active systems. Those copies are automatically overwritten as backups expire on Scape's regular backup schedule, and are not used for any other purpose in the meantime.
Deletion or return of Personal Data through the standard functionality of the Service, and deletion carried out in the ordinary course on termination, are not chargeable. Where the Customer asks Scape to perform a custom data export or a bespoke deletion exercise requiring substantial manual effort, Scape may recover its reasonable and documented costs at its then-current professional-services rates, except where applicable data protection law prohibits such a charge.
To the extent Scape processes Personal Data on the Customer's behalf that is subject to U.S. state privacy laws, including the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA”) and comparable state laws (collectively, “U.S. Privacy Laws”), this Section applies. For the purposes of the CCPA, the Customer is the “business” and Scape is a “service provider.” Scape will:
The Customer has the right to take reasonable and appropriate steps to help ensure that Scape uses Personal Data in a manner consistent with the Customer's obligations under U.S. Privacy Laws. Scape certifies that it understands and will comply with these restrictions.
Each party's liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitations and exclusions of liability set out in the Agreement. Any reference to the liability of a party in the Agreement means the aggregate liability of that party under the Agreement and this DPA together, and liability under this DPA will not be considered separate from, or additional to, the limitations set out in the Agreement.
Neither party is obligated to indemnify the other for any administrative fine imposed on it by a supervisory authority under applicable data protection law.
To the maximum extent permitted by law, neither party will be liable to the other under this DPA for any loss of profits, revenue, goodwill, or anticipated savings, or for any indirect, special, incidental, or consequential damages, even if advised of the possibility of such damages.
This DPA is governed by the laws of Sweden, and is subject to the same jurisdiction and dispute-resolution terms as the Agreement. Stockholms tingsrätt (Stockholm District Court) will be the court of first instance.
For privacy or security matters, contact: