Data Processing Agreement

Last updated: 2025-11-17

This Data Processing Addendum (“DPA”) forms part of the agreement (“Agreement”) between the Customer (“Controller”) and Reworks, Inc. (“Processor”) when Scape processes Personal Data on behalf of the Customer.

1. Definitions

Terms used in this DPA have the same meaning as in the Agreement or under GDPR, including: “Controller”, “Processor”, “Personal Data”, “Data Subject”, “Processing”, “Personal Data Breach”, “SCCs”

2. Roles of the Parties

Customer is the Controller.

Reworks, Inc. (Scape) is the Processor.

Scape will process Personal Data only on documented instructions from the Controller.

3. Nature & Purpose of Processing

Purpose: Deliver the Scape Service, including email summarization, drafting, meeting notes, and related features.

Duration: For the term of the Agreement and any applicable retention period.

Type of Personal Data:

  • Email content and metadata (authorized by user)
  • Calendar content and metadata
  • User account information
  • Usage and device data

Data Subjects:

Customer's employees, users, contacts, and any individuals whose Personal Data appears in emails or calendars

Scape does not perform contact enrichment or pull external data about Data Subjects.

4. Subprocessors

Processor may use subprocessors.

Each subprocessor will be bound by data-protection obligations at least as protective as those in this DPA.

Current subprocessors include:

  • AWS
  • Supabase
  • PostHog
  • Sentry
  • Inngest
  • OpenAI
  • Anthropic
  • Google
  • Stripe

Processor will make an up-to-date list available upon request.

Scape does not use Customer Data to train or improve machine-learning models. Scape uses third-party AI providers exclusively through their APIs, and these providers publicly state that data submitted through their APIs is not used to train their models. Scape has furthermore disabled all optional training-related features and processes Customer Data solely to provide the Service.

5. International Transfers

When Personal Data is transferred outside the EEA/UK, Processor will rely on: Standard Contractual Clauses (SCCs) or another lawful mechanism.

6. Security Measures

Processor will implement appropriate technical and organizational measures, including:

  • Encryption in transit and at rest
  • Access control and authentication
  • Logging and monitoring
  • Regular security assessments
  • Incident response processes
  • Physical security when applicable

A detailed description of measures can be provided upon request.

7. Assistance to Controller

Processor will assist the Controller in:

  • Responding to Data Subject rights requests
  • Conducting Data Protection Impact Assessments (DPIAs)
  • Handling Personal Data Breaches
  • Ensuring compliance with GDPR Article 32–36 obligations

8. Personal Data Breaches

Processor will notify Controller without undue delay after becoming aware of a Personal Data Breach. The notification will include:

  • Description of the breach
  • Categories of affected data
  • Likely consequences
  • Measures taken or proposed

9. Deletion or Return of Data

Upon termination of the Agreement, Controller may request that Processor:

  • Return all Personal Data, or
  • Delete all Personal Data

unless retention is legally required.

10. Audits

Controller may conduct (or appoint a third party to conduct) audits to verify Processor's compliance with this DPA. Audits must be reasonable, not disrupt operations, and respect confidentiality.

11. Liability

Liability is governed by the Agreement.

This DPA does not expand or reduce either party's liability under the Agreement.

12. Governing Law

This DPA is governed by the law specified in the Agreement.

If none is specified, it is governed by the laws of the State of California or Delaware, depending on your preference.

13. Contact Information

For privacy or security matters, contact:

security@scape.app

Reworks, Inc.

1209 Orange St

Wilmington, DE 19801

Scape © 2025

Privacy policyTerms and conditionsDPATrust center