Data Processing Agreement

Effective Date: March 15, 2026
Last Updated: March 20, 2026

This Data Processing Agreement (“DPA”) is entered into between:

  • Scopable, Inc., a Delaware corporation (“Processor,” “Scopable,” “we,” or “us”), and
  • The entity identified in the applicable Order Form or account registration (“Controller,” “Customer,” or “you”)

(each a “Party,” collectively the “Parties”).

This DPA forms part of and is incorporated into the Scopable Terms of Service or such other written agreement between the Parties governing Customer's use of the Scopable platform (the “Agreement”). In the event of any conflict between this DPA and the Agreement, this DPA shall control with respect to data protection matters.

1. Definitions

1.1 “Applicable Data Protection Law”

Means all applicable laws and regulations relating to the processing of personal data, including (as applicable): the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”); the UK GDPR and Data Protection Act 2018; the California Consumer Privacy Act (Cal. Civ. Code § 1798.100 et seq.) as amended by the California Privacy Rights Act (“CCPA/CPRA”); and any other applicable national, state, or provincial privacy laws.

1.2 “Controller”

Means the entity that determines the purposes and means of processing Personal Data (i.e., the Customer).

1.3 “Data Subject”

Means an identified or identifiable natural person whose Personal Data is processed under this DPA.

1.4 “Personal Data”

Means any information relating to an identified or identifiable natural person that is processed by Scopable on behalf of Customer in connection with the Services.

1.5 “Processor”

Means the entity that processes Personal Data on behalf of a Controller (i.e., Scopable).

1.6 “Processing”

Means any operation or set of operations performed on Personal Data, including collection, storage, use, disclosure, transfer, or deletion.

1.7 “Services”

Means the Scopable SaaS platform and related services provided to Customer under the Agreement.

1.8 “Sub-processor”

Means any third party engaged by Scopable to process Personal Data on Customer's behalf.

1.9 “Security Incident”

Means any confirmed unauthorized or unlawful access to, acquisition of, disclosure of, or destruction of Personal Data processed under this DPA.

2. Scope and Roles

2.1 Processor Role

Scopable processes Personal Data solely as a Processor acting on behalf of Customer (the Controller) for the purpose of providing the Services.

2.2 Customer as Controller

Customer is responsible for ensuring it has a lawful basis for processing Personal Data and for the accuracy and legality of Personal Data submitted to the Services.

2.3 Nature of Data Processed

In the ordinary course of providing the Services, Scopable may process the following categories of Personal Data submitted by or on behalf of Customer:

  • Contact information (name, email address, phone number, job title)
  • Business information (company name, MSP client details)
  • Usage and account data (login credentials, activity logs, preferences)
  • Quote and proposal data (which may include end-client contact details)

The Data Subjects are: Customer's employees, contractors, and end-clients (MSP customers) whose information Customer inputs into the Services.

2.4 Sensitive Data

Customer agrees not to submit special categories of personal data (as defined under GDPR Article 9) or data of minors without prior written agreement.

3. Scopable's Obligations

Scopable shall:

3.1 Process Personal Data only on documented instructions from Customer, as set forth in this DPA and the Agreement, unless required to do so by applicable law (in which case Scopable shall, to the extent permitted by law, inform Customer prior to processing).

3.2 Ensure that personnel authorized to process Personal Data are subject to appropriate confidentiality obligations.

3.3 Implement and maintain technical and organizational security measures appropriate to the risk, as further described in Exhibit A (Security Measures).

3.4 Notify Customer without undue delay (and in any event within 72 hours of Scopable becoming aware) of a confirmed Security Incident affecting Customer's Personal Data.

3.5 Assist Customer, taking into account the nature of the processing and information reasonably available to Scopable, with: (a) fulfilling Data Subject rights requests; (b) conducting data protection impact assessments; and (c) complying with obligations under Applicable Data Protection Law — to the extent reasonably practicable and at Customer's reasonable cost.

3.6 At Customer's election (notified in writing within 30 days of termination of the Agreement), either delete or return Customer's Personal Data, except to the extent retention is required by applicable law.

3.7 Make available to Customer information reasonably necessary to demonstrate compliance with this DPA and permit (and contribute to) audits conducted by Customer or its authorized representative, with reasonable advance notice and subject to reasonable confidentiality obligations.

4. Customer's Obligations

Customer shall:

4.1 Ensure all Personal Data submitted to the Services is collected and transferred lawfully, including providing appropriate notices to Data Subjects.

4.2 Ensure Customer's instructions to Scopable comply with Applicable Data Protection Law.

4.3 Promptly notify Scopable if Customer becomes aware of any actual or suspected breach or misuse of the Services.

5. Sub-processors

5.1 General Authorization

Customer provides a general authorization for Scopable to engage Sub-processors to assist in delivering the Services, subject to this Section 5.

5.2 Current Sub-processors

Scopable's current Sub-processor list is set forth in Exhibit B. Scopable will update this list as Sub-processors change.

5.3 Notification of Changes

Scopable shall notify Customer (via email or in-app notice) at least 14 days in advance of adding a new Sub-processor that will process Customer's Personal Data.

5.4 Objection

Customer may object to a new Sub-processor by providing written notice within 10 days of Scopable's notification. If the Parties cannot resolve the objection within 30 days, either Party may terminate the relevant Services with 30 days' written notice, with a pro-rata refund of any prepaid fees.

5.5 Sub-processor Obligations

Scopable shall impose data protection obligations on Sub-processors substantially equivalent to those in this DPA.

6. Data Transfers

6.1 U.S. Processing

The Services are hosted and processed primarily in the United States (via Supabase/Vercel infrastructure).

6.2 International Transfers

To the extent Customer is subject to GDPR or UK GDPR and Personal Data is transferred from the EEA/UK to a third country, the Parties agree to execute Standard Contractual Clauses (SCCs) as required by the European Commission or UK ICO, which are incorporated by reference.

6.3 CCPA

For California residents: Scopable is a “service provider” under the CCPA/CPRA and shall not sell or share Personal Data, use it outside the scope of the Agreement, or retain it beyond what is necessary to provide the Services.

7. Data Subject Rights

7.1 Scopable shall promptly refer to Customer any Data Subject requests received directly by Scopable relating to Personal Data processed under this DPA.

7.2 Customer is responsible for responding to Data Subject requests. Scopable will provide reasonable assistance as described in Section 3.5.

8. Security

8.1 Scopable shall implement technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. See Exhibit A for details.

8.2 Customer is responsible for securing its own account credentials and access to the Services.

9. Term and Termination

9.1 This DPA remains in effect for so long as Scopable processes Personal Data on Customer's behalf.

9.2 Upon termination or expiration of the Agreement, Scopable will delete or return Personal Data in accordance with Section 3.6.

10. Liability

10.1 Each Party's liability under this DPA is subject to the limitations and exclusions set forth in the Agreement.

10.2 Nothing in this DPA limits either Party's liability for: (a) fraud or fraudulent misrepresentation; (b) death or personal injury caused by negligence; or (c) any other liability that cannot be excluded by applicable law.

11. General

11.1 Governing Law

This DPA is governed by the laws of the State of Delaware, consistent with the Agreement.

11.2 Order of Precedence

In the event of conflict between this DPA and the Agreement, this DPA controls for data protection matters.

11.3 Entire Agreement

This DPA (including Exhibits) constitutes the entire agreement between the Parties with respect to processing of Personal Data under the Agreement.

11.4 Amendments

Scopable may update this DPA to reflect changes in law or its practices, with notice to Customer as described in Section 5.3.

Exhibit A — Security Measures

Scopable implements the following technical and organizational security measures:

Category | Measures
Access Control | Role-based access; unique credentials; MFA for admin accounts
Data Encryption | TLS 1.2+ in transit; AES-256 encryption at rest (via Supabase)
Infrastructure | Hosted on Supabase (SOC 2 compliant) and Vercel (enterprise infrastructure)
Logging & Monitoring | Access logs; anomaly detection; incident response procedures
Vendor Security | Sub-processors reviewed for security certifications (SOC 2, ISO 27001)
Personnel | Confidentiality obligations on all personnel with data access
Vulnerability Management | Regular dependency updates; security review of code changes

These measures may be updated by Scopable from time to time to maintain appropriate protection levels.

Exhibit B — Current Sub-processors

Sub-processor | Purpose | Location | Security Certification
Supabase, Inc. | Database, authentication, backend | United States | SOC 2 Type II
Vercel, Inc. | Frontend hosting & CDN | United States / Global | SOC 2 Type II
PostHog, Inc. | Product analytics | United States / EU | SOC 2 Type II
Stripe, Inc. | Payment processing (billing data only) | United States | PCI DSS Level 1, SOC 2

This list will be updated as Sub-processors change. Current version available upon request at .

For questions about this DPA, contact:

End of Data Processing Agreement