Data Processing Agreement

How Scalable processes customer data as a processor under Art. 28 GDPR — and how to request a signed DPA.

Last updated: 30 May 2026
Jurisdiction: Germany

Overview

When you use Scalable to process personal data about your own customers or contacts, you act as the controller and Machete Marketing Germany GmbH ("Scalable") acts as a processor on your behalf under Article 28 GDPR. This page summarises how we handle that relationship and how to obtain a signed Data Processing Agreement (DPA / Auftragsverarbeitungsvertrag).

A complete, executable DPA — including the Article 28(3) terms, our Technical and Organizational Measures (Annex 2), the EU Standard Contractual Clauses (Module 2) for international transfers, and the approved sub-processor list (Annex 3) — is available to business and enterprise customers.

Request a signed DPA: email legal@scalable.so with your legal entity name. We provide a pre-prepared DPA for countersignature.

Roles

  • You — controller of the personal data you upload or generate through the Services.
  • Scalable — processor, acting only on your documented instructions (the Services and your configuration constitute those instructions).
  • Sub-processors — the infrastructure and AI providers we engage to deliver the Services, each under Article 28-compliant terms.

Processing instructions

We process customer personal data only to provide and support the Services, as instructed through your use of them, and as required by applicable law. We do not use your data, or the personal data within it, to train or fine-tune AI models.

Security measures

We maintain technical and organizational measures appropriate to the risk (Article 32 GDPR), including encryption in transit and at rest, tenant isolation via database row-level security, access controls, monitoring, and backups. The full measures are set out in the DPA's TOM annex and our Security overview, available on request.

Sub-processors

We engage sub-processors to deliver the Services and remain responsible for their performance. Our Privacy Policy discloses them by category and names our principal providers; a full, named sub-processor list is provided to customers on request and to any data subject on an access request under Article 15 GDPR. We give 30 days' advance notice of new or replacement sub-processors and a reasonable right to object.

International transfers

Where a sub-processor processes data outside the EU/EEA, transfers are protected by the EU-US Data Privacy Framework (for certified providers) or the EU Standard Contractual Clauses with a transfer-impact assessment. The Standard Contractual Clauses are incorporated into the signed DPA.

Data subject rights, breach notification, deletion

We assist you in responding to data-subject requests, notify you without undue delay of any personal-data breach affecting your data, and return or delete customer personal data at the end of the service relationship, subject to legal retention duties. These commitments are set out in full in the signed DPA.

Contact

To request a DPA or ask a data-protection question: legal@scalable.so.