Data Processing Addendum

Last updated: July 6, 2026

This Data Processing Addendum ("DPA") forms part of the Sellscape AI Terms of Service and applies whenever Sellscape AI ("Processor") processes Personal Data on behalf of the Customer ("Controller") under GDPR, UK GDPR, or analogous laws.

1. Scope of processing

Processor will process Personal Data only to provide the Service and on documented instructions from Controller, including data uploaded by Controller (prospect contact details), data generated by the Service (AI drafts, reply classifications), and connected-service data (Gmail/Calendar tokens and content scoped to authorized accounts).

2. Categories of data subjects

Controller's end users, employees, and the business prospects Controller targets through the Service.

3. Sub-processors

Controller authorizes the following sub-processors. Processor will notify Controller of additions with at least 30 days' notice.

  • Lovable Cloud / Supabase — hosting & database (EU/US)
  • Vercel — application hosting & edge runtime
  • Stripe — payment processing
  • SendGrid (Twilio) — outbound email delivery
  • Lovable AI Gateway — LLM inference
  • Sentry — error monitoring

4. International transfers

Where Personal Data is transferred outside the EEA / UK, transfers are governed by the EU Standard Contractual Clauses (Module 2 / Module 3 as applicable) incorporated by reference.

5. Security

Encryption in transit (TLS 1.2+) and at rest (AES-256), role-based access, audited admin actions, principle of least privilege, regular dependency scanning, and incident response procedures.

6. Data subject requests

Processor will assist Controller in responding to access, rectification, erasure, restriction, portability, and objection requests within the timeframes required by law.

7. Breach notification

Processor will notify Controller without undue delay (and in any case within 72 hours) of becoming aware of a Personal Data Breach.

8. Deletion and return

On termination, Personal Data is deleted within 90 days unless retention is required by law.

9. Audit

Processor will make available all information necessary to demonstrate compliance and will allow audits, including inspections, on reasonable notice and at Controller's expense.

10. Contact

DPO / Privacy contact: dpo@sellscape.ai