Data Processing Addendum
Last updated: July 6, 2026
This Data Processing Addendum ("DPA") forms part of the Sellscape AI Terms of Service and applies whenever Sellscape AI ("Processor") processes Personal Data on behalf of the Customer ("Controller") under GDPR, UK GDPR, or analogous laws.
1. Scope of processing
Processor will process Personal Data only to provide the Service and on documented instructions from Controller, including data uploaded by Controller (prospect contact details), data generated by the Service (AI drafts, reply classifications), and connected-service data (Gmail/Calendar tokens and content scoped to authorized accounts).
2. Categories of data subjects
Controller's end users, employees, and the business prospects Controller targets through the Service.
3. Sub-processors
Controller authorizes the following sub-processors. Processor will notify Controller of additions with at least 30 days' notice.
- Lovable Cloud / Supabase — hosting & database (EU/US)
- Vercel — application hosting & edge runtime
- Stripe — payment processing
- SendGrid (Twilio) — outbound email delivery
- Lovable AI Gateway — LLM inference
- Sentry — error monitoring
4. International transfers
Where Personal Data is transferred outside the EEA / UK, transfers are governed by the EU Standard Contractual Clauses (Module 2 / Module 3 as applicable) incorporated by reference.
5. Security
Encryption in transit (TLS 1.2+) and at rest (AES-256), role-based access, audited admin actions, principle of least privilege, regular dependency scanning, and incident response procedures.
6. Data subject requests
Processor will assist Controller in responding to access, rectification, erasure, restriction, portability, and objection requests within the timeframes required by law.
7. Breach notification
Processor will notify Controller without undue delay (and in any case within 72 hours) of becoming aware of a Personal Data Breach.
8. Deletion and return
On termination, Personal Data is deleted within 90 days unless retention is required by law.
9. Audit
Processor will make available all information necessary to demonstrate compliance and will allow audits, including inspections, on reasonable notice and at Controller's expense.
10. Contact
DPO / Privacy contact: dpo@sellscape.ai