This Data Processing Addendum ("DPA") forms part of the Terms of Service between Scalica Ltd ("Scalica", "Processor", "we") and the customer agreeing to those Terms ("Customer", "Controller", "you"). It applies whenever Scalica processes personal data on your behalf in connection with the Services. Where the Terms and this DPA conflict on the subject of data processing, this DPA prevails.
When this DPA applies. It applies to personal data of third parties that you put into the Services and for which you are the controller — most importantly your end-customers' data in Real UGC from Customers, and any personal data of individuals contained in images you connect to ContentTagger or in inputs to Release Radar or Inventory Forecast. It does not apply to your own account/billing data, for which Scalica is the controller under the Privacy Policy.
1. Definitions
"UK GDPR", "EU GDPR", "controller", "processor", "data subject", "personal data", "processing", "personal data breach", and "supervisory authority" have the meanings given in the applicable data protection law. "Applicable Data Protection Law" means the UK GDPR, the Data Protection Act 2018, and, where it applies to your processing, the EU GDPR. "Customer Personal Data" means personal data processed by Scalica on your behalf under the Terms.
2. Roles and scope
- You are the controller (or, where you act on behalf of another controller, the processor) and Scalica is the processor (or sub-processor) in respect of Customer Personal Data.
- Scalica will process Customer Personal Data only to provide and support the Services and only on your documented instructions, including as set out in the Terms, this DPA, and your configuration and use of the Services. Your instructions must not require Scalica to act in breach of Applicable Data Protection Law.
- If Scalica is required by law to process Customer Personal Data otherwise than on your instructions, it will inform you of that requirement before processing, unless the law prohibits it.
- Scalica will inform you if, in its opinion, an instruction infringes Applicable Data Protection Law.
3. Details of processing (Annex 1)
| Element | Detail |
| --- | --- |
| Subject matter | Provision of the Services selected by the Customer. |
| Duration | For the term of the Terms, plus the retention periods in the Privacy Policy. |
| Nature and purpose | Hosting, storage, transmission, AI-based tagging or moderation, email delivery, reward tracking, monitoring, and forecasting, as applicable to the Service used. |
| Categories of data subjects | The Customer's end-customers and contacts; individuals appearing in images or other Customer Content. |
| Categories of personal data | Names, email addresses, order metadata, images and videos and their contents, and any other personal data the Customer chooses to submit. The Customer must not submit special category data unless agreed in writing. |
| Special category data | Not intended. The Customer is responsible for not submitting special category data (e.g. health, biometric) without a lawful basis and prior written agreement with Scalica. |
4. Your obligations as controller
- You warrant that you have a lawful basis for the processing you instruct, and that you have provided all required privacy notices to, and obtained all required consents from, the relevant data subjects.
- You are responsible for the accuracy, quality, and legality of Customer Personal Data and the means by which you acquired it.
- You will not instruct Scalica to process Customer Personal Data in breach of Applicable Data Protection Law.
5. Scalica's obligations
- Confidentiality: Scalica ensures that persons authorised to process Customer Personal Data are bound by confidentiality obligations.
- Security: Scalica implements appropriate technical and organisational measures as described in Annex 2 (Section 9), having regard to the state of the art, the costs of implementation, and the risk to data subjects.
- Assistance: taking into account the nature of the processing, Scalica will assist you by appropriate technical and organisational measures, insofar as possible, to respond to data subject requests, and to meet your obligations on security, breach notification, data protection impact assessments, and prior consultation with a supervisory authority.
- Deletion or return: on termination, Scalica will delete or return Customer Personal Data in accordance with Section 8 and the retention periods in the Privacy Policy.
- Records and audits: Scalica will make available information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by you or an auditor you mandate, on reasonable prior notice, no more than once per year (unless required by a supervisory authority or following a breach), subject to confidentiality and to not unreasonably disrupting Scalica's operations.
6. Sub-processors
- You provide general authorisation for Scalica to engage sub-processors to process Customer Personal Data. The current list is maintained at scalica.ai/subprocessors.
- Scalica imposes data protection obligations on its sub-processors that are no less protective than those in this DPA, and remains liable to you for its sub-processors' performance.
- Scalica will give you at least 30 days' notice (by email or via the sub-processor page) before adding or replacing a sub-processor that materially affects the processing of Customer Personal Data. You may object on reasonable data-protection grounds within that period; if the objection cannot be resolved, you may terminate the affected Service.
- AI sub-processors: where Scalica uses AI providers to deliver features (for example tag generation or content moderation), those providers are engaged as sub-processors and are contractually bound not to use Customer Personal Data to train, develop, or improve their general models.
7. International transfers
Where Scalica or its sub-processors process Customer Personal Data outside the UK or EEA, Scalica relies on an appropriate transfer mechanism — the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses, the EU Standard Contractual Clauses, or an adequacy decision. Where the EU SCCs apply, they are incorporated into this DPA by reference, with Scalica as data importer and you as data exporter, and the relevant module (controller-to-processor or processor-to-processor) applying.
8. Personal data breach, deletion, and return
- Breach notification: Scalica will notify you without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, and will provide information reasonably required for you to meet your own notification obligations.
- Deletion or return: within 30 days of termination of the relevant Service or on your written request, Scalica will delete or, at your choice, return Customer Personal Data, and delete existing copies, except to the extent retention is required by law (for example tax records) or is held in routine backups that are deleted on a rolling 30-day cycle.
9. Annex 2 — Technical and organisational measures
- Encryption of Customer Personal Data in transit (TLS 1.2+) and at rest (via Supabase / Stripe).
- Row-level security and least-privilege access controls in the database.
- OAuth tokens stored encrypted and not exposed in client code; authentication delegated to Google or Shopify OAuth (no password storage).
- Access to production data limited to the founder and authorised personnel on a need-to-know basis, under confidentiality obligations.
- Error monitoring and logging via Sentry (EU region), with diagnostic logs retained 30 days.
- Sub-processors selected for their own security certifications and data-protection commitments.
- Measures are reviewed periodically and may be updated provided the level of protection is not reduced.
10. Liability and term
The liability provisions of the Terms apply to this DPA. This DPA takes effect when you accept the Terms and continues for as long as Scalica processes Customer Personal Data on your behalf. Provisions that by their nature should survive termination will do so.
11. Contact
Data protection queries and instructions under this DPA should be sent to [email protected].