DPA | ScopeB2B


Data Processing Agreement (DPA)

Version: 1.0
Effective Date: May 27, 2026

This Data Processing Agreement (“DPA”) forms part of the agreement between ScopeB2B Solutions (“ScopeB2B”, “Data Processor”) and the client entity identified in the applicable Engagement Agreement (“Client”, “Data Controller”), collectively referred to as the “Parties”.

This DPA applies wherever ScopeB2B processes personal data on behalf of the Client, or delivers personal data to the Client, in connection with the Services described in the applicable Engagement Agreement. It is incorporated by reference into ScopeB2B’s Terms of Service.

To request a countersigned copy of this DPA, contact: dpo@scopeb2b.com

1. Definitions

Applicable Data Protection Law means GDPR, UK GDPR, CCPA/CPRA, PIPEDA and other applicable privacy legislation.

Personal Data means information relating to an identified or identifiable natural person.

Processing includes collection, storage, use, disclosure, restriction, deletion, and destruction of data.

Data Subject means the individual to whom Personal Data relates.

Sub-processor means any third party engaged by ScopeB2B to process Personal Data.

Standard Contractual Clauses (SCCs) means the approved contractual mechanisms governing international transfers of personal data.

2. Scope and Roles

2.1 Controller and Processor

The Client acts as Data Controller and ScopeB2B acts as Data Processor regarding Personal Data processed under the Engagement Agreement.

Where ScopeB2B sources and delivers B2B contact data from its own databases or public sources, ScopeB2B acts as an independent Data Controller for that sourcing activity.

2.2 Nature and Purpose of Processing

  • Building, verifying and enriching B2B contact records.
  • Delivering contact discovery lists and CRM enrichment.
  • Tele-verification and quality assurance.
  • Lead generation and market research.
  • LinkedIn profile enrichment.

2.3 Categories of Data Subjects

Business professionals including executives, directors, managers and employees within the Client’s target market.

2.4 Categories of Personal Data

  • Names and business contact details.
  • Job title, department and seniority.
  • LinkedIn profile URLs.
  • Company information and firmographics.
  • Compliance and opt-out information.

2.5 Duration

Processing continues for the duration of the Engagement Agreement and is subject to the retention rules described in this DPA.

3. ScopeB2B’s Obligations as Data Processor

  • Process data only on documented instructions.
  • Maintain confidentiality obligations.
  • Implement appropriate security controls.
  • Manage sub-processors responsibly.
  • Assist with Data Subject rights requests.
  • Support compliance and audit activities.
  • Notify Clients of data breaches without undue delay.
  • Delete or return Client data upon termination.
  • Provide compliance information upon reasonable request.

4. Client Obligations as Data Controller

  • Ensure instructions comply with applicable laws.
  • Maintain a lawful basis for processing.
  • Provide required privacy notices.
  • Maintain suppression and opt-out lists.
  • Use delivered data lawfully.
  • Not resell or transfer personal data without authorization.

5. Lawful Basis for Processing

ScopeB2B relies primarily on Legitimate Interests under Article 6(1)(f) GDPR for processing business contact data for B2B outreach purposes.

Where required, processing may also be based on legal obligations under applicable law.

California and Canadian records are processed in accordance with CCPA/CPRA and PIPEDA requirements.

6. Sub-processors

6.1 Authorised Sub-processors

The Client grants general written authorization for the use of approved sub-processors.

6.2 New Sub-processors

Clients will receive 30 days’ notice before any material change or addition.

6.3 Sub-processor Obligations

Equivalent contractual privacy obligations will be imposed on all sub-processors.

7. International Data Transfers

Where international transfers occur, ScopeB2B relies on Standard Contractual Clauses (SCCs) and applicable UK transfer mechanisms.

Transfer Impact Assessments and supporting documentation are available upon request.

8. Data Subject Rights

  • Access requests handled within 30 days.
  • Right to erasure requests honoured.
  • Rectification of inaccurate records.
  • Objection requests respected.
  • Restriction of processing where applicable.

Requests may be submitted to dpo@scopeb2b.com.

9. Data Retention and Deletion

9.1 Client-Provided Data

Deleted within 30 days after project completion unless otherwise requested.

9.2 Delivered Data

Backup copies retained for audit purposes for a maximum of 90 days.

9.3 Opt-Out Records

Retained indefinitely to ensure suppression compliance.

10. Security Measures

ScopeB2B maintains technical and organisational safeguards including access controls, encryption, incident response procedures, staff training and vendor management processes.

11. Audit Rights

Clients may audit compliance with at least 30 days’ notice and no more than once annually unless a breach has occurred.

12. Governing Law and Dispute Resolution

This DPA is governed by the same governing law specified in the applicable Engagement Agreement and Terms of Service.

13. Contact and DPO

Data Protection Officer / Privacy Contact
ScopeB2B Solutions
Surat, Gujarat, India
Email: dpo@scopeb2b.com

Schedule A – Technical and Organisational Security Measures

Access Controls

  • Role-Based Access Control (RBAC).
  • Least privilege access model.
  • Multi-Factor Authentication (MFA).
  • Periodic access reviews.
  • Rapid access revocation procedures.

Data in Transit

  • TLS 1.2+ encryption.
  • Encrypted file transfers.

Data at Rest

  • Encrypted storage.
  • Restricted database access.

Physical Security

  • Secured office environments.
  • Clean desk policy.

Incident Response

  • Documented response procedures.
  • Annual breach testing.
  • Post-incident reviews.

Personnel

  • Confidentiality agreements.
  • Privacy awareness training.
  • Background screening where appropriate.

Vendor Management

  • Security reviews before engagement.
  • DPAs with sub-processors.

Schedule B – Authorised Sub-processors

| Sub-processor | Location | Purpose |
|---|---|---|
| Google Workspace | USA | Email and document storage |
| Cloudways / DigitalOcean | USA / EU | Hosting infrastructure |
| CRM Provider (TBC) | TBC | Lead management |
| Email Provider (e.g. SendGrid) | USA | Transactional email delivery |

Schedule C – Standard Contractual Clauses

Where required for international transfers, the European Commission SCCs (2021) and UK IDTA are incorporated by reference into this DPA.

For a countersigned version of this DPA, contact dpo@scopeb2b.com.