Legal
Data Processing Agreement
Processor terms for customer organizational data (GDPR Art. 28).
Version 2025-06-01 · Intellescope, Inc.
Parties and scope
This Data Processing Agreement ("DPA") forms part of the agreement between the customer entity ("Controller") and Intellescope, Inc. ("Processor") for Intellescope.
It applies when Processor processes Personal Data on behalf of Controller under GDPR, UK GDPR, or similar laws.
Definitions
"Personal Data", "Processing", "Controller", "Processor", and "Data Subject" have meanings under applicable Data Protection Laws.
"Customer Data" means data submitted to the Service by or for Controller, including workforce account data and security operations content containing Personal Data.
Processing instructions
Processor will process Customer Data only on documented instructions from Controller, including these Terms, this DPA, and configuration within the Service.
Processor will inform Controller if an instruction infringes Data Protection Laws.
Confidentiality of personnel
Processor ensures persons authorized to process Customer Data are bound by confidentiality obligations.
Security measures
Processor implements appropriate technical and organizational measures including: encryption in transit; tenant isolation; access controls; audit logging; secrets encryption; vulnerability management; and incident response procedures described in our security documentation.
Controller is responsible for identity provider configuration, MFA policy, and user provisioning.
Subprocessors
Controller authorizes Processor to engage subprocessors listed at /legal/subprocessors. Processor will provide notice of material subprocessor changes and an objection mechanism via customer success or legal contact.
Processor imposes data protection terms on subprocessors substantially similar to this DPA.
Data subject requests
Processor will assist Controller in responding to Data Subject requests using available tools (e.g., user data export API) and reasonable commercial efforts.
Controller is responsible for validating requests and communicating with Data Subjects.
Personal data breach
Processor will notify Controller without undue delay after becoming aware of a Personal Data breach affecting Customer Data, and provide information reasonably available to assist Controller's obligations.
Deletion and return
Upon termination, Processor will delete or return Customer Data per Controller's written instructions within a commercially reasonable period, subject to backup retention cycles and legal holds.
Audits
Processor will make available information necessary to demonstrate compliance and allow audits upon reasonable notice, subject to confidentiality and frequency limits, or provide third-party audit reports (e.g., SOC 2) when available.
International transfers
Where transfers require safeguards, the parties will execute Standard Contractual Clauses (Module Two: Controller to Processor) incorporated by reference, including applicable annexes describing processing details available upon request.
Contact
Processor contact for data protection: privacy@intellescope.io.
Controller acceptance is recorded in the Service by an authorized tenant administrator.