Data Processing Addendum
Last updated: June 30, 2026
This DPA forms part of our Terms of Service for customers processing personal data subject to GDPR, UK GDPR, or comparable regimes. By using Amazon Scout you agree to this DPA in the role of Controller (you) and us as Processor of the personal data you provide to us via your account and your usage of our API.
1. Scope
We process personal data only on your documented instructions: to provide the service, to bill you, and to comply with applicable law. We do not process personal data for our own purposes beyond the service itself.
2. Sub-processors
- Vercel — hosting (USA)
- Neon — Postgres database (USA)
- AWS — S3 object storage (USA)
- Stripe — payments (USA, GDPR-bound)
- Resend — transactional email (USA / EU, GDPR-bound)
- Apify — upstream scrape execution (EU, GDPR-bound)
We will notify you in advance of any change to this list. All sub-processors are bound to standard contractual clauses for international data transfers.
3. Security
TLS 1.2+ everywhere, encryption-at-rest for Postgres and S3, principle-of-least-privilege IAM for all infrastructure access, password hashing with bcrypt cost factor 12, short-lived signed URLs for any object access.
4. Data-subject rights
We assist you with data-subject access / deletion / portability requests within 30 days of receiving a request from you in writing.
5. Incident notification
We notify affected customers without undue delay (and within 72 hours where required by law) of any personal-data breach affecting their data.
6. Audit
We provide reasonable information to demonstrate compliance with this DPA. For on-site audits, please use the contact form with at least 30 days notice.
7. Signature
To request a counter-signed PDF copy of this DPA on your company letterhead, ask via the form. We will return it within 5 business days.