Data Processing Addendum

Read our Data Processing Addendum to understand how we process personal data on your behalf in compliance with GDPR and other data protection regulations.

Effective date: March 7, 2026

AutoScaled Data Processing Agreement (DPA)

This Data Processing Agreement ("DPA") forms part of the Terms and Conditions between AutoScaled ("Processor") and the customer or user entity ("Customer" or "Controller") and applies to the extent that AutoScaled processes Personal Data on behalf of Customer under applicable Data Protection Laws, including Regulation (EU) 2016/679 ("GDPR").

This DPA is incorporated into and forms part of the AutoScaled Terms and Conditions, Section 10 (Privacy and Data Protection).


1. Definitions

Capitalized terms not otherwise defined in this DPA shall have the meanings given in the GDPR and the AutoScaled Terms and Conditions.


2. Roles of the Parties

Customer is the Data Controller.
AutoScaled acts as Data Processor when processing Personal Data on behalf of Customer.


3. Subject Matter and Duration

Processing relates to the provision of the AutoScaled SaaS platform, including integrations, analytics, and support services.

Processing continues for the duration of the Services and for up to 30 days after termination, after which Personal Data will be deleted or anonymized unless retention is legally required.


4. Nature and Purpose of Processing

Processing activities include:

  • Hosting and storage of Customer Content
  • Rendering and generation of presentations
  • Synchronization with integrated services
  • Product analytics and diagnostics
  • Technical support and troubleshooting

5. Types of Personal Data and Data Subjects

Data Subjects

  • Customer users
  • End customers of Customer (as uploaded by Customer)

Categories of Personal Data

  • Names, email addresses, contact details
  • CRM records and structured business data
  • Uploaded documents and presentation content
  • Usage metadata and logs
  • IP addresses and device identifiers (limited)

6. Processor Obligations

AutoScaled shall:

a. Process Personal Data only on documented instructions from Customer.
b. Ensure persons authorized to process data are bound by confidentiality.
c. Implement appropriate technical and organizational measures (Annex II).
d. Assist Customer with data subject rights requests.
e. Assist with DPIAs and regulatory consultations where reasonably required.
f. Delete or return Personal Data within 30 days after termination.
g. Make available information necessary to demonstrate compliance.


7. Subprocessing

Customer authorizes AutoScaled to engage subprocessors.

AutoScaled shall:

  • Maintain a list of subprocessors in Annex III
  • Impose equivalent data protection obligations on subprocessors
  • Remain liable for subprocessor compliance

AutoScaled may update subprocessors with reasonable notice.


8. Personal Data Breach Notification

AutoScaled shall notify Customer without undue delay and within 72 hours after becoming aware of a Personal Data Breach, unless the breach is unlikely to result in risk to individuals.

Notification will include:

  • Description of the breach
  • Categories and approximate number of affected individuals
  • Likely consequences
  • Measures taken or proposed

9. Audit Rights — Model A

Customer may request documentation reasonably necessary to verify compliance.

On-site audits are not permitted.
This satisfies GDPR Article 28(3)(h) via an information-based audit model.


10. International Data Transfers and SCCs

Where Personal Data is transferred outside the EEA, UK, or Switzerland to countries without adequacy decisions, the parties agree that the EU Standard Contractual Clauses (SCCs) apply.

SCC Configuration

  • Module Two (Controller → Processor)
  • Customer = Data Exporter
  • AutoScaled = Data Importer
  • Supervisory Authority: Irish Data Protection Commission
  • Annexes correspond to the Annexes of this DPA

Additional safeguards are described in Annex II.


11. Liability

Liability under this DPA follows the limitation of liability provisions in the Terms and Conditions.
Nothing in this DPA limits liability where prohibited by law.


12. Governing Law and Jurisdiction

This DPA and any disputes arising from it are governed by the laws of Ireland.
Supervisory authority: Irish Data Protection Commission (DPC).


ANNEX I — Processing Details

Subject Matter

Provision of AutoScaled SaaS presentation automation platform.

Duration

Term of Services plus 30 days.

Purpose

Presentation generation, CRM syncing, analytics, support.

Data Subjects

Customer users and Customer end-clients.

Personal Data

Contact details, CRM records, uploaded files, usage logs.


ANNEX II — Technical and Organizational Measures

AutoScaled implements the following safeguards:

Access Controls

  • Role-based access controls
  • MFA for administrative systems
  • Least-privilege policies

Encryption

  • TLS encryption in transit
  • Encryption at rest where supported

Infrastructure

  • Hosted on AWS and Vercel
  • Segregated environments

Monitoring

  • Logging and alerting
  • Error and performance tracking

Incident Response

  • Breach detection procedures
  • Notification within 72 hours

Retention

  • Deletion within 30 days of termination

Vendor Controls

  • DPAs with subprocessors
  • SCCs or adequacy mechanisms

ANNEX III — Authorized Subprocessors

| Subprocessor | Purpose | Location |
| --- | --- | --- |
| Amazon Web Services (AWS) | Hosting & storage | Global |
| Vercel | Web hosting & analytics | Global |
| Stripe | Payment processing | US / EU |
| PostHog | Product analytics | EU / US |
| Amplitude | Product analytics | US |
| Microsoft Clarity | Website Analytics | Global |
| Google (OAuth, Analytics) | Authentication & analytics | US |
| Microsoft (OAuth) | Authentication | US |
| Attio | CRM integration | EU |
| Salesforce | CRM integration | US |
| HubSpot | CRM integration | US |
| Google Drive | File integrations | US |
| Microsoft 365 | File integrations | US |
| Tidio | Live chat and customer support | EU / Global |
| Web3Forms | Contact form processing | Global |
| Calendly | Scheduling demos and meetings | US |

AutoScaled may update subprocessors with reasonable notice and contractual safeguards.