Legal

Data Processing Addendum

Last updated: June 14, 2026

This page summarizes how AND AI processes personal data on behalf of agency Organizations using Scopeyard, for the purposes of GDPR Article 28 and similar data protection laws. It supplements our Privacy Policy and Terms of Service.

1. Scope & roles

Where your Organization uses Scopeyard to store or process personal data about your clients or Client Guests (for example, names and email addresses used for project approvals), your Organization acts as the data controller for that data, and AND AI acts as the data processor, processing it only on your Organization’s instructions and as needed to provide the Service.

2. Details of processing

  • Subject matter: provision of the Scopeyard delivery workspace, client views, approvals, and billing-ready summaries.
  • Duration: for as long as your Organization has an active account, plus any retention period described in our Privacy Policy.
  • Nature & purpose: hosting, storage, transmission, and display of project, deliverable, approval, and billing data within your Organization’s workspace.
  • Categories of data subjects:your Organization’s team members and the Client Guests it invites.
  • Categories of personal data: names, email addresses, and any personal data your Organization includes in project descriptions, deliverables, comments, or approvals.

3. Subprocessors

AND AI uses the subprocessors listed in Section 6 of our Privacy Policy (currently Stripe for payments, Brevo for transactional email, and our cloud hosting and database providers) to provide the Service. We will update that list if our subprocessors change.

4. Security measures

We apply technical and organizational measures appropriate to the risk, including encrypted connections (HTTPS), signed and HTTP-only session cookies, role-based access within Organizations, and access scoping so that Client Guests can only see projects they have been invited to.

5. International transfers

As described in our Privacy Policy, AND AI and its subprocessors may process data outside your country, including in Singapore. Where personal data is transferred from the EEA, UK, or Switzerland to a country without an adequacy decision, AND AI relies on appropriate safeguards such as Standard Contractual Clauses with the relevant subprocessor.

6. Requesting a signed DPA

If your Organization requires a countersigned Data Processing Agreement (for example, to satisfy your own GDPR compliance documentation), email legal@scopeyard.iowith your Organization name and we’ll be happy to arrange one.

Scopeyard

Focus work.Get approval.Get paid.

Start 30-day trial →Book a walkthrough
Scopeyard© 2026 · made for agencies