
Data Processing Agreement

Version 1.1 — Last updated March 2026

GDPR-compliant data handling for all client engagements. This DPA forms part of the agreement between Scaleflow and the Client.

This Data Processing Agreement ("DPA") forms part of the agreement between Scale Force Consultancy B.V., trading as "Scaleflow", registered at Laan van Kronenburg 14, 1183 AS Amstelveen, KvK 90277538, and the Client. Scaleflow acts as Processor; the Client acts as Controller.

Article 1

General

In this DPA, "Processor" means Scale Force Consultancy B.V. (trading as Scaleflow) and "Controller" means the Client. Definitions used in this DPA have the meanings given to them in the General Data Protection Regulation (EU) 2016/679 ("GDPR").

This DPA may be updated by the Processor from time to time to reflect changes in processing activities or applicable law. All personnel with access to personal data are bound by confidentiality obligations.

Scaleflow is part of a corporate group that includes Scale Force B.V. Where relevant, personal data may be shared within this group for the purposes described in this DPA.

Article 2

Scope and Purpose

The Processor processes personal data on behalf of the Controller solely for the purpose of delivering the agreed services, which include automated analysis of code repositories, technology assessments, advisory services, and coaching.

Article 3

Categories of Data

The following categories of personal data may be processed under this DPA:

  • Developer names, email addresses, and usernames
  • Commit metadata (e.g., timestamps, repository activity)
  • Infrastructure usernames and access logs
  • IP addresses
  • Project management contact details

No special categories of personal data (as defined in Article 9 GDPR) are intentionally processed.

Article 4

Instructions

The Processor shall process personal data only on the basis of documented instructions from the Controller, unless required to do so by Union or Member State law.

Article 5

Security Measures

The Processor implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of data in transit and at rest
  • Multi-factor authentication (MFA)
  • Role-based access control (RBAC)
  • Logging and monitoring of access
  • Secure hosting within the EEA
  • Regular review of security measures

Article 6

Location

All processing of personal data under this DPA takes place within the European Economic Area (EEA).

Article 7

Sub-Processors

The Controller grants the Processor general authorisation to engage sub-processors. The Processor shall notify the Controller at least 14 days in advance of any intended addition or replacement of a sub-processor. The Controller may object to a new sub-processor on reasonable grounds.

Article 8

Data Subject Rights

The Processor shall assist the Controller in fulfilling its obligations to respond to requests from data subjects exercising their rights under Chapter III of the GDPR, including rights of access, rectification, erasure, restriction, portability, and objection.

Article 9

Data Protection Impact Assessment

The Processor shall assist the Controller in conducting a Data Protection Impact Assessment (DPIA) where required under Article 35 GDPR, and in prior consultation with the supervisory authority under Article 36 GDPR.

Article 10

Breach Notification

In the event of a personal data breach, the Processor shall notify the Controller within 48 hours of becoming aware of the breach. The notification shall include:

  • A description of the nature of the breach
  • The categories and approximate number of data subjects and records concerned
  • The likely consequences of the breach
  • The measures taken or proposed to address the breach and mitigate its effects

Article 11

Audit Rights

The Controller has the right to conduct or commission an audit of the Processor's data processing activities once per calendar year, with at least 30 days' written notice. Audits are conducted at the Controller's expense. A documentation-based audit is preferred where feasible.

Article 12

Deletion and Return

Upon completion of the relevant Statement of Work, the Processor shall delete all personal data within 30 days. Backups shall be purged within 90 days of SOW completion. The Processor may retain anonymised and aggregated data that no longer constitutes personal data.

Article 13

Liability

The liability of each party under this DPA is subject to the limitations set out in the Agreement. Neither party's liability for breaches of its obligations under the GDPR shall be limited.

Article 14

Governing Law

This DPA is governed by and construed in accordance with the laws of the Netherlands. Any disputes arising from or in connection with this DPA shall be submitted to the exclusive jurisdiction of the competent courts in Amsterdam.

Annex 1

Sub-Processors

Sub-Processor       | Purpose                             | Location
Amazon Web Services | Cloud hosting and infrastructure    | EU regions
Google Workspace    | Email, documents, and collaboration | EEA
Attio CRM           | Client relationship management      | EEA
GitHub              | Code analysis                       | EEA

Contact

Questions about this DPA?

Scale Force Consultancy B.V. (trading as Scaleflow)
Laan van Kronenburg 14, 1183 AS Amstelveen
Email: privacy@scaleflow.com
