Data Processing Agreement

Version 1.1 — 26 / 1 / 2026

This Data Processing Agreement (“DPA”) forms part of any agreement between Scale Force Consultancy B.V. (trading as “Scaleflow”) and a client (the “Agreement”) under which Scaleflow processes personal data on behalf of that client.

By executing the Agreement, the client accepts this DPA as published at scaleflow.com/legal/dpa at the time of execution.

Article 1 — General

1.1 Roles of the Parties

Where Scaleflow processes personal data in the course of providing Services under the Agreement, Scaleflow acts as Processor and the client acts as Controller within the meaning of Regulation (EU) 2016/679 (General Data Protection Regulation — “GDPR”).

1.2 Definitions

Terms not defined in this DPA have the meaning given in the GDPR.

1.3 Updates

Scaleflow may update this DPA from time to time to reflect changes in applicable law or processing activities, provided that such updates do not materially reduce the level of protection afforded to personal data. Clients will be notified of any material changes.

1.4 Confidentiality

Scaleflow ensures that all personnel authorised to process personal data are bound by confidentiality obligations and have received appropriate data protection training.

1.5 Group Structure

Scaleflow forms part of a corporate group. Personnel performing Services may be employed by affiliated group entities, including Scale Force B.V., registered in the Netherlands.

Where such affiliated entities have access to personal data in the course of providing Services, they act as authorised sub-processors under this DPA. Scaleflow remains fully responsible for their acts and omissions in accordance with Article 28(4) GDPR.

Article 2 — Scope and Purpose of Processing

Scaleflow processes personal data solely for the purpose of performing the Services described in the Agreement and applicable Statement(s) of Work. This may include:

• Automated analysis of source code repositories and development metadata
• Technical and organisational assessments
• Advisory, coaching, and fractional leadership services
• Interaction with client teams and systems

Scaleflow does not process personal data for any other purpose unless required by EU or Member State law.

The client is responsible for ensuring that processing has a lawful basis under Article 6 GDPR.

Article 3 — Categories of Data and Data Subjects

Depending on the engagement, processing may include:

• Developer names, email addresses, usernames, commit metadata
• Infrastructure usernames, IP addresses, and access logs
• Names and contact details in project management or documentation tools
• Contact details of client personnel

No special categories of personal data (Article 9 GDPR) are intentionally processed. If encountered, Scaleflow will notify the client and await instructions.

Data subjects may include:

• Client developers and engineers
• Client employees and contractors
• Client management and key stakeholders

Article 4 — Instructions

Scaleflow processes personal data only on documented instructions from the client, as set out in:

• This DPA
• The Agreement
• The applicable Statement of Work

If Scaleflow believes an instruction violates the GDPR, it will inform the client and may suspend execution of the relevant instruction until clarified.

Article 5 — Security Measures

Scaleflow implements appropriate technical and organisational measures in accordance with Article 32 GDPR, including:

• Encryption of data in transit and at rest
• Multi-factor authentication for administrative access
• Role-based access control based on least privilege
• Logging and monitoring of access
• Secure hosting within the European Economic Area
• Regular review and testing of security measures
• Procedures ensuring confidentiality, integrity, availability, and resilience

Security measures may evolve to reflect technological developments, provided that the overall level of protection is not reduced.

Article 6 — Location of Processing

Processing takes place within the European Economic Area (EEA).

Article 7 — Sub-Processors

The client grants general authorisation for Scaleflow to engage sub-processors listed in Annex 1.

Scaleflow will notify clients of intended changes at least fourteen (14) days in advance. Clients may object on reasonable data protection grounds.

Scaleflow ensures sub-processors are bound by written agreements imposing data protection obligations no less protective than those set out in this DPA. Scaleflow remains fully liable for its sub-processors.

Article 8 — Data Subject Rights

Scaleflow assists the client in responding to data subject requests under Chapter III GDPR.

If Scaleflow receives a request directly from a data subject, it will notify the client and not respond unless authorised.

Article 9 — Data Breach Notification

Scaleflow will notify the client without undue delay and no later than forty-eight (48) hours after becoming aware of a personal data breach affecting personal data processed under the Agreement.

The notification will include, to the extent available:

• Nature of the breach
• Categories and approximate number of affected data subjects
• Likely consequences
• Measures taken or proposed

Scaleflow will cooperate in mitigation and remediation.

Article 10 — Assistance with Compliance

Scaleflow assists the client in complying with Articles 32–36 GDPR, including security, breach notifications, DPIAs, and prior consultations.

Article 11 — Audit

Scaleflow makes available information reasonably necessary to demonstrate compliance.

Clients may conduct an audit no more than once per calendar year, with at least thirty (30) days’ prior notice. Audits must be limited to information reasonably necessary to verify compliance and may not include access to data relating to other clients. Documentation-based audits are preferred where reasonably possible. Audits are conducted at the client’s expense.

Article 12 — Deletion and Return of Data

Upon completion or termination of a Statement of Work, Scaleflow will delete personal data within thirty (30) days.

Backup systems are purged within ninety (90) days in accordance with standard retention policies.

Scaleflow may retain anonymised and aggregated data or data required by law, restricted to the purpose for which retention is required.

Article 13 — Liability

Liability arising from this DPA is subject to the limitations of liability set out in the Agreement.

Nothing in this DPA limits or excludes liability to data subjects or supervisory authorities under the GDPR.

Article 14 — Governing Law

This DPA is governed by the laws of the Netherlands. Disputes are resolved in accordance with the dispute resolution clause of the Agreement.

Annex 1 — Approved Sub-Processors

Amazon Web Services EMEA SARL — Cloud infrastructure and hosting — EU (Frankfurt, Germany)
Scale Force B.V. — Provision of personnel and operational support — Netherlands (EEA)

© 2026 Scaleflow. All rights reserved.

Amsterdam • London • New York
