Data Processing Agreement

Last updated: 2026-05-19

This Data Processing Addendum (“DPA”) forms part of the agreement (“Agreement”) between the Customer (“Controller”) and Reworks AI Labs AB (“Processor”) when Scape processes Personal Data on behalf of the Customer.

1. Definitions

Terms used in this DPA have the same meaning as in the Agreement or under GDPR, including: “Controller”, “Processor”, “Personal Data”, “Data Subject”, “Processing”, “Personal Data Breach”, “SCCs”

2. Roles of the Parties

The customer is the Controller.

Reworks AI Labs AB (Scape) is the Processor.

3. Nature & Purpose of Processing

Purpose: Deliver the Scape Service, including email summarization, drafting, meeting notes, and related features.

Duration: For the term of the Agreement and any applicable retention period.

Type of Personal Data:

  • Email content and metadata (authorized by user)
  • Calendar content and metadata
  • User account information
  • Usage and device data
  • Meeting recordings and transcripts

Data Subjects:

Customer's employees, users, contacts, and any individuals whose Personal Data appears in emails or calendars

Scape does not perform contact enrichment or pull external data about Data Subjects.

4. Subprocessors

For each subprocessor the processor has assessed a data-protection agreement in order to adhere to this DPA. The processor maintains an up-to-date list in the Scape Trust Center.

Scape does not use Customer Data to train or improve machine-learning models. Scape uses third-party AI providers exclusively through their APIs, and these providers publicly state that data submitted through their APIs is not used to train their models. Scape has furthermore disabled all optional training-related features and processes Customer Data solely to provide the Service.

5. International Transfers

When Personal Data is transferred outside the EEA/UK, Processor will rely on: Standard Contractual Clauses (SCCs) or another lawful mechanism.

6. Security Measures

Processor will implement appropriate technical and organizational measures, including:

  • Encryption in transit and at rest
  • Access control and authentication
  • Logging and monitoring
  • Regular security assessments
  • Incident response processes
  • Physical security when applicable

A detailed description of measures is available in the Scape Trust Center.

7. Assistance to Controller

Processor will assist the Controller in:

  • Responding to Data Subject rights requests
  • Conducting Data Protection Impact Assessments (DPIAs)
  • Handling Personal Data Breaches
  • Ensuring compliance with GDPR Article 32–36 obligations

8. Personal Data Breaches

Processor will notify Controller without undue delay after becoming aware of a Personal Data Breach. The notification will include:

  • Description of the breach
  • Categories of affected data
  • Likely consequences
  • Measures taken or proposed

9. Deletion or Return of Data

Upon termination of the Agreement, Controller may request that Processor:

  • Return all Personal Data, or
  • Delete all Personal Data

unless retention is legally required.

10. Audits

Controller may conduct (or appoint a third party to conduct) audits to verify Processor's compliance with this DPA. Audits must be reasonable, not disrupt operations, and respect confidentiality.

11. Liability

Liability is governed by the Agreement.

This DPA does not expand or reduce either party's liability under the Agreement.

12. Governing Law

This DPA is governed by the laws of Sweden.

13. Contact Information

For privacy or security matters, contact:

security@scape.app

Reworks AI Labs, AB

Luntmakargatan 26

111 37, Stockholm, Sweden

Scape © 2026

Privacy policyTerms and conditionsDPASecurity