Last updated: July 13, 2026
This Data Processing Agreement (the “DPA”) forms part of the Scape Terms of Service, together with any order form or other agreement between the Customer and Reworks AI Labs AB (“Scape”, “we”, “us”, or “our”) governing the Customer's use of the Service (collectively, the “Agreement”). This DPA is incorporated into the Agreement and describes how Scape processes Personal Data in connection with the Service. Scape processes Customer Personal Data on behalf of the Customer as Processor, subject to the obligations in this DPA, and processes certain other Personal Data, including Analytics Data, as an independent Controller as described in Section 2 and Section 12.
1. Definitions
“Controller” and “Processor” have the meanings given under the GDPR and equivalent terms under other applicable Data Protection Laws.
“Data Protection Laws” means, collectively, the EU General Data Protection Regulation (GDPR), the UK GDPR, the revised Swiss Federal Act on Data Protection (FADP), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), and any other applicable national, state, or supranational privacy laws.
“Personal Data” means any information that relates to an identified or identifiable natural person.
“Processing” means any operation performed on Personal Data.
“Service” means the Scape application, website, desktop app, and related features.
“Customer”, “User”, “you” means the individual or legal entity entering the Agreement.
“Customer Data” means the content Scape processes on your behalf to provide the Service, and excludes “Analytics Data”.
“Customer Personal Data” means Personal Data contained within Customer Data that Scape Processes on behalf of the Customer to provide the Service.
“Authentication Data” means credentials and tokens used to authenticate the Customer or its users and to connect the Service to third-party services, such as OAuth tokens.
“Analytics Data” means information about how you interact with the Service, such as logins, device and browser information, and feature usage.
“Covered Data” means, collectively, Personal Data, Customer Data, Analytics Data, and derived data such as embeddings.
“De-Identified Data” means data that has been processed so that it can no longer reasonably be linked to an identifiable individual.
“Sub-processor” means any processor, vendor, or service provider engaged by Scape to process Customer Data to provide the Service.
“AI Sub-processor” means any Sub-processor that processes Customer Data using large language models (LLMs) or similar AI models to provide AI-powered features such as summarization and transcription (“AI-processing”).
“Data Subject” is the Customer's employees and users, and any individuals whose Personal Data appears in their emails, calendars, or meetings.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data. Unsuccessful attempts that do not compromise the security of Personal Data (such as failed log-in attempts, pings, or port scans) do not constitute a Personal Data Breach.
“Standard Contractual Clauses” (or "SCCs") means the European Commission's standard contractual clauses adopted in Decision (EU) 2021/914 of 4 June 2021, and any clauses subsequently replacing them together with the UK International Data Transfer Addendum and the Swiss addendum where applicable.
2. Roles of the Parties
The Customer is the Controller of Customer Personal Data processed under this DPA. Reworks AI Labs AB (Scape) is the Processor.
Where the Customer is itself a Processor acting on behalf of a third-party Controller, Scape acts as a Sub-processor, and the Customer's instructions are deemed to reflect those of the ultimate Controller.
Scape also acts as an independent Controller for limited data it processes for its own business purposes, such as account administration, billing, security, and product analytics (including Analytics Data, as described in Section 12). Such processing is governed by the Scape Privacy Policy.
3. Nature and Purpose of Processing
Purpose: To deliver the Scape Service, including email summarization, drafting, meeting notes, transcription, search, and related features.
Duration: Scape processes Customer Personal Data for the term of the Agreement and only for as long as necessary to provide the Service and fulfil the purposes set out in this DPA.
Type of Customer Personal Data:
- Email content and metadata (authorized by the user)
- Calendar content and metadata
- Meeting audio recordings, transcripts, and summaries
- Derived data such as vector embeddings generated from email and meeting content
- User account information
4. Processor Obligations
Scape will:
- Process Customer Personal Data only on the Customer's documented instructions, including as set out in this Agreement unless required by law to do otherwise, in which case Scape will inform the Customer where legally permitted;
- Ensure that personnel authorized to process Customer Personal Data are bound by confidentiality obligations;
- Promptly inform the Customer if, in Scape's opinion, an instruction infringes applicable Data Protection Law;
- Implement the security measures described in Section 7;
- Not sell or share Customer Personal Data, and not use it for any purpose other than providing the Service.
The Customer's complete and final documented instructions to Scape consist of this DPA, the Agreement, and the Customer's use and configuration of the Service. Any additional or alternative instructions require the parties' prior written agreement.
Scape does not use Covered Data to train or improve machine-learning models. All AI-processing is performed within the EU through AI Sub-processors. AI Sub-processors are bound by data protection agreements that ensure EU residency and zero data retention.
5. Sub-processors
The Customer provides general authorization for Scape to engage Sub-processors to process Customer Personal Data in order to provide the Service. Before engaging a Sub-processor, Scape carries out appropriate due diligence and ensures the Sub-processor is bound by data-protection obligations no less protective than those in this DPA, whether under a written agreement with Scape or under the Sub-processor's published data processing terms, which Scape has reviewed and accepted. Scape remains responsible for its Sub-processors' performance to the extent required by applicable Data Protection Laws.
Scape maintains a current list of its Sub-processors in the Scape Trust Center at https://trust.scape.app/subprocessors and informs Customers of any intended change concerning the addition or replacement of a Sub-processor by updating that list. If the Customer does not wish to consent to the use of a new Sub-processor, the Customer may notify Scape, within twenty (20) business days of Scape notifying the Customer of the change, that it objects on reasonable grounds relating to the protection of Customer Personal Data. The parties will then work together in good faith to find a mutually acceptable resolution.
6. Data Location and International Transfers
Scape hosts and processes all Customer Data within the EU and does not transfer the Customer Data outside the EU. Certain limited categories of Personal Data that are not Customer Data, namely Authentication Data (such as OAuth tokens) and Analytics Data, may be processed by Sub-processors outside the EEA, the United Kingdom, or Switzerland; any such transfer is governed by the SCCs. Where the EU SCCs apply, they are governed by the law of Sweden, with the Swedish Authority for Privacy Protection (IMY) as the competent supervisory authority.
If processing of Customer Data outside the EEA, the UK, or Switzerland becomes necessary in the future, Scape will ensure the transfer is governed by an appropriate safeguard under applicable Data Protection Law. Scape will also apply any supplementary measures needed to ensure an essentially equivalent level of protection. Scape will notify the Customer and update the Scape Trust Center before any such transfer begins.
If Scape receives a legally binding request from a public authority for Customer Data, then unless legally prohibited, Scape will notify the Customer without undue delay, attempt to redirect the authority to the Customer, and disclose only the minimum Customer Personal Data required. Scape will not provide any government authority with direct or unfettered access to Customer Personal Data and will challenge requests that are unlawful, overbroad, or inconsistent with applicable Data Protection Law.
7. Security Measures
Scape is built to a security standard that goes beyond typical industry practice. Most services encrypt data at rest and in transit; we additionally encrypt per user, keep data encrypted even inside our own infrastructure, and decrypt only the specific data needed for a given operation, for the duration of that operation.
7.1 Encryption architecture
All data is encrypted in transit (TLS) and at rest (AES-256), with encryption applied per user. Decryption keys are held in Google Cloud Key Management Service (KMS) and are never stored alongside the data. No data can be decrypted without access to decryption keys in KMS. During processing, only the data required for the specific request is decrypted, and it is re-encrypted the moment processing completes. Customer Data is additionally logically isolated per workspace, enforced at the application data layer to prevent cross-tenant access. Authentication Data is handled through our identity provider, with session tokens verified on each request. All Scape employees only have the minimum access and permissions their work requires. Full administrative access exists only on a dedicated superadmin account protected by multi-factor authentication and split credentials, so no single person can use it alone. Production, staging, and development run in separate, isolated environments with separate databases and credentials; Customer Data exists only in production.
7.2 Organizational security
Every Sub-processor is bound by DPAs ensuring that Customer Data never leaves the EU, and furthermore AI Sub-processors' DPAs bind them to zero data retention policies.
Furthermore Scape is certified to SOC 2 Type II and ISO 27001, and our processing of Personal Data complies with the GDPR and relevant Data Protection Laws. We undergo independent third-party audits annually and current certifications and reports are available in the Scape Trust Center.
All personnel undergo background checks, sign confidentiality agreements, and complete security training. We run centralized logging, monitoring, and incident-response procedures, and perform regular security reviews and vendor due diligence.
7.3 Breach notification
We maintain an incident-response process and will notify affected customers without undue delay after becoming aware of a Personal Data Breach affecting their Personal Data, as further described in Section 9. Notification of, or response to, a breach is not an acknowledgment of fault or liability. Our security depends in part on third-party providers; we remain responsible for our Sub-processors' performance to the extent required by applicable Data Protection Laws.
For more information regarding our security measures, please view our Security Whitepaper.
8. Assistance to Controller
Scape will provide reasonable assistance to the Customer in accordance with GDPR or applicable Data Protection Law. This includes responding to Data Subject requests such as access, correction, deletion, portability, objection and restriction.
Where Scape receives a request directly from a Data Subject who is not the Customer, for example, an employee of the Customer who uses Scape but is not the signatory to this Agreement, Scape will direct that Data Subject to the Customer. This applies unless Scape is legally required, or instructed by the Customer to respond.
The Customer may request Scape's assistance with a Data Protection Impact Assessment or a prior consultation with a supervisory authority. Such assistance consists of Scape providing relevant information about the Customer Personal Data processed in the Service, and Scape may charge its professional-services fees on a time-and-materials basis for such assistance.
Any request for information, assistance, or activity beyond Scape's ordinary course of business, routines, or practices, or beyond what is otherwise commercially reasonable, may be subject to additional fees and charges to be agreed between the parties.
9. Personal Data Breaches
Scape will notify the Customer without undue delay after becoming aware of a Personal Data Breach. The notification will include, to the extent known:
- A description of the breach;
- The categories and approximate volume of affected data and Data Subjects;
- The likely consequences;
- The measures taken or proposed to address it.
Scape will take reasonable steps to contain and remediate the breach. Scape's notification of, or response to, a Personal Data Breach is not an acknowledgment of fault or liability.
For clarity, unsuccessful attempts that do not compromise the security of Personal Data (such as failed log-in attempts, pings, or port scans) do not constitute Personal Data Breaches.
The obligations in this Section do not apply to the extent a Personal Data Breach is caused by the Customer, the Customer's affiliate, or anyone acting on the Customer's behalf, except that Scape will inform the Customer of the breach and provide the necessary information as described above.
10. Audits
On reasonable written request, and no more than once per year unless required by a supervisory authority, Scape will make available information necessary to demonstrate compliance with this DPA. Scape satisfies this primarily by providing its SOC 2 Type II report, ISO/IEC 27001 certificate, and other security documentation through the Scape Trust Center.
11. Deletion or Return of Data
On termination or expiry of the Agreement, at the Customer's choice Scape will return or delete the Customer Personal Data it processes on the Customer's behalf. Unless otherwise agreed, Scape will complete that return or deletion within thirty (30) days of termination or expiry, subject to the backup-retention provisions below. In case of request for export of your personal data the deletion window will be prolonged by ten (10) days. Scape will retain Customer Personal Data after termination only to the extent, and for as long as, permitted or required under applicable Data Protection Laws. Copies of Customer Personal Data may remain in encrypted backups for a limited period after deletion from active systems. Those copies are automatically overwritten as backups expire on Scape's regular backup schedule, and are not used for any other purpose in the meantime.
Deletion or return of Customer Personal Data through the standard functionality of the Service, and deletion carried out in the ordinary course on termination, are not chargeable. Where the Customer asks Scape to perform a custom data export or a bespoke deletion exercise requiring substantial manual effort, Scape may recover its reasonable and documented costs at its then-current professional-services rates, except where applicable Data Protection Law prohibits such a charge.
12. Analytics Data
We automatically collect operational telemetry that helps us secure and improve the Service. This may include:
- Logins and timestamps
- Device information and operating system
- Browser type and version
- IP address and approximate (city-level) location
- Session and performance metrics
- Pages, features, and APIs accessed within the Service
- Error and debugging diagnostics
- Email addresses in isolation
Analytics Data is retained for up to ninety (90) days unless a longer period is required by law. Scape does not use Analytics Data or any other Covered Data to train AI models, does not sell it, and does not use it for cross-context behavioral advertising.
13. De-identified Data
Scape may create De-Identified Data from Personal Data and use it for any lawful business purpose, provided that such data cannot reasonably be used to identify the Customer or any Data Subject, Scape does not attempt to re-identify it, and it is not used to train AI models. Any de-identification will meet the standards required under Data Protection Laws.
14. U.S. Privacy Laws
To the extent Scape processes Customer Personal Data on the Customer's behalf that is subject to U.S. state privacy laws, including the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA”) and comparable state laws (collectively, “U.S. Privacy Laws”), this Section applies. For the purposes of the CCPA, the Customer is the “business” and Scape is a “service provider.” Scape will:
- Process Customer Personal Data only to provide the Service and for the business purposes set out in this DPA and the Agreement, and will not retain, use, or disclose it for any other purpose;
- Not “sell” or “share” Customer Personal Data as those terms are defined under U.S. Privacy Laws, and not use it for cross-context behavioral advertising;
- Not combine Customer Personal Data with personal information received from, or on behalf of, any other party, or collected from Scape's own interactions with the Data Subject, except as permitted under U.S. Privacy Laws;
- Provide the same level of privacy protection as is required of a service provider or contractor under U.S. Privacy Laws;
- Notify the Customer without undue delay if Scape determines it can no longer meet its obligations under U.S. Privacy Laws; and
- Cooperate with the Customer to stop and remediate any unauthorized use of Customer Personal Data.
The Customer has the right to take reasonable and appropriate steps to help ensure that Scape uses Customer Personal Data in a manner consistent with the Customer's obligations under U.S. Privacy Laws.
15. Liability
The liability provisions and limitations set out in the Scape Terms of Service apply to this DPA. Scape's total aggregate liability arising out of or relating to the Agreement and this DPA combined is subject to a single aggregate liability cap as set out in the Terms of Service, and liability under this DPA does not increase or add to that cap.
16. Survival and Amendments
This DPA remains in effect for as long as Scape processes Customer Personal Data, including any period after termination or expiry of the Agreement during which Customer Personal Data remains in encrypted backups pending deletion under Section 11. Scape may update this DPA by posting a revised version. For updates that materially change the protection of Customer Personal Data, Scape will give at least thirty (30) days' notice, and the Customer may terminate the affected Services before the update takes effect and receive a pro-rata refund of prepaid, unused fees.
17. Governing Law
This DPA is governed by the laws of Sweden, and is subject to the same jurisdiction and dispute-resolution terms as the Agreement. Stockholms tingsrätt (Stockholm District Court) will be the court of first instance.
18. Contact Information
For privacy or security matters, contact: