This Data Processing Addendum (“DPA”) is a scaffold of the terms that will apply when Scriba processes personal data on behalf of an institutional customer (e.g. a law school, clinic, or firm) that has signed a written subscription agreement with us.
1. Definitions
Capitalized terms not defined here have the meanings given in the GDPR, UK GDPR, and applicable US state privacy laws (including the CCPA/CPRA).
2. Roles
For personal data processed on behalf of Customer, Customer is the controller and Scriba is the processor. For account, billing, and product analytics data, Scriba is an independent controller.
3. Sub-processors
Scriba engages sub-processors to host infrastructure, deliver email, and provide AI inference. A current list is available on request; material additions will be communicated to Customer with reasonable notice.
4. Security
Scriba maintains administrative, physical, and technical safeguards appropriate to the risk, including encryption in transit, access controls, and audit logging.
5. Transfers
Where personal data of EEA, UK, or Swiss data subjects is transferred to a country without an adequacy decision, the Standard Contractual Clauses (Module 2) apply and are incorporated by reference.