RepScout

Data Processing Addendum

Our data processing addendum

Effective Date: 10th October 2025
Last updated: 10th October 2025

This Data Processing Addendum (“DPA”) forms part of the RepScout Terms of Service (“Agreement”) between RepScout AI Ltd (“RepScout,” “Processor,” “we,” “us”) and the Client (“Controller,” “you”) and reflects the parties’ agreement on the Processing of Personal Data in accordance with applicable data protection laws.

By creating an account, subscribing via Stripe, or otherwise using RepScout’s Services, the Client agrees to this DPA.


1. DEFINITIONS

  • Data Protection Laws: All applicable data protection and privacy legislation, including the UK GDPR, EU GDPR, and the UK Data Protection Act 2018.
  • Personal Data, Processing, Controller, Processor, Data Subject: Meanings as set out in the GDPR.
  • Subprocessor: A third-party processor engaged by RepScout to support service delivery.
  • Client Data: Any Personal Data that the Client uploads, provides, or otherwise makes available to RepScout in connection with the Services.

2. ROLES OF THE PARTIES

  • Client as Controller: The Client acts as the Data Controller, determining the purpose and means of Processing Personal Data.
  • RepScout as Processor: RepScout acts as a Data Processor, Processing Personal Data only as necessary to provide the Services as described in the Agreement.
  • RepScout shall not determine the purposes of Processing or use Client Data for its own purposes.

3. SUBJECT MATTER AND DURATION

  • This DPA governs all Processing of Client Data carried out by RepScout during the term of the Agreement and any period thereafter during which RepScout retains Client Data.
  • Processing will cease, and data will be deleted or returned, in accordance with Section 10 (Data Return & Deletion).

4. NATURE AND PURPOSE OF PROCESSING

RepScout Processes Client Data solely to:

  • Deliver platform functionality including candidate assessments and reporting;
  • Send automated communications via AWS SES;
  • Store and manage assessment logs and analytics;
  • Provide technical support, product analytics, and compliance monitoring.

RepScout does not sell or use Personal Data for marketing, training, or profiling unrelated to service delivery.


5. TYPES OF PERSONAL DATA AND DATA SUBJECTS

  • Data Subjects: Job candidates, Client employees, users, or administrators.
  • Personal Data Types: Name, email address, CV or profile details, voice recordings (optional), test results, timestamps, and platform activity logs.

6. SECURITY MEASURES

RepScout implements appropriate technical and organizational measures including:

  • AES-256 encryption at rest
  • TLS 1.2+ encryption in transit
  • Role-based access control (RBAC)
  • Continuous monitoring, vulnerability scanning, and logging
  • Quarterly third-party penetration testing

7. SUBPROCESSORS

  • Client authorizes RepScout to engage subprocessors for operational support.
  • Current subprocessors include:
    • Amazon Web Services (AWS) – Hosting and SES email delivery (EU-West-1 / US-East-1)
    • Google Analytics – Website and platform analytics
    • Sentry – Error tracking and observability
    • Amplitude Analytics – Product analytics and usage metrics
  • RepScout ensures that all subprocessors are bound by written agreements imposing equivalent data protection obligations.

8. DATA SUBJECT RIGHTS

RepScout will, where possible and as required by law, assist the Client in fulfilling its obligations to respond to Data Subject requests, including access, correction, erasure, restriction, and portability.


9. DATA BREACH NOTIFICATION

RepScout shall notify the Client without undue delay (and within 48 hours) upon becoming aware of a confirmed Personal Data Breach.
Notifications will include known details, potential impact, and remediation measures.


10. DATA RETURN AND DELETION

  • Upon termination or expiration of the Agreement, RepScout shall delete or return all Client Data unless retention is required by law.
  • Default retention period: 12 months post-termination unless otherwise agreed.
  • All deletion events are logged for audit purposes.

11. AUDITS AND DEMONSTRATION OF COMPLIANCE

  • Upon written request, RepScout will provide documentation sufficient to demonstrate compliance with this DPA (e.g., SOC 2 or ISO audit evidence).
  • Clients may conduct one audit per year with reasonable notice, subject to confidentiality safeguards.

12. INTERNATIONAL DATA TRANSFERS

RepScout may transfer Personal Data outside the UK or EEA only:

  • To jurisdictions with adequacy decisions, or
  • Pursuant to the Standard Contractual Clauses (SCCs) where required.

Data residency (EU or US) is determined at Client onboarding and remains in-region unless otherwise agreed.

13. MISCELLANEOUS

  • This DPA is governed by the laws of England and Wales.
  • Any disputes shall be handled in the courts of London, UK.
  • This DPA applies automatically to all Clients using the RepScout platform under the Terms of Service.

Effective Incorporation

This DPA is incorporated by reference into RepScout’s Terms of Service and does not require separate signature.
By using RepScout’s Services, you acknowledge and agree to this DPA.


Contact for Data Protection Matters
Data Protection Officer, RepScout AI Ltd
📧 tim@repscout.ai
