Data Processing Agreement
Most Scutum customers don't need a DPA from us. The platform is self-hosted: data your applications process stays on your infrastructure and we never see it. Under GDPR / UK GDPR / similar frameworks, we are not the processor — your team is the controller, your provider (OpenAI, Anthropic, etc.) is the processor on the model side, and we are the licensor of the software running between them.
When you do need a DPA from us
You need a DPA from Scutum in two cases:
- If you use our managed offering (we run a dedicated Scutum instance for you on our infrastructure). In that mode we are a processor; the DPA binds us to GDPR / CCPA / similar processor obligations.
- If your security team requires a DPA from every vendor as a procurement step, even when there's no actual data processing relationship. We sign these.
What our standard DPA covers
The Scutum DPA is based on the EU Standard Contractual Clauses (Module 2: controller-to-processor) with adjustments for our actual data flow. It covers:
- Scope of processing (only what's needed to provide the contracted service).
- Sub-processor list (Cloudflare, OCI, GCP for managed; subset of these for self-hosted+support).
- Sub-processor change notification (30 days advance for material changes; right to object).
- Security measures: encryption in transit, encryption at rest where we hold data, access controls, audit logging, key separation per tenant.
- Breach notification (72 hours per GDPR Art. 33).
- Data subject rights handling (we forward, you action).
- International transfer mechanisms (SCCs as the transfer mechanism).
- Audit and inspection rights, with mutually-agreed reasonable scope.
- Term, termination, and post-termination data return / deletion.
How to get the DPA
Email us with your legal entity name, country of registration, and the modes you're considering (self-hosted / managed / hybrid). We'll send the version that matches your scenario within one business day.
[email protected]
Why we don't ship a single PDF here
Two reasons we don't auto-publish a downloadable PDF:
- The DPA varies materially based on whether the deployment is self-hosted (we are not a processor) versus managed (we are). A single document forces unhelpful disclaimers throughout.
- Some customers' legal teams want amendments to specific clauses — sub-processor lists, jurisdiction, audit scope — and serving the negotiation form alongside the standard form is clearer than a hidden track-changes process.
Sub-processors (current list)
For the public website and any sales / onboarding interaction:
- Cloudflare (USA, with EU PoPs) — DNS, TLS termination, edge caching.
- Google Workspace (USA, regional storage) — email and calendar at scutum.dev addresses.
- Cal.com (USA) — demo booking widget.
- Resend (USA) — transactional email.
- Oracle Cloud Infrastructure (region: ap-mumbai-1) — host serving scutum.dev.
- GitHub (USA) — source repository, image registry.
For managed Scutum deployments, the sub-processor list depends on the region and tier you're contracted to. The applicable list is documented in the signed DPA.
Material changes
We notify customers of material sub-processor changes at least 30 days before the change takes effect. You may object in writing; we work with you to find a mutually-acceptable alternative or, if none is possible, you may terminate the affected service.
Contact
DPA requests: [email protected] · Security questions: [email protected]