Scripe 4.0 is here!

|

Read the update

Data Processing Agreement (DPA)

Version: July 2026

This Data Processing Agreement ("DPA") forms part of the Scripe Software-as-a-Service Agreement available at https://scripe.io/terms (the "Agreement") between Scripe GmbH, Bismarckstraße 68a, 12157 Berlin, Germany ("Scripe", the "Processor") and the business customer using the Scripe service (the "Customer", the "Controller"). It is incorporated into the Agreement by reference and applies automatically to all business customers — no signature is required. Customers who require a countersigned copy (e.g. for their processing records under Art. 30 GDPR) can request one at privacy@scripe.io.

In case of discrepancies between the English and the German language version of this DPA, the German version prevails. In case of conflicts between this DPA and the Agreement, this DPA prevails with regard to the processing of personal data.

1. Definitions

Terms such as "personal data", "processing", "controller", "processor", "data subject" and "supervisory authority" have the meaning given to them in Regulation (EU) 2016/679 ("GDPR"). "Customer Data" means all personal data that Scripe processes on behalf of the Customer in the course of providing the service, as further described in Annex 1.

2. Roles and scope

  1. For the processing of Customer Data, the Customer is the controller within the meaning of Art. 4 No. 7 GDPR and Scripe is the processor within the meaning of Art. 4 No. 8 GDPR. Customer Data includes in particular: content, drafts, media, recordings and knowledge sources that the Customer and its users bring into the workspace; the LinkedIn accounts connected by the Customer's users together with the profile, post and analytics data retrieved for them; and the scheduling, publishing and engagement data processed to provide the contracted features.

  2. Scripe determines neither the purposes nor the essential means of processing Customer Data: the Customer decides which accounts are connected, which content is created, edited, scheduled and published, which team members have access, and which optional features (e.g. engagement automation, integrations) are activated. Scripe processes Customer Data solely to provide, secure and support the contracted service.

  3. This DPA does not apply to processing for which Scripe is itself the controller, in particular: managing user and customer accounts, authentication, contract administration, billing and payment; securing and monitoring the service and preventing abuse; aggregate product analytics and error diagnostics; Scripe's own marketing and communication; compliance with Scripe's own legal obligations; and the operation of Scripe's cross-customer index of publicly available LinkedIn content (inspiration/benchmark features). Such processing is described in Scripe's privacy notice at https://scripe.io/privacy.

  4. The parties are not joint controllers (Art. 26 GDPR) for any processing under the Agreement.

3. Subject matter, duration, nature and purpose

The subject matter, duration, nature and purpose of the processing as well as the types of personal data and the categories of data subjects are set out in Annex 1.

4. Instructions

  1. Scripe processes Customer Data only on the Customer's documented instructions, including with regard to transfers to third countries, unless Scripe is required to process by Union or Member State law; in such a case, Scripe informs the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest (Art. 28 (3) (a) GDPR).

  2. The Agreement, this DPA and the Customer's configuration and use of the service (including settings made by the Customer's authorized users in the product, e.g. connecting accounts, scheduling posts, activating engagement policies) constitute the Customer's complete documented instructions. Additional instructions require agreement in text form.

  3. Scripe informs the Customer without undue delay if, in Scripe's opinion, an instruction infringes the GDPR or other applicable data protection provisions. Scripe may suspend the execution of such an instruction until it is confirmed or changed by the Customer.

5. Confidentiality

Scripe ensures that all persons authorized to process Customer Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality (Art. 28 (3) (b) GDPR), and process Customer Data only to the extent required for their tasks.

6. Security of processing

Scripe implements and maintains appropriate technical and organizational measures pursuant to Art. 32 GDPR, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risks for data subjects. The measures in place at the time of this version are described in Annex 2. Scripe may update these measures, provided the level of protection does not fall below the level provided by Annex 2.

7. Sub-processors

  1. The Customer grants Scripe a general written authorization to engage sub-processors for the processing of Customer Data (Art. 28 (2) GDPR). The sub-processors engaged at the time of this version are listed at https://scripe.io/subprocessors, which forms part of this DPA as Annex 3.

  2. Scripe announces intended additions or replacements of sub-processors at https://scripe.io/subprocessors at least 30 days before the new sub-processor processes Customer Data. Business customers can subscribe to change notifications by e-mailing privacy@scripe.io. The Customer may object to a change on reasonable data protection grounds within 30 days of the announcement; in that case, the parties will seek a mutually agreeable solution (e.g. opting out of an affected optional feature). If no solution is found, either party may terminate the affected services with effect from the date the change takes effect.

  3. Scripe imposes on each sub-processor, by way of a contract pursuant to Art. 28 (4) GDPR, data protection obligations essentially equivalent to those set out in this DPA, and remains fully liable to the Customer for the performance of each sub-processor's obligations.

8. International transfers

Scripe processes Customer Data primarily within the European Union. Where Customer Data is transferred to a country outside the EU/EEA that is not subject to an adequacy decision of the European Commission, Scripe ensures appropriate safeguards pursuant to Art. 44 et seq. GDPR, in particular the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) with the respective sub-processor and/or reliance on the EU–U.S. Data Privacy Framework where the recipient is certified. Details per sub-processor are provided at https://scripe.io/subprocessors.

9. Assistance to the Customer

  1. Taking into account the nature of the processing, Scripe assists the Customer by appropriate technical and organizational measures, insofar as this is possible, in fulfilling the Customer's obligation to respond to requests of data subjects exercising their rights under Chapter III GDPR (Art. 28 (3) (e) GDPR). If a data subject contacts Scripe directly regarding Customer Data, Scripe forwards the request to the Customer without undue delay. The service provides export and deletion capabilities the Customer can use self-service.

  2. Scripe assists the Customer in ensuring compliance with the obligations pursuant to Art. 32 to 36 GDPR (security, breach notification, data protection impact assessments, prior consultation), taking into account the nature of processing and the information available to Scripe (Art. 28 (3) (f) GDPR).

10. Personal data breach

Scripe notifies the Customer without undue delay after becoming aware of a personal data breach affecting Customer Data (Art. 33 (2) GDPR). The notification describes, as far as known, the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed. Scripe documents breaches and reasonably cooperates with the Customer in investigating and mitigating them.

11. Deletion and return of Customer Data

  1. During the term, the Customer can export Customer Data through the service or request assistance at privacy@scripe.io; upon termination of the Agreement, Scripe reasonably supports the Customer in retrieving or securing Customer Data (see Section XII of the Agreement).

  2. After the end of the provision of services, Scripe deletes all Customer Data remaining on its systems irretrievably within 30 days, unless Union or Member State law requires further storage (Art. 28 (3) (g) GDPR). Backups are deleted or overwritten in the ordinary backup cycle. No right of retention or lien exists in respect of Customer Data.

12. Audits

  1. Scripe makes available to the Customer all information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR and this DPA, in particular relevant certifications, attestations and audit reports of Scripe and its infrastructure sub-processors (Art. 28 (3) (h) GDPR).

  2. Where such information is insufficient in an individual case, the Customer (or an independent auditor mandated by the Customer that is not a competitor of Scripe) may conduct an audit, including an inspection, of the processing operations concerned. Audits require reasonable advance notice of at least 30 days, take place during regular business hours no more than once per calendar year (except following a personal data breach or where required by a supervisory authority), must not disrupt Scripe's operations disproportionately, and are subject to confidentiality. Each party bears its own costs.

13. No use for model training; no cross-customer use

Scripe does not use Customer Data to train machine-learning models for the benefit of other customers or third parties. AI personalization (e.g. tone-of-voice profiles or the optional per-workspace image model) is built exclusively from the respective Customer's own data and used only for that Customer's workspace. Scripe contractually requires its AI sub-processors not to use Customer Data submitted through Scripe to train their foundation models. For clarity: the inspiration/benchmark index of publicly available LinkedIn content is operated by Scripe as controller outside this DPA (see clause 2.3 and the privacy notice).

14. Term, liability, final provisions

  1. This DPA applies as long as Scripe processes Customer Data under the Agreement.

  2. Liability under this DPA is governed by the liability provisions of the Agreement; Art. 82 GDPR remains unaffected.

  3. This DPA is governed by German law. Place of jurisdiction is Berlin, Germany.

  4. Scripe may update this DPA where required by law, by supervisory guidance or by changes to the service, provided the level of protection for the Customer is not materially reduced; material updates are announced on this page with reasonable advance notice.

Annex 1 — Details of the processing

Subject matter: Provision of the Scripe platform — an application for creating, personalizing, scheduling, publishing and analyzing LinkedIn content for the Customer's workspace, including collaboration, media library, knowledge base, analytics and optional engagement and integration features.

Duration: Term of the Agreement, plus the deletion period under clause 11.

Nature and purpose of processing: Hosting and storage; transcription of audio/video; AI-supported content generation and editing based on the Customer's inputs; retrieval of profile, post history and analytics data of connected LinkedIn accounts via LinkedIn's official APIs; scheduling and publishing of posts to member profiles and company pages; execution of engagement actions (like/comment/repost) configured and approved by the Customer's users; analytics and reporting; notifications (e-mail, push, realtime, connected messengers); support.

Categories of data subjects:

  • users of the Customer (team members, administrators, invited "amplifiers");
  • persons whose personal data appears in content, recordings, documents or knowledge sources provided by the Customer;
  • persons interacting with the Customer's LinkedIn presence, to the extent retrieved for the Customer (e.g. authors of posts mentioning the Customer's company page, follower statistics);
  • persons the Customer invites to provide input (e.g. via the public answer link, WhatsApp or e-mail requests).

Types of personal data:

  • identification and contact data (name, e-mail address, profile image, workspace role);
  • LinkedIn account and profile data of connected accounts (profile information, vanity URL, OAuth tokens, connection status);
  • content data (post drafts and published posts, comments, media, images, documents, knowledge sources, chat and interview conversations);
  • audio/video recordings and transcripts (voice notes, voice input, uploaded recordings);
  • analytics and engagement data (impressions, reactions, comments, follower statistics, page statistics including aggregated demographic breakdowns provided by LinkedIn);
  • usage and technical data required to provide the service (log data, device data, notification tokens);
  • communication data of connected channels activated by the Customer (e.g. Slack, Notion, WhatsApp phone number and messages).

Special categories of data (Art. 9 GDPR): Not intended to be processed; may be incidentally contained in content the Customer chooses to process (e.g. spoken recordings). The Customer is responsible for ensuring a legal basis for such content.

Annex 2 — Technical and organizational measures (Art. 32 GDPR)

Encryption and transport security: All data in transit is encrypted using TLS. Data at rest is encrypted at the infrastructure level by Scripe's hosting providers (managed database, object storage, backups).

Access control: Authentication via a managed identity provider with single sign-on support; role-based access within workspaces (owner/admin/member); access to production systems restricted to authorized personnel on a need-to-know basis; API access via scoped, hashed keys with rate limiting; LinkedIn account access exclusively via OAuth tokens that users can revoke at any time — Scripe never receives LinkedIn passwords.

Infrastructure: Hosting on established cloud providers (see Annex 3) with certified data centers (e.g. ISO 27001 / SOC 2 attestations of the providers); primary file storage in the EU (Frankfurt region); logical tenant separation at workspace level.

Availability and resilience: Redundant managed infrastructure, automated backups, queue-based processing with retry mechanisms, monitoring and alerting, documented incident response.

Data minimization and retention: Deletion workflows for accounts and workspaces (including deletion of stored files and third-party records); automated pruning of externally sourced content; configurable data exports.

Personnel and organization: Confidentiality obligations for all personnel; least-privilege administration; data protection contact (privacy@scripe.io); vendor due diligence with Art. 28 agreements for all sub-processors; logging and review of security-relevant events.

Annex 3 — Sub-processors

The current list of sub-processors, including entities, countries, purposes and transfer safeguards, is published and maintained at https://scripe.io/subprocessors and forms part of this DPA.