Data Processing Agreement

Last updated: April 23, 2026
Effective: May 1, 2026
⚠️ This is a template. ScopeMantle's final legal documents will be reviewed by counsel before launch. Do not rely on this language for contractual purposes.

Template notice

This is a template DPA for review. To execute a countersigned copy for your organization, contact legal@scopemantle.com. We can sign DocuSign, electronic-PDF, or paper.

Standard Contractual Clauses

Where Customer Personal Data is transferred from the EEA, the United Kingdom, or Switzerland to a country without an adequacy decision, the parties incorporate the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), Module 2 (controller-to-processor) or Module 3 (processor-to-processor), as applicable. The UK International Data Transfer Addendum (March 2022) and the Swiss FDPIC requirements are deemed incorporated.

Subject matter, duration, nature, and purpose

  • Subject matter: provision of the ScopeMantle third-party access governance and privacy operations platform.
  • Duration: for the duration of the underlying subscription, plus any post-termination retention period.
  • Nature: collection, storage, organization, retrieval, analysis, and deletion of Customer Personal Data, as necessary to provide the Service.
  • Purpose: providing, securing, and improving the Service for Customer.

Types of data and categories of data subjects

Categories of data subjects: Customer's employees, contractors, and (for DSAR workflows) Customer's end users.

Types of personal data: name, work email, employee directory metadata, OAuth grant identifiers and scopes, login and audit events, and any DSAR-related personal data Customer chooses to process via the Service.

Technical and organizational measures

ScopeMantle maintains the security measures described on our Security page and Trust Center, including: SOC 2 Type II controls (in progress), encryption in transit (TLS 1.2+) and at rest (AES-256), least-privilege access, mandatory MFA, quarterly key rotation, and an incident response program with 72-hour notification.

Sub-processors

The current list of sub-processors is published at /legal/sub-processors. Customer is notified at least 30 days before a new sub-processor is added and may object on reasonable data-protection grounds.

Audit rights

ScopeMantle makes available its most recent SOC 2 Type II report and ISO 27001 certificate (when issued) under NDA. Customer may request additional audit information no more than once per year, on 30 days' notice, and any on-site audit must not unreasonably interfere with ScopeMantle's operations.

Breach notification

ScopeMantle will notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data. Notice will include known facts, scope, mitigations taken, and a contact for follow-up.