GDPR Compliance: This Data Processing Agreement ("DPA") is entered into pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and forms part of the Terms of Service between ScoutVibe and the Customer.
To Execute This DPA: Customers requiring a signed DPA should contact contact@ialae.com with subject "DPA Request" including your company name and ScoutVibe account email.
1. Parties and Background
This Data Processing Agreement ("DPA") is entered into between:
Data Controller ("Customer" or "Controller")
The entity that has agreed to ScoutVibe's Terms of Service and is using ScoutVibe's analytics services to collect and process data from its website visitors.
Data Processor ("ScoutVibe" or "Processor")
ScoutVibe, operated by a company founded in the Kingdom of Morocco, providing website analytics and visitor tracking services.
The Controller has engaged the Processor to provide website analytics and visitor tracking services (the "Services") which require the Processor to process Personal Data on behalf of the Controller.
2. Definitions
"Personal Data"
Any information relating to an identified or identifiable natural person as defined in Article 4(1) of the GDPR.
"Processing"
Any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction.
"Data Subject"
The identified or identifiable natural person to whom Personal Data relates (i.e., website visitors tracked through ScoutVibe).
"Sub-processor"
Any third party engaged by the Processor to process Personal Data on behalf of the Controller.
"Data Protection Laws"
GDPR, UK GDPR, and any other applicable data protection legislation in the relevant jurisdictions.
"Personal Data Breach"
A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
"Standard Contractual Clauses" or "SCCs"
The standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission.
"Services"
The website analytics and visitor tracking services provided by ScoutVibe as described in the Terms of Service.
3. Scope and Purpose of Processing
3.1 Subject Matter
The Processor shall process Personal Data on behalf of the Controller for the purpose of providing website analytics and visitor tracking services as described in the Terms of Service.
3.2 Nature of Processing
The processing activities include:
- Collection of visitor data through the ScoutVibe tracking script
- Storage of collected data on secure cloud infrastructure
- Analysis and aggregation of visitor behavior data
- Generation of analytics reports and insights
- Provision of dashboard access for data visualization
- Cross-device and cross-session visitor identification
3.3 Purpose of Processing
Personal Data is processed solely for the following purposes:
- Providing the Services as described in the Terms of Service
- Enabling website analytics and visitor tracking functionality
- Generating reports and insights for the Controller
- Technical operation, maintenance, and improvement of the Services
- Compliance with legal obligations
3.4 Duration of Processing
Processing shall continue for the duration of the Terms of Service agreement.
3.4.1 Standard Retention Periods (During Active Service)
The following retention periods apply to data collected during the active service period:
- Event Data: 24 months from collection date
- Session Data (time-on-page, focus events): 12 months from collection date
- Prospect Profiles: Retained while Controller's account is active
- Unclaimed Tracking Tokens: 90 days from creation
3.4.2 Upon Termination
When the Terms of Service agreement is terminated:
- The Controller may request data export within 30 days of termination
- All Personal Data will be permanently deleted within 90 days of termination
- Aggregate, anonymized statistical data may be retained indefinitely
- Data required for legal compliance may be retained as required by law
4. Categories of Data Subjects
The Personal Data processed concerns the following categories of Data Subjects:
- Visitors to the Controller's website(s)
- Users of the Controller's web applications
- Prospects and leads identified through the Controller's marketing activities
- Any other individuals whose data is collected through the ScoutVibe tracking script
5. Types of Personal Data
The following types of Personal Data are processed:
| Category | Data Types |
|---|---|
| Technical Identifiers | Device fingerprints, browser fingerprints, session IDs, prospect IDs, tracking tokens |
| Device Information | Browser type/version, operating system, screen resolution, device type, language settings, timezone |
| Behavioral Data | Pages visited, click events, scroll depth, time on page, referrer URLs, session duration |
| Contact Information | Email addresses (when voluntarily provided by Data Subjects through forms) |
| Geographic Data (City-Level) | Country, region/state, and city derived from IP address. IP addresses are hashed using SHA-256 with a secure salt and cannot be reversed. Latitude, longitude, and precise coordinates are NOT collected or stored. |
Special Categories of Data: The Processor does not intentionally collect or process special categories of Personal Data (Article 9 GDPR) or data relating to criminal convictions (Article 10 GDPR). The Controller shall not configure the Services to collect such data.
Device Fingerprinting Notice: The Services use device fingerprinting technology for visitor identification. Under ePrivacy Directive Article 5(3), this may require end user consent. The Controller is responsible for obtaining any required consent before enabling tracking. The Processor provides consent mode controls (window.scoutvibe_consent) and automatically respects Global Privacy Control (GPC) signals.
6. Processor Obligations
6.1 Processing Instructions
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, including transfers to third countries, unless required by applicable law
- Immediately inform the Controller if any instruction infringes Data Protection Laws
- Not process Personal Data for any purpose other than providing the Services
6.2 Confidentiality
The Processor shall:
- Ensure that personnel authorized to process Personal Data are bound by confidentiality obligations
- Limit access to Personal Data to personnel who need access to perform the Services
- Implement appropriate access controls and authentication measures
6.3 Security Measures
The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption: Data encrypted in transit (TLS 1.2+) and at rest (AES-256)
- Access Controls: Role-based access control, multi-factor authentication
- Infrastructure Security: AWS security best practices, VPC isolation, security groups
- Monitoring: Continuous security monitoring, intrusion detection, log analysis
- Business Continuity: Regular backups, disaster recovery procedures
- Vulnerability Management: Regular security assessments, timely patching
Detailed security measures are described in Annex B.
6.4 Sub-processing
The Processor shall:
- Not engage another processor (Sub-processor) without prior written authorization from the Controller
- The Controller hereby provides general authorization for the Sub-processors listed in Annex C
- Inform the Controller of any intended changes to Sub-processors, giving the Controller the opportunity to object
- Ensure Sub-processors are bound by data protection obligations no less protective than this DPA
- Remain fully liable for Sub-processor compliance
6.5 Data Subject Rights
The Processor shall:
- Assist the Controller in responding to Data Subject requests (access, rectification, erasure, portability, restriction, objection)
- Promptly notify the Controller of any Data Subject request received directly
- Not respond directly to Data Subject requests unless authorized by the Controller
- Provide technical capabilities to enable the Controller to fulfill Data Subject requests
6.6 Personal Data Breach
In the event of a Personal Data Breach, the Processor shall:
- Notify the Controller without undue delay, and in any event within 48 hours of becoming aware
- Provide sufficient information to enable the Controller to meet its breach notification obligations
- Cooperate with the Controller's investigation and remediation efforts
- Document all breaches, including facts, effects, and remedial actions taken
6.7 Data Protection Impact Assessments
The Processor shall provide reasonable assistance to the Controller with:
- Data Protection Impact Assessments (DPIAs) where required
- Prior consultations with supervisory authorities where required
6.8 Audit Rights
The Processor shall:
- Make available all information necessary to demonstrate compliance with this DPA
- Allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller
- Audits shall be conducted with reasonable notice (minimum 30 days), during normal business hours, and subject to confidentiality obligations
- The Controller shall bear the costs of any audit unless the audit reveals material non-compliance
7. Controller Obligations
The Controller warrants and agrees that:
- It has a lawful basis for processing Personal Data through the Services
- It has provided appropriate notice to Data Subjects regarding the use of analytics tracking
- It has obtained any required consents from Data Subjects where applicable
- Its instructions to the Processor comply with Data Protection Laws
- It will maintain an appropriate privacy policy disclosing the use of ScoutVibe
- It will respond to Data Subject requests within statutory timeframes
- It will not use the Services to process special categories of Personal Data
- It will not use the Services to knowingly track children without appropriate parental consent
8. International Data Transfers
8.1 Transfer Locations
Personal Data may be transferred to and processed in:
- United States: AWS infrastructure hosting
- Morocco: Company operations
- Other locations: As specified for Sub-processors in Annex C
8.2 Transfer Mechanisms
For transfers outside the EEA/UK to countries without an adequacy decision, the following mechanisms apply:
- Standard Contractual Clauses: The parties agree to be bound by the EU Commission's Standard Contractual Clauses (Module Two: Controller to Processor) as set forth in Commission Implementing Decision (EU) 2021/914
- UK Addendum: For transfers from the UK, the UK Addendum to the SCCs applies
- Supplementary Measures: Additional technical and organizational measures as described in Annex B
8.3 Transfer Impact Assessment
The Processor has conducted a transfer impact assessment and determined that the safeguards in place provide an adequate level of protection for transferred Personal Data.
9. Liability and Indemnification
9.1 Liability
Each party shall be liable for damages caused by processing that infringes Data Protection Laws or this DPA, subject to the limitations set forth in the Terms of Service.
9.2 Indemnification
The Controller agrees to indemnify and hold harmless the Processor from claims, damages, and expenses arising from:
- The Controller's breach of this DPA
- The Controller's failure to have a lawful basis for processing
- The Controller's failure to provide required notices or obtain required consents
- Claims by Data Subjects resulting from the Controller's instructions or use of the Services
10. Term and Termination
10.1 Term
This DPA shall remain in effect for the duration of the Terms of Service agreement.
10.2 Effects of Termination
Upon termination:
- The Processor shall cease processing Personal Data except as necessary to return or delete data
- The Controller may request return of Personal Data in a standard format within 30 days
- The Processor shall delete all Personal Data within 90 days, unless retention is required by law
- The Processor shall certify deletion upon Controller's request
11. General Provisions
11.1 Precedence
In the event of conflict between this DPA and the Terms of Service regarding data protection matters, this DPA shall prevail.
11.2 Amendments
This DPA may be amended by the Processor to reflect changes in Data Protection Laws. Material changes will be notified to the Controller with 30 days' notice.
11.3 Governing Law
This DPA shall be governed by the laws of the Kingdom of Morocco, without regard to conflict of law principles. For matters relating to GDPR compliance, the relevant provisions of EU law shall apply.
11.4 Severability
If any provision of this DPA is found invalid, the remaining provisions shall continue in effect.
ANNEX A: Details of Processing
A.1 Subject Matter of Processing
Website analytics and visitor tracking services
A.2 Duration of Processing
For the term of the Terms of Service agreement
A.3 Nature and Purpose of Processing
- Collection of website visitor data via tracking script
- Storage and analysis of behavioral data
- Generation of analytics reports and insights
- Cross-session and cross-device visitor identification
- Prospect tracking and attribution
A.4 Categories of Data Subjects
- Website visitors
- Application users
- Prospects and leads
A.5 Types of Personal Data
- Device and browser information
- Device fingerprints and identifiers
- Behavioral and interaction data
- Session and timing data
- Email addresses (when voluntarily provided)
A.6 Special Categories of Data
None. The Services are not intended to process special categories of Personal Data.
ANNEX B: Technical and Organizational Security Measures
B.1 Data Encryption
- TLS 1.2+ encryption for all data in transit
- AES-256 encryption for data at rest
- Encrypted database connections
- Secure key management practices
B.2 Access Control
- Role-based access control (RBAC)
- Principle of least privilege
- Multi-factor authentication for administrative access
- Regular access reviews
- Unique user credentials
B.3 Infrastructure Security
- AWS cloud infrastructure with SOC 2 Type II certification
- Virtual Private Cloud (VPC) isolation
- Security groups and network ACLs
- DDoS protection
- Web Application Firewall (WAF)
B.4 Monitoring and Logging
- Continuous security monitoring
- Intrusion detection systems
- Audit logging of access and changes
- Log retention and analysis
- Alerting for security events
B.5 Business Continuity
- Regular automated backups
- Geographic redundancy
- Disaster recovery procedures
- Recovery time objectives defined
B.6 Personnel Security
- Confidentiality agreements for all personnel
- Security awareness training
- Background checks where permitted
- Access termination procedures
B.7 Vulnerability Management
- Regular security assessments
- Penetration testing
- Timely security patches
- Secure development practices
ANNEX C: Authorized Sub-processors
The Controller hereby authorizes the engagement of the following Sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure hosting, data storage, computing services | United States |
| OpenAI, Inc. | AI-powered analytics insights, content analysis, and automated recommendations. Data processed includes anonymized behavioral patterns and aggregated analytics data only. | United States |
| Google LLC (Gemini AI) | AI services for advanced analytics processing and natural language insights. Data processed includes anonymized visitor patterns and aggregate statistics only. | United States |
| Payment Processor | Payment processing (billing data only, not analytics data) | United States / EU |
| Email Service Provider | Transactional email delivery (service notifications only) | United States / EU |
AI Services Data Handling: Personal Data sent to AI sub-processors (OpenAI, Google Gemini) is limited to anonymized or aggregated data only. No directly identifiable information (emails, names) is transmitted to AI services. These services are used solely for generating analytics insights and recommendations.
The Controller will be notified of any changes to Sub-processors at least 30 days before engagement. Objections may be raised within 14 days of notification.
Data Controller (Customer)
Company Name:
Signature
Name and Title
Date
Data Processor (ScoutVibe)
Company: ScoutVibe
Signature
Name and Title
Date
12. Contact Information
This Data Processing Agreement is designed to meet the requirements of GDPR Article 28 and provide a clear framework for the processing of Personal Data.