DPA — summary
Last updated: 17 May 2026
1. Scope
This Data Processing Addendum (DPA) summarises how Scitus.ai processes personal data on behalf of customers. A full signed DPA is available before onboarding for all paid customers, with provisions appropriate to the personal data being processed and the customer's home jurisdiction.
2. Roles
For the marketing site and demo requests, Scitus.ai is the data controller. For the Scitus platform itself, Scitus.ai acts as a data processor on behalf of you, the customer, who remains the controller of personal data you upload.
3. Subprocessors
We maintain a published list of subprocessors (cloud hosting, transactional email, analytics, customer support tooling). Customers are notified 30 days before any new subprocessor is added. The current list is available on request to hello@scitus.ai.
4. Security measures
We implement industry-standard organisational and technical security measures, including encryption in transit (TLS 1.2+), encryption at rest, role-based access control, audit logging, and annual security reviews. Background checks are performed for all engineering staff.
5. Data location and transfers
Customer data is stored in the region closest to the customer. Cross-border transfers, where they occur, rely on appropriate transfer mechanisms (such as Standard Contractual Clauses or equivalent recognised safeguards).
6. Breach notification
We notify customers of confirmed personal-data breaches affecting their data within 72 hours of becoming aware. Notifications include scope, affected categories, mitigations, and our point of contact.
7. Audit & support
Enterprise customers may audit our security posture annually under NDA. Pen-test summaries and SOC-2-style reports are made available on request.
Questions about this document? Email hello@scitus.ai.