Data Processing Agreement
Last updated: 9 March 2026
1. Parties
This Data Processing Agreement (“DPA”) is entered into between:
- Data Controller: You, the customer (“Controller”)
- Data Processor: Offeryn Ltd, trading as Overscope (“Processor”)
This DPA supplements the Terms of Service and governs the processing of personal data by the Processor on behalf of the Controller.
2. Definitions
Terms used in this DPA have the meanings given in the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Terms of Service.
3. Scope of Processing
| Subject matter | Provision of AI-powered scope intelligence services |
| Duration | Duration of the subscription agreement, plus 30 days |
| Nature and purpose | Document parsing, scope analysis, change order generation, project management integration, revenue recovery analysis (including historical project data comparison, billing reconciliation, and recovery report generation) |
| Types of personal data | Names, email addresses, job titles, project data, IP addresses, usage data, historical project management data (ticket titles, descriptions, assignees, time entries), email and conversation excerpts uploaded for recovery analysis |
| Categories of data subjects | Customer employees, client contacts named in SOWs, individuals referenced in historical project data (ticket assignees, time entry authors, communication participants) |
4. Processor Obligations
The Processor shall:
- Process personal data only on documented instructions from the Controller, unless required by law
- Ensure that persons authorised to process personal data are subject to confidentiality obligations
- Implement appropriate technical and organisational measures to ensure security of processing (see Section 6)
- Not engage another processor without prior written authorisation of the Controller (see Section 5)
- Assist the Controller in responding to data subject requests (access, rectification, erasure, portability)
- Assist the Controller in ensuring compliance with security, breach notification, and data protection impact assessment obligations
- Delete or return all personal data upon termination, at the Controller's choice, within 30 days
- Make available all information necessary to demonstrate compliance and allow for audits
5. Sub-Processors
The Controller provides general written authorisation for the Processor to engage sub-processors. Current sub-processors:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Railway | Application hosting and compute | United States (IDTA) |
| Neon | PostgreSQL database hosting | United States (IDTA) |
| AWS S3 | Document storage | United States (IDTA) |
| OpenAI | AI analysis (zero data retention API) | United States (IDTA) |
| Clerk | Authentication and identity management | United States (IDTA) |
| Stripe | Payment processing | United States (IDTA) |
| Resend | Transactional email delivery | United States (IDTA) |
| PostHog EU | Product analytics (with consent only) | EU (Frankfurt) |
The Processor will notify the Controller of any intended changes to sub-processors at least 14 days in advance, giving the Controller the opportunity to object.
6. Security Measures
The Processor implements the following technical and organisational measures:
- Encryption in transit (TLS 1.2+) on all connections
- OAuth tokens encrypted at rest with AES-256-GCM before database storage
- Database connections enforce SSL in production
- Role-based access control (RBAC) with organisation-level data isolation
- Audit logging of all data access and modifications
- Automated vulnerability scanning and dependency updates
- All credentials stored as environment variables, never in source code
- Automated database backups with point-in-time recovery via Neon
- Per-endpoint and global rate limiting
- Incident response procedures with 72-hour breach notification
7. Data Breach Notification
In the event of a personal data breach, the Processor shall notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach. The notification shall include:
- The nature of the breach, including categories and approximate number of records
- Contact details for further information
- Likely consequences of the breach
- Measures taken or proposed to address the breach
8. International Transfers
Where personal data is transferred outside the United Kingdom, the Processor ensures appropriate safeguards are in place in accordance with UK GDPR Article 46, including:
- International Data Transfer Agreements (IDTAs) issued by the ICO for transfers to the United States
- Adequacy decisions where applicable
- Supplementary measures including encryption and access controls
9. Data Subject Rights
The Processor provides self-service tools for data subject rights:
- Access & Portability: Data export available via the Service dashboard (JSON format)
- Erasure: Account deletion available via the Service dashboard
- Rectification: Users can update their profile information directly
For requests that cannot be fulfilled through the Service, contact support@overscope.co.uk.
10. Audit Rights
The Controller may audit the Processor's compliance with this DPA with reasonable notice (minimum 30 days). The Processor will cooperate with audits and provide access to relevant documentation, facilities, and personnel.
11. Term and Termination
This DPA remains in effect for the duration of the Terms of Service. Upon termination, the Processor shall delete all personal data within 30 days, unless retention is required by law. Anonymised audit logs may be retained for up to 2 years for compliance purposes.
12. Recovery Data Retention
Historical project data uploaded for Revenue Recovery analysis is subject to the following additional retention provisions:
- Recovery analyses and associated data are automatically archived after 12 months of inactivity
- Users may manually delete recovery analyses and all associated data (documents, signals, recovery items, and reports) at any time via the Service dashboard
- Known assignee names and email addresses within uploaded project data are redacted before processing by AI sub-processors. Original uploaded documents are stored encrypted on AWS S3 and subject to standard deletion timelines
13. Governing Law
This DPA is governed by the laws of England and Wales and subject to the exclusive jurisdiction of the courts of England and Wales.
14. Contact
For questions about this DPA or data protection matters:
- Data Protection Officer: support@overscope.co.uk
- Company: Offeryn Ltd