GDPR Compliance

Last update:

ScoutOS is committed to upholding the highest standards of data protection and privacy in accordance with the General Data Protection Regulation (GDPR). We recognize the importance of safeguarding personal information and ensuring transparency in our data processing activities. This page outlines our GDPR compliance measures and how you, as our valued customer, can exercise your rights under the regulation.

When ScoutOS is a Data Processor

In the majority of cases, ScoutOS acts as a data processor under GDPR.

Our customers - typically businesses that integrate ScoutOS into their workflows - act as data controllers, determining what data is collected, the legal basis for its collection, and how it should be processed. ScoutOS processes this data strictly in accordance with our customers' instructions, and only for the purposes specified in our agreements.

ScoutOS is designed to support customers' GDPR compliance efforts, and we implement a range of technical, organizational, and contractual measures to meet the obligations of a data processor under Articles 28–36 of the GDPR.

Here’s how we uphold our responsibilities as a data processor:

Data Processing on Documented Instructions

ScoutOS processes personal data only on the documented instructions of our customers, including with respect to:

  • The nature and purpose of processing
  • The types of data involved
  • The categories of data subjects
  • The duration of processing
  • Any sub-processors involved

We never process customer data for our own purposes and do not access or use customer data unless required to comply with legal obligations.

Data Processing Agreements (DPAs)

We offer a comprehensive Data Processing Agreement (DPA) that clearly defines our obligations as a processor and your rights and responsibilities as a controller. The DPA includes:

  • Scope of processing
  • Confidentiality obligations
  • Technical and organizational security measures
  • Sub-processor controls and approval
  • Support for data subject rights
  • Breach notification terms

Our standard DPA is available to all contracted customers and aligns with the GDPR’s Article 28 requirements.

Support for Data Subject Rights (DSARs)

ScoutOS provides features and tools that support our customers in responding to Data Subject Access Requests (DSARs), including:

  • Retrieving data related to a specific user
  • Exporting data in a structured, commonly used format (for portability)
  • Correcting or updating data
  • Deleting data upon request

When you receive a DSAR from your end-user, ScoutOS will cooperate promptly and fully, acting in accordance with your lawful instructions and our contractual commitments. To initiate a DSAR process, email us at info@scoutos.com

Security of Processing

We maintain a rigorous security posture to protect customer data, including:

  • Encryption at rest and in transit
  • Access controls and authentication mechanisms
  • Vulnerability management and patching
  • Regular audits and penetration testing
  • An incident response plan and breach notification process

These safeguards are described in more detail in our Security Overview, and we continue to enhance our infrastructure in alignment with industry best practices and emerging compliance standards.

Sub-Processors

ScoutOS relies on a select group of vetted sub-processors to help us deliver our services (e.g., cloud infrastructure, hosting, and AI model APIs). We:

  • Maintain an up-to-date list of all sub-processors
  • Require sub-processors to meet the same high standards of data protection
  • Offer advance notice and transparency about sub-processor changes
  • Sign data protection agreements with each sub-processor

Customers may review our list of sub-processors at any time and have the right to object where appropriate.

Data Retention and Deletion

As a processor, ScoutOS retains data only for as long as instructed by the customer, or as required to provide the service. Upon contract termination or at the customer's request, we:

  • Delete or return all personal data
  • Confirm deletion in writing upon request
  • Ensure backups or logs containing personal data are purged according to retention schedules

This gives you full control over your data lifecycle.

Breach Notification

In the unlikely event of a data breach involving personal data, ScoutOS will:

  • Notify the affected customer without undue delay
  • Provide all available details about the scope, impact, and remediation steps
  • Cooperate fully in customer-led communications to data protection authorities or data subjects, as applicable

Audits and Transparency

We welcome transparency. ScoutOS undergoes 3rd party audits related to data protection and will:

  • Provide information necessary to demonstrate compliance
  • Make available our security documentation and audit summaries
  • Cooperate in good faith with inspection requests, subject to reasonable limits

ScoutOS as a Data Controller to Provide Services to Our Customers

ScoutOS never acts as the controller of your customer data. There are limited scenarios where ScoutOS may act as a controller:

  • For example, when we collect personal data to manage our own customer relationships (e.g. your email address to send onboarding material or support updates).
  • In those cases, we decide the purpose and legal basis (e.g., contractual necessity, legitimate interest), so we are the controller for that limited scope necessary to administer services to our customers.

In the capacity that ScoutOS acts as a controller, we process personal data based on lawful grounds, including:

  • Consent: When you provide clear permission for us to process your data for specific purposes.
  • Contractual Necessity: To fulfill our obligations under a contract with you.
  • Legitimate Interests: For purposes such as improving our services, provided these interests are not overridden by your rights.

We ensure that any data processing is necessary, proportionate, and conducted with your rights in mind. We collect only the personal data necessary for the specified purposes and do not use it beyond those purposes without obtaining additional consent in alignment with the GDPR principles of data minimization and purpose limitation.