Data Processing Agreement (AET / DPA)
Last updated: 20 September 2025
This Data Processing Engagement Agreement (AET), also known as a Data Processing Agreement (DPA), forms part of the terms applicable to the Data and Data & Tips plans of ScoringMy, owned by PeopleXBrand Aceleradora S.L., with Tax ID No. B-56994916 and registered office at C. Gregorio Benítez 10, 28043 Madrid (Spain).
Role of the Parties
When client companies use ScoringMy to analyse or manage data from LinkedIn profiles and third-party emails, PeopleXBrand Aceleradora S.L. acts as the Processor, and the contracting company acts as the Controller, in accordance with Article 28 of Regulation (EU) 2016/679 (GDPR).
Purpose of the Processing
The Processor shall handle the personal data entered into the platform solely for the purpose of providing the contracted services in ScoringMy, without using them for its own purposes or sharing them with unauthorised third parties.
Data Processed
- First name and surname(s)
- Job title or professional role
- Email address
- Public information from LinkedIn profiles
- Technical usage data (logs, IP, configuration, activity)
Categories of Data Subjects
- Employees, managers, collaborators or third parties whose public profiles are analysed in ScoringMy.
- Registered users of the platform.
Duration
Processing will continue while the Controller maintains an active account or subscription in ScoringMy, or until the Controller requests data deletion.
Authorised Sub-processors
| Provider | Service | Location | GDPR Safeguards | More Info |
|---|---|---|---|---|
| Hetzner Online GmbH | Hosting and data storage | Germany (EU) | GDPR-compliant | www.hetzner.com |
| Stripe Payments Europe, Ltd. | Payment gateway (card/SEPA) | Ireland (EU) and USA (SCC) | Standard Contractual Clauses | stripe.com |
| ActiveCampaign, LLC | Transactional email automation and delivery | EU or USA (SCC) | Standard Contractual Clauses | activecampaign.com |
| Google Ireland Ltd. | Authentication (Google Connect / OAuth) | Ireland (EU) | GDPR-compliant | policies.google.com |
PeopleXBrand may update this list of sub-processors by giving 15 calendar days’ advance notice to business customers. If the customer does not object within that period, the update will be considered accepted.
Security Measures
- Encryption of data in transit (TLS)
- Access control with secure authentication
- Backups on European servers
- Access logs and monitoring
- Internal security and confidentiality policies
Data Return or Deletion
Once the contract ends or the service is cancelled, the data processed on behalf of the Controller will be deleted or returned within a maximum of 30 calendar days, unless a legal obligation requires retention.
International Transfers
Where necessary, data transfers outside the European Economic Area rely on Standard Contractual Clauses (SCCs) approved by the European Commission and additional security measures.
Governing Law and Jurisdiction
This agreement is governed by Spanish law and Regulation (EU) 2016/679 (GDPR). The parties submit to the Courts and Tribunals of Madrid, unless a mandatory legal provision requires otherwise.
Contact
If you have any questions about this AET or about the processing carried out by PeopleXBrand, you can contact:
📩 legal@scoringmy.com