Data Processing Agreement
Data Processing Agreement (DPA) in accordance with Article 28 of the GDPR.
Last updated: 20 September 2025
This Data Processing Agreement (DPA), also known in Spanish as an Acuerdo de Encargo de Tratamiento (AET), forms part of the terms applicable to the Data and Data & Tips plans of ScoringMy, owned by PeopleXBrand Aceleradora S.L., with Spanish tax ID B-56994916 and registered office at C. Gregorio Benítez 10, 28043 Madrid (Spain).
1. Roles of the parties
When client companies use ScoringMy to analyse or manage data from LinkedIn profiles and third-party email addresses, PeopleXBrand Aceleradora S.L. acts as Data Processor, and the contracting company as Data Controller, in accordance with Article 28 of Regulation (EU) 2016/679 (GDPR).
2. Purpose of the processing
The Processor shall process the personal data entered into the platform solely for the purpose of providing the services contracted through ScoringMy, without using them for its own purposes or disclosing them to unauthorised third parties.
3. Data processed
- First name and surname
- Job title or professional position
- Email address
- Public information from LinkedIn profiles
- Technical usage data (logs, IP, configuration, activity)
4. Categories of data subjects
- Employees, executives, collaborators or third parties whose public profiles are analysed in ScoringMy.
- Registered users of the platform.
5. Duration
Processing shall continue for as long as the Controller keeps its ScoringMy account or subscription active, or until it requests the erasure of the data.
6. Authorised sub-processors
PeopleXBrand uses technology providers that act as sub-processors. All of them offer adequate safeguards in accordance with the GDPR.
| Provider | Service | Location | GDPR safeguards | More info |
|---|---|---|---|---|
| Hetzner Online GmbH | Hosting and data storage | Germany (EU) | GDPR-compliant | hetzner.com |
| Stripe Payments Europe, Ltd. | Payment gateway (card/SEPA) | Ireland (EU) and USA (SCC) | Standard Contractual Clauses | stripe.com |
| ActiveCampaign, LLC | Automation and transactional email delivery | EU or USA (SCC) | Standard Contractual Clauses | activecampaign.com |
| Google Ireland Ltd. | Authentication (Google Connect / OAuth) | Ireland (EU) | GDPR-compliant | policies.google.com |
PeopleXBrand may update this list of sub-processors by giving business clients 15 calendar days' prior notice. If the client raises no objection within that period, the change shall be deemed accepted.
7. Security measures
PeopleXBrand applies appropriate technical and organisational measures, including:
- Encryption of data in transit (TLS)
- Access control with secure authentication
- Backups on European servers
- Access logging and monitoring
- Internal security and confidentiality policies
8. Return or erasure of data
Once the contract ends or the service is cancelled, the data processed on behalf of the Controller shall be erased or returned within a maximum of 30 calendar days, unless there is a legal obligation to retain them.
9. International transfers
Where necessary, transfers of data outside the European Economic Area are covered by Standard Contractual Clauses (SCC) approved by the European Commission, together with additional security measures.
10. Governing law and jurisdiction
This agreement is governed by Spanish law and Regulation (EU) 2016/679 (GDPR).
The parties submit to the Courts and Tribunals of Madrid city, save where mandatory legal provisions state otherwise.
Contact
If you have any questions about this DPA or about the processing carried out by PeopleXBrand, you can contact: legal@scoringmy.com