Skip to content
Notiscale LogoNotiscale
Sign up

Data Processing Agreement

How Notiscale processes personal data on your behalf, under Article 28 GDPR.

Last updated: 2026-06-26

This Data Processing Agreement (“DPA”) forms part of, and is incorporated by reference into, the Terms of Service between “ID26, operating under the brand Notiscale” (“Notiscale”, “Processor”) and the customer (“Customer”, “Controller”). It governs the processing of personal data that Notiscale carries out on the Customer’s behalf when providing the AI-first CRM and reflects the requirements of Article 28 of the EU General Data Protection Regulation (“GDPR”).

1. Parties & Roles

For the purposes of this DPA and applicable data protection law:

  • The Customer (creator or agency) acts as the Controller and determines the purposes and means of processing the personal data it submits to the Services.
  • Notiscale acts as the Processor and processes that personal data only on the Customer’s behalf and on its documented instructions.

2. Scope & Acceptance

By creating an account and using the Services, the Customer agrees to the Terms of Service, Privacy Policy and this DPA, each incorporated by reference. No separate signature is required: this DPA is automatically entered into and forms a binding contract under Article 28 GDPR for the duration of the Customer’s use of the Services. A countersigned copy is available on request for institutional procurement teams at [email protected].

3. Subject Matter, Duration & Purpose

  • Subject matter: provision of the Notiscale AI-first CRM (CRM, AI-assisted and automated response generation, analytics and automations).
  • Duration: for as long as the Customer uses the Services, and thereafter until data is returned or deleted in accordance with Section 10.
  • Nature & purpose: processing fan communications and related metadata to operate the CRM, generate suggested or automated responses, deliver analytics, and run automations configured by the Customer.

4. Categories of Data & Data Subjects

  • Personal data: fan messages and previews/metadata, usernames and platform identifiers, CRM notes, performance and analytics signals, and creator/account metadata.
  • Data subjects: fans/subscribers communicating with the Customer’s connected accounts, creators, and the Customer’s team members (admins, managers, chatters).
  • The Customer must not submit special-category data unless strictly necessary, and warrants it has a lawful basis to provide all data to Notiscale.

5. Processor Obligations

In accordance with Article 28 GDPR, Notiscale shall:

  • process personal data only on the Customer’s documented instructions, including for transfers, unless required by law;
  • ensure that persons authorized to process the data are bound by confidentiality;
  • implement appropriate technical and organizational measures (Article 32 GDPR);
  • assist the Customer in responding to data-subject rights requests and in meeting its obligations regarding security, breach notification and data protection impact assessments (Articles 32–36 GDPR);
  • make available the information necessary to demonstrate compliance with Article 28.

6. Subprocessors

The Customer grants Notiscale general authorization to engage subprocessors to provide the Services. A current list of subprocessors — including AI inference and routing providers, hosting, payment, email and analytics providers — is published on our Subprocessors page. Notiscale imposes data protection obligations on each subprocessor that are no less protective than those in this DPA, and remains responsible for their performance. We will provide a mechanism to be notified of new subprocessors so the Customer may object on reasonable grounds.

7. International Transfers

Some subprocessors are located outside the European Economic Area (“EEA”), including in the United States. Where personal data is transferred outside the EEA, Notiscale relies on appropriate safeguards under Chapter V GDPR, such as the European Commission’s Standard Contractual Clauses (“SCCs”), together with supplementary technical and organizational measures.

8. Security, Breach & Assistance

  • Notiscale maintains technical and organizational measures appropriate to the risk, including access controls, encryption in transit, and least-privilege access.
  • Notiscale will notify the Customer without undue delay after becoming aware of a personal data breach affecting the Customer’s data, and provide reasonable information to support the Customer’s own notification duties.
  • Notiscale will provide reasonable assistance with data-subject requests received by the Customer (access, rectification, erasure, restriction, portability, objection).

9. Audits & Records

Notiscale maintains records of processing activities carried out on the Customer’s behalf and will, on reasonable prior notice and subject to confidentiality, make available information necessary to demonstrate compliance with this DPA, and contribute to audits conducted by the Customer or an independent auditor it mandates.

10. Return & Deletion

On termination of the Services, Notiscale will, at the Customer’s choice, delete or return the personal data processed on its behalf and delete existing copies, unless retention is required by law. By default, data is deleted in accordance with the retention period described in our Privacy Policy.

11. Liability & Contact

Liability under this DPA is subject to the limitations set out in the Terms of Service. In the event of a conflict between this DPA and the Terms regarding the processing of personal data, this DPA prevails.