Data Processing Agreement (DPA)
Last Updated: February 26, 2026
This Data Processing Agreement ("DPA") is incorporated into and forms part of the Terms and Conditions (the "Agreement") between ScoutX Holdings, Inc. (operating as "AllScout", "we", "us", or "our") and the user or entity ("Customer", "you", or "your") that purchases, installs, or operates AllScout hardware and software services (the "Services").
This DPA governs the processing of Personal Data by ScoutX on behalf of the Customer in the context of providing the Services.
1. Definitions
"Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject") that is processed by ScoutX on behalf of the Customer, including video footage, audio recordings, facial geometry/AI analysis, and telemetry data.
"Controller" (or "Business" under CCPA) means the entity that determines the purposes and means of the processing of Personal Data. For the purposes of the Services (specifically video/audio feeds), the Customer is the Controller.
"Processor" (or "Service Provider" under CCPA) means the entity that processes Personal Data on behalf of the Controller. ScoutX acts as the Processor/Service Provider.
"Applicable Privacy Laws" means all US federal and state privacy laws applicable to the processing of Personal Data, including but not limited to the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 ("CCPA/CPRA").
2. Processing of Personal Data
2.1. Roles of the Parties. In relation to the Personal Data captured via AllScout Devices and processed via the Platform, the Customer is the Data Controller and ScoutX is the Data Processor.
2.2. Customer's Instructions. ScoutX will process Personal Data only on documented instructions from the Customer, which are defined by the Agreement, this DPA, and the Customer's configuration of the Services (e.g., setting AI alerts, recording schedules).
2.3. Compliance with Laws. The Customer represents and warrants that it has all necessary rights, consents, and lawful bases to process the Personal Data and to provide it to ScoutX. The Customer is solely responsible for displaying appropriate surveillance notices and complying with local two-party consent laws regarding audio recording.
3. CCPA / CPRA Specific Terms (Service Provider Obligations)
To the extent the CCPA/CPRA applies to the processing of Personal Data, ScoutX acknowledges and agrees that:
No Selling or Sharing: ScoutX will not "sell" or "share" Personal Data (as those terms are defined in the CCPA/CPRA).
Purpose Limitation: ScoutX will not retain, use, or disclose Personal Data for any purpose other than for the specific purpose of performing the Services specified in the Agreement, or as otherwise permitted by the CCPA/CPRA.
No Secondary Use: ScoutX will not retain, use, or disclose Personal Data outside of the direct business relationship between Customer and ScoutX.
Combining Data: ScoutX will not combine Personal Data received from the Customer with Personal Data received from other sources, except as explicitly permitted by the CCPA/CPRA (e.g., for anonymized/aggregated AI model improvement, subject to Customer opt-in/opt-out preferences).
4. Sub-processors
4.1. Authorization. Customer provides general authorization for ScoutX to engage third-party sub-processors (e.g., cloud hosting providers like AWS/GCP, specialized AI processing nodes) to fulfill its obligations.
4.2. Sub-processor Obligations. ScoutX shall enter into a written agreement with each sub-processor imposing data protection terms that require the sub-processor to protect the Personal Data to the same standard as required by this DPA. ScoutX remains fully liable for all obligations subcontracted to, and all acts and omissions of, the sub-processor.
5. Data Subject Rights
5.1. Customer Responsibility. As the Controller, the Customer is responsible for responding to inquiries and requests from Data Subjects (e.g., a visitor requesting a copy of video footage capturing their image, or requesting its deletion).
5.2. ScoutX Assistance. ScoutX shall, to the extent legally permitted, promptly notify the Customer if it receives a request directly from a Data Subject concerning the Customer's Personal Data. ScoutX will not respond directly to such a request without Customer's prior written consent, except to redirect the Data Subject to the Customer.
5.3. Technical Support. ScoutX will provide Customer with the technical tools and App features reasonably necessary to delete, export, or restrict the processing of Personal Data to help Customer fulfill Data Subject requests.
6. Security and AI Processing
6.1. Security Measures. ScoutX shall implement and maintain appropriate technical and organizational measures designed to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage. This includes encryption of video feeds in transit and at rest.
6.2. AI and Machine Learning. Where Customer enables AI features (e.g., person or pet detection), ScoutX will process video/audio solely to deliver these real-time alerts. Customer acknowledges that machine learning features are automated and do not involve human review of un-anonymized footage unless explicitly requested by the Customer for technical support.
7. Law Enforcement Requests
If a law enforcement or government agency requests access to Customer’s Personal Data, ScoutX shall:
Attempt to redirect the agency to request the data directly from the Customer.
Promptly notify the Customer of the request, unless legally prohibited from doing so.
Reject the request unless legally compelled (e.g., by a valid subpoena or search warrant) or in the event of an imminent, verifiable emergency involving danger of death or serious physical injury.
8. Data Deletion and Return
Upon termination of the Agreement or expiration of the Customer's subscription tier, ScoutX shall delete all Customer Personal Data (including stored cloud footage) from its active systems in accordance with its standard retention schedules, unless applicable law requires continued storage.
9. Audits and Compliance
Upon reasonable written request by the Customer (no more than once annually), ScoutX will make available all information necessary to demonstrate compliance with this DPA, typically in the form of third-party security certifications (e.g., SOC 2, ISO 27001) or a detailed privacy questionnaire response, provided such disclosures do not compromise ScoutX's overall platform security or trade secrets.
