Data Processing Agreement

Last updated: April 15, 2026

This Data Processing Addendum ("DPA") forms part of and supplements the Terms of Service ("Agreement") between Agentive Group Co Pty Ltd (ACN 695 269 222, ABN 54 695 269 222), trading as Scribekast.AI ("Processor", "we", "our", or "us"), and the entity subscribing to the Service ("Controller", "you", or "your").

This DPA applies where the Processor processes Personal Data on behalf of the Controller in connection with the provision of the Scribekast.AI service. It is designed to ensure compliance with the Australian Privacy Act 1988 (Cth), the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, and other applicable data protection legislation.

1. Definitions

In this DPA, the following terms have the meanings set out below:

  • "Controller" means the entity that determines the purposes and means of the processing of Personal Data, being the subscriber to the Scribekast.AI service.
  • "Processor" means Agentive Group Co Pty Ltd, which processes Personal Data on behalf of the Controller in connection with the Service.
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • "Personal Data" means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller through the Service.
  • "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
  • "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, storage, adaptation, retrieval, use, disclosure, erasure, or destruction.
  • "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
  • "Data Protection Laws" means the Australian Privacy Act 1988 (Cth), the GDPR (EU) 2016/679, the UK GDPR, and any other applicable data protection legislation.

2. Scope and Application

This DPA applies to all Processing of Personal Data by the Processor on behalf of the Controller in connection with the Scribekast.AI service. The categories of Personal Data and Data Subjects covered by this DPA include:

Categories of Data Subjects:

  • Employees, contractors, and authorised users of the Controller who access the Service.
  • Individuals whose personal information may appear in content processed through the Service (e.g., content sourced from RSS feeds).

Categories of Personal Data:

  • Account information (name, email address, hashed password).
  • OAuth access tokens and refresh tokens for connected social media platforms.
  • Content data (RSS source URLs, AI-generated content, editorial edits, publishing records).
  • Usage data (login timestamps, feature usage, IP addresses).
  • Billing identifiers (Stripe customer IDs, subscription metadata).

Nature and Purpose of Processing:

The Processor processes Personal Data to provide the Scribekast.AI service, including account management, RSS feed monitoring, AI-powered content generation, human-in-the-loop content review, scheduled publishing to connected social media accounts, usage analytics, and billing.

Duration of Processing:

Processing continues for the duration of the Agreement and for such additional period as is necessary to fulfil the Processor's obligations under this DPA and applicable law (including data retention obligations).

3. Processing Instructions

  • The Processor shall process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law. The Agreement and this DPA constitute the Controller's complete instructions at the time of execution.
  • The Processor shall not process Personal Data for any purpose other than providing the Service as described in the Agreement.
  • If the Processor believes that an instruction from the Controller infringes applicable Data Protection Laws, the Processor shall promptly inform the Controller.
  • The Controller may provide additional or revised processing instructions in writing, provided they are consistent with the scope of the Agreement.

4. Data Security Measures

The Processor shall implement and maintain appropriate technical and organisational measures to protect Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, or damage. These measures include, but are not limited to:

4.1 Encryption

  • All data in transit is encrypted using TLS 1.2 or higher (HTTPS).
  • OAuth tokens and other sensitive credentials are encrypted at rest using industry-standard encryption algorithms.
  • User passwords are hashed using bcrypt with an appropriate work factor and are never stored in plain text.
  • Database connections are encrypted.

4.2 Access Controls

  • Multi-tenant architecture with strict data isolation between Controller accounts.
  • Authentication via httpOnly, secure JWT cookies.
  • Role-based access controls within multi-user accounts.
  • Internal access to production systems restricted to authorised personnel on a need-to-know basis.

4.3 Infrastructure Security

  • Cloud infrastructure with automated security patching.
  • Network-level security controls, including firewalls and intrusion detection.
  • Regular security monitoring and logging.
  • Automated backups with encryption.

4.4 Personnel

  • All personnel with access to Personal Data are bound by confidentiality obligations.
  • Access to production systems is reviewed and audited periodically.

5. Sub-processors

5.1 Authorisation

The Controller provides general written authorisation for the Processor to engage Sub-processors to assist in providing the Service, subject to the conditions in this section.

5.2 Current Sub-processors

As of the date of this DPA, the Processor engages the following Sub-processors:

| Sub-processor | Purpose | Location |
|---|---|---|
| OpenAI | AI content generation (processes source article content and editorial prompts) | United States |
| Stripe, Inc. | Payment processing and subscription billing | United States |
| Railway | Application hosting and infrastructure | United States |
| Supabase | Database hosting (PostgreSQL) and Google OAuth token verification | Japan (AWS ap-northeast-1, Tokyo) |
| Sentry | Error monitoring and application performance | United States |
| Social Media Platforms | Content publishing via APIs (LinkedIn, Facebook, Instagram, X, TikTok, YouTube, WordPress) | Various |

5.3 Obligations

  • The Processor shall ensure that each Sub-processor is bound by data protection obligations no less protective than those set out in this DPA.
  • The Processor remains fully liable to the Controller for the performance of each Sub-processor's obligations.

5.4 Changes to Sub-processors

  • The Processor shall notify the Controller at least 30 days in advance of any intended addition or replacement of a Sub-processor.
  • The Controller may object to a new Sub-processor by providing written notice within 14 days of being notified. If the Processor cannot reasonably accommodate the objection, the Controller may terminate the Agreement.

6. Data Subject Rights

  • The Processor shall assist the Controller in fulfilling its obligations to respond to Data Subject requests exercising their rights under applicable Data Protection Laws (including rights of access, rectification, erasure, restriction, portability, and objection).
  • If the Processor receives a request from a Data Subject directly, it shall promptly notify the Controller and shall not respond to the request without the Controller's instructions, unless required to do so by applicable law.
  • The Processor shall provide the Controller with self-service tools within the platform to facilitate the export, correction, and deletion of Personal Data where technically feasible.
  • The Processor shall provide reasonable assistance to the Controller in responding to Data Subject requests within the timeframes required by applicable law.

7. Data Breach Notification

  • The Processor shall notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a Personal Data Breach affecting the Controller's Personal Data.
  • The notification shall include, to the extent reasonably available:
    • A description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and records concerned.
    • The name and contact details of the Processor's data protection contact.
    • A description of the likely consequences of the breach.
    • A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects.
  • The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.
  • The Processor shall not notify any third party of a Personal Data Breach without the Controller's prior written consent, unless required to do so by applicable law.

8. International Data Transfers

  • The Processor is based in Australia. Personal Data may be transferred to and processed in countries outside Australia, including the United States, in connection with the Sub-processors listed in Section 5.
  • Where Personal Data is transferred from the EEA or UK to a country that has not received an adequacy decision, the Processor shall ensure appropriate safeguards are in place, including the EU Standard Contractual Clauses (SCCs) as approved by the European Commission (Decision 2021/914), which are incorporated into this DPA by reference.
  • Where Personal Data is transferred from Australia, the Processor shall take reasonable steps to ensure the overseas recipient handles the information in accordance with the Australian Privacy Principles, as required by APP 8.
  • The Processor shall ensure that all Sub-processors in third countries are bound by data transfer mechanisms that comply with applicable Data Protection Laws.

9. Audit Rights

  • The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations set out in this DPA.
  • The Controller (or an independent third-party auditor appointed by the Controller) may conduct audits of the Processor's data processing activities, subject to the following conditions:
    • The Controller shall provide at least 30 days' written notice of an intended audit.
    • Audits shall be conducted during normal business hours and shall not unreasonably interfere with the Processor's operations.
    • The Controller shall bear the costs of the audit, unless the audit reveals a material breach of this DPA by the Processor.
    • Audits shall be limited to once per 12-month period, unless required by a supervisory authority or triggered by a Personal Data Breach.
  • Where available, the Processor may satisfy audit requests by providing relevant third-party certifications, audit reports (e.g., SOC 2), or summaries of independent security assessments.
  • Any auditor appointed by the Controller must execute a confidentiality agreement acceptable to the Processor before being given access.

10. Term and Termination

  • This DPA takes effect on the date the Controller first subscribes to the Service and continues for the duration of the Agreement.
  • Upon termination of the Agreement, the Processor shall, at the Controller's election:
    • Return: Provide the Controller with a copy of all Personal Data in a structured, commonly used, machine-readable format within 30 days of the termination date.
    • Delete: Securely delete all Personal Data within 90 days of the termination date, unless retention is required by applicable law.
  • The Processor shall provide written confirmation of deletion upon the Controller's request.
  • Sections 1 (Definitions), 4 (Data Security), 7 (Data Breach Notification), 8 (International Data Transfers), and 9 (Audit Rights) shall survive the termination of this DPA to the extent necessary to fulfil their purpose.

11. Contact

For questions, requests, or notices relating to this Data Processing Addendum, please contact our Data Protection Officer:

  • Email: privacy@scribekast.ai
  • Entity: Agentive Group Co Pty Ltd (ACN 695 269 222, ABN 54 695 269 222)
  • Location: Australia

For general legal inquiries, you may also contact us at privacy@scribekast.ai.
