The Construction Scope Data Processing Addendum (DPA) supplements our Terms of Service and applies whenever we process personal data on your behalf as your processor under applicable data protection law (GDPR, UK GDPR, CCPA, and equivalents).
Scope
The DPA covers all customer data and end-user personal data that flows through Construction Scope: customer records, employee accounts, time entries, payment metadata, and any uploaded attachments. It does not cover payment card numbers — those are tokenized by Stripe and never reach our systems.
Processor obligations
We process personal data only on documented instructions from you (the controller). We do not sell, share for cross-context behavioral advertising, or use customer data to train AI models without explicit written consent.
Security
Our security commitments — encryption in transit (TLS 1.3) and at rest (AES-256), role-based access controls, SOC 2 Type II audited, audit logging on every state change — are detailed on our security page.
Sub-processors
The current list of sub-processors is at constructionscope.net/legal/sub-processors. You have the right to object to new sub-processors; if you do, we will work with you to find an alternative or, failing that, terminate the affected service.
Data subject requests
We will assist you in responding to data subject requests (access, rectification, erasure, portability) within 5 business days. Most requests can be fulfilled through the self-service data export in Settings.
International transfers
For transfers of personal data outside the EEA/UK, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, and on additional safeguards where required by the receiving country's laws.
Get the signed DPA
For an executed PDF copy of the DPA, email legal@constructionscope.net with your workspace name and the legal entity that will be the contracting party. We respond within 2 business days.