Data Processing Agreement
Article 28 GDPR · Australian Privacy Principles. This DPA is incorporated into the Scorafy Terms of Service and is binding when you accept those Terms - no separate signature is required.
Last updated: 10 June 2026
This Data Processing Agreement ("DPA") forms part of the Scorafy Terms of Service (the "Agreement") and governs how Cognitiv Pty Ltd (ACN 688 133 977), trading as Scorafy ("Scorafy", "we", the "Processor"), processes Personal Data on behalf of a customer ("you", the "Customer" or "Controller") who uses the Scorafy platform. By accepting the Terms of Service, you agree to this DPA.
1. Definitions
"Personal Data", "Processing", "Data Subject", "Controller", "Processor", "Sub-processor", "Personal Data Breach" and "Supervisory Authority" have the meanings given in the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"). Where you or your Data Subjects are in Australia, equivalent terms under the Privacy Act 1988 (Cth) and the Australian Privacy Principles ("APPs") apply with corresponding meaning.
"Customer Personal Data" means Personal Data that Scorafy Processes on your behalf under the Agreement, including assessment respondents' answers, names, email addresses, and any audio/video responses and uploaded files.
2. Roles of the parties
You are the Controller of Customer Personal Data. Scorafy is the Processor and Processes Customer Personal Data only on your documented instructions, including the instructions in the Agreement, this DPA, and the configuration you select in the platform (for example, assessment design, response-capture settings, and retention period). For respondent data, you (as the account holder creating the assessment) are the Controller; Scorafy is the Processor under Article 28 GDPR and is subject to the equivalent processor obligations under the APPs.
3. Scope and purpose of processing
| Item | Detail |
|---|---|
| Subject matter | Provision of the Scorafy AI assessment platform. |
| Duration | The term of the Agreement, plus the retention period in clause 7. |
| Nature and purpose | Hosting assessments; collecting respondent answers; AI analysis of open-ended responses against your rubric; human-in-the-loop scoring; report generation and delivery; account and team management. |
| Types of Personal Data | Respondent name, email address, free-text answers, optional audio/video responses, optional uploaded documents (e.g. resumes); account-holder name and email. |
| Categories of Data Subjects | Your assessment respondents (e.g. candidates, learners, employees) and your authorised users. |
| Special categories | Scorafy does not require special-category data. Audio/video responses may constitute biometric data; you control whether these capture modes are enabled per assessment. |
4. Processor obligations
Scorafy shall:
- Process Customer Personal Data only on your documented instructions, including for international transfers, unless required by law (in which case we will notify you unless legally prohibited);
- ensure persons authorised to Process Customer Personal Data are bound by confidentiality;
- implement the technical and organisational measures in Schedule 2;
- respect the conditions in clause 6 for engaging Sub-processors;
- assist you, taking into account the nature of Processing, in responding to Data Subject requests (clause 5);
- assist you with security, breach notification, data protection impact assessments, and prior consultation (Articles 32–36 GDPR);
- at your choice, delete or return all Customer Personal Data at the end of the Agreement, and delete existing copies unless storage is required by law;
- make available information necessary to demonstrate compliance with Article 28 and allow for and contribute to audits (clause 9);
- not use Customer Personal Data to train any AI model. Our Sub-processor agreements with AI providers prohibit training on Customer data.
5. Data Subject rights
Scorafy will, taking into account the nature of the Processing, assist you by appropriate technical and organisational measures, insofar as possible, in fulfilling your obligation to respond to Data Subject rights requests (access, rectification, erasure, restriction, portability, objection). The platform provides per-response deletion, email removal, and configurable PII retention to support this directly.
6. Sub-processors
You provide general authorisation for Scorafy to engage the Sub-processors listed in Schedule 1. Scorafy imposes data-protection obligations on each Sub-processor that are materially equivalent to those in this DPA by written contract; remains liable to you for each Sub-processor's performance; and will give you reasonable prior notice of the addition or replacement of a Sub-processor, with the opportunity to object on reasonable data-protection grounds.
7. Retention and deletion
Customer Personal Data is retained for the period you configure per assessment (PII retention setting). By default, respondent personally identifying information is anonymised after the configured retention window. On termination, Scorafy will delete or return Customer Personal Data in line with clause 4 and the "Effect of termination" provisions of the Terms (30-day export window, then deletion).
8. International transfers
Customer Personal Data is stored in the European Union (Supabase, Dublin, Ireland), or in Australia (Sydney) where you have elected Australian hosting. Certain Sub-processors (Schedule 1) Process Personal Data in transit in the United States or other jurisdictions. Where Personal Data is transferred outside the EEA or the UK, the transfer is governed by the European Commission's Standard Contractual Clauses (2021/914) and the UK International Data Transfer Addendum where applicable, incorporated into each Sub-processor's own data-processing terms. For Australian Customers, Scorafy takes reasonable steps to ensure each overseas recipient handles Personal Data consistently with the APPs.
Material disclosure (AI processing). AI analysis (Anthropic) and audio/video transcription (Deepgram) are performed on United States-based models. Data is processed in transit and is not used for model training, but there is currently no Australian or EU model-hosting region for these functions. You acknowledge this where you enable AI analysis or audio/video response capture.
9. Audit
Scorafy will make available information reasonably necessary to demonstrate compliance with this DPA, including the public statement at scorafy.com/gdpr and Sub-processor data-processing terms on request. On reasonable written notice, no more than once per 12 months (unless required by a Supervisory Authority or following a Personal Data Breach), you may request a documented review of Scorafy's relevant measures.
10. Personal Data Breach
Scorafy will notify you without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data, and will provide the information you reasonably require to meet your own notification obligations.
11. General
This DPA forms part of and is subject to the Agreement. In the event of conflict on data-protection matters, this DPA prevails. It is governed by the law stated in the Agreement. Nothing in this DPA excludes or limits any non-excludable right or remedy under the Australian Consumer Law.
Schedule 1 - Sub-processors
As at 10 June 2026.
| Sub-processor | Region | Purpose |
|---|---|---|
| Supabase | Dublin, Ireland (or Sydney, Australia if elected) | Database, file storage, and authentication (primary data store) |
| Anthropic (Claude) | United States | AI report generation. Customer data not used to train models. |
| Deepgram | United States | Audio and video transcription |
| Stripe | United States / Australia | Subscription billing and payment processing |
| Resend | United States | Transactional email |
| Vercel | Global edge network | Application hosting and edge delivery |
| Google LLC | United States | Web analytics (GA4) on marketing pages only, after analytics-cookie consent. Not invoked for assessment data, responses, or report contents. |
Schedule 2 - Technical and organisational measures
- Tenant isolation: every user belongs to an organisation; all Customer data is row-level-security (RLS) scoped by organisation. No cross-organisation read path exists.
- Access control: role-based access within each organisation (Owner / Admin / Member / Viewer); only the organisation's authorised users can access its data.
- Encryption: data encrypted in transit (TLS 1.2+) and at rest (AES-256, Supabase/AWS managed).
- Authentication: email/password with verification, optional authenticator-app multi-factor authentication (TOTP), and managed invite links for team members.
- Audit trail: significant organisation actions are recorded with actor and timestamp.
- Data minimisation: only the data needed to run an assessment is collected; PII retention is configurable per assessment with automated anonymisation.
- Human-in-the-loop: AI scores are reviewable and overridable by a qualified assessor before a result is finalised.
- Secure development: automated dependency-vulnerability and static-analysis scanning on every change; an internal authorisation/isolation test suite.
- Sub-processor contracts: each Sub-processor is engaged under its own data-processing terms incorporating SCCs where relevant.
- Breach response: documented notification process per clause 10 (48-hour notification).
Questions about this DPA or our data practices: adam@scorafy.com.