Scravio

Scravio Data Processing Addendum

Last updated: June 6, 2026

This Data Processing Addendum (the "DPA") forms part of the Terms of Service, an Order, or another agreement governing the customer's use of Scravio (the "Agreement") between the customer identified in the applicable account, Workspace, checkout, or Order ("Customer," "you," or "your") and Zorix, LLC, doing business as Scravio ("Scravio," "we," "us," or "our").

This DPA applies only to the extent Scravio processes Customer Personal Data as a processor, service provider, or contractor on behalf of Customer in connection with the Service.

If there is a conflict between this DPA and the Agreement regarding processing of Customer Personal Data, this DPA controls to the extent of the conflict. If there is a conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses control to the extent required by applicable law.

1. Definitions

Agreement means the Terms of Service, any applicable Order, and other terms governing Customer's use of the Service.

Applicable Data Protection Laws means all data protection, privacy, electronic communications, and security laws applicable to the processing of Customer Personal Data under the Agreement, which may include GDPR, UK GDPR, Swiss data protection laws, ePrivacy/PECR, CCPA/CPRA, and other U.S. state privacy laws.

CCPA means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act and implementing regulations.

Customer Personal Data means personal data, personal information, or similar regulated data contained in Customer Content that Scravio processes on behalf of Customer as processor, service provider, or contractor to provide the Service.

Data Subject means an identified or identifiable individual to whom Customer Personal Data relates.

EU SCCs means the standard contractual clauses approved by the European Commission in Decision (EU) 2021/914, as amended, replaced, or superseded.

GDPR means Regulation (EU) 2016/679.

Security Incident means a confirmed breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data processed by Scravio. Security Incident does not include unsuccessful attempts, pings, port scans, denial-of-service attempts, or similar events that do not compromise Customer Personal Data.

Subprocessor means a third party engaged by Scravio to process Customer Personal Data on behalf of Customer in connection with the Service.

UK Addendum means the International Data Transfer Addendum issued by the UK Information Commissioner's Office under section 119A of the UK Data Protection Act 2018, as amended, replaced, or superseded.

UK GDPR means the UK General Data Protection Regulation as incorporated into UK law.

Terms such as controller, processor, business, service provider, contractor, personal data, personal information, processing, sale, and sharing have the meanings given in Applicable Data Protection Laws.

2. Roles of the parties

For Customer Personal Data:

  1. Customer is the controller, business, or equivalent entity;
  2. Scravio is the processor, service provider, contractor, or equivalent entity; and
  3. each party will comply with Applicable Data Protection Laws applicable to its role.

This DPA does not apply to personal data that Scravio processes as controller, such as account data, billing data, support data, security logs, product analytics, fraud prevention data, sanctions screening data, and legal compliance data. That processing is described in the Privacy Policy.

3. Customer instructions

Scravio will process Customer Personal Data only on Customer's documented instructions, including:

  1. the Agreement;
  2. this DPA;
  3. Customer's configuration, task settings, workflow settings, API requests, URLs, domains, lists, prompts, filters, and other Service instructions;
  4. written instructions from authorized Customer users; and
  5. instructions required to provide support, security, troubleshooting, or account administration requested by Customer.

Customer instructs Scravio to process Customer Personal Data to provide, secure, maintain, troubleshoot, support, and improve the Service; generate and store Outputs; manage Workspaces; prevent abuse and fraud; comply with law; and perform the processing described in Annex 1.

Scravio may refuse, suspend, or terminate processing instructions if Scravio reasonably believes the instruction violates Applicable Data Protection Laws, the Agreement, third-party rights, platform terms, technical restrictions, or Scravio risk policies.

If Scravio is legally required to process Customer Personal Data outside Customer's instructions, Scravio will notify Customer before doing so unless prohibited by law.

4. Customer obligations

Customer represents and warrants that:

  1. Customer has all necessary rights, notices, consents, lawful bases, permissions, and authorizations for Customer Personal Data and Customer's instructions;
  2. Customer's instructions comply with Applicable Data Protection Laws;
  3. Customer has provided all notices required to Data Subjects;
  4. Customer has established a lawful basis for collecting, submitting, discovering, validating, enriching, exporting, contacting, and otherwise using Customer Personal Data;
  5. Customer will not submit or instruct Scravio to process prohibited data, sensitive data, special category data, children's data, protected-class data, or data that Customer is not lawfully permitted to process;
  6. Customer will honor Data Subject rights, opt-outs, objections, suppression lists, unsubscribe requests, and do-not-contact requests;
  7. Customer will comply with applicable marketing, anti-spam, ePrivacy, platform, and communications laws; and
  8. Customer will use the Service only with public, non-gated, non-password-protected sources that Customer is lawfully permitted to access and process.

Customer is responsible for the accuracy, quality, and legality of Customer Personal Data and the means by which Customer acquired Customer Personal Data.

5. Scravio processor obligations

Scravio will:

  1. process Customer Personal Data only as described in this DPA and the Agreement;
  2. ensure persons authorized to process Customer Personal Data are bound by confidentiality obligations;
  3. implement and maintain appropriate technical and organizational measures as described in Annex 2;
  4. assist Customer with Data Subject requests as described in Section 8;
  5. assist Customer with security, breach notification, data protection impact assessments, and consultations as described in Sections 9 and 10;
  6. use Subprocessors only as described in Section 7;
  7. delete or return Customer Personal Data as described in Section 11;
  8. make available information reasonably necessary to demonstrate compliance with this DPA as described in Section 12; and
  9. notify Customer if Scravio believes an instruction infringes Applicable Data Protection Laws, unless prohibited by law.

6. Confidentiality and access controls

Scravio will restrict access to Customer Personal Data to personnel, contractors, and Subprocessors who need access to provide, secure, support, or maintain the Service or to comply with legal obligations.

Scravio will ensure that persons authorized to process Customer Personal Data are subject to confidentiality obligations, whether contractual, statutory, or professional.

7. Subprocessors

Customer grants Scravio general written authorization to engage Subprocessors to process Customer Personal Data in connection with the Service.

Scravio will maintain a list of Subprocessors on the Subprocessor Page or another location made available to Customer. Scravio will use commercially reasonable efforts to provide notice of material changes to Subprocessors where required by Applicable Data Protection Laws.

Scravio will enter into written agreements with Subprocessors requiring data protection obligations that are materially no less protective than those in this DPA, to the extent applicable to the services provided by the Subprocessor.

Customer may object to a new Subprocessor by providing written notice to [email protected] within 10 days after receiving notice, where Applicable Data Protection Laws provide Customer a right to object. The objection must explain Customer's reasonable data protection grounds.

If Customer objects and the parties cannot resolve the objection, Scravio may, at its discretion:

  1. use commercially reasonable efforts to provide the Service without the Subprocessor;
  2. provide a reasonable workaround;
  3. allow Customer to terminate the affected Service; or
  4. terminate the affected Service if no reasonable alternative is available.

Termination under this section does not entitle Customer to a refund unless required by mandatory law or expressly provided in the Refund & Cancellation Policy.

Scravio remains responsible for Subprocessors' processing of Customer Personal Data to the extent required by Applicable Data Protection Laws.

8. Data Subject requests

Taking into account the nature of the processing, Scravio will provide reasonable assistance to Customer, using appropriate technical and organizational measures, to help Customer respond to Data Subject requests relating to Customer Personal Data.

If Scravio receives a Data Subject request relating to Customer Personal Data for which Customer is the controller or business, Scravio may:

  1. direct the requester to Customer;
  2. notify Customer where legally permitted and reasonably identifiable; or
  3. respond directly only as instructed by Customer or required by law.

Customer is responsible for verifying requests, responding to Data Subjects, and determining whether requests should be fulfilled or denied.

9. Security Incidents

Scravio will notify Customer without undue delay after becoming aware of a Security Incident affecting Customer Personal Data.

The notice will include information reasonably available to Scravio, which may include:

  1. the nature of the Security Incident;
  2. categories and approximate number of affected Data Subjects and records, if known;
  3. likely consequences, if known;
  4. measures taken or proposed to address the Security Incident; and
  5. contact information for follow-up.

Scravio's notification of or response to a Security Incident is not an admission of fault or liability.

Customer is responsible for determining whether the Security Incident requires notification to Data Subjects, regulators, customers, or other parties, unless Applicable Data Protection Laws impose direct notification obligations on Scravio.

10. Assistance with compliance, DPIAs, and consultations

Taking into account the nature of the processing and information available to Scravio, Scravio will provide reasonable assistance to Customer with:

  1. security obligations;
  2. breach notification obligations;
  3. data protection impact assessments;
  4. prior consultations with supervisory authorities; and
  5. other obligations under Applicable Data Protection Laws that relate to Scravio's processing of Customer Personal Data.

Scravio may charge reasonable fees for assistance that is not included in the standard Service or that requires significant additional resources, unless prohibited by law.

11. Return and deletion

During the subscription term, Customer may export Customer Personal Data using available Service functionality, subject to plan limits, technical limitations, and the Agreement.

Upon termination or expiration of the Agreement, Scravio will delete or return Customer Personal Data according to the Agreement, Service functionality, workspace settings, and Scravio retention practices, unless law requires or permits retention.

Unless a different retention period is stated in an Order or Service setting, Customer task inputs, Outputs, and exports are typically retained for up to 90 days after task completion, and backups are overwritten on a rolling basis typically within 30 to 60 days.

Scravio may retain Customer Personal Data to the extent required or permitted for legal compliance, security, fraud prevention, abuse prevention, dispute resolution, backup integrity, tax, accounting, enforcement of the Agreement, or to comply with law. Retained data remains subject to this DPA until deleted or anonymized.

12. Audits and information

Scravio will make available information reasonably necessary to demonstrate compliance with this DPA, which may include security documentation, certifications, summaries, policies, questionnaires, or other information.

If Scravio has a current third-party audit report or certification relevant to the Service, Scravio may provide it under confidentiality obligations instead of an on-site audit.

Customer may request an audit no more than once per 12-month period, unless required by a regulator or following a confirmed Security Incident affecting Customer Personal Data. Audits must be:

  1. conducted during normal business hours;
  2. subject to reasonable advance written notice;
  3. limited to Scravio's processing of Customer Personal Data;
  4. performed in a manner that does not disrupt Scravio operations or compromise security or confidentiality of other customers; and
  5. conducted by an independent auditor bound by confidentiality obligations.

Customer is responsible for audit costs, including Scravio's reasonable fees for time and resources, unless prohibited by Applicable Data Protection Laws.

13. International data transfers

Customer authorizes Scravio and its Subprocessors to transfer Customer Personal Data to the United States and other countries where Scravio or its Subprocessors operate.

Where Customer Personal Data is transferred from the EEA, UK, or Switzerland to a country that has not been deemed adequate and transfer safeguards are required, the following apply:

  1. for transfers from the EEA, the EU SCCs, Module Two (controller to processor), are incorporated by reference;
  2. for transfers from the UK, the UK Addendum is incorporated by reference and modifies the EU SCCs as required for UK transfers;
  3. for transfers from Switzerland, the EU SCCs apply with Swiss-specific modifications required by Swiss data protection law;
  4. Customer is the data exporter and Scravio is the data importer unless the transfer context requires otherwise;
  5. the processing details in Annex 1 apply as Appendix/Annex I to the SCCs;
  6. the technical and organizational measures in Annex 2 apply as Appendix/Annex II to the SCCs; and
  7. the Subprocessor information in Annex 3 and the Subprocessor Page apply as Appendix/Annex III to the SCCs where applicable.

By entering into the Agreement, the parties are deemed to have executed the EU SCCs and UK Addendum where required. If execution of additional transfer documents is legally required, the parties will cooperate in good faith.

14. CCPA and U.S. state privacy laws

For Customer Personal Data subject to CCPA or similar U.S. state privacy laws, Scravio acts as a service provider, contractor, or processor.

Scravio will not:

  1. sell Customer Personal Data;
  2. share Customer Personal Data for cross-context behavioral advertising;
  3. retain, use, or disclose Customer Personal Data outside the business purposes of providing the Service and performing the Agreement;
  4. retain, use, or disclose Customer Personal Data for a commercial purpose other than the business purposes specified in the Agreement;
  5. combine Customer Personal Data with personal information received from or on behalf of another person, or collected from Scravio's own interactions with a Data Subject, except as permitted by applicable law; or
  6. process Customer Personal Data in a manner inconsistent with Scravio's service provider, contractor, or processor obligations under applicable U.S. state privacy laws.

Customer may take reasonable and appropriate steps to ensure Scravio uses Customer Personal Data consistently with Customer's obligations, as described in this DPA.

Scravio will notify Customer if Scravio determines it can no longer meet its obligations under applicable U.S. state privacy laws. Customer may take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Data.

15. Security testing and vulnerability reports

Customer must not conduct penetration tests, vulnerability scans, load tests, automated security tests, or similar tests against the Service without Scravio's prior written authorization.

Security concerns should be reported to [email protected]. Scravio may provide additional vulnerability disclosure instructions on the Security Page.

16. Liability

Each party's liability under this DPA is subject to the limitations, exclusions, and caps in the Agreement, except to the extent prohibited by Applicable Data Protection Laws or the Standard Contractual Clauses.

17. Duration

This DPA begins when Customer uses the Service to process Customer Personal Data and continues until Scravio deletes or anonymizes all Customer Personal Data subject to this DPA, unless terminated earlier according to the Agreement and Applicable Data Protection Laws.

18. Changes to this DPA

Scravio may update this DPA from time to time. For material changes, Scravio will provide notice where required by law or where reasonably appropriate.

Changes apply prospectively from the stated effective date. If Customer does not agree to an updated DPA, Customer must stop using the Service to process Customer Personal Data and cancel before the next renewal.

19. Contact

Privacy and DPA questions may be sent to:

Email: [email protected]
Company: Zorix, LLC, doing business as Scravio
Address: 1111B S Governors Ave STE 40623, Dover, DE 19904, United States
Phone: +13024402968

Annex 1: Details of processing

A. Subject matter

Scravio's processing of Customer Personal Data to provide the Service, including discovery, validation, de-duplication, enrichment, organization, storage, display, export, support, security, troubleshooting, and Service administration.

B. Duration

The subscription term and any period during which Scravio processes Customer Personal Data according to the Agreement, this DPA, workspace settings, retention practices, or applicable law.

C. Nature and purpose of processing

Scravio may process Customer Personal Data to:

  1. receive Customer instructions, URLs, domains, lists, files, filters, prompts, and task inputs;
  2. access public sources based on Customer instructions;
  3. discover publicly available business contact data and related business metadata;
  4. validate, enrich, de-duplicate, organize, and display results;
  5. generate Outputs and exports;
  6. store, retrieve, transmit, and delete Customer Personal Data;
  7. provide APIs, workflows, logs, and integrations;
  8. provide support, troubleshooting, and account administration;
  9. secure the Service and prevent abuse, fraud, spam, and unlawful use;
  10. comply with law and enforce the Agreement; and
  11. perform other processing documented in the Agreement or Customer instructions.

D. Categories of Data Subjects

Data Subjects may include:

  1. Customer users and administrators;
  2. Customer employees, contractors, agents, and representatives;
  3. business contacts, prospects, leads, website owners, company representatives, public business profile holders, and other individuals whose business contact data is processed under Customer instructions;
  4. individuals appearing in Customer-uploaded lists, files, URLs, or records; and
  5. individuals contained in support communications or task records.

E. Categories of Customer Personal Data

Customer Personal Data may include:

  1. name;
  2. business email address;
  3. company name;
  4. job title;
  5. business profile URL;
  6. public social or professional profile URL;
  7. public website URL;
  8. business phone number where publicly available and processed under Customer instructions;
  9. business location or region;
  10. domain, organization, and role metadata;
  11. validation, enrichment, status, confidence, or deliverability metadata;
  12. task IDs, logs, timestamps, and workflow metadata;
  13. Customer-uploaded records, lists, and files; and
  14. support information submitted by Customer.

F. Sensitive data

The Service is not designed to process sensitive personal data, special category data, children's data, protected-class data, government identifiers, financial account data, health data, biometric data, or precise geolocation. Customer must not submit or instruct Scravio to process such data.

G. Frequency of transfer

Continuous or as initiated by Customer through the Service, API, Workspaces, tasks, exports, and support requests.

H. Retention

As described in Section 11 of this DPA, the Agreement, Service settings, and the Privacy Policy.

Annex 2: Technical and organizational measures

Scravio maintains technical and organizational measures designed to protect Customer Personal Data appropriate to the nature of the processing and the risks involved.

1. Access control

  • Role-based access controls for internal systems where feasible.
  • Least-privilege access practices.
  • Access limited to personnel and service providers with a business need.
  • Authentication controls for administrative systems.
  • Periodic access review practices for sensitive systems.

2. Encryption and transmission security

  • Encryption in transit using TLS or similar protocols for Service communications where supported.
  • Encryption at rest where supported by hosting, database, or storage providers.
  • Secure handling of credentials, tokens, and secrets using appropriate technical controls.

3. Logging and monitoring

  • Security, access, error, and operational logging appropriate to the Service.
  • Monitoring for suspicious activity, abuse, errors, and security issues.
  • Investigation procedures for security alerts and anomalies.

4. Segregation and tenant controls

  • Logical separation of customer workspaces and data.
  • Access controls designed to prevent unauthorized cross-tenant access.
  • Separation of production and development environments where feasible.

5. Backup and recovery

  • Regular backups or provider-managed durability controls for critical systems where feasible.
  • Backup retention and overwrite schedules designed to support continuity and data recovery.
  • Recovery processes appropriate to the Service.

6. Vulnerability and patch management

  • Reasonable vulnerability monitoring and patching practices.
  • Dependency and infrastructure updates where appropriate.
  • Review and remediation of material security issues.

7. Secure development

  • Code review or equivalent change review practices where feasible.
  • Separation of duties for sensitive production changes where feasible.
  • Secure configuration practices for production systems.

8. Personnel security

  • Confidentiality obligations for personnel with access to Customer Personal Data.
  • Access provided based on role and business need.
  • Removal or modification of access when personnel roles change or end.

9. Incident response

  • Procedures to identify, investigate, contain, remediate, and notify affected customers of Security Incidents.
  • Internal escalation paths for security events.
  • Post-incident review where appropriate.

10. Subprocessor management

  • Due diligence of Subprocessors appropriate to the nature of services provided.
  • Written contracts with data protection and confidentiality obligations.
  • Maintenance of a Subprocessor list.

Annex 3: Subprocessors

Scravio's Subprocessors are listed on the Subprocessor Page, which is incorporated into this DPA by reference.

Subprocessor categories may include:

  1. cloud hosting and infrastructure;
  2. database and storage;
  3. logging, monitoring, and error tracking;
  4. email and transactional communications;
  5. customer support tooling;
  6. payment and billing providers;
  7. analytics used for Service operations;
  8. security, fraud prevention, and abuse prevention; and
  9. other vendors reasonably necessary to provide, secure, and support the Service.