Data Processing Agreement
Last updated: June 16, 2026
This Data Processing Agreement ("DPA") forms part of the Scrapeer Terms of Service for business customers who use Scrapeer to process personal data on behalf of their own customers, users, employees, prospects, or other data subjects. If we sign a separate data processing agreement with you, that signed agreement controls for the covered processing.
Scrapeer is operated by Intuitive Systems Novesia UG (haftungsbeschränkt), a German company. Questions about this DPA can be sent to privacy@scrapeer.com .
1. Parties, Roles, and Scope
This DPA applies when Scrapeer processes personal data contained in customer flows, files, browser sessions, screenshots, run logs, extracted output, or other automation content only to provide the Service.
| Processing context | Customer role | Scrapeer role |
|---|---|---|
| Customer automation content and workflow output | Controller | Processor |
| Managed Flow setup data provided by the customer | Controller | Processor, where we act on documented instructions |
| Scrapeer account, billing, tax, security, abuse, and support records | Data subject or business contact | Controller |
The customer decides what websites to automate, what data to collect, the legal basis for that processing, and what retention or export settings to apply. Scrapeer processes customer personal data only as instructed through the Service, this DPA, the Terms, support requests, or other documented instructions.
2. Processing Details
| Subject matter | Visual browser automation, web scraping workflow creation, cloud workflow execution, result storage, support, and managed Flow setup where requested. |
|---|---|
| Nature and purpose | Hosting, storing, transmitting, retrieving, displaying, executing, securing, supporting, and deleting customer workflow content as necessary to provide Scrapeer and related support. |
| Duration | For the term of the customer's use of Scrapeer, plus any deletion, backup, legal, security, or abuse-response retention periods described in the Privacy Policy or this DPA. |
| Data subjects | End users, employees, contractors, customers, prospects, website visitors, public website contacts, and any other individuals whose data the customer chooses to process through Scrapeer. |
| Personal data types | Flow definitions, URLs, selector and page metadata, uploaded files, screenshots, run logs, extracted output, delivery destinations, integration tokens, secret labels, and other data submitted or generated by the customer's workflows. Secret values are encrypted and stored separately from application data. |
| Special categories | Scrapeer is not designed for processing special-category data, criminal-offense data, or data about children. The customer must not intentionally submit that data unless the parties agree additional written safeguards first. |
3. Customer Responsibilities
The customer is responsible for:
- having a lawful basis for the data it processes through Scrapeer;
- providing notices, obtaining consents, and handling data subject requests where required;
- ensuring each automation complies with applicable law and any target website terms that bind the customer;
- configuring workflows, integrations, secrets, exports, and retention settings appropriately; and
- avoiding unnecessary personal data and not using Scrapeer for prohibited or high-risk processing without a separate written agreement.
4. Scrapeer Processing Obligations
Scrapeer will:
- process customer personal data only on documented instructions unless EU or Member State law requires otherwise, including documented instructions for transfers of customer personal data to a third country or international organization;
- ensure personnel authorized to process customer personal data are bound by confidentiality obligations;
- implement appropriate technical and organizational measures described in this DPA;
- assist the customer, taking into account the nature of the processing, with data subject requests, security obligations, data protection impact assessments, and supervisory authority consultations where legally required and reasonably possible;
- notify the customer without undue delay after becoming aware of a personal data breach affecting customer personal data;
- make information reasonably necessary to demonstrate compliance with this DPA available to the customer; and
- promptly inform the customer if, in Scrapeer's opinion, an instruction infringes applicable EU or Member State data protection law, unless law prohibits that notice.
5. Sub-processors
The customer gives Scrapeer general authorization to use sub-processors to provide the Service. The current public list is available on the Sub-processors page.
Scrapeer will impose data protection obligations on sub-processors that are appropriate for the nature of their processing. We will update the Sub-processors page when we add, remove, or replace a sub-processor. For material changes affecting customer personal data, we will also notify registered users by email where appropriate. Scrapeer remains responsible to the customer for the performance of sub-processor obligations required by this DPA.
The customer may object to a new sub-processor on reasonable data protection grounds by contacting privacy@scrapeer.com . We will work in good faith to address the objection, which may include disabling the affected optional feature or allowing termination of the affected Service.
6. International Transfers
Core account, project, and workflow execution data is hosted in the EU. Some optional features or selected operational touchpoints may involve sub-processors outside the EU, including global Copilot routing, social login, third-party integrations, payments, support, and proxy or CAPTCHA services when enabled or used.
Where customer personal data is transferred to a country without an adequacy decision and no derogation applies, Scrapeer will use appropriate transfer safeguards, such as the European Commission's Standard Contractual Clauses, together with supplementary measures where appropriate for the transfer.
7. Security Measures
Scrapeer maintains technical and organizational measures appropriate to the nature of the Service, including:
- EU-hosted core infrastructure for account, project, and run data;
- HTTPS/TLS encryption for data in transit;
- encryption and separation of secret values from regular application data;
- access controls for accounts, teams, and administrative systems;
- scoped credentials for cloud workflow execution;
- logging, rate limiting, and abuse prevention controls;
- data minimization controls, including excluding secret values and file contents from Copilot prompts; and
- backup, monitoring, and incident-response processes.
8. Deletion and Return
During the subscription term, the customer can export workflow definitions and output available in the Service. At the end of the Service, and on documented customer instruction where technically feasible, Scrapeer will return available customer personal data or delete or anonymize it within a reasonable period, unless retention is required for legal, tax, security, fraud, abuse-response, backup, or dispute purposes.
Limited operational and abuse logs may be retained for the periods described in the Privacy Policy. Backup copies are deleted through normal backup lifecycle processes.
9. Audits and Information Requests
On reasonable written request, Scrapeer will provide information necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, as required by Article 28 GDPR. Audits must be reasonable in scope, scheduled in advance, and conducted in a way that does not compromise Scrapeer's systems, other customers' data, trade secrets, or security posture. Scrapeer may satisfy audit requests by providing documentation, written answers, summaries of controls, or third-party reports where available.
10. Order of Precedence and Changes
If there is a conflict between this DPA and the Terms on the processing of customer personal data, this DPA controls. We may update this DPA from time to time. Material changes will be posted on this page and, if appropriate, notified to registered users by email.
To request a signed copy or ask a data protection question, contact privacy@scrapeer.com .