Scriptlane← Back to site

Data Processing Addendum

Effective: April 2026.

This Data Processing Addendum (“DPA”) forms part of the Terms of Service between BID Partners LLC (“Processor”) and the Customer (“Controller”) using the Scriptlane Service. It reflects the parties’ agreement regarding the processing of personal data governed by the EU General Data Protection Regulation (“GDPR”), the UK GDPR, and analogous frameworks.

1. Subject matter and duration

Processor processes personal data on behalf of Controller solely to provide the Scriptlane Service for the term of the agreement and subsequent wind-down period described herein.

2. Nature, purpose, and categories

Nature and purpose

Delivery of self-serve campaign scoping, brokered-execution referrals, transactional email, billing, and support.

Categories of data subjects

  • Customer’s employees and authorized users (Scope users).
  • Operator-side staff of BID Partners LLC.
  • Business contacts submitted via contact forms.

Categories of personal data

  • Name, work email, phone (if provided), company name, role.
  • Stripe customer and subscription identifiers.
  • Audit records of user actions within the Service.

Processor does not process special categories of data under GDPR Article 9, nor PHI as defined under HIPAA. See the Privacy Policy for additional detail.

3. Obligations of Processor

  • Process personal data only on documented instructions from Controller, including the instructions embedded in Controller’s use of the Service.
  • Ensure that personnel authorized to process personal data are subject to appropriate confidentiality obligations.
  • Implement appropriate technical and organizational measures per Article 32, as described on the Trust & Security page.
  • Assist Controller in responding to data-subject requests and in fulfilling Controller’s obligations under Articles 32-36.
  • Notify Controller without undue delay upon becoming aware of a personal data breach.
  • Delete or return personal data after the end of the service provision, subject to retention obligations described in the Privacy Policy.

4. Subprocessors

Controller authorizes the subprocessors listed on the Trust & Security page. Processor will notify Controller at least 30 days before adding or replacing a subprocessor. Controller may object on reasonable data-protection grounds; the parties will work in good faith to resolve the objection.

5. International transfers

Processor and its subprocessors primarily operate in the United States. Where personal data is transferred from the EEA, UK, or Switzerland to the United States, the parties rely on the Standard Contractual Clauses as adopted by the European Commission (decision 2021/914) and the UK International Data Transfer Addendum, which are incorporated by reference into this DPA.

6. Data subject rights

Processor will, taking into account the nature of the processing, provide reasonable assistance to enable Controller to respond to requests to exercise rights under Articles 15-22 of the GDPR.

7. Audits

On reasonable prior written notice and no more than once per year (unless required by a supervisory authority), Processor will make available information necessary to demonstrate compliance, including the applicable portions of third-party audit reports when available.

8. Order of precedence

In the event of any conflict between this DPA and the Terms of Service, this DPA controls with respect to the processing of personal data.

Questions about this document? Email ben@scriptlanedata.com. Scriptlane is a product of BID Partners LLC.