Last updated: June 17, 2026
ScrambleSync Data Processing Agreement (DPA)
Processor terms governing ScrambleSync's processing of personal data on behalf of the Customer (tournament organizer).
Preamble & Document Status
This Data Processing Agreement (the "DPA") supplements and forms part of the agreement under which Coyote Valley Technology Solutions, LLC, operating the ScrambleSync service ("ScrambleSync", "Processor", "we"), provides golf scramble tournament software to the customer (the "Customer", "Organizer", "Controller", "you") (the "Principal Agreement" or "Terms of Service").
This DPA governs ScrambleSync's processing of Personal Data on the Customer's behalf in connection with the ScrambleSync service (the "Service"). Where this DPA conflicts with the Principal Agreement on matters of data protection, this DPA controls.
This DPA forms part of, and is incorporated into, the Terms of Service / Principal Agreement and reflects ScrambleSync's actual architecture and controls. A counter-signed copy is available on request (see Section 16).
Core posture (stated accurately): ScrambleSync is a Processor. We store and process the Personal Data necessary to run tournaments on the Organizer's documented instructions. We do not sell Personal Data, we do not use it for advertising, profiling, model training, or any purpose of our own, and we apply data minimization and purpose limitation. We do NOT claim to "store no data" — we store exactly what is needed to operate the tournament service and nothing more.
1. Definitions
For the purposes of this DPA:
- "Applicable Data Protection Law" means all laws and regulations applicable to the processing of Personal Data under this DPA, including, as applicable, the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR and Data Protection Act 2018, the California Consumer Privacy Act as amended by the CPRA ("CCPA/CPRA"), and equivalent U.S. state privacy laws.
- "Controller" means the entity that determines the purposes and means of processing Personal Data — here, the Customer / Organizer.
- "Processor" means the entity that processes Personal Data on behalf of the Controller — here, ScrambleSync. Under CCPA/CPRA, ScrambleSync acts as a "Service Provider."
- "Personal Data" means any information relating to an identified or identifiable natural person that ScrambleSync processes on the Customer's behalf under the Principal Agreement, as itemized in Section 5.
- "Data Subject" means the individual to whom Personal Data relates (e.g., a registrant, player, sponsor, or organizer staff member).
- "Processing" means any operation performed on Personal Data (collection, storage, retrieval, use, disclosure, erasure, etc.).
- "Sub-processor" means any third party engaged by ScrambleSync to process Personal Data on the Customer's behalf, as listed in Section 8.
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data processed under this DPA.
- "Standard Contractual Clauses" or "SCCs" means the clauses approved by the European Commission (Decision 2021/914) and, for the UK, the UK International Data Transfer Addendum.
- "TOMs" means the technical and organizational measures described in Section 7.
- "Documented Instructions" means the instructions set out in the Principal Agreement, this DPA, the configuration choices the Customer makes within the Service, and any further written instructions agreed by the parties.
2. Roles & Subject Matter
2.1 Roles. As between the parties, the Customer is the Controller (and the "business" under CCPA/CPRA) and ScrambleSync is the Processor (and the "service provider" under CCPA/CPRA) for the Personal Data processed under this DPA. Where the Customer is itself acting as a processor for a further controller, ScrambleSync acts as a sub-processor and the same obligations flow down.
2.2 Subject matter. The subject matter of the processing is the provision of the ScrambleSync golf scramble tournament platform, including registration, payment processing, team and cart management, live scoring, side games, sponsor display, messaging, integrity review, reporting/exports, and associated security and observability functions.
2.3 Customer responsibilities. The Customer is solely responsible for: (a) establishing a valid lawful basis for the processing and for any required consents from Data Subjects; (b) the accuracy and lawfulness of Personal Data it (or its registrants) submit; (c) responding to Data Subjects as the primary point of contact; and (d) ensuring its instructions to ScrambleSync comply with Applicable Data Protection Law.
2.4 ScrambleSync's role boundary. ScrambleSync determines the technical means of providing the Service but does not determine the purposes of processing the Customer's tournament data. ScrambleSync will inform the Customer if, in its opinion, an instruction infringes Applicable Data Protection Law (without obligation to provide legal advice).
3. Duration
3.1 Term. This DPA takes effect on the effective date of the Principal Agreement (or, if later, the date the Customer first uses the Service) and remains in force for as long as ScrambleSync processes Personal Data on the Customer's behalf.
3.2 Survival. Provisions that by their nature should survive termination — including confidentiality (Section 6), return and deletion (Section 13), liability (Section 14), and governing law (Section 15) — survive expiry or termination of this DPA and the Principal Agreement.
3.3 Duration of processing. Processing continues for the duration of the Principal Agreement, plus the limited retention periods described in Section 13, after which Personal Data is deleted or anonymized in accordance with this DPA.
4. Nature & Purpose of Processing
4.1 Purpose. ScrambleSync processes Personal Data solely to provide and support the Service on the Customer's Documented Instructions. This includes:
- Creating and managing organizer accounts and authentication (including MFA);
- Accepting and managing registrations and rosters;
- Processing payments and producing payment/registration records;
- Generating teams, cart assignments, and tournament configuration;
- Recording and displaying live hole-by-hole scores and side games;
- Displaying sponsor/advertiser content;
- Sending transactional email (confirmations, reminders, resets, codes, invites);
- Operating integrity review, messaging, audit logging, reporting, and data export features;
- Providing, at the Customer's option, programmatic access to the Customer's own data through an authenticated REST API (OAuth 2.0 client credentials, scoped per the Customer's configuration). The API exposes only the Customer's own data, introduces no additional Sub-processor, and is subject to the same security measures in Section 7;
- Providing, at the Customer's option, an in-product AI assistant ("Scramble AI", off by default and enabled per organization) that processes the Customer's own data to answer questions and, only with the organizer's explicit confirmation, perform live-day actions. The assistant operates under a short-lived, least-privilege, organization-scoped token and the same tenant isolation as every other request; it engages one additional Sub-processor (Anthropic, Section 8) only when enabled and in use; the data is NOT used to train any model;
- Maintaining security, rate limiting, fraud/abuse prevention, and service observability.
4.2 Prohibited purposes. ScrambleSync will NOT: (a) sell or "share" Personal Data (as those terms are defined under CCPA/CPRA); (b) use Personal Data for advertising, marketing, profiling, or behavioral targeting; (c) use Personal Data to train machine-learning models for ScrambleSync's own purposes; or (d) combine Personal Data received under this DPA with data from other sources except as strictly necessary to provide the Service or as permitted by Applicable Data Protection Law.
4.3 Nature. Processing operations include collection, recording, structuring, storage, retrieval, consultation, use, transmission to Sub-processors, restriction, erasure/anonymization, and deletion, performed by automated and manual means.
5. Categories of Data & Data Subjects
5.1 Categories of Data Subjects: tournament organizers, administrators, and invited staff; tournament registrants, golfers, players, and team members; tournament sponsors/advertisers; and (indirectly) recipients of broadcast messages.
5.2 Categories of Personal Data processed (per ScrambleSync's data inventory):
- Organizer account data — full name, email address, MFA/passkey credentials, password hashes, session tokens, organization name (auth managed by Supabase Auth; TOTP secrets encrypted at rest).
- Registrant personal information — name, email address, team name, phone number (if collected), optional imported rosters/player names.
- Player/golfer data — player names, team assignments, hole-by-hole scores, handicaps (if tracked), player type (captain/member), cart assignments.
- Payment transaction data — registration amount, payment status, Stripe session ID, payment intent ID, currency, item/product descriptions and prices. Card data (PAN/CVV) is never received or stored by ScrambleSync — it is handled entirely by Stripe (SAQ-A scope).
- Sponsor/advertiser data — sponsor/company name, logo URL, advertisement text, link URLs, sponsor access code.
- Tournament & event data — tournament/course name, slug, status, timezone, hole configuration, rules, side-game rules, logos (may reference individuals indirectly).
- Audit & compliance logs — actor email/ID, action type, tournament/target ID, IP address, request ID, timestamp, metadata with anonymized PII counts (immutable).
- Communication & messaging — message text, direction, type, read status, team/tournament association.
- Integrity & compliance flags — flag type, severity, observed hole, reviewer notes, IP addresses and user agents from attestations.
- Usage & performance telemetry — web vitals (LCP, FCP, CLS, FID, INP, TTFB), page URL, structured logs (request ID, pseudonymized user ID, action, duration, HTTP status). Telemetry is pseudonymized by request ID; auto-pruned after 30 days.
- Technical & security identifiers — IP addresses (x-forwarded-for), user agents, request IDs, session tokens, admin HMAC session cookies, WebAuthn/passkey attestations, ephemeral rate-limit state.
5.3 Special categories. ScrambleSync does not require special-category data and instructs Customers not to submit it. The Customer must not upload sensitive personal data into free-text fields.
6. Processor Obligations
ScrambleSync will:
6.1 Process only on Documented Instructions. Process Personal Data only on the Customer's Documented Instructions, including for international transfers, unless required by law to act otherwise (in which case it will inform the Customer unless legally prohibited).
6.2 No sale, no secondary use. Not sell or share Personal Data and not retain, use, or disclose it for any purpose other than providing the Service as set out in Section 4, including not for any commercial purpose of its own. ScrambleSync certifies it understands and will comply with these restrictions (CCPA/CPRA § 1798.140).
6.3 Data minimization & purpose limitation. Collect and process only the Personal Data necessary to operate tournaments, and only for the purposes in Section 4. Telemetry is pseudonymized; erasure anonymizes registrant PII to an `[erased]` placeholder while preserving an immutable, PII-free audit record.
6.4 Confidentiality. Ensure that persons authorized to process Personal Data are bound by confidentiality obligations and access it only on a need-to-know basis.
6.5 Security. Implement and maintain the TOMs described in Section 7.
6.6 Sub-processors. Engage Sub-processors only in accordance with Section 8.
6.7 Assistance. Assist the Customer with Data Subject requests (Section 10), breach notification (Section 11), and data protection impact assessments and prior consultations, taking into account the nature of processing and information available.
6.8 Deletion. Return or delete Personal Data on termination as set out in Section 13.
6.9 Records & demonstrable compliance. Maintain records of processing and make available the information necessary to demonstrate compliance (Section 12).
7. Security Measures (Technical & Organizational Measures)
ScrambleSync maintains the following measures, verified against its codebase. These reflect the current state honestly; controls not yet in place are marked as such.
Authentication & access control.
- MFA enforced for all organizer routes via Authentication Assurance Level 2 (AAL2), checked in `middleware.ts` using Supabase Auth `getAuthenticatorAssuranceLevel()`. Passkey (WebAuthn) satisfies MFA; otherwise TOTP is required, with forced setup at `/settings/mfa`.
- Administrative area protected by passkey (WebAuthn) authentication with HMAC-signed session cookies (`verifyAdminSession`), separate from organizer auth.
Database access control.
- Row-Level Security (RLS) enforced on application tables; organizers can access only tournaments they own (`owner_id = auth.uid()`).
- Cross-user isolation verified by an automated Playwright security suite (e.g., User2 receives 404 when accessing User1's tournament).
Encryption.
- In transit: TLS enforced; HSTS header `max-age=63072000; includeSubDomains; preload` set in `next.config.mjs`.
- At rest: Supabase/AWS encryption at rest; MFA TOTP secrets encrypted by Supabase Auth.
Network & application hardening.
- Strict security headers in `next.config.mjs`: Content-Security-Policy, `X-Frame-Options: SAMEORIGIN`, `X-Content-Type-Options: nosniff`, `Referrer-Policy: strict-origin-when-cross-origin`, and a restrictive Permissions-Policy.
- Rate limiting (`lib/ratelimit.ts`): 60 requests/min per IP general, 10/min on auth endpoints (sliding window), Upstash-backed with in-memory fallback.
- Circuit breakers and retry/timeout wrappers for external dependencies (Stripe, Supabase) to contain failures.
Logging & audit.
- Immutable, insert-only `audit_events` audit trail for key actions (create, delete, team generation, score deletion, data erasure, etc.), capturing actor, IP, request ID, timestamp, and anonymized metadata.
- Structured JSON logs with pseudonymized user IDs; no passwords or raw PII logged. The erasure endpoint records only an email length, never the email itself.
Secrets & input handling.
- No hardcoded secrets; all sensitive configuration via environment variables. Stripe webhook signatures verified (HMAC-SHA256). Email/HTML inputs escaped; uploads use secure filename handling.
Dependency & vulnerability management.
- `npm audit --audit-level=high` enforced in CI (`.github/workflows/ci.yml`); Dependabot configured for automated patch PRs.
- No formal third-party penetration test has been performed (planned, not yet conducted).
Backups & resilience (stated accurately).
- Supabase managed PostgreSQL with automated daily backups; RPO ~24 hours, RTO target ~4 hours.
- Point-in-time recovery (PITR) is available from Supabase but is NOT currently enabled.
- Periodic/quarterly restore tests are NOT currently performed (not claimed).
Observability.
- Health endpoint (`/api/health`) reports Supabase, Stripe, and circuit-breaker status. Production observability is structured application logging (to DigitalOcean) and error capture (Sentry), plus operator push alerts on background-job (cron) failures. Distributed tracing and external metrics export are NOT currently enabled — a custom OpenTelemetry pipeline was removed for stability and has not been re-introduced, so no trace/metric data is sent to any external APM today.
8. Sub-processors
8.1 Authorization. The Customer provides general written authorization for ScrambleSync to engage the Sub-processors listed below to process Personal Data to provide the Service.
8.2 Current Sub-processors:
- Supabase — PostgreSQL database, authentication, RLS, real-time, and file storage. Receives all Personal Data categories (no card data). Location: AWS us-west-1. Automated daily backups; PITR available but not enabled.
- Stripe — payment processing, checkout, settlement. Receives payment amount/currency, session and payment-intent IDs, product descriptions, and customer email if captured. Handles all card data directly (PCI-DSS Level 1; ScrambleSync is SAQ-A). Location: Stripe global infrastructure.
- Resend — transactional email delivery. Receives recipient email and name, event/course/team names, codes, and links. Location: Resend global infrastructure (GDPR-compliant). Optional: if `RESEND_API_KEY`/`EMAIL_FROM` are unset, email is silently skipped.
- Cloudflare — CDN, DNS proxy, DDoS protection, TLS termination, edge caching. Receives HTTP request metadata (IP, user agent, referrer, path). Location: global edge network.
- Sentry — error and performance monitoring. Receives stack traces, request context (request ID, user ID, URL), exception details, and breadcrumbs. Location: Sentry.io SaaS.
- Upstash — distributed rate limiting and optional circuit-breaker/cache state (Redis). Receives ephemeral rate-limit counters (IP + window state). Location: managed Redis (us-east-1 default; configurable). No long-term PII at rest.
- DigitalOcean — application hosting (App Platform) and log capture. Receives application logs (pseudonymized) and organizer-set environment variables (via dashboard). Location: per deployment config (default us-west).
- Anthropic, PBC — powers the optional Scramble AI assistant (off by default; engaged only when the assistant is enabled and in use). Receives the content of the organizer's request and the scoped data needed to fulfill it. Inputs and outputs submitted through Anthropic's commercial API are not used to train Anthropic's models; content may be retained briefly only for safety/abuse monitoring, not training. Location: United States.
_No external APM / tracing sub-processor is engaged today: distributed tracing and external metrics export are not currently enabled (the custom OpenTelemetry pipeline was removed for stability). If such a provider is later added, it will be disclosed here with the 30-day sub-processor change notice in Section 8.4._
8.3 Flow-down. ScrambleSync imposes data-protection obligations on each Sub-processor that are no less protective than those in this DPA, and remains liable to the Customer for each Sub-processor's performance.
8.4 Change notice & objection. ScrambleSync will give the Customer at least 30 days' prior notice before adding or replacing a Sub-processor (by email and/or in-product notice). The Customer may object on reasonable, good-faith data-protection grounds within that 30-day window. The parties will work in good faith to resolve the objection; if it cannot be resolved, the Customer may terminate the affected portion of the Service as its sole remedy, without penalty for the unused, prepaid period.
9. International Transfers
9.1 Transfer locations. Personal Data is primarily stored in AWS us-west-1 (United States) via Supabase. Certain Sub-processors operate globally (Cloudflare, Stripe, Resend, Sentry) and Upstash defaults to us-east-1. The Service is operated from the United States.
9.2 Transfer mechanism. Where Applicable Data Protection Law requires a transfer mechanism for Personal Data leaving the EEA, UK, or Switzerland, the parties rely on the EU Standard Contractual Clauses (Commission Decision 2021/914), which are incorporated into this DPA by reference, with the module reflecting the parties' roles (typically Module Two, controller-to-processor; or Module Three where the Customer is itself a processor). For UK transfers, the UK International Data Transfer Addendum applies; for Swiss transfers, the SCCs apply as adapted by the Swiss FDPIC.
9.3 SCC operative details. For the SCCs: (a) the optional docking clause applies; (b) for Clause 9, the general authorization of Sub-processors in Section 8.4 with 30-day notice applies; (c) for Clause 11, the independent-dispute-resolution option does not apply; (d) the governing law and forum are those of Section 15 where permitted, otherwise as required by the SCCs; (e) Annexes I, II, and III are populated by Sections 2, 4, 5, 7, and 8 of this DPA respectively.
9.4 Supplementary measures. ScrambleSync maintains the TOMs in Section 7 (including encryption in transit and at rest) as supplementary measures supporting lawful transfers. A signed copy of the SCCs is available on request (Section 16).
10. Data-Subject-Rights Assistance
10.1 Primary responsibility. As Controller, the Customer is the first point of contact for Data Subjects exercising rights of access, rectification, erasure, restriction, portability, and objection.
10.2 Self-service tooling. ScrambleSync provides Customer-operated tooling so the Customer can satisfy most requests directly:
- Erasure / right to be forgotten — `POST /api/organizer/erase` anonymizes a registrant's name and email to `[erased]` across the organizer's tournaments and logs an immutable, PII-free erasure event.
- Access / portability — `/api/export/registrations` (names, emails, teams, amounts) and `/api/export/results` (scores/results), available to authenticated organizers.
- Rectification & deletion — organizers can edit tournament data and delete tournaments (cascade-deleting related Personal Data) directly in the product.
10.3 ScrambleSync assistance. Where a request cannot be fulfilled through self-service, ScrambleSync will, taking into account the nature of processing, provide reasonable assistance to enable the Customer to respond, including by appropriate technical and organizational measures.
10.4 Forwarding. If a Data Subject contacts ScrambleSync directly, ScrambleSync will not respond substantively (except to acknowledge and redirect) and will promptly forward the request to the relevant Customer, unless legally required to act otherwise.
11. Personal-Data-Breach Notification
11.1 Notice to Customer. ScrambleSync will notify the Customer without undue delay, and in any event aiming for within 72 hours of becoming aware of a Personal Data Breach affecting Personal Data processed under this DPA.
11.2 Contents. The notification will include, to the extent known and as it becomes available: (a) the nature of the breach and, where possible, the categories and approximate number of Data Subjects and records affected; (b) the likely consequences; (c) the measures taken or proposed to address it and mitigate harm; and (d) a contact point for further information. ScrambleSync may provide information in phases as the investigation progresses.
11.3 Cooperation. ScrambleSync will reasonably cooperate with the Customer and take reasonable steps to investigate, contain, and remediate the breach. Detection is supported by structured logging, the immutable audit trail, Sentry error monitoring, and health monitoring described in Section 7.
11.4 Customer obligations. The Customer is responsible for any notifications to supervisory authorities and Data Subjects required of it as Controller. ScrambleSync's notification is not an acknowledgment of fault or liability.
12. Audits & Information Rights
12.1 Documentation. On reasonable written request (no more than once per 12-month period absent a Personal Data Breach or regulator requirement), ScrambleSync will make available information reasonably necessary to demonstrate compliance with this DPA — including a description of its TOMs (Section 7), Sub-processor list (Section 8), and available compliance evidence such as the CI security gate (`npm audit`), the automated security test suite, and audit-log architecture.
12.2 Audits. Where Applicable Data Protection Law grants an audit right, the Customer (or an independent auditor it appoints, bound by confidentiality and not a competitor of ScrambleSync) may audit ScrambleSync's compliance. The parties will agree scope, timing, and duration in advance; audits will be conducted during business hours, with reasonable prior notice (at least 30 days absent a breach), in a manner that minimizes disruption, and at the Customer's cost.
12.3 Sub-processor audits. For Sub-processors, ScrambleSync will use available third-party reports and certifications (e.g., Stripe's PCI-DSS status, Sub-processor DPAs) to satisfy audit requests where direct audit is impractical.
12.4 Honest limits. ScrambleSync does not currently hold SOC 2, ISO 27001, or PCI-DSS Level 1 certifications and has not undergone a formal third-party penetration test. ScrambleSync will not represent otherwise and will update this DPA if that status changes.
13. Return & Deletion on Termination
13.1 On termination. On expiry or termination of the Principal Agreement, and at the Customer's choice, ScrambleSync will return and/or delete the Personal Data it processes on the Customer's behalf, subject to the retention rules below and any legal retention obligations.
13.2 Customer self-service. Before or after termination, the Customer may export its data via the export endpoints (Section 10.2) and delete tournaments to cascade-delete related Personal Data.
13.3 Retention schedule (as configured in the Service):
- Registrant personal data (names, emails, team names): retained for the duration of the tournament plus up to 90 days post-event (organizer-controlled), or until earlier erasure via the erasure endpoint. Erasure anonymizes to `[erased]`.
- Player/golfer data (scores, participation): retained with the tournament until tournament deletion (cascade) or organizer-initiated erasure; forms part of the financial audit trail for paid events.
- Payment transaction records (Stripe IDs, amounts, items): retained as financial/tax records; Stripe independently retains transaction history under its own policies.
- Audit logs (`audit_events`): retained as an immutable compliance record; contains no raw erased PII.
- Web vitals & command metric samples: auto-pruned after 30 days via pg_cron.
- Rate-limit state: ephemeral (in-memory reset on restart; Upstash keys expire per window).
- Application logs: DigitalOcean ~30 days (platform default); Sentry ~90 days (configurable per plan).
- Organizer account data: retained for the account lifecycle; deleted on account deletion, cascading to tournaments and related records.
13.4 Post-termination deletion window. After the chosen return/deletion is completed, ScrambleSync will delete remaining copies within a commercially reasonable period, typically within 30 days, except for data ScrambleSync is legally required to retain or that remains in routine backups until those backups expire on their normal cycle (after which it is overwritten).
13.5 Backups. Personal Data persisting in backups is isolated from active processing, subject to the same TOMs, and overwritten/expired on the normal backup rotation.
14. Liability
14.1 Cap. Each party's liability arising out of or related to this DPA, whether in contract, tort, or otherwise, is subject to the limitations and exclusions of liability set out in the Principal Agreement, and any reference there to the liability of a party means the aggregate liability of that party under both the Principal Agreement and this DPA combined.
14.2 Allocation. As between the parties, liability for damage caused by processing is allocated according to each party's responsibility for the event giving rise to the damage. ScrambleSync is liable only for damage caused by processing where it has not complied with obligations specifically directed to processors under Applicable Data Protection Law, or where it acted outside or contrary to the Customer's lawful Documented Instructions.
14.3 No new heads of liability. Nothing in this DPA creates additional categories of liability beyond those agreed in the Principal Agreement, except where Applicable Data Protection Law (including the SCCs) mandates otherwise, in which case the mandatory provisions prevail.
14.4 SCC liability. Where the SCCs apply, the liability provisions of the SCCs govern claims by Data Subjects as third-party beneficiaries to the extent required by law, notwithstanding the cap in 14.1.
15. Governing Law
15.1 Governing law. This DPA is governed by the same governing law and subject to the same jurisdiction and venue as the Principal Agreement, except where Applicable Data Protection Law or the SCCs require a specific governing law or forum, in which case those mandatory requirements prevail for the matters they cover.
15.2 SCC interaction. Where the EU SCCs apply, the governing law and forum for the SCCs are those specified in the SCCs (typically an EU Member State), and nothing in this Section overrides those mandatory choices. For the UK Addendum, UK law and courts govern as required.
15.3 Order of precedence. In the event of conflict, the order of precedence is: (1) the SCCs / mandatory Applicable Data Protection Law, (2) this DPA, (3) the Principal Agreement.
16. Requesting a Signed Copy
To request a counter-signed copy of this DPA, the incorporated Standard Contractual Clauses, or ScrambleSync's current Sub-processor list and security documentation, contact:
- Email: [email protected]
- Subject line: "DPA Request — [Your Organization Name]"
- Processor legal entity: Coyote Valley Technology Solutions, LLC (a Utah limited liability company), 9011 N Clubhouse Lane, Eagle Mountain, UT 84005, USA
Please include the legal entity name, the email associated with your ScrambleSync account, and the jurisdiction(s) relevant to your processing so the correct transfer mechanism and module of the SCCs can be selected. ScrambleSync will respond and, where appropriate, return a counter-signed copy within a reasonable period.