Data Processing Addendum (DPA)
Last Updated: 10 February 2026
This Data Processing Addendum ("DPA") forms part of the Terms of Service ("Agreement") between Servita SME Limited ("Servita") and the Customer identified in the Agreement ("Customer").
This DPA applies to the extent that Servita processes Personal Data on behalf of the Customer in the course of providing the Services.
1. Definitions
- "Data Protection Laws" means all applicable laws and regulations relating to the processing of Personal Data, including the GDPR (EU General Data Protection Regulation 2016/679), the UK GDPR (Data Protection Act 2018), and the CCPA/CPRA (California Consumer Privacy Act).
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed by Servita on behalf of the Customer ("Customer Data").
- "Sub-processor" means any third party appointed by Servita to process Personal Data.
- "Standard Contractual Clauses" (SCCs) means the standard contractual clauses for the transfer of personal data to third countries approved by the European Commission (Decision 2021/914) or the UK International Data Transfer Addendum ("IDTA").
2. Roles and Scope
2.1. Roles
The parties acknowledge and agree that with regard to the Processing of Personal Data, Customer is the Controller (or Business) and Servita is the Processor (or Service Provider).
2.2. Scope
Servita shall process Personal Data only in accordance with Customer's documented instructions, which include the processing necessary to provide the Services as described in the Agreement (e.g., generating Assessments, powering the AI Assistant).
2.3. Details of Processing
The parties acknowledge and agree that the following describes the processing of personal data by Servita on behalf of the Customer:
- Subject Matter: The provision of access to and support for the Servita SME Transformation Platform, the Website Chatbot, and related AI-powered services.
- Duration: The term of the Agreement and any additional period until all Customer Data is deleted or returned, as required under this DPA.
- Nature and Purpose of Processing: The storage, retrieval, analysis (including via AI or machine learning models), aggregation, and transmission of Customer Data for the purpose of delivering business intelligence, transformation planning, customer engagement tools, system recommendations, platform functionality, website chatbot interactions, and related support services.
- Types of Personal Data: This may include, depending on Customer's use of the Services:
  - Contact details (e.g. name, email address, phone number)
  - Employment details (e.g. job title, department)
  - Communication metadata (e.g. system activity logs, chat transcripts)
  - Website Chatbot conversation data (e.g. enquiry content, messages submitted by website visitors)
  - Uploaded or submitted content containing personal data
  - System usage data linked to identifiable users
  - Any other personal data uploaded by or on behalf of the Customer in the course of using the Services.
- Categories of Data Subjects:
  - Employees and representatives of the Customer
  - Contractors and consultants of the Customer
  - End users or clients of the Customer (if personal data is submitted or uploaded by the Customer)
  - Website visitors who interact with the Website Chatbot
3. Servita's Obligations
3.1. Confidentiality:
Servita shall ensure that personnel authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3.2. Security:
Servita shall implement appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, or unauthorized disclosure or access. These measures shall include, at a minimum:
- Encryption of data in transit (TLS) and at rest.
- Role-based access controls and strong authentication.
- Regular vulnerability scanning and security testing.
3.3. Data Subject Rights:
Taking into account the nature of the processing, Servita shall assist the Customer (at Customer's expense) by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Customer's obligation to respond to requests for exercising the data subject's rights (e.g., access, deletion).
3.4. Government Requests:
If Servita receives a request from a government agency or law enforcement authority for access to Customer Data, Servita shall (unless legally prohibited) promptly notify Customer and redirect the authority to request the data directly from Customer.
4. Customer's Obligations
4.1. Compliance:
Customer is responsible for complying with all Data Protection Laws, including ensuring it has a lawful basis (such as consent or legitimate interest) to transfer the Personal Data to Servita.
5. Sub-processing
5.1. Authorization:
Customer grants Servita a general authorization to engage Sub-processors to provide the Services.
5.2. Current Sub-processors:
Customer acknowledges and agrees to the engagement of the following critical Sub-processors:
- AI Models: OpenAI, Google (Gemini), Anthropic.
- Chatbot Platform: Botpress, Inc. (which powers the Website Chatbot and may use third-party LLM providers like OpenAI as sub-processors).
- Infrastructure: Amazon Web Services (AWS), Microsoft Azure.
- Platform Services: HubSpot, Circle.so, Rewardful, Calendly, Stripe.
5.3. Changes:
Servita will provide notice (via the Platform or email) of any addition or replacement of Sub-processors. Customer may object to a new Sub-processor on reasonable data protection grounds within 10 days. If the parties cannot resolve the objection, either party may terminate the Agreement.
5.4. Liability:
Servita remains fully liable to the Customer for the performance of its Sub-processors' obligations.
6. International Transfers
6.1. Transfer Mechanisms:
Where Servita transfers Personal Data outside the UK or EEA to a country not deemed to ensure an adequate level of protection (such as the US or UAE), such transfers shall be governed by the Standard Contractual Clauses (SCCs).
6.2. SCC Incorporation:
The SCCs are hereby incorporated by reference into this DPA. For the purposes of the SCCs:
- Customer is the "Data Exporter" and Servita is the "Data Importer."
- Module Two (Controller to Processor) applies.
- The UK IDTA applies for transfers from the UK.
7. Data Breaches
7.1. Notification:
Servita shall notify Customer without undue delay (and in any event within 48 hours) after becoming aware of a Personal Data Breach affecting Customer Data.
7.2. Assistance:
Servita shall provide reasonable assistance to Customer in complying with its notification obligations to supervisory authorities and data subjects.
8. Audit Rights
8.1. Third-Party Audits:
Upon request, Servita will provide Customer with its most recent third-party security audit reports (e.g., SOC 2 Type II or ISO 27001 certification) or equivalent documentation to verify compliance.
8.2. Customer Audit:
Only if the documentation in 8.1 is insufficient to demonstrate compliance, Customer may (at its own expense and subject to strict confidentiality obligations) conduct an audit of Servita's processing activities. Such audits must be scheduled at least 30 days in advance and may not disrupt Servita's business operations.
9. Deletion and Return
Upon termination or expiration of the Agreement, Servita shall (at Customer's election) delete or return all Personal Data to Customer, unless applicable law requires storage of the Personal Data (e.g., for tax or legal records).
10. US Specific Provisions (CCPA/CPRA)
10.1. Service Provider Status
The parties agree that Servita is acting as a "Service Provider" as defined in the CCPA.
10.2. Restrictions:
Servita shall not:
- Sell or share Personal Data (as defined by CCPA).
- Retain, use, or disclose Personal Data for any purpose other than for the specific purpose of performing the Services specified in the Agreement.
- Combine Personal Data with personal data it receives from or on behalf of another person or persons, except as permitted by the CCPA.
11. Limitation of Liability
Each party's liability arising out of or related to this DPA shall be subject to the exclusions and limitations of liability set forth in the Agreement (Terms of Service).
12. Future AI Regulation & Compliance
12.1. Evolving Landscape
The parties acknowledge that the legal and regulatory landscape governing Artificial Intelligence is rapidly evolving.
12.2. Regulatory Changes
In the event that new laws or regulations are enacted that materially impact the use of AI solutions provided under this Agreement (e.g., the EU AI Act), both parties agree to negotiate in good faith to amend this DPA or the Agreement to ensure continued compliance.
12.3. Termination for Non-Compliance
If such regulatory changes render the continued provision of the Services unlawful or commercially unviable, and the parties cannot agree on a compliant amendment within thirty (30) days, either party may terminate the affected portion of the Services upon written notice to the other party.
