Data Processing Agreement

SERVADRA COMPANY LIMITED
Last updated: 10 March 2026

1. Purpose

This Data Processing Agreement (“DPA”) forms part of the service relationship between SERVADRA COMPANY LIMITED (“Processor”, “we”, “us”, “our”) and the client organisation (“Controller”, “Client”).

This agreement applies where SERVADRA COMPANY LIMITED processes personal data on behalf of a client in connection with the provision of Servadra services.

This agreement is intended to comply with the requirements of Article 28 of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Roles of the Parties

For the purposes of this agreement:

  • The Client acts as the Data Controller.
  • SERVADRA COMPANY LIMITED acts as the Data Processor.

The Controller determines the purposes and means of the processing of personal data.

The Processor processes personal data solely on behalf of and under the documented instructions of the Controller.

3. Nature and Purpose of Processing

Processing activities may include the handling of operational communication and service interaction data within the Servadra system environment.

Servadra is a structured operational system that governs customer interaction workflows under deterministic operational rules.

Processing may include:

  • storage of operational interaction data
  • structured routing of enquiries
  • system logging and operational monitoring
  • processing necessary for service delivery

4. Categories of Personal Data

The categories of personal data processed may include:

  • business contact information
  • names and business email addresses
  • operational enquiry messages
  • system interaction metadata

Special category personal data must not be processed unless explicitly agreed in writing.

5. Categories of Data Subjects

Data subjects may include:

  • employees or representatives of the Client
  • customers or prospective customers of the Client
  • individuals submitting enquiries to the Client

6. Processor Obligations

The Processor shall:

  • process personal data only on documented instructions from the Controller
  • ensure personnel are subject to confidentiality obligations
  • implement appropriate technical and organisational security measures
  • assist the Controller in meeting UK GDPR obligations where reasonably required

The Processor shall not process personal data for its own purposes.

7. Security Measures

The Processor implements appropriate technical and organisational measures including:

  • access control and authentication controls
  • system monitoring and logging
  • restricted operational access
  • security review and infrastructure protection

8. Sub-Processors

The Processor may engage third-party service providers (“Sub-processors”) where necessary to deliver and secure the service.

These may include:

  • cloud hosting providers
  • infrastructure providers
  • security monitoring providers
  • AI model providers used strictly for controlled processing

All sub-processors are required to maintain appropriate data protection standards and confidentiality obligations.

9. International Transfers

Where personal data is processed outside the United Kingdom, appropriate safeguards such as UK-approved standard contractual clauses or equivalent legal mechanisms are applied.

10. Data Breach Notification

The Processor shall notify the Controller without undue delay upon becoming aware of a personal data breach affecting data processed on behalf of the Controller.

11. Assistance to the Controller

The Processor shall provide reasonable assistance to the Controller in relation to:

  • data subject access requests
  • data protection impact assessments
  • regulatory enquiries where relevant to processing

12. Data Retention and Deletion

Upon termination of the service agreement, the Processor shall delete or return personal data to the Controller unless retention is required by law.

13. Audit and Compliance

The Processor shall make available information necessary to demonstrate compliance with this agreement where reasonably requested by the Controller.

14. Duration

This DPA remains in effect for the duration of the service agreement between the parties.

Obligations relating to confidentiality and data protection shall continue after termination where personal data remains in processing.

This Data Processing Agreement forms part of the contractual relationship between SERVADRA COMPANY LIMITED and its clients where personal data is processed on behalf of the client organisation.