Updated: May 15, 2026

Data Processing Agreement

The standard data-processing terms under which Exoserva processes customer data on your behalf, as required by GDPR Article 28 and CCPA service-provider rules.

1. Overview

This Data Processing Agreement (DPA) supplements the Terms of Service and forms part of the contract between you (the Customer, acting as the data controller) and Exoserva (acting as the data processor). It governs how Exoserva processes Personal Data on your behalf when you use the platform. The full security posture is described separately on Security & Trust.

2. Definitions

  • Personal Data: any information relating to an identified or identifiable natural person that the Customer routes through the platform — typically end-customer contact details, job descriptions, conversation transcripts, and payment metadata.
  • Controller / Processor: per GDPR Article 4(7)–(8); the Customer determines the purposes and means of processing, and Exoserva processes on the Customer's documented instructions.
  • Sub-processor: a third party engaged by Exoserva to process Personal Data on the Customer's behalf. The current list is maintained at /sub-processors.
  • Standard Contractual Clauses (SCCs): the European Commission's 2021/914 SCCs incorporated by reference for any transfer of Personal Data outside the EEA.

3. Processor Role and Instructions

As your data processor, Exoserva will:

  • Process Personal Data only on your documented instructions, including those given through the platform configuration (e.g. enabling AI features, configuring data retention).
  • Ensure that personnel with access to Personal Data are bound by confidentiality and trained in secure handling.
  • Provide reasonable assistance to help you meet your obligations under GDPR Articles 32 to 36 (security, breach notification, impact assessments, regulator consultation).
  • Promptly notify you if, in our opinion, an instruction infringes applicable data protection law.
  • Make available to you the information necessary to demonstrate compliance with this DPA, including, where reasonable, allowing for and contributing to audits.

This DPA gives effect to Article 28 of the GDPR for any Customer subject to it, and to the corresponding service-provider rules under the CCPA and similar laws.

4. Sub-processors

You consent to Exoserva engaging the sub-processors listed at /sub-processors. Each sub-processor is bound by a written contract containing terms substantially the same as those in this DPA. Exoserva remains fully liable to you for any sub-processor failure. We will notify you of any intended changes at least 30 days in advance and you may object on reasonable data-protection grounds.

5. Technical and Organisational Measures

Exoserva implements appropriate technical and organisational measures (TOMs) per GDPR Article 32. The full list is described in our Security & Trust page — encryption at rest and in transit, per-tenant key envelopes, role-based access control, two-factor authentication, incident-response process, and a compliance roadmap covering SOC 2 / ISO 27001 / HIPAA-compatible controls.

6. Breach Notification

Exoserva will notify you in writing of a confirmed Personal Data breach affecting your tenant without undue delay and, where feasible, within 72 hours of becoming aware (mirroring the GDPR Article 33 timeline regardless of your jurisdiction). The notice will include the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address and mitigate it.

7. Data Subject Requests

Taking into account the nature of the processing, Exoserva will provide reasonable assistance to help you respond to data subject requests under Chapter III of the GDPR (access, rectification, erasure, restriction, portability, objection). Most requests are self-service through your tenant administration; for cases that require Exoserva intervention, please contact privacy@exoserva.com.

8. International Transfers

Personal Data is hosted in the United States by default. Where Personal Data is transferred from the EEA, UK, or Switzerland to a country without an adequacy decision, such transfer is governed by the European Commission's 2021/914 Standard Contractual Clauses, incorporated by reference into this DPA, with the UK Addendum and the Swiss FDPIC supplement applied where relevant.

9. Term and Data Deletion

This DPA remains in force for as long as Exoserva processes Personal Data on your behalf. Upon termination of the underlying agreement, Exoserva will, at your option, return or delete all Personal Data within thirty (30) days, except where retention is required by applicable law. Backups containing Personal Data follow a defined retention schedule and are deleted in the ordinary course.

10. Contact and Signature

Customers signing up through the platform accept this DPA as part of the Terms of Service. Enterprise customers that require a counter-signed copy on company letterhead can request one from privacy@exoserva.com; please include the legal entity name and the name and title of the signatory.