Data Processing Agreement
This Data Processing Agreement (“DPA”) is entered into between ServGrid Ltd (“Processor”) and the organisation registering for the Service (“Controller”). It supplements the Terms of Service and governs the processing of personal data under GDPR (EU 2016/679) Article 28.
1. Subject Matter and Duration
The Processor provides a software-as-a-service platform for service catalog management. This DPA applies for the duration of the Controller account and terminates when the account is deleted or the Terms of Service expire.
2. Nature and Purpose of Processing
The Processor processes personal data on behalf of the Controller solely to provide the agreed service functions: user authentication, service catalog storage, notifications, and reporting. Processing is limited to what is necessary for these purposes.
3. Categories of Data and Data Subjects
Data subjects: staff members and customer representatives of the Controller. Categories: names, email addresses, role information, and usage metadata entered by the Controller into the platform.
The Controller must not upload special category personal data (GDPR Art. 9) to the platform on the Community or Trial tier.
4. Processor Obligations
- Process personal data only on documented instructions from the Controller
- Ensure persons authorised to process data are bound by confidentiality
- Implement appropriate technical and organisational measures (see our Privacy Policy)
- Assist the Controller with data subject rights requests within 30 days
- Delete or return all personal data upon termination of the service
- Make available all information necessary to demonstrate compliance
5. Sub-processors
The Processor uses the following sub-processors:
- Google Cloud Platform (Cloud Run, Cloud SQL, Cloud Storage) — EU (Finland, europe-north1). DPA
The Controller accepts these sub-processors by accepting this DPA. The Processor will notify the Controller of any changes to sub-processors at least 14 days in advance via email.
6. Data Transfers
All personal data is stored in the European Economic Area (GCP europe-north1, Finland). No transfers outside the EEA occur unless explicitly agreed in writing.
7. Security Measures
The Processor has implemented: TLS 1.2+ in transit, GCP-managed encryption at rest, access controls, brute-force lockout, session management, audit logging, and field-level encryption for sensitive credentials.
8. Audit Rights
On the Community and Trial tiers, audit rights are satisfied by the Processor providing this documentation and responding to written queries at privacy@servgrid.net. On-site audits are available on the Enterprise tier.
9. Acceptance
This DPA is accepted electronically when the Controller accepts it during account registration. The acceptance is recorded with a timestamp. For Enterprise tier DPAs with custom terms, contact privacy@servgrid.net.
10. Contact
Data Protection queries: privacy@servgrid.net