
Serval Legal
The information provided here is for Serval customers and users who have questions about our terms, policies, intellectual property, and compliance.
Data Processing Addendum
This Data Processing Addendum (including its Exhibits) (“Addendum”) forms part of and is subject to the terms and conditions of the Serval Master Services Agreement (the “Agreement”) by and between Customer and Serval.
1. SUBJECT MATTER AND DURATION.
1.1. Subject Matter.
This Addendum reflects the parties’ commitment to abide by Data Protection Laws concerning the Processing of Customer Personal Data in connection with Serval’s execution of the Agreement. All capitalized terms that are not expressly defined in this Addendum will have the meanings given to them in the Agreement. If and to the extent language in this Addendum or any of its Exhibits conflicts with the Agreement, this Addendum shall control.
1.2. Duration and Survival.
This Addendum will become legally binding upon the effective date of the Agreement or upon the date that the parties sign this Addendum if it is executed after the effective date of the Agreement. Serval will Process Customer Personal Data until the relationship terminates as specified in the Agreement.
2. DEFINITIONS.
For the purposes of this Addendum, the following terms and those defined within the body of this Addendum apply.
2.1. “Customer Personal Data” means all Personal Data contained within Customer Materials Processed by Serval on behalf of Customer.
2.2. “Data Protection Laws” means the applicable data privacy, data protection, and cybersecurity laws, rules and regulations to which the Customer Personal Data are subject. “Data Protection Laws” may include, but are not limited to, the California Consumer Privacy Act of 2018 (as amended by the California Privacy Rights Act) (“CCPA”); any other applicable U.S. state data privacy or data protection law; the EU General Data Protection Regulation 2016/679 (“GDPR”) and its respective national implementing legislations; the Swiss Federal Act on Data Protection; the United Kingdom General Data Protection Regulation; and the United Kingdom Data Protection Act 2018 (in each case, as amended, adopted, or superseded from time to time), in each case solely to the extent applicable to Serval’s Processing of Customer Personal Data.
2.3. “Personal Data” has the meaning assigned to the term “personal data” or “personal information” under applicable Data Protection Laws and in any event, includes any information that identifies or could reasonably be used to identify a natural person.
2.4. “Process” or “Processing” means any operation or set of operations which is performed on Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
2.5. “Security Incident(s)” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data attributable to Serval or its Subprocessor(s).
2.6. “Subprocessor(s)” means Serval’s authorized vendors and third-party service providers that Process Customer Personal Data on behalf of Serval in connection with the provision of the Services.
3. PROCESSING TERMS FOR CUSTOMER PERSONAL DATA.
3.1. Documented Instructions.
Serval shall Process Customer Personal Data only on the documented instructions of Customer, including with respect to transfers of Personal Data to a third country, as set forth in the Agreement, this Addendum, any applicable Statement of Work, and any further documented instructions mutually agreed by the parties in writing. Serval will, unless legally prohibited from doing so, inform Customer in writing if it reasonably believes that any instruction from Customer infringes applicable Data Protection Laws.
3.2. Authorization to Use Subprocessors.
To the extent necessary to fulfill Serval’s contractual obligations under the Agreement, Customer hereby provides general written authorization to Serval to engage Subprocessors.
3.3. Serval and Subprocessor Compliance.
Serval shall (i) enter into a written agreement with Subprocessors regarding such Subprocessors’ Processing of Customer Personal Data that imposes on such Subprocessors data protection requirements for Customer Personal Data that are no less protective than or consistent with those set out in this Addendum; and (ii) remain responsible to Customer for Serval’s Subprocessors’ failure to perform their obligations with respect to the Processing of Customer Personal Data.
3.4. Right to Object to Subprocessors.
Where required by Data Protection Laws, Serval will notify Customer prior to engaging any new Subprocessors that Process Customer Personal Data by updating its Subprocessor list available at: trust.serval.com (“Subprocessor Website”). The Subprocessor Website also contains a mechanism for Customer to subscribe to notifications of new Subprocessors. If Customer subscribes to such notifications, Serval will email Customer new Subprocessor notifications at the email address provided. Serval will allow Customer fifteen (15) days to object to the new Subprocessor(s) after notice has been provided on the Subprocessor Website (the “Objection Window”). Customer may reasonably object to a new Subprocessor only if such Subprocessor would cause (i) Customer to be in material breach of Data Protection Laws, or (ii) Serval to be in breach of Section 3.3 of this Addendum. If Customer objects to the appointment of a new Subprocessor during the Objection Window as contemplated in the preceding sentence, then Serval will (a) resolve the grounds for the objection, or (b) not allow the new Subprocessor to Process Customer Personal Data.
3.5. Confidentiality.
Any person authorized to Process Customer Personal Data must be subject to a duty of confidentiality, contractually agree to maintain the confidentiality of such information, or be under an appropriate statutory obligation of confidentiality.
3.6. Personal Data Inquiries and Requests.
Serval agrees to provide reasonable assistance and comply with reasonable instructions from Customer related to any requests from individuals exercising their rights in Customer Personal Data granted to them under Data Protection Laws.
3.7. Data Protection Assessment, Data Protection Impact Assessment, and Prior Consultation.
Where required by Data Protection Laws, Serval agrees to provide reasonable assistance and information to Customer where, in Customer’s judgement, the type of Processing performed by Serval requires a data protection assessment, data protection impact assessment, and/or prior consultation with the relevant data protection authorities. Customer shall reimburse Serval for non-negligible costs Serval incurs in performing its obligations under this Section beyond Serval’s standard support obligations.
3.8. Demonstrable Compliance.
Serval agrees to provide information reasonably necessary to demonstrate compliance with this Addendum upon Customer’s reasonable request.
3.9. California Specific Terms.
To the extent that Serval’s Processing of Customer Personal Data is subject to the CCPA, this Section shall also apply. Customer discloses or otherwise makes available Customer Personal Data to Serval for the limited and specific purpose of Serval providing the Services to Customer in accordance with the Agreement and this Addendum. Serval shall: (i) comply with its applicable obligations under the CCPA; (ii) provide the same level of protection as required under the CCPA; (iii) notify Customer if it can no longer meet its obligations under the CCPA; (iv) not “sell” or “share” (as such terms are defined by the CCPA) Customer Personal Data; (v) not retain, use, or disclose Customer Personal Data for any purpose (including any commercial purpose) other than to provide the Services under the Agreement or as otherwise permitted under the CCPA; (vi) not retain, use, or disclose Customer Personal Data outside of the direct business relationship between Customer and Serval; and (vii) unless otherwise permitted by the CCPA, not combine Customer Personal Data with Personal Data that Serval (a) receives from, or on behalf of, another person, or (b) collects from its own, independent consumer interaction. Customer may: (1) take reasonable and appropriate steps agreed upon by the parties to help ensure that Serval Processes Customer Personal Data in a manner consistent with Customer’s CCPA obligations; and (2) upon notice, take reasonable and appropriate steps agreed upon by the parties to stop and remediate unauthorized Processing of Customer Personal Data by Serval.
3.10. Service Optimization.
Serval may process Customer Personal Data: (i) for its internal operational purposes necessary to provide, maintain, and support the Services, including responding to support requests, diagnosing and resolving technical issues, and maintaining the security and integrity of the Services; (ii) to detect Security Incidents; and (iii) to protect against fraudulent or illegal activity. For the avoidance of doubt, Serval shall not Process Customer Personal Data to develop, train, or improve machine learning or artificial intelligence models or algorithms for use beyond the provision of the Services to Customer.
3.11. Aggregation and De-Identification/Anonymization.
Serval may: (i) compile aggregated, de-identified, and/or anonymized information in connection with providing the Services provided that such information cannot reasonably be used to identify Customer or any data subject to whom Customer Personal Data relates (“Aggregated, De-Identified, and/or Anonymized Data”); and (ii) use Aggregated, De-Identified, and/or Anonymized Data for its lawful business purposes.
4. INFORMATION SECURITY PROGRAM.
Serval shall implement and maintain reasonable administrative, technical, and physical safeguards designed to protect Customer Personal Data from Security Incidents. Serval’s current security measures are described at trust.serval.com and include the controls validated by Serval’s SOC 2 report. Serval shall not materially decrease the overall security of the Services during the term of the Agreement.
5. SECURITY INCIDENTS.
5.1. Notice.
Upon confirming a Security Incident has occurred, Serval shall provide written notice without undue delay and within seventy-two (72) hours to Customer’s Designated POC. To the extent then known, such notice will include: (i) the nature of the Security Incident, including the categories and approximate number of data subjects and records concerned; (ii) the measures taken or proposed to address the Security Incident; and (iii) a contact point from whom Customer may obtain further information. Where Serval cannot provide all information simultaneously, it shall provide information in phases without undue delay.
5.2. Investigation.
Serval shall use commercially reasonable efforts to investigate the Security Incident and provide Customer with information concerning the scope, cause, impact of, and remediation measures referenced in Section 5.3 below taken with respect to such Security Incident upon the initial notification referenced in Section 5.1 above, or, if not available at such time, promptly thereafter upon Customer’s written request.
5.3. Remediation.
Serval shall use commercially reasonable efforts to remediate the Security Incident as it relates to Serval’s impacted systems.
5.4. Exceptions.
Serval will not have any obligations under Section(s) 5.2 – 5.3 if a Security Incident is attributable to Customer.
6. CROSS-BORDER TRANSFERS OF CUSTOMER PERSONAL DATA.
6.1. Cross-Border Transfers of Customer Personal Data.
Customer authorizes Serval and its Subprocessors to transfer Customer Personal Data across international borders, including from the European Economic Area, Switzerland, and/or the United Kingdom to the United States.
6.2. EEA, Swiss, and UK Standard Contractual Clauses.
If Customer Personal Data originating in the European Economic Area, Switzerland, and/or the United Kingdom is transferred by Customer to Serval in a country that has not been found to provide an adequate level of protection under applicable Data Protection Laws, the parties agree that the transfer shall be governed by the Annex to the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“Standard Contractual Clauses”) as supplemented by Exhibit A attached hereto, the terms of which are incorporated herein by reference. Where the Standard Contractual Clauses are applicable and Customer acts as a controller of Customer Personal Data with Serval acting as a processor of Customer Personal Data, each party shall comply with its obligations under Module Two of the Standard Contractual Clauses. Where the Standard Contractual Clauses are applicable and Customer acts as a processor of Customer Personal Data with Serval acting as a (sub)processor of Customer Personal Data, each party shall comply with its obligations under Module Three of the Standard Contractual Clauses. Each party’s execution of the Agreement or the Addendum (as applicable) shall be considered a signature to the Standard Contractual Clauses to the extent that the Standard Contractual Clauses apply hereunder.
7. AUDITS AND ASSESSMENTS.
Where Data Protection Laws afford Customer an audit or assessment right, Customer (or its appointed representative) may carry out an audit or assessment of Serval’s policies, procedures, and records relevant to the Processing of Customer Personal Data. Any audit or assessment must be: (i) conducted during Serval’s regular business hours; (ii) with reasonable advance notice to Serval; (iii) carried out in a manner that prevents unnecessary disruption to Serval’s operations; and (iv) subject to reasonable confidentiality procedures. In addition, any audit or assessment shall be limited to once per year, unless an audit or assessment is carried out at the direction of a government authority having proper jurisdiction. To satisfy its audit obligations under this Section, Serval shall make available to Customer, upon request, copies of relevant third-party audit reports or certifications (such as SOC 2 Type II reports), subject to reasonable confidentiality restrictions. Customer agrees that the provision of such reports shall satisfy Customer’s audit rights under this Section unless Customer can demonstrate, in writing, that the report does not adequately address Customer’s specific compliance concerns, in which case Customer may exercise its on-site audit rights as described above, at Customer’s sole cost and expense.
8. CUSTOMER PERSONAL DATA RETRIEVAL AND DELETION.
Customer may retrieve Customer Personal Data through the standard functionality of the Services during the term of the Agreement. At the expiry or termination of the Agreement, Serval will delete all Customer Personal Data (excluding any backup or archival copies which shall be deleted no later than ninety (90) days after expiry or termination), except where Serval is required to retain copies under applicable laws, in which case Serval will isolate and protect that Customer Personal Data from any further Processing except to the extent required by applicable laws. Serval shall confirm deletion in writing upon Customer’s written request.
9. PROCESSING DETAILS.
9.1. Subject Matter.
The subject matter of the Processing is the provision of Serval’s AI-native IT service management platform, including help desk ticketing, knowledge base queries, access provisioning, workflow automation, and related support services, pursuant to the Agreement.
9.2. Duration.
The Processing will continue until the expiration or termination of the Agreement.
9.3. Categories of Data Subjects.
Customer’s employees, contractors, and other authorized users of Customer’s IT systems who interact with the Services.
9.4. Nature and Purpose of the Processing.
The Processing is carried out for the purpose of providing the Services, including: receiving and routing help desk requests; querying knowledge bases; executing automated workflows at Customer’s direction; provisioning and deprovisioning access to Customer’s designated applications; and related operational support.
9.5. Types of Customer Personal Data.
Contact and professional information (name, email address, employee ID, job title, department); IT help desk ticket content including communications submitted through the Services; access management records including application entitlements and approval records; and any other Personal Data submitted to the Services by or on behalf of Customer.
CONTACT INFORMATION.
Customer and Serval agree to designate a point of contact for urgent privacy and security issues (a “Designated POC”). The Designated POC for each party is:
Customer Designated POC: As set forth in the order form.
Serval Designated POC: security@serval.com
EXHIBIT A TO THE DATA PROCESSING ADDENDUM
This Exhibit A forms part of the Addendum and supplements the Standard Contractual Clauses. Capitalized terms not defined in this Exhibit A have the meaning set forth in the Addendum.
The parties agree that the following terms shall supplement the Standard Contractual Clauses:
1. SUPPLEMENTAL TERMS.
The parties agree that: (i) a new Clause 1(e) is added to the Standard Contractual Clauses which shall read: “To the extent applicable hereunder, these Clauses also apply mutatis mutandis to the Parties’ processing of personal data that is subject to the Swiss Federal Act on Data Protection. Where applicable, references to EU Member State law or EU supervisory authorities shall be modified to include the appropriate reference under Swiss law as it relates to transfers of personal data that are subject to the Swiss Federal Act on Data Protection.”; (ii) a new Clause 1(f) is added to the Standard Contractual Clauses which shall read: “To the extent applicable hereunder, these Clauses, as supplemented by Annex III, also apply mutatis mutandis to the Parties’ processing of personal data that is subject to UK Data Protection Laws (as defined in Annex III).”; (iii) the optional text in Clause 7 is deleted; (iv) Option 1 in Clause 9 is struck and Option 2 is kept, and data importer must notify data exporter of any new subprocessors in accordance with Section 3.4 of the Addendum; (v) the optional text in Clause 11 is deleted; and (vi) in Clauses 17 and 18, the governing law and the competent courts are those of Ireland (for EEA transfers), Switzerland (for Swiss transfers), or England and Wales (for UK transfers).
2. ANNEX I.
Annex I to the Standard Contractual Clauses shall read as follows:
A. List of Parties
Data Exporter: Customer.
Address: As set forth in the Notices section of the Agreement.
Contact person’s name, position, and contact details: Customer Designated POC.
Activities relevant to the data transferred under these Clauses: The Services.
Role: Controller.
Data Importer: Serval.
Address: As set forth in the Notices section of the Agreement.
Contact person’s name, position, and contact details: Serval Designated POC.
Activities relevant to the data transferred under these Clauses: The Services.
Role: Processor.
B. Description of the Transfer:
Categories of data subjects whose personal data is transferred: The categories of data subjects whose personal data is transferred under the Clauses including, but not limited to, users of data exporter’s or its client’s IT systems.
Categories of personal data transferred: Data exporter may submit personal data to the Services, the extent of which is determined and controlled by data exporter in its sole discretion, and which may include, but is not limited to the following categories of personal data: name, email address, phone number, professional details.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: Any sensitive data that is transferred under the Clauses, the extent of which is determined and controlled by data exporter in its sole discretion.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Personal data is transferred in accordance with the standard functionality of the Services, or as otherwise agreed upon by the parties.
Nature of the processing: The Services.
Purpose(s) of the data transfer and further processing: The Services.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: Data importer will retain personal data in accordance with the Addendum.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: For the subject matter, nature, and duration as described in Section 9 of the Addendum.
C. Competent Supervisory Authority:
The supervisory authority mandated by Clause 13. If no supervisory authority is mandated by Clause 13, then the Irish Data Protection Commission (DPC), and if this is not possible, then as otherwise agreed by the parties consistent with the conditions set forth in Clause
D. Clarifying Terms:
The parties agree that: (i) the certification of deletion required by Clause 8.5 and Clause 16(d) of the Clauses will be provided upon data exporter’s written request; (ii) the measures data importer is required to take under Clause 8.6(c) of the Clauses will only cover data importer’s impacted systems; (iii) the audit described in Clause 8.9 of the Clauses shall be carried out in accordance with Section 7 of the Addendum; (iv) the termination right contemplated by Clause 14(f) and Clause 16(c) of the Clauses will be limited to the termination of the Clauses; (v) unless otherwise stated by data importer, data exporter will be responsible for communicating with data subjects pursuant to Clause 15.1(a) of the Clauses; and (vi) the information required under Clause 15.1(c) of the Clauses will be provided upon data exporter’s written request.
3. ANNEX II.
Annex II of the Standard Contractual Clauses shall read as follows:
Data importer shall implement and maintain technical and organizational measures designed to protect personal data in accordance with the Addendum.
Pursuant to Clause 10(b), data importer will provide data exporter assistance with data subject requests in accordance with the Addendum.
4. ANNEX III.
A new Annex III shall be added to the Standard Contractual Clauses and shall read as follows:
The UK Information Commissioner’s Office International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (“UK Addendum”) is incorporated herein by reference.
Table 1: The start date in Table 1 is the effective date of the Addendum. All other information required by Table 1 is set forth in Annex I, Section A of the Clauses.
Table 2: The UK Addendum forms part of the version of the Approved EU SCCs which this UK Addendum is appended to including the Appendix Information, effective as of the effective date of the Addendum.
Table 3: The information required by Table 3 is set forth in Annex I and II to the Clauses.
Table 4: The parties agree that Importer may end the UK Addendum as set out in Section 19.