Updated: May 15, 2026

Data Processing Agreement

The standard data-processing terms under which Exoserva processes customer data on your behalf, as required by GDPR Article 28 and CCPA service-provider rules.

1. Overview

This Data Processing Agreement (DPA) supplements the Terms of Service and forms part of the contract between you (the Customer, acting as the data controller) and Exoserva (acting as the data processor). It governs how Exoserva processes Personal Data on your behalf when you use the platform. The full security posture is described separately on Security & Trust.

2. Definitions

  • Personal Data: any information relating to an identified or identifiable natural person that the Customer routes through the platform — typically end-customer contact details, job descriptions, conversation transcripts, and payment metadata.
  • Controller / Processor: per GDPR Article 4(7)–(8); the Customer determines the purposes and means of processing, and Exoserva processes on the Customer's documented instructions.
  • Sub-processor: a third party engaged by Exoserva to process Personal Data on the Customer's behalf. The current list is maintained at /sub-processors.
  • Standard Contractual Clauses (SCCs): the European Commission's 2021/914 SCCs incorporated by reference for any transfer of Personal Data outside the EEA.

3. Processor Role and Instructions

As your data processor, Exoserva will:

  • Process Personal Data only on your documented instructions, including those given through the platform configuration (e.g. enabling AI features, configuring data retention).
  • Ensure that personnel with access to Personal Data are bound by confidentiality and trained in secure handling.
  • Provide reasonable assistance to help you meet your obligations under GDPR Articles 32 to 36 (security, breach notification, impact assessments, regulator consultation).
  • Promptly notify you if, in our opinion, an instruction infringes applicable data protection law.
  • Make available to you the information necessary to demonstrate compliance with this DPA, including, where reasonable, allowing for and contributing to audits.

This DPA gives effect to Article 28 of the GDPR for any Customer subject to it, and to the corresponding service-provider rules under the CCPA and similar laws.

4. Sub-processors

You consent to Exoserva engaging the sub-processors listed at /sub-processors. Each sub-processor is bound by a written contract containing terms substantially the same as those in this DPA. Exoserva remains fully liable to you for any sub-processor failure. We will notify you of any intended changes at least 30 days in advance and you may object on reasonable data-protection grounds.

5. Technical and Organisational Measures

Exoserva implements appropriate technical and organisational measures (TOMs) per GDPR Article 32. The full list is described in our Security & Trust page — encryption at rest and in transit, per-tenant key envelopes, role-based access control, two-factor authentication, incident-response process, and a compliance roadmap covering SOC 2 / ISO 27001 / HIPAA-compatible controls.

6. Breach Notification

Exoserva will notify you in writing of a confirmed Personal Data breach affecting your tenant without undue delay and, where feasible, within 72 hours of becoming aware (mirroring the GDPR Article 33 timeline regardless of your jurisdiction). The notice will include the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address and mitigate it.

7. Data Subject Requests

Taking into account the nature of the processing, Exoserva will provide reasonable assistance to help you respond to data subject requests under Chapter III of the GDPR (access, rectification, erasure, restriction, portability, objection). Most requests are self-service through your tenant administration; for cases that require Exoserva intervention, please contact contact@exoserva.com.

8. International Transfers

Personal Data is hosted in the United States by default. Where Personal Data is transferred from the EEA, UK, or Switzerland to a country without an adequacy decision, such transfer is governed by the European Commission's 2021/914 Standard Contractual Clauses, incorporated by reference into this DPA, with the UK Addendum and the Swiss FDPIC supplement applied where relevant.

9. Term and Data Deletion

This DPA remains in force for as long as Exoserva processes Personal Data on your behalf. Upon termination of the underlying agreement, Exoserva will, at your option, return or delete all Personal Data within thirty (30) days, except where retention is required by applicable law. Backups containing Personal Data follow a defined retention schedule and are deleted in the ordinary course.

10. Subject Matter, Duration, and Categories

This Annex specifies the processing details required by GDPR Article 28(3) so that the DPA can stand on its own without reference to the underlying agreement for these particulars.

Subject matter

Provision of the Exoserva platform — a multi-tenant SaaS for field-service operations including customer-relationship management, scheduling and dispatch, voice and SMS communications, invoicing and payments, and AI-assisted workflow automation — on the Customer's behalf and under the Customer's documented instructions.

Duration

The duration of the processing is the term of the underlying agreement plus the retention period defined in Section 9 (return or deletion within thirty (30) days of termination, with backups deleted in the ordinary course on their defined schedule), and any longer period required by applicable law.

Nature and purpose

Collection, storage, organisation, retrieval, transmission, and erasure of Personal Data for the purposes of operating the Customer's field-service business through the platform — including call routing and recording, appointment scheduling, customer record management, invoice generation and payment processing, automated messaging, and AI-assisted analysis of operational data.

Categories of data subjects

  • The Customer's end customers, prospects, and leads (the contractor's clients who book or receive services).
  • The Customer's employees, contractors, and field technicians who use the platform as authenticated users.
  • The Customer's vendors, sub-contractors, and other business contacts whose details are stored for operational purposes.
  • Authorised representatives of any of the above (e.g. property managers, building occupants, points of contact) who may appear in service records.

Categories of personal data

  • Identification & contact: name, email, phone numbers, postal and service addresses, role/title.
  • Authentication: hashed passwords, session tokens, two-factor secrets, OAuth identifiers for connected integrations.
  • Service & commercial: job records, estimates, invoices, payment history, scheduling history, equipment and property details supplied by the Customer.
  • Communications: SMS and email message content, voice-call recordings and AI-generated transcripts and summaries, in-platform conversation history.
  • Operational telemetry: geolocation (technician check-in / route data when enabled), device identifiers, access logs, audit trail entries.
  • Payment metadata: tokenised card references and Stripe customer identifiers; full PAN/CVV are processed by the payment processor and never stored on Exoserva systems.

Special categories of data (GDPR Art. 9) are not processed by the platform by design; if the Customer chooses to enter such data in free-text fields it does so on its own authority and remains the controller in respect of that data.

GDPR Article 28(3)(a)–(h) cross-reference

  • (a) process only on documented instructions: Section 3 (Processor Role and Instructions) — Exoserva processes Personal Data only on the Customer's documented instructions, including those given through the platform configuration.
  • (b) confidentiality: Section 3 — personnel with access to Personal Data are bound by confidentiality and trained in secure handling.
  • (c) security of processing: Section 5 (Technical and Organisational Measures) — Exoserva implements appropriate technical and organisational measures per GDPR Article 32; see the Security & Trust page for the full list.
  • (d) sub-processors: Section 4 — sub-processors are listed at /sub-processors; each is bound by a written contract with terms substantially the same as this DPA, and the Customer is notified of intended changes at least 30 days in advance.
  • (e) assist the controller with data-subject requests: Section 7 (Data Subject Requests) — Exoserva provides reasonable assistance to help the Customer respond to requests under GDPR Chapter III.
  • (f) assist the controller with security, breach notification, DPIAs, and prior consultation: Section 3 + Section 6 (Breach Notification) — Exoserva provides assistance under GDPR Articles 32–36, including breach notice without undue delay and within 72 hours of becoming aware.
  • (g) deletion or return of Personal Data: Section 9 (Term and Data Deletion) — at the Customer's option, Personal Data is returned or deleted within thirty (30) days of termination, except where retention is required by law.
  • (h) make available information and contribute to audits: Section 3 — Exoserva makes available to the Customer the information necessary to demonstrate compliance with this DPA, including allowing for and contributing to audits where reasonable.

11. Contact and Signature

Customers signing up through the platform accept this DPA as part of the Terms of Service. Enterprise customers that require a counter-signed copy on company letterhead can request one from contact@exoserva.com; please include the legal entity name and the name and title of the signatory.