
Data Processing Agreement

Effective date: April 1, 2026

This DPA applies automatically when you use Servegalo to process personal data of individuals located in the European Economic Area (EEA) or United Kingdom. No separate signature is required — it is incorporated into your Terms of Service by reference.

1. Definitions

  • "Controller" means you, the Servegalo account holder, who determines the purposes and means of processing personal data.
  • "Processor" means Servegalo, Inc., acting on your instructions.
  • "Personal Data", "Processing", "Data Subject", and "Supervisory Authority" have the meanings given in the GDPR.
  • "GDPR" means Regulation (EU) 2016/679 and, where applicable, the UK GDPR as defined in the UK Data Protection Act 2018.

2. Roles and Scope

You are the Controller of personal data relating to your end-clients (e.g. names, phone numbers, email addresses, appointment history) entered into or processed by the platform. Servegalo acts as Processor when processing such data on your behalf.

3. Processor Obligations

Servegalo agrees to:

  • Process personal data only on documented instructions from you, unless required by applicable law.
  • Ensure that personnel authorised to process the data are bound by confidentiality obligations.
  • Implement appropriate technical and organisational security measures as required by Article 32 of the GDPR.
  • Not engage sub-processors without your prior general or specific authorisation.
  • Assist you in responding to Data Subject requests within the timeframes set by the GDPR.
  • Notify you without undue delay (and within 72 hours where feasible) upon becoming aware of a Personal Data Breach affecting your data.
  • Delete or return all personal data upon termination of the Services, at your option.
  • Make available all information necessary to demonstrate compliance and allow for audits on reasonable notice.

4. Your Obligations as Controller

You agree to:

  • Ensure you have a lawful basis for all personal data you provide to Servegalo for processing.
  • Provide all required privacy notices to data subjects.
  • Respond to data subject requests in a timely manner.
  • Notify Servegalo promptly if any instructions would cause Servegalo to violate applicable law.

5. Sub-processors

You grant general authorisation for Servegalo to engage the following sub-processors. We will notify you of any changes to this list with at least 10 days' notice, giving you the opportunity to object.

| Sub-processor | Purpose | Location |
|---|---|---|
| Google Cloud / Firebase | Database, authentication, and hosting infrastructure | USA (us-central1) |
| Twilio Inc. | SMS delivery and inbound message handling | USA |
| Amazon Web Services (SES) | Transactional email delivery | USA (us-east-1) |
| Stripe Inc. | Payment processing | USA |
| Anthropic PBC | AI receptionist and chat features | USA |

6. International Transfers

Where personal data is transferred from the EEA or UK to the USA, such transfers are made on the basis of the EU Standard Contractual Clauses (Module 2: Controller to Processor) as adopted by the European Commission, which are incorporated into this DPA by reference. For UK transfers, the UK International Data Transfer Addendum (IDTA) applies.

7. Security Measures

Servegalo implements and maintains the following measures, at minimum:

  • Encryption of personal data in transit (TLS 1.2+) and at rest (AES-256).
  • Role-based access controls and least-privilege principles.
  • Multi-factor authentication for administrative access.
  • Automated security monitoring and alerting.
  • Regular penetration testing and vulnerability assessments.
  • Formal incident response procedures.

8. Data Breach Notification

In the event of a Personal Data Breach, Servegalo will notify you at the email address on your account without undue delay. The notification will include, to the extent known: the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.

9. Data Subject Rights

Where Servegalo receives a data subject request directly, it will promptly forward the request to you. Servegalo will assist you, taking into account the nature of the processing, in fulfilling your obligations to respond to such requests.

10. Termination

Upon termination of the Services, Servegalo will, at your election, delete or return all personal data processed on your behalf, and delete existing copies unless retention is required by applicable law.

11. Governing Law

This DPA is governed by the same law as the Terms of Service, except to the extent required otherwise by applicable data protection law.

12. Contact

Data protection enquiries: privacy@servegalo.com

© 2026 Servegalo, Inc. All rights reserved.
