Serova Data‑Processing Addendum (DPA)

Version 2025-09-18 · v1.0

(Incorporated by reference into the Serova Assistant Terms & Conditions and Master Terms of Service.)

1. Parties

"Company"Serova OÜ (reg 17252303), Soo 2, 10414 Tallinn, Estonia, info@serova.ai.

"Customer" — The legal entity or individual that activates a Serova AI assistant ("Service") and agrees to the underlying agreement (the "Main Agreement").


2. Definitions

  • "Applicable Law" — EU GDPR, South‑African POPIA, and any local privacy laws that apply to Customer Data.
  • "Customer Data" — personal data processed via the Service (WhatsApp messages, voice notes, images, phone numbers, profile names).
  • "Sub‑processor" — third‑party processor engaged by Company.

3. Roles & Scope

  • The parties acknowledge that Customer is the Controller and Company is the Processor of Customer Data.
  • This DPA applies solely to processing performed in connection with the Service and supersedes any conflicting data‑processing terms in the Main Agreement.

4. Purpose & Nature of Processing

Item | Detail
Subject‑matter | Moderation, Q&A, workflow automation inside WhatsApp chats.
Duration | Term of the Main Agreement + up to 30 days post‑termination for deletion.
Types of personal data | WhatsApp phone number (hashed for AI calls), profile display name, message text, voice‑note audio, images, timestamps.
Data subjects | WhatsApp group members, admins, end‑users.
Frequency | Continuous, real‑time processing.
Processing activities | Receipt, storage, transformation (ASR/OCR), classification, alerting, deletion.
Retention | Raw content ≤ 36 months; aggregated analytics ≤ 5 years; may be extended if legally required.
No model training | Company shall not use Customer Data to train or fine‑tune any machine‑learning models without the Customer's prior written consent.

5. Security Measures

Company implements the technical and organisational measures summarised below (full document available on request):

  • AES‑256 encryption at rest; TLS 1.3 in transit.
  • PII tokenisation: phone numbers & names hashed with salt before external AI calls.
  • Role‑based access control; MFA for privileged users.
  • Monthly vulnerability scanning; annual third‑party penetration test.
  • 99% monthly uptime target; geographically redundant EU data centres (AWS eu‑central‑1 + eu‑west‑1).
  • 24h internal incident‑response SLA.

6. Sub‑processors

Provider | Function | Location | Safeguard
Meta (WhatsApp) | Message transport | Various | End‑to‑end encryption; Meta DPA
360dialog | WhatsApp BSP (API relay) | EU & US | Standard Contractual Clauses (SCC)
OpenAI (Whisper / GPT) | ASR & language model | US | SCC + de‑identification
Amazon Web Services | Hosting | EU | ISO 27001; SCC not required (EU region)
SendGrid | Transactional email | US | SCC

Company will notify Customer at least 30 days before adding or replacing a Sub‑processor, giving Customer the right to object on reasonable grounds.


7. International Transfers

  • Customer Data is stored in the EU.
  • When Company transfers Customer Data to a Sub‑processor outside the EEA, it relies on SCCs or an EU adequacy decision.
  • De‑identification is applied before any transfer to non‑adequate countries.

8. Data Subject Rights & Requests

Company shall assist Customer in fulfilling data‑subject requests (access, correction, deletion, portability, objection). Company will notify Customer without undue delay if it receives a request directly.


9. Personal‑Data Breach

Company will notify Customer without undue delay and, in any event, within 24 hours of confirming a personal‑data breach. Notification will include the nature of the breach, likely consequences, and remediation steps.


10. Audits

Upon written request once per calendar year, Company will provide (i) a summary copy of its latest penetration‑test report and (ii) a signed statement of compliance. On‑site audits available at Customer's expense with 30 days' notice.


11. Return & Deletion

Within 30 days of termination, Company will (at Customer's choice) delete or return all Customer Data. Any backups will be securely deleted within a further 30 days.


12. Liability

Liability limits in the Main Agreement apply equally to this DPA.


13. Governing Law

This DPA is governed by Estonian law and is subject to the dispute‑resolution clause in the Main Agreement.


Signed electronically by authorised representatives upon acceptance of the Main Agreement.