Data Processing Agreement

This DPA binds your use of Serviceform by default.

By entering into a Service Agreement with Serviceform Oy — including by clicking "I agree", activating an account, signing in via SSO, or continuing to use the Services after the effective date shown above — the Customer accepts this Data Processing Agreement (and the EU Standard Contractual Clauses set out in the Annexes) as it exists from time to time. The current version is incorporated by reference into the Service Agreement. Enterprise Customers may request a counter-signed bespoke DPA; once such a custom DPA is executed by both parties, it supersedes this published version for that Customer only. Requests: asiakaspalvelu(at)serviceform.com.

1. Parties and definitions

This Data Processing Agreement ("DPA") is entered into between Serviceform Oy, business ID 2713896-6, Linnaistentie 20 B, 01640 Vantaa, Finland ("Serviceform" or the "Processor") and the customer that has entered into a Service Agreement with Serviceform (the "Customer" or the "Controller"). It forms part of, and is incorporated by reference into, the Service Agreement.

For the purposes of this DPA:

  • "Personal Data" has the meaning given to "personal data" under the GDPR and equivalent national law.
  • "Customer Data" means Personal Data that the Customer (or its end-users acting through the Services) provides to Serviceform, or that Serviceform processes on the Customer's behalf, in connection with the Services. Customer Data does not include (i) data that Serviceform processes as a controller, such as billing-contact details, support correspondence, security telemetry, audit logs and aggregated or anonymised data derived from use of the Services; or (ii) the configuration choices the Customer makes within the Services.
  • "Services" means the products and tools provided by Serviceform under the Service Agreement, including the Mira platform, embeddable widgets, the WordPress / WooCommerce plugin, the Shopify app, and mobile applications.
  • "Sub-processor" means any third party engaged by Serviceform to process Customer Data on Serviceform's behalf, as listed at /subprocessors.
  • "Data Subject", "Processing", "Personal Data Breach", "Special Categories of Personal Data" and "Supervisory Authority" have the meanings given in the GDPR.
  • "Data Protection Laws" is defined in Section 2.
  • "EU SCCs" means the Standard Contractual Clauses approved by Commission Implementing Decision (EU) 2021/914.

2. Subject matter and instructions

Serviceform processes personal data on behalf of the Customer to provide the Services described in the Service Agreement. Processing is carried out on the Customer's documented instructions, on the terms of this DPA, and in accordance with the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the Finnish Data Protection Act (Tietosuojalaki, 1050/2018), the Finnish Act on Electronic Communications Services (Sähköisen viestinnän palveluista annettu laki, 917/2014) and other applicable data-protection law (together, "Data Protection Laws"). If Serviceform considers that an instruction infringes Data Protection Laws, it will inform the Customer in writing without undue delay (Article 28(3)(h) GDPR).

3. Categories of data and data subjects

Categories of data subjects include website visitors, end-users and the Customer's staff. Categories of personal data include identity and contact details, technical identifiers, content of communications with Serviceform-powered tools, and other data the Customer chooses to collect through the Services. Special categories of data are not knowingly processed; the Customer must not submit them without a separate written annex.

4. Sub-processors

The Customer authorises Serviceform to engage sub-processors. Our sub-processors are listed at /subprocessors in two parts:

  • Core sub-processors — engaged for every Customer. The only core sub-processor is Google Cloud / Firebase hosted in Finland, which provides the underlying hosting, database and authentication infrastructure of the Services.
  • Optional sub-processors — engaged only when the Customer enables a feature, integration or configuration choice that requires them (for example, AI providers when AI features are enabled; Twilio when voice or SMS messaging is enabled; Meta when Meta business accounts are connected; Zapier when the Customer enables Zapier-based forwarding). The Customer may request a configuration that excludes any optional sub-processor.

Serviceform will give at least 30 days' notice of new sub-processors we control (or the longest period reasonably available where an upstream provider gives a shorter window) and the Customer may object on reasonable grounds in accordance with Data Protection Laws. Serviceform binds each sub-processor to data-protection obligations no less protective than those in this DPA and remains liable for sub-processor acts and omissions to the same extent as for its own.

Objection and exit. If the Customer objects on reasonable grounds, Serviceform will in good faith offer one of: (i) cancelling the use of the new sub-processor, (ii) implementing corrective steps, (iii) ceasing to provide the affected feature, or (iv) allowing the Customer to stop providing the relevant Customer Data. If none of these is commercially feasible and the objection cannot be resolved within thirty (30) days, either party may terminate the affected portion of the Service Agreement on written notice, and Serviceform will refund any pre-paid fees pro rata for the un-served period. Such termination is the Customer's sole and exclusive remedy in respect of the new sub-processor.

Agency, reseller and white-label arrangements. Where the Customer is an agency, reseller or white-label partner contracting on behalf of an underlying brand, the Customer warrants that it has authority to bind that brand to this DPA on the brand's behalf and that the brand is the underlying controller of the end-user data. Where Serviceform is engaged as the underlying controller's sub-processor (the Customer being its processor), this DPA is deemed entered into between Serviceform and the Customer in that capacity, and the brand may exercise the rights of a controller under it through the Customer.

5. International transfers

Personal data is processed primarily within the EEA. Limited transfers occur to (i) Serviceform Private Limited, our wholly-owned Sri Lanka subsidiary, on the basis of the EU Standard Contractual Clauses (Decision 2021/914) supported by a Transfer Impact Assessment, and (ii) Google LLC (United States) for support-only access to data hosted in EU regions, also under the SCCs. Where the Customer connects optional integrations to providers outside the EEA, the SCCs or another valid transfer mechanism apply.

6. Security measures

Serviceform implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including encryption in transit and at rest, role-based access control, multi-factor authentication for administrators, automatic redaction of personal data before forwarding to AI providers, vulnerability management, dependency scanning, periodic penetration testing and a documented incident-response process. Detailed measures are described in our Privacy Policy §16.

7. Confidentiality

Personnel authorised to process personal data are bound by written confidentiality obligations and receive periodic data-protection training.

8. Personal data breach notification

Serviceform notifies the Customer in writing without undue delay, and at the latest within 72 hours of becoming aware, of any personal data breach affecting Customer data, providing the information required under Article 33(3) GDPR. Serviceform reasonably assists the Customer in meeting its own breach-notification obligations.

9. Data-subject requests

Serviceform forwards any data-subject request it receives directly to the Customer without responding to it on the Customer's behalf, and provides reasonable technical and organisational assistance to enable the Customer to fulfil access, rectification, erasure, restriction, portability and objection requests.

10. Audit rights

On reasonable prior notice, no more than once per calendar year (and additionally where required by a supervisory authority or following a confirmed personal data breach), the Customer or an independent auditor it appoints may audit Serviceform's compliance with this DPA. The audit must be conducted during business hours, in a manner minimally disruptive to operations, subject to confidentiality, and at the Customer's expense. Serviceform may discharge audit obligations by providing summary third-party audit reports where available.

11. Term, data return and deletion

This DPA remains in force for the term of the Service Agreement. Default retention for lead and live-chat data is two (2) years from creation, or shorter if the Customer requests. On termination, Serviceform retains personal data for up to six (6) months unless otherwise agreed, after which all Customer personal data is returned or deleted at the Customer's discretion, except where applicable law requires longer retention.

12. Customer warranties and obligations

The Customer warrants and undertakes that:

  • it has, and will maintain throughout the term, a valid legal basis under Article 6 GDPR (and where applicable Article 9) for the processing it instructs;
  • it has provided all required privacy notices to data subjects and obtained all required consents, including for cookies and similar technologies in accordance with §205 of the Finnish Act on Electronic Communications Services (917/2014);
  • its instructions to Serviceform comply with Data Protection Laws;
  • it will not submit special-category data, payment-card data, or other regulated data without a written annex;
  • it acknowledges that the scope of sub-processors engaged in providing the Services depends on its configuration choices — that, in the default configuration, only the core sub-processor (Google Cloud / Firebase Finland) is engaged, and that any optional sub-processor (AI providers, messaging, integrations, third-party authentication, analytics, search) is engaged only because the Customer has enabled the corresponding feature or integration; and
  • it is responsible for the configuration choices it makes within the Services and for the lawful use of any output produced through the Services.

13. Customer indemnity

The Customer indemnifies and holds Serviceform harmless against any third-party claim, regulatory penalty, fine or loss arising from (i) the Customer's breach of Section 12, (ii) the Customer's instructions where Serviceform has notified the Customer of a concern under Section 2 and the Customer has nonetheless required performance, or (iii) the Customer's use of the Services in violation of Data Protection Laws or the Service Agreement. This indemnity is uncapped to the extent permitted by law.

14. Limitation of liability

To the maximum extent permitted by law, the aggregate liability of Serviceform under or in connection with this DPA, whether in contract, tort (including negligence) or otherwise, is limited to an amount equal to the fees paid by the Customer to Serviceform under the Service Agreement in the twelve (12) months preceding the event giving rise to the claim. Serviceform is not liable for indirect, consequential, special, incidental, exemplary or punitive damages, lost profits, lost revenue, lost data or business interruption. Nothing in this Section limits liability for (a) death or personal injury caused by negligence, (b) fraud or fraudulent misrepresentation, (c) gross negligence or wilful misconduct, or (d) any other liability that cannot be lawfully limited under applicable law, including direct statutory liability of a processor to a data subject under Article 82 GDPR.

15. Force majeure

Neither party is liable for failure or delay in performance to the extent caused by events beyond its reasonable control, including acts of war or terrorism, civil unrest, pandemics, government action, failure of public infrastructure, denial-of-service attacks or third-party cloud-provider outages, provided the affected party gives prompt notice and uses reasonable efforts to mitigate.

16. Notice of claim, cure period and limitation

Any claim arising under this DPA must be brought within twelve (12) months of the date the claiming party first became aware (or, with reasonable diligence, ought to have become aware) of the facts giving rise to the claim, except where applicable mandatory law specifies a longer period.

Before initiating litigation, arbitration or any other formal proceeding (other than emergency injunctive relief and complaints to a Supervisory Authority), the claiming party must (i) send a written notice to the other party at asiakaspalvelu(at)serviceform.com describing the alleged breach in reasonable detail and the relief sought, and (ii) allow the receiving party at least thirty (30) days from receipt of that notice to cure the alleged breach or propose a remediation plan. The parties will negotiate any unresolved dispute in good faith for a further thirty (30) days before commencing proceedings. Nothing in this Section limits a Data Subject's right to seek a remedy directly under Article 82 GDPR or Data Protection Laws.

17. No third-party beneficiaries

This DPA does not confer any rights on any third party, except that data subjects retain the rights granted to them directly under Article 82 GDPR and other Data Protection Laws.

18. Governing law and jurisdiction

This DPA is governed by Finnish law, excluding its rules on conflict of laws. Disputes are subject to the exclusive jurisdiction of the District Court of Helsinki (Helsingin käräjäoikeus), Finland, without prejudice to any mandatory consumer-protection or supervisory-authority jurisdiction.

19. Updates

Serviceform may update this DPA from time to time. Routine clarifications, drafting fixes and non-material updates take effect when published, and continued use of the Services after the effective date constitutes acceptance.

For material changes — changes that materially expand the scope of processing, materially weaken the Customer's rights, narrow Serviceform's obligations, or alter international-transfer mechanisms or sub-processor arrangements — Serviceform will provide at least 30 days' advance notice by email to the account contact (or, where we do not have one, by a prominent notice on this page) before the change takes effect. The Customer may object on reasonable grounds within that 30-day period; if the parties cannot resolve the objection, the Customer may terminate the affected portion of the Service Agreement and receive a pro-rata refund of pre-paid fees for the un-served period. The "Version" and date at the top of this page reflect the latest revision.

20. Survival and order of precedence

Sections 8 (breach notification, in respect of breaches occurring during the term), 11 (data return and deletion), 13 (indemnity), 14 (limitation of liability), 16 (limitation period), 17 (no third-party beneficiaries) and 18 (governing law) survive termination of this DPA. In the event of conflict between this DPA and the Service Agreement, this DPA prevails on data-protection matters; in the event of conflict between this DPA and a counter-signed bespoke DPA executed between the parties, the bespoke DPA prevails for that Customer.

Annex I — List of parties and description of the transfer

Completed for the purposes of Modules 2 (Controller-to-Processor) and 3 (Processor-to-Sub-processor) of the EU SCCs, supplemented by the UK Addendum where applicable.

A. Parties

  • Data exporter (Controller): the Customer, as identified in the Service Agreement. Activities relevant to the data transferred: receipt and use of the Services. Role: Controller (or Processor, in agency / white-label arrangements; see Section 4). Contact: as set out in the Customer's account.
  • Data importer (Processor): Serviceform Oy, business ID 2713896-6, Linnaistentie 20 B, 01640 Vantaa, Finland. Activities relevant to the data transferred: provision of the Services. Role: Processor. Contact: Jarkko Oksanen, asiakaspalvelu(at)serviceform.com.

B. Description of the transfer

  • Categories of data subjects: the Customer's website visitors, end-users, prospects, leads, and the Customer's staff with access to the Services.
  • Categories of personal data: identity and contact details, technical identifiers, content of communications with Serviceform-powered tools, and other data the Customer chooses to collect through the Services. See Section 3 for the full list.
  • Sensitive data transferred: none intentionally; the Customer must not submit Special Categories of Personal Data without a separate written annex.
  • Frequency of the transfer: continuous, for the duration of the Service Agreement.
  • Nature and purpose of the processing: performance of the Services described in the Service Agreement, including hosting, AI inference (where enabled), messaging, lead capture, integration forwarding, analytics and support.
  • Period of retention: as set out in Section 11 — default two (2) years for lead and live-chat data, six (6) months after termination, or shorter on request.
  • Onward transfers: to the sub-processors listed in /subprocessors, on the basis of EU SCCs and (where applicable) the UK Addendum.

C. Competent supervisory authority

The Office of the Data Protection Ombudsman of Finland (Tietosuojavaltuutetun toimisto), Lintulahdenkuja 4, 00530 Helsinki — tietosuoja.fi. For UK-origin transfers under the UK Addendum, the Information Commissioner's Office (ICO) is also competent.

Annex II — Technical and organisational measures

Serviceform implements the technical and organisational measures (TOMs) set out in our Privacy Policy §16, including without limitation:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256) for primary data stores.
  • Role-based access control with least-privilege defaults; mandatory multi-factor authentication for administrators.
  • Logical separation of Customer Data per tenant; segregation of production and non-production environments.
  • Network segmentation, web application firewall, DDoS protection (Cloudflare).
  • Continuous logging, monitoring and intrusion detection; aggregation of system logs for security observability.
  • Automatic redaction of personal data from end-user input before forwarding to AI providers (see Privacy Policy §18 for the categories redacted).
  • Secure software development lifecycle, dependency scanning and periodic penetration testing.
  • Vendor risk assessments and contractual data-protection terms with all sub-processors.
  • Documented incident-response process meeting GDPR Articles 33–34, with notification to the Office of the Data Protection Ombudsman of Finland within 72 hours where required.
  • Confidentiality obligations and periodic data-protection training for all personnel with access to Customer Data.
  • Background checks where legally permissible for personnel with access to Customer Data.
  • Restoration and backup procedures with backups overwritten within 35 days.
  • Pseudonymisation and anonymisation by configuration (e.g. user passwords are anonymised by default).

Detailed measures, including current third-party audit summaries (where available) and the results of penetration tests, are provided to Customers on reasonable request, subject to confidentiality.

Annex III — List of sub-processors

The current list of sub-processors authorised under this DPA is published at /subprocessors, structured into core (always engaged — Google Cloud / Firebase Finland) and optional (engaged only by Customer configuration choices). The published list is incorporated into this Annex by reference and is updated in accordance with Section 4.

Contact

Privacy and DPA enquiries: asiakaspalvelu(at)serviceform.com
Data Protection contact: Jarkko Oksanen
Postal: Serviceform Oy (Y-tunnus 2713896-6), Linnaistentie 20 B, 01640 Vantaa, Finland