servus.
Back to home

Data Processing Agreement

This Data Processing Agreement (DPA) governs how Servus processes personal data on behalf of its customers and forms part of the agreement between us.

Last updated 15 June 2026

This is a baseline document we provide for transparency — it is not legal advice. Please have it reviewed by qualified counsel before you rely on it.

Roles of the parties

For personal data that a customer submits to or processes through the Servus platform, the customer is the controller and Servus Messaging GmbH is the processor acting on the customer's documented instructions under Article 28 of the GDPR. Where the customer is itself a processor for a third party, Servus acts as a sub-processor.

Servus will process customer personal data only to provide the service, as instructed by the customer, and as required by EU or member-state law, in which case Servus will inform the customer unless prohibited from doing so.

Subject-matter, nature, purpose, and duration

The subject-matter of processing is the provision of omnichannel messaging, automation, and analytics services. The nature and purpose is the routing, delivery, receipt, storage, and reporting of messages and contact data across WhatsApp, SMS, email, and push, as configured by the customer.

Processing continues for the duration of the customer's subscription and until deletion or return of the data as set out below.

Categories of data and data subjects

The personal data processed and the categories of data subjects are determined and controlled by the customer. Typically they include:

  • Data subjects — the customer's contacts, recipients, leads, end users, and the customer's own personnel who operate the account.
  • Categories of data — identifiers and contact details (names, phone numbers, email addresses), message content, delivery and interaction metadata, and any additional contact attributes the customer chooses to store.
  • Special categories — the customer must not submit special-category or sensitive personal data unless the customer has agreed appropriate safeguards in writing with Servus.

Processor obligations

In line with Article 28 GDPR, Servus will: process personal data only on documented instructions; ensure persons authorized to process the data are under confidentiality obligations; implement appropriate technical and organizational measures; assist the controller with data-subject rights and with its obligations under Articles 32 to 36; and make available the information needed to demonstrate compliance.

Servus will promptly inform the customer if, in its opinion, an instruction infringes the GDPR or other data-protection law.

Confidentiality and security measures

Servus binds its personnel and contractors to confidentiality and grants access to personal data only on a need-to-know basis. Servus maintains technical and organizational measures appropriate to the risk, including encryption in transit and at rest, tenant isolation, access controls, secrets management, logging, and monitoring.

These measures are described on our Security page and may be updated over time, provided the level of protection is not materially reduced.

Sub-processors

The customer authorizes Servus to engage sub-processors to provide the service — including cloud hosting, messaging channel providers, email delivery, and payment processing. Servus imposes data-protection obligations on each sub-processor that are substantially the same as those in this DPA and remains responsible for their performance.

Servus maintains a current list of sub-processors and will give the customer reasonable prior notice of any intended addition or replacement so the customer can object on reasonable, data-protection grounds.

Assistance, breach notification, and data-subject requests

Servus will provide reasonable assistance to the customer in responding to requests from data subjects exercising their rights, and in meeting the customer's obligations regarding security, breach notification, data-protection impact assessments, and prior consultation.

Servus will notify the customer without undue delay after becoming aware of a personal-data breach affecting customer data, and will provide the information reasonably needed for the customer to meet its own notification obligations.

Deletion or return, audits, and transfers

On termination of the service, Servus will, at the customer's choice, delete or return the customer's personal data and delete existing copies, unless EU or member-state law requires storage.

Servus will make available information necessary to demonstrate compliance with Article 28 and allow for and contribute to audits, including inspections, conducted by the customer or an auditor it mandates, subject to reasonable confidentiality and scheduling. Where personal data is transferred outside the EEA, the parties rely on the European Commission's Standard Contractual Clauses (SCCs) with supplementary measures. Questions about this DPA go to [email protected].