Home Legal Data Processing Agreement

Data Processing Agreement

GDPR Article 28 compliant agreement governing how we process personal data on your behalf.

Last updated: May 10, 2026 ConvoAI by Serverlys
Terms of Service Privacy Policy Cookie Policy Acceptable Use DPA
Summary: This DPA is required by GDPR Article 28. It governs how Serverlys (processor) processes personal data on behalf of you (controller) when you use ConvoAI. We process only on your documented instructions, maintain confidentiality, apply appropriate security measures, assist you with data subject requests, and delete your data upon termination. Sub-processors include Anthropic, Stripe, Meta, and our hosting infrastructure.

1. Introduction & Incorporation

This Data Processing Agreement ("DPA") is entered into between:

  • Controller: The customer entity or individual that has accepted ConvoAI's Terms of Service ("you", "Customer", "Controller").
  • Processor: Serverlys, the operator of ConvoAI ("we", "us", "Serverlys", "Processor").

This DPA forms part of and is incorporated into the Terms of Service between you and Serverlys. In the event of any conflict between this DPA and the Terms of Service regarding the processing of personal data, this DPA shall prevail.

This DPA applies where and to the extent that Serverlys processes Personal Data on behalf of the Customer in the course of providing the ConvoAI Service, and such processing is subject to the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, or other applicable data protection legislation.

2. Definitions

In this DPA, unless the context requires otherwise:

  • "Personal Data" means any information relating to an identified or identifiable natural person processed by Serverlys on behalf of the Customer under the Terms of Service.
  • "Processing" has the meaning given in the GDPR and includes any operation performed on Personal Data.
  • "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates (primarily, your end-users who communicate via WhatsApp).
  • "Sub-processor" means any third party engaged by Serverlys to process Personal Data on behalf of the Customer.
  • "Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
  • "Standard Contractual Clauses" or "SCCs" means the standard data protection clauses adopted by the European Commission for the transfer of personal data to third countries.
  • "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council.

3. Roles & Responsibilities

3.1 Controller

The Customer is the Data Controller with respect to the Personal Data of its end-users (your WhatsApp contacts) processed through the ConvoAI Service. As Controller, you determine the purposes and means of processing.

3.2 Processor

Serverlys is the Data Processor. We process Personal Data only on documented instructions from you, and only to the extent necessary to provide the ConvoAI Service as described in the Terms of Service.

3.3 Independent Controller

Serverlys acts as an independent Data Controller (not a Processor) for Personal Data collected directly about you (account data, billing data, usage metrics) as described in our Privacy Policy. This DPA does not apply to that data.

4. Subject Matter of Processing

4.1 Nature and Purpose

Serverlys processes Personal Data for the purpose of providing the ConvoAI Service: operating AI-powered WhatsApp agents that handle customer conversations, qualify leads, book appointments, manage CRM records, and run outbound campaigns on your behalf.

4.2 Duration

Processing continues for the duration of your subscription to the Service, and for 30 days after account termination (to allow data export), unless a longer retention period is required by applicable law.

4.3 Types of Personal Data Processed

The Personal Data processed on your behalf may include:

  • WhatsApp phone numbers of your end-users
  • WhatsApp display names as provided by Meta's API
  • Message content (text of WhatsApp conversations)
  • Conversation timestamps and metadata
  • CRM data derived from conversations: lead status, deal stage, tags, notes, lead scores
  • Appointment details (dates, times, services) booked through the AI agent
  • Any additional data your end-users voluntarily provide during a conversation

4.4 Categories of Data Subjects

The Personal Data relates to your end-users: individuals who send WhatsApp messages to your WhatsApp Business number that is connected to the ConvoAI Service.

4.5 Special Category Data

The Service is not designed or intended to process special category data as defined in GDPR Article 9 (health data, biometric data, data revealing racial or ethnic origin, etc.). You must not configure your AI agents to solicit or process such data. If special category data is inadvertently received, Serverlys will process it in accordance with this DPA but you accept sole responsibility for having a legal basis for its collection.

5. Processor Obligations

Serverlys, as Processor, undertakes to:

5.1 Documented Instructions

Process Personal Data only on your documented instructions, including with regard to transfers of Personal Data to a third country, unless required to do so by applicable law. In such a case, Serverlys shall inform you of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

5.2 Confidentiality

Ensure that all personnel authorised to process Personal Data are subject to an obligation of confidentiality, whether by contractual or statutory obligation.

5.3 Security

Implement and maintain technical and organisational measures to ensure a level of security appropriate to the risk, as further described in Section 8 of this DPA.

5.4 Sub-processors

Not engage any Sub-processor without your prior general written authorisation. The current list of authorised Sub-processors is set out in Section 7. Serverlys shall notify you of any changes to Sub-processors and you will have 14 days to object to such changes. Serverlys shall impose equivalent data protection obligations on all Sub-processors.

5.5 Data Subject Rights

Take appropriate technical and organisational measures to assist you in fulfilling your obligation to respond to requests from Data Subjects to exercise their rights under GDPR (access, rectification, erasure, portability, restriction, objection) as described in Section 10.

5.6 Assistance with Compliance

Assist you in ensuring compliance with your obligations under GDPR Articles 32-36 (security, breach notification, DPIA, prior consultation), taking into account the nature of processing and the information available to Serverlys.

5.7 Deletion or Return

At your choice, delete or return all Personal Data to you after the end of the provision of the Service, and delete existing copies unless required to retain them under applicable law. See Section 13.

5.8 Audit Information

Make available to you all information necessary to demonstrate compliance with the obligations laid down in GDPR Article 28, and allow for and contribute to audits and inspections conducted by you or a mandated auditor, as described in Section 12.

6. Controller Obligations

As Controller, you agree to:

  • Ensure you have a valid legal basis under GDPR Article 6 (and Article 9 where applicable) for processing your end-users' Personal Data through the Service
  • Provide your end-users with transparent notice about how their Personal Data is processed via WhatsApp, including that their messages are processed by an AI system
  • Obtain all necessary consents or comply with applicable opt-in requirements before initiating business-initiated WhatsApp messages to your end-users
  • Comply with Meta's WhatsApp Business Policy and applicable messaging regulations in your jurisdiction
  • Ensure you have a privacy policy accessible to your end-users that covers WhatsApp-based data processing
  • Not configure ConvoAI agents to collect special category data unless you have an explicit legal basis and have notified Serverlys
  • Handle data subject requests from your end-users promptly and, where you require Serverlys's assistance, make requests via hello@serverlys.com
  • Maintain your own records of processing activities as required by GDPR Article 30 for your role as Controller

7. Authorised Sub-processors

You acknowledge and consent to Serverlys engaging the following Sub-processors to provide the Service. Each Sub-processor is bound by data protection obligations no less protective than those in this DPA.

Sub-processor Purpose Location Data Processed
Anthropic, PBC AI model inference — generating responses to WhatsApp messages United States Message content, conversation context. No sender PII is sent beyond message text.
Meta Platforms, Inc. WhatsApp Cloud API — message delivery and receipt United States (global infrastructure) Message content, phone numbers, metadata. Governed by Meta's own privacy policy and terms.
Stripe, Inc. Payment processing — subscription billing United States Customer billing data only. No end-user Personal Data is shared with Stripe.
Cloud Infrastructure Provider Hosting, database, and storage infrastructure EU / US (configurable) All Service data including conversation data, CRM records, and knowledge base content.

Serverlys will notify you at least 14 days before engaging a new Sub-processor or replacing an existing one by posting an update to this page and sending an email notification. If you object to a new Sub-processor on reasonable data protection grounds within 14 days of notice, Serverlys will use commercially reasonable efforts to provide an alternative. If no alternative is available, either party may terminate the applicable Services with 30 days' notice without penalty.

8. Technical & Organisational Security Measures

Serverlys implements and maintains the following security measures for the protection of Personal Data processed under this DPA. These measures are reviewed and updated regularly.

8.1 Encryption

  • All data in transit is encrypted using TLS 1.2 or higher (HTTPS enforced across all endpoints)
  • Sensitive fields (Meta API access tokens, webhook secrets, API keys) are encrypted at rest using AES-256 or equivalent
  • Passwords are hashed using bcrypt with an appropriate cost factor; plaintext passwords are never stored
  • Database backups are encrypted at rest

8.2 Access Control

  • Role-based access controls (RBAC) limit access to Personal Data to personnel who require it to perform their duties (principle of least privilege)
  • Administrative access to production systems requires multi-factor authentication (MFA)
  • Customer data is logically isolated by tenant; no cross-tenant data access is possible by design
  • Access logs are maintained and reviewed for anomalous activity

8.3 Application Security

  • Django Content Security Policy (CSP) headers, CSRF protection, and HTTP security headers are enforced
  • Parameterised queries and ORM abstractions are used to prevent SQL injection
  • Regular dependency updates and automated vulnerability scanning
  • Input validation and output encoding to prevent XSS and injection attacks

8.4 Organisational Measures

  • Personnel with access to Personal Data are subject to confidentiality obligations
  • Security awareness training for all staff with access to production data
  • Documented incident response procedures
  • Regular security reviews of infrastructure and application code

8.5 Availability and Resilience

  • Regular automated backups with tested restoration procedures
  • Monitoring and alerting for service availability and performance degradation

9. Data Breach Notification

In the event of a Security Incident affecting Personal Data processed under this DPA, Serverlys will:

  • Notify you without undue delay and, where feasible, within 72 hours of becoming aware of the Security Incident
  • Provide, to the extent known at the time of notification: the nature of the incident, the categories and approximate number of Data Subjects affected, the categories and approximate number of Personal Data records affected, the likely consequences of the incident, and the measures taken or proposed to address the incident
  • Cooperate with you and provide further information as it becomes available to assist you in meeting your own notification obligations to supervisory authorities and Data Subjects under GDPR Articles 33 and 34

Notification of a Security Incident does not constitute an acknowledgement of fault or liability by Serverlys.

To report a suspected security incident or breach, contact us immediately at hello@serverlys.com with the subject line "Security Incident."

10. Assistance with Data Subject Rights

Serverlys will provide reasonable assistance to you in fulfilling your obligations to respond to Data Subject requests under GDPR Chapter III, including rights of access, rectification, erasure, portability, restriction, and objection.

To submit a data subject rights assistance request, email hello@serverlys.com with:

  • The nature of the request (e.g., access, deletion, export)
  • The Data Subject's WhatsApp phone number or other identifier
  • Your ConvoAI account email

Serverlys will respond within 5 business days. You remain responsible for communicating the outcome to the Data Subject within the statutory timeframe (typically 30 days under GDPR).

You may also exercise data management functions directly within the ConvoAI dashboard: contacts can be deleted from the CRM, conversations can be purged, and knowledge base documents can be removed at any time.

11. International Data Transfers

Some Sub-processors, including Anthropic and Stripe, are located in the United States. When Personal Data of EEA, UK, or Swiss residents is transferred to these Sub-processors, Serverlys relies on one or more of the following safeguards:

  • Standard Contractual Clauses (SCCs): The European Commission's standard contractual clauses for controller-to-processor transfers (Module 2) or processor-to-sub-processor transfers (Module 3), as applicable, are incorporated into our Sub-processor agreements
  • UK International Data Transfer Agreement (IDTA): For transfers from the UK, the IDTA or UK Addendum to the SCCs is used where required
  • Adequacy decisions: Where the European Commission or UK authorities have issued an adequacy decision for the destination country, transfers may rely on that decision

You instruct Serverlys to make such transfers as necessary to provide the Service. Copies of applicable transfer safeguards are available upon request at hello@serverlys.com.

12. Audit Rights

Serverlys will make available to you all information reasonably necessary to demonstrate compliance with this DPA. You may request an audit or inspection of Serverlys's data processing activities under this DPA, subject to the following conditions:

  • Audit requests must be made in writing to hello@serverlys.com with at least 30 days' notice
  • Audits are limited to once per calendar year unless a Security Incident has occurred
  • Audits must be conducted during normal business hours and must not unreasonably disrupt Serverlys's operations
  • You may appoint a reputable independent auditor, subject to Serverlys's reasonable approval; the auditor must sign a confidentiality agreement before the audit commences
  • The costs of any audit (including Serverlys's reasonable time) shall be borne by you
  • Serverlys may satisfy audit obligations by providing relevant certifications, third-party audit reports, or penetration test summaries in lieu of direct access

13. Deletion & Return of Data

Upon termination or expiry of your ConvoAI subscription for any reason, Serverlys will:

  • Provide you with a 30-day grace period during which you may export your data (conversation history, CRM contacts, knowledge base documents) from the dashboard
  • After the 30-day grace period, delete all Personal Data processed on your behalf, including from backups, within a further 30 days, unless retention is required by applicable law
  • Provide written confirmation of deletion upon request

Billing records (your own account data, not end-user data) are retained for 7 years as required by applicable financial and tax regulations.

You may also request immediate deletion of specific contact data or conversation records at any time during your subscription via the dashboard or by contacting hello@serverlys.com.

14. Term & Termination

This DPA enters into force on the date you accept the Terms of Service (by signing up for ConvoAI) and remains in force for the duration of the Terms of Service. It terminates automatically upon termination of the Terms of Service, subject to the survival of obligations relating to deletion of data (Section 13), confidentiality, and liability.

15. Governing Law

This DPA is governed by the same law as the Terms of Service. Where the GDPR or UK GDPR applies, any provisions of this DPA required by those regulations shall be construed in accordance with them. Standard Contractual Clauses are governed by the law specified therein and prevail over this DPA to the extent of any conflict in the context of international transfers.

16. Contact & Execution

This DPA is self-executing upon acceptance of the Terms of Service. No separate signature is required.

Enterprise customers requiring a countersigned, customised DPA for their procurement process may request one at:

  • Email: hello@serverlys.com — subject line: "DPA Request"
  • Response time: Within 5 business days
  • Business: ConvoAI by Serverlys

For general privacy or data protection enquiries, see our Privacy Policy.