Data Processing Agreement

Last updated January 1, 2026

1. Parties and Definitions

Serviceform Oy (business ID 2713896-6, Finland) acts as the Processor, while the customer entering a Service Agreement serves as the Controller. Key terms include:

  • Personal Data: Data defined under GDPR and equivalent national law
  • Customer Data: Personal information the Customer provides to Serviceform for the Services
  • Services: Products including the Mira platform, embeddable widgets, plugins, apps, and mobile applications
  • Sub-processor: Third parties engaged by Serviceform to process Customer Data

2. Subject Matter and Instructions

Serviceform processes personal data on the Customer’s documented instructions to provide the Services. Processing complies with the GDPR, Finnish Data Protection Act (1050/2018), and Finnish Act on Electronic Communications Services (917/2014). If an instruction potentially violates Data Protection Laws, Serviceform notifies the Customer in writing without undue delay.

3. Categories of Data and Data Subjects

Data subjects include website visitors, end-users, and Customer staff. Personal data encompasses identity and contact details, technical identifiers, communication content, and data collected through the Services. Special category data should not be submitted without a separate written annex.

4. Sub-processors

Serviceform may engage sub-processors listed at /subprocessors:

  • Core sub-processors: Google Cloud/Firebase (Finland) for all customers
  • Optional sub-processors: AI providers, messaging services, integrations, and analytics—engaged only when customers enable corresponding features

The company provides at least 30 days’ notice of new sub-processors. Customers may object on reasonable grounds. If unresolved within 30 days, either party may terminate the affected service portion with pro-rata refund.

Agency and Reseller Arrangements

Agencies, resellers, and white-label partners warrant they have authority to bind underlying brands to this agreement on their behalf.

5. International Transfers

Personal data is processed primarily within the EEA. Limited transfers occur to:

  • Serviceform’s Sri Lanka subsidiary under EU Standard Contractual Clauses with Transfer Impact Assessment
  • Google LLC (US) for support-only access under SCCs

Optional integrations may involve additional valid transfer mechanisms.

6. Security Measures

Serviceform implements appropriate technical and organizational measures including:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • Role-based access control and multi-factor authentication
  • Automatic redaction of personal data before AI processing
  • Vulnerability management and periodic penetration testing
  • Documented incident-response process

Detailed measures are described in the Privacy Policy.

7. Confidentiality

Personnel authorized to process personal data are bound by written confidentiality obligations and receive periodic data-protection training.

8. Personal Data Breach Notification

Serviceform notifies customers in writing without undue delay—maximum 72 hours—of any breach affecting Customer data, providing information required under Article 33(3) GDPR. The company reasonably assists customers in meeting breach-notification obligations.

9. Data-Subject Requests

Serviceform forwards data-subject requests directly to customers without responding independently. The company provides reasonable technical and organizational assistance for access, rectification, erasure, restriction, portability, and objection requests.

10. Audit Rights

Customers or appointed independent auditors may audit Serviceform’s compliance on reasonable notice, no more than once per calendar year (plus additional audits if required by supervisory authorities or following confirmed breaches). Audits must be conducted during business hours, must be minimally disruptive, are subject to confidentiality, and are at the Customer’s expense. Serviceform may discharge its audit obligations through third-party audit reports.

11. Term, Data Return and Deletion

The DPA remains in force for the Service Agreement’s duration. Default retention for lead and live-chat data is two (2) years from creation, or shorter if requested. Upon termination, Serviceform retains personal data for up to six (6) months, then returns or deletes it at the Customer’s discretion, except where law requires longer retention.

12. Customer Warranties and Obligations

The Customer warrants and undertakes that:

  • It maintains valid legal basis under Article 6 GDPR (and Article 9 where applicable) for instructed processing
  • It has provided required privacy notices and obtained necessary consents, including for cookies
  • Instructions comply with Data Protection Laws
  • It will not submit special-category, payment-card, or other regulated data without written annex
  • It acknowledges sub-processor scope depends on configuration choices; only Google Cloud/Firebase Finland is core; optional sub-processors engage only upon feature enablement
  • It is responsible for configuration choices and lawful use of service output

13. Customer Indemnity

The Customer indemnifies Serviceform against third-party claims, regulatory penalties, and losses arising from: Customer’s breach of Section 12 warranties; Customer’s instructions despite Serviceform’s concerns; or Customer’s violation of Data Protection Laws or the Service Agreement. This indemnity is uncapped to the extent permitted by law.

14. Limitation of Liability

To the maximum extent permitted by law, Serviceform’s aggregate liability under this DPA is limited to fees paid in the preceding 12 months. The company is not liable for indirect, consequential, special, incidental, exemplary, or punitive damages, lost profits, revenue, data, or business interruption.

Exceptions include liability for death or personal injury from negligence, fraud, gross negligence, willful misconduct, or direct statutory liability under Article 82 GDPR.

15. Force Majeure

Neither party is liable for performance failure or delay caused by events beyond reasonable control—including war, terrorism, civil unrest, pandemics, government action, infrastructure failure, denial-of-service attacks, or cloud-provider outages—provided the affected party gives prompt notice and makes reasonable mitigation efforts.

16. Notice of Claim, Cure Period and Limitation

Claims must be brought within 12 months of when the claiming party became aware (or reasonably should have become aware) of the facts giving rise to the claim, except where mandatory law specifies a longer period.

Before formal proceedings (except emergency injunctive relief and supervisory authority complaints), the claiming party must send written notice describing the breach and relief sought, and allow the receiving party 30 days to cure or propose remediation. Parties negotiate unresolved disputes in good faith for another 30 days before commencing proceedings.

Nothing limits Data Subjects’ rights under Article 82 GDPR or Data Protection Laws.

17. No Third-Party Beneficiaries

This DPA does not grant rights to third parties, except that data subjects retain rights granted directly under Article 82 GDPR and other Data Protection Laws.

18. Governing Law and Jurisdiction

This DPA is governed by Finnish law, excluding conflict-of-law rules. Disputes fall under exclusive jurisdiction of the District Court of Helsinki, Finland, without prejudice to mandatory consumer-protection or supervisory-authority jurisdiction.

19. Updates

Serviceform may update this DPA. Routine clarifications, drafting fixes, and non-material updates take effect upon publication; continued service use constitutes acceptance.

For material changes—those expanding processing scope, weakening Customer rights, narrowing Serviceform obligations, or altering international transfers or sub-processor arrangements—Serviceform provides at least 30 days’ advance notice by email or prominent page notice. Customers may object within 30 days; if unresolved, they may terminate the affected service portion and receive pro-rata refund of pre-paid fees.

20. Survival and Order of Precedence

Sections 8 (breach notification for breaches during term), 11 (data return/deletion), 13 (indemnity), 14 (liability limitation), 16 (limitation period), 17 (no third-party beneficiaries), and 18 (governing law) survive DPA termination.

In conflicts: this DPA prevails over the Service Agreement on data-protection matters; a counter-signed bespoke DPA prevails over this published version for that customer.


Annex I — List of Parties and Description of the Transfer

Completed for EU SCCs Modules 2 (Controller-to-Processor) and 3 (Processor-to-Sub-processor), supplemented by UK Addendum where applicable.

A. Parties

Data exporter (Controller): The Customer as identified in the Service Agreement. Role: Controller (or Processor in agency/white-label arrangements per Section 4).

Data importer (Processor): Serviceform Oy, business ID 2713896-6, Linnaistentie 20 B, 01640 Vantaa, Finland. Contact: Jarkko Oksanen, [email protected].

B. Description of the Transfer

  • Data subjects: Website visitors, end-users, prospects, leads, and Customer staff
  • Personal data categories: Identity and contact details, technical identifiers, communication content, and Customer-selected collected data
  • Sensitive data: None intentionally; Special Categories of Personal Data require separate written annex
  • Transfer frequency: Continuous throughout the Service Agreement
  • Processing nature and purpose: Service delivery including hosting, AI inference (when enabled), messaging, lead capture, integration forwarding, analytics, and support
  • Retention period: Two (2) years default for lead and live-chat data; six (6) months post-termination or shorter upon request
  • Onward transfers: To sub-processors listed at /subprocessors under EU SCCs and UK Addendum (where applicable)

C. Competent Supervisory Authority

Office of the Data Protection Ombudsman of Finland (Tietosuojavaltuutetun toimisto), Lintulahdenkuja 4, 00530 Helsinki — tietosuoja.fi. For UK-origin transfers under the UK Addendum, the Information Commissioner’s Office (ICO) is also competent.


Annex II — Technical and Organisational Measures

Serviceform implements technical and organizational measures including:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256) for primary data stores
  • Role-based access control with least-privilege defaults; mandatory multi-factor authentication for administrators
  • Per-tenant logical separation; production/non-production environment segregation
  • Network segmentation, web application firewall, DDoS protection (Cloudflare)
  • Continuous logging, monitoring, and intrusion detection
  • Automatic personal data redaction from end-user input before AI provider forwarding
  • Secure software development lifecycle, dependency scanning, periodic penetration testing
  • Vendor risk assessments and data-protection contractual terms with all sub-processors
  • GDPR Articles 33–34 compliant incident-response process with Office of Data Protection Ombudsman notification within 72 hours where required
  • Confidentiality obligations and periodic data-protection training for personnel with Customer Data access
  • Background checks (where legally permissible) for personnel with access
  • Restoration and backup procedures with overwriting within 35 days
  • Pseudonymization and anonymization by configuration (e.g., user passwords anonymized by default)

Detailed measures, third-party audit summaries, and penetration-test results are provided to Customers on reasonable request, subject to confidentiality.


Annex III — List of Sub-processors

The current authorized sub-processor list is published at /subprocessors, structured into core (Google Cloud/Firebase Finland—always engaged) and optional (engaged by Customer configuration choices). The published list is incorporated by reference and updated per Section 4.