
Data Processing Agreement (DPA)

Last updated: October 5, 2025

Important: This Data Processing Agreement ("DPA") is an integral part of our service agreement with organizations. Serviro AS exclusively serves organizations. This DPA governs how we process personal data on behalf of organizations in compliance with GDPR Article 28.

This agreement should be read together with our Terms of Service and Privacy Policy.

1. Definitions and Roles

1.1 Parties

Data Controller: The organization that determines the purposes and means of processing personal data.

Data Processor: Serviro AS, acting on behalf of and under the instructions of the Controller.

1.2 Scope

This DPA governs the processing of personal data by Serviro AS when providing platform services to Controllers, in accordance with GDPR Article 28.

2. Nature and Purpose of Processing

2.1 Categories of Data

Serviro AS processes the following categories of personal data on behalf of Controllers:

  • Member names and identifiers
  • Email addresses
  • Phone numbers
  • Address
  • Group and event participation information
  • Chat messages
  • Platform usage data

2.2 Purpose of Processing

Processing is performed solely to provide platform services including member, group, and volunteer management, event coordination, and messaging, as instructed by the Controller.

2.3 Duration

Processing continues for the duration of the service agreement. Upon termination, data will be returned or anonymized according to Section 8 of this DPA.

3. Processor Obligations

Serviro AS commits to:

  • Process personal data only on documented instructions from the Controller
  • Ensure persons authorized to process data are bound by confidentiality
  • Implement appropriate technical and organizational security measures
  • Engage sub-processors only with Controller authorization
  • Assist the Controller in responding to data subject requests
  • Assist with security, breach notifications, and impact assessments
  • Anonymize or return all personal data after service termination
  • Make available information necessary to demonstrate compliance
  • Submit to audits conducted by the Controller or authorized auditor

4. Sub-Processors

4.1 Authorization

The Controller provides general authorization for Serviro AS to engage the sub-processors listed below. Serviro AS will notify Controllers of any intended changes concerning sub-processors, giving the Controller the opportunity to object.

4.2 Current Sub-Processors

Service Provider          | Purpose                  | Location       | Data Processed
Amazon Web Services (AWS) | Infrastructure & Hosting | EU (Frankfurt) | All platform data
Stripe                    | Payment Processing       | EU/US          | Billing contact information only
Firebase                  | Push Notifications       | US             | Member identifiers for notifications
Sentry                    | Error Monitoring         | US             | Error logs, performance data (anonymized)
Stream Chat               | Chat Messages            | EU             | Chat messages and real-time messaging data
Plausible Analytics       | Website Analytics        | EU             | Aggregated non-personal data only

4.3 Sub-Processor Requirements

Serviro AS ensures all sub-processors are bound by data protection obligations no less protective than those in this DPA and remains fully liable for sub-processor performance.

5. Security Measures

5.1 Technical Measures

  • Encryption of data in transit (TLS 1.2+) and at rest
  • Regular security updates and patch management
  • Access controls and authentication mechanisms
  • Network security and firewall protection
  • Regular automated backups
  • Monitoring and logging of access

5.2 Organizational Measures

  • Confidentiality agreements with all personnel
  • Regular security training for staff
  • Access on a need-to-know basis
  • Incident response procedures
  • Regular security assessments
  • Data protection by design and default

6. Data Breach Notification

6.1 Notification Timeline

Serviro AS will notify the Controller without undue delay, and in any case within 48 hours, after becoming aware of a personal data breach affecting the Controller's data.

6.2 Information Provided

Breach notifications will include:

  • Nature of the breach and categories of data affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach
  • Contact point for more information

7. Data Subject Rights

7.1 Assistance

Serviro AS will assist the Controller in fulfilling obligations to respond to data subject requests for:

  • Access to personal data
  • Rectification or erasure
  • Restriction of processing
  • Data portability
  • Objection to processing
  • Right to anonymization instead of deletion where applicable

7.2 Response Timeline

Serviro AS will respond to Controller requests for assistance within 10 business days or as required to meet regulatory deadlines.

8. Data Return and Anonymization

8.1 Upon Termination

Upon termination of services, Serviro AS will, at the Controller's choice:

  • Return all personal data to the Controller in a standard format
  • Anonymize all personal data, rendering it non-identifiable and non-attributable
  • Both return and then anonymize the data

Anonymized data may be retained for statistical analysis and service improvement purposes.

8.2 Anonymization Process

Anonymization will be performed using industry-standard techniques to ensure data cannot be re-identified, including removing direct identifiers, generalizing quasi-identifiers, and applying statistical disclosure controls.

8.3 Retention Exceptions

Complete anonymization does not apply to data Serviro AS is required to retain under EU or Norwegian law. Such data will be protected and processing limited to legal requirements only.

9. Audits and Compliance

9.1 Audit Rights

The Controller has the right to conduct audits to verify Serviro AS's compliance with this DPA, subject to reasonable notice, regular business hours, no more than once per year unless required by regulators, and conducted by independent auditors bound by confidentiality.

9.2 Compliance Documentation

Serviro AS maintains records of processing activities and will provide relevant compliance documentation upon reasonable request.

10. Liability and Indemnification

10.1 Limitation of Liability

Liability under this DPA is subject to the limitations set forth in the main service agreement, except where prohibited by applicable law.

10.2 Indemnification

Each party will defend and indemnify the other against claims arising from that party's breach of this DPA or applicable data protection laws.

11. International Transfers

Personal data is primarily processed within the EEA. Transfers outside the EEA use appropriate safeguards, including EU Standard Contractual Clauses (SCCs) or adequacy decisions.

12. Term and Termination

This DPA remains in effect for the duration of the service agreement. Provisions relating to data protection obligations survive termination as required by law.

13. Governing Law

This DPA is governed by Norwegian law and GDPR. Disputes shall be resolved according to the dispute resolution provisions in the main service agreement.

14. Contact Information

Data Protection Contact:
Serviro AS
General Support: contact@avedio.app

15. Agreement

By using Avedio services as an organization, the Controller agrees to the terms of this Data Processing Agreement. This DPA forms part of and is incorporated into the main service agreement.


© 2025 Avedio. All rights reserved