Data Processing Addendum

Effective date: June 30, 2026

This Data Processing Addendum (“DPA”) forms part of and is incorporated into the ServeGrace Terms of Service and any Master Services Agreement or Order Form (the “Agreement”) between Pure Grace AI, LLC, doing business as ServeGrace (“ServeGrace,” the “Processor”), and the customer that accepts the Agreement (“Customer,” the “Controller”). It governs ServeGrace’s Processing of Personal Data on Customer’s behalf in connection with the Services. Capitalized terms not defined here have the meanings given in the Agreement. If there is a conflict between this DPA and the rest of the Agreement regarding the Processing of Personal Data, this DPA controls.

1. Definitions

  • “Applicable Data Protection Laws” means all laws and regulations applicable to the Processing of Personal Data under the Agreement, including the EU GDPR 2016/679, the UK GDPR and Data Protection Act 2018, and US state privacy laws including the CCPA as amended by the CPRA.

  • “Controller,” “Processor,” “Data Subject,” “Personal Data,” “Processing,” and “Personal Data Breach” have the meanings given in Applicable Data Protection Laws. Under the CCPA, “Controller” means “Business” and “Processor” means “Service Provider.”

  • “Customer Personal Data” means Personal Data contained in Customer Data that ServeGrace Processes on Customer’s behalf.

  • “Sub-processor” means any third party engaged by ServeGrace to Process Customer Personal Data.

  • “Standard Contractual Clauses” (“SCCs”) means the clauses approved by the European Commission for transfers of Personal Data to third countries, and the UK International Data Transfer Addendum where applicable.

2. Roles and scope of Processing

As between the parties, Customer is the Controller (or Business) and ServeGrace is the Processor (or Service Provider) of Customer Personal Data. ServeGrace will Process Customer Personal Data only to provide and support the Services and only on Customer’s documented instructions, including as set out in the Agreement, this DPA, and Customer’s configuration and use of the Services. The subject matter, duration, nature, and purpose of the Processing, the types of Personal Data, and the categories of Data Subjects are described in Annex I.

3. Customer instructions and obligations

Customer is responsible for the lawfulness of the Personal Data it provides and of ServeGrace’s Processing on its instructions. Customer represents that it has established a valid legal basis, has provided all required notices, and has obtained all required consents for the Processing, and that its instructions comply with Applicable Data Protection Laws. ServeGrace will inform Customer if, in its reasonable opinion, an instruction infringes Applicable Data Protection Laws (without obligation to provide legal advice).

4. ServeGrace obligations

  • Process Customer Personal Data only on Customer’s documented instructions, including with regard to international transfers, unless required to do otherwise by law (in which case ServeGrace will inform Customer unless legally prohibited);

  • Not sell or share Customer Personal Data, and not retain, use, or disclose it for any purpose other than performing the Services or as otherwise permitted by Applicable Data Protection Laws;

  • Ensure persons authorized to Process Customer Personal Data are bound by appropriate confidentiality obligations; and

  • Implement and maintain the technical and organizational security measures described in Annex II.

5. Confidentiality

ServeGrace will treat Customer Personal Data as Customer’s Confidential Information and limit access to personnel who need it to provide the Services and who are subject to binding confidentiality obligations.

6. Security

Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, ServeGrace will implement appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk (including, as appropriate, the confidentiality, integrity, availability, and resilience of processing systems and services), as further described in Annex II. Customer is responsible for its own configuration of the Services and for securing its accounts, credentials, and end-user access.

7. Sub-processors

Customer provides general authorization for ServeGrace to engage Sub-processors to Process Customer Personal Data. ServeGrace’s current Sub-processors are listed in Annex III. ServeGrace will impose data-protection obligations on each Sub-processor that are no less protective than those in this DPA, and remains responsible for its Sub-processors’ performance. ServeGrace will give Customer at least 30 days’ prior notice of any intended addition or replacement of a Sub-processor — by email to Customer’s designated contact and/or by updating the sub-processor list published at servegrace.com/legal/subprocessors — and Customer may object on reasonable, documented data-protection grounds within that notice period, in which case the parties will work in good faith to resolve the objection; if they cannot resolve it, Customer may terminate the affected Services.

8. Data Subject requests

Taking into account the nature of the Processing, ServeGrace will provide reasonable assistance, including through appropriate technical and organizational measures and the features of the Services, to help Customer respond to requests from Data Subjects to exercise their rights. If ServeGrace receives such a request directly, it will, where permitted by law, advise the Data Subject to contact Customer and will not respond except on Customer’s instructions.

9. Assistance

Taking into account the nature of Processing and the information available to ServeGrace, ServeGrace will provide reasonable assistance to Customer with its obligations relating to security of Processing, Personal Data Breach notification, data protection impact assessments, and prior consultation with supervisory authorities.

10. Personal Data Breach

ServeGrace will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and will provide information reasonably available to it to help Customer meet its breach-notification obligations. ServeGrace’s notification is not an acknowledgment of fault or liability.

11. International transfers

Where ServeGrace Processes Customer Personal Data subject to the GDPR or UK GDPR in a country that does not provide an adequate level of protection, the parties agree that the Standard Contractual Clauses (and the UK Addendum, where applicable) are incorporated by reference and apply to that transfer, with Module Two (controller-to-processor) applying, or Module Three (processor-to-sub-processor) where Customer is itself a processor; Customer (or its controller) as data exporter and ServeGrace as data importer; and Annexes I, II, and III of this DPA populating the corresponding annexes of the SCCs. Where a different lawful transfer mechanism applies, the parties will use it.

12. Deletion and return

On termination or expiration of the Agreement, ServeGrace will, at Customer’s choice, delete or return Customer Personal Data, and delete existing copies, unless retention is required by law. Customer may export Customer Data for 30 days following termination, after which ServeGrace may delete it in the ordinary course, subject to legal retention requirements and ServeGrace’s standard backup-retention schedule, after which residual copies are deleted on expiry.

13. Audits

ServeGrace will make available to Customer information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits. To minimize disruption, ServeGrace may satisfy this obligation by providing then-current third-party certifications, audit reports, or a written security overview; on-site audits require reasonable prior notice, are limited to once per year (absent a Personal Data Breach or regulatory or supervisory-authority requirement), and are subject to confidentiality.

14. US state privacy laws (CCPA/CPRA and equivalent state terms)

To the extent ServeGrace Processes Personal Data subject to the CCPA as a Service Provider, ServeGrace will: (a) not sell or share such Personal Data; (b) not retain, use, or disclose it for any purpose other than the business purposes specified in the Agreement, or outside the direct business relationship, except as permitted by the CCPA; (c) not combine it with Personal Data from other sources except as permitted by the CCPA; and (d) comply with applicable obligations under the CCPA and provide the same level of privacy protection required of businesses. ServeGrace certifies that it understands and will comply with these restrictions. Where ServeGrace Processes Personal Data subject to the comprehensive privacy laws of other US states (including, as applicable, Virginia, Colorado, Connecticut, Texas, Oregon, and the other states with such laws in effect), it will act as a “processor” on Customer’s behalf, Process Personal Data only on Customer’s instructions and as permitted by the Agreement, provide the assistance those laws require of processors (including reasonable assistance with data protection assessments and consumer-rights requests), and comply with applicable processor obligations and any data-processing-agreement terms those laws require, which are deemed incorporated into this DPA to the extent required.

15. Liability

Each party’s liability arising out of or related to this DPA is subject to the exclusions and limitations of liability in the Agreement, and any reference to the liability of a party means the aggregate liability of that party under the Agreement and this DPA together.

16. Term, conflict, and governing law

This DPA takes effect on the Effective Date and continues until ServeGrace has ceased all Processing of Customer Personal Data. This DPA is governed by the governing-law provisions of the Agreement, except where Applicable Data Protection Laws require otherwise. Except as amended by this DPA, the Agreement remains in full force and effect.

Annex I — Details of Processing

Item Description
Subject matter Provision of ServeGrace AI-assisted and human customer-support Services to Customer.
Duration For the term of the Agreement plus any post-termination export and deletion periods.
Nature and purpose Hosting, storage, transmission, analysis, and AI-assisted Processing of Customer Data to deliver, secure, support, and improve the Services.
Types of Personal Data Identifiers and contact details (name, email, phone), conversation and message content, support-ticket metadata, and any other Personal Data Customer or its end users choose to submit.
Categories of Data Subjects Customer’s end users and customers, Customer’s personnel and agents, and other individuals whose data Customer submits.
Special category data Not intended. Customer should not submit special-category or sensitive Personal Data — including biometric identifiers or information, or “consumer health data” (for example, data subject to the Illinois BIPA, Texas CUBI, or Washington My Health My Data Act) — through the Services unless expressly agreed in writing; such data is Processed, if at all, only on that basis.
Frequency of transfer Continuous, for the duration of the Agreement.

Annex II — Technical and Organizational Security Measures

ServeGrace maintains a security program that includes, as appropriate to the Services and risk:

  • Encryption of Customer Data in transit (TLS) and at rest;

  • Access controls, role-based permissions, and authentication for systems that Process Customer Personal Data;

  • Network and application security controls and segregation of production environments;

  • Logging, monitoring, and alerting for security events;

  • Regular patching and vulnerability management of systems under ServeGrace’s control;

  • Secure software-development practices and change management;

  • Use of reputable cloud and infrastructure providers with their own security certifications;

  • Personnel confidentiality obligations and security awareness; and

  • Backup and recovery processes and an incident-response process.

Customer is responsible for security measures within its control, including credential hygiene, access management for its users, and its configuration of the Services.

Annex III — Sub-processors

ServeGrace engages the following Sub-processors to Process Customer Personal Data. This list may be updated from time to time on notice as described in Section 7.

Sub-processor Purpose Primary location
Anthropic, PBC AI / large language model processing powering the Grace assistant United States
OpenAI OpCo, LLC Text-embedding generation for knowledge-base search and retrieval United States
Amazon Web Services, Inc. Cloud storage of uploaded files and recordings (Amazon S3) United States
Stripe, LLC Payment processing and billing United States
Twilio Inc. SMS, WhatsApp, and related messaging delivery United States
Railway Corporation Application hosting and infrastructure United States
Clerk, Inc. Authentication and user identity management United States
Resend (Plus Five Five, Inc.) Transactional and notification email delivery United States
Functional Software, Inc. (d/b/a Sentry) Application error and performance monitoring United States

Contact

For data-protection inquiries: Pure Grace AI, LLC — legal@servegrace.com.

Scroll to Top