This Data Processing Agreement ("DPA") supplements the Scrivio Terms of Service and forms part of the agreement between you ("Controller") and Serff Webdevelopment ("Processor"), KvK 51584263, Havenstraat 5a, 3441BH Woerden, Nederland. It applies whenever Processor processes personal data on behalf of Controller through the Service.
1. Definitions
Terms such as "personal data", "processing", "controller", "processor", "data subject", and "sub-processor" have the meanings given in art. 4 GDPR.
2. Subject matter, duration, and nature of processing
- Subject: processing personal data so Processor can deliver the Scrivio SaaS to Controller.
- Duration: for as long as Controller has an active subscription, plus the retention periods set in our Privacy Policy.
- Nature: storage, retrieval, analysis, and transmission of content and account data; LLM-based content generation; third-party integrations triggered by Controller.
- Purpose: providing and improving the Service within the scope of the main agreement.
3. Categories of data subjects and personal data
- Data subjects: Controller's users, team members, newsletter subscribers, and any individuals identifiable from content uploaded to the Service.
- Personal data: name, email, authentication credentials, IP address, usage logs, content metadata, OAuth tokens for connected services, and any personal data included in uploaded articles, briefs, or imports.
- Special categories: none — Controller must not upload special-category data (health, biometric, etc.) without a prior written agreement amending this DPA.
4. Obligations of the Processor
- Process personal data only on documented instructions from Controller, including instructions given through configuring and using the Service.
- Ensure persons authorized to process personal data are bound by confidentiality.
- Implement appropriate technical and organizational measures (Annex A).
- Assist Controller, insofar as possible, in responding to data-subject rights requests.
- Assist Controller with art. 32–36 obligations (security, breach notification, DPIAs).
- At the end of the agreement, at Controller's choice, delete or return all personal data and delete copies unless EU/Member State law requires retention.
- Make available all information necessary to demonstrate compliance with art. 28 GDPR, and allow audits, including inspections, conducted by Controller or an auditor mandated by Controller (reasonable notice, once per year, at Controller's cost).
5. Sub-processors
Controller grants general authorization for Processor to engage sub-processors. A current list is in our Privacy Policy (section 4). Processor will inform Controller of any intended changes and give Controller the opportunity to object within 14 days; objections can be resolved by good-faith discussion or, failing that, by termination with a pro-rata refund.
6. International transfers
Transfers outside the EEA are made under the EU-US Data Privacy Framework (where the recipient is certified) or under Standard Contractual Clauses (Module 3, Processor-to-Processor) as incorporated by reference.
7. Personal-data breaches
Processor notifies Controller without undue delay — and in any case within 72 hours of becoming aware — of any personal-data breach affecting Controller's data, with all information Controller needs for its own notification obligations.
8. Liability
Liability under this DPA is subject to the limitations in the main Terms of Service. Administrative fines under art. 83 GDPR are allocated between the parties based on their respective responsibility.
9. Order of precedence
In case of conflict, this DPA prevails over the Terms of Service with respect to the processing of personal data.
Annex A — Technical and organizational measures
- TLS 1.2+ for all data in transit; HSTS on production.
- AES-256 encryption at rest for databases and backups (cloud-provider managed keys).
- Bcrypt hashing of passwords; encryption of third-party OAuth tokens with a dedicated application key.
- Role-based access to production; 2FA required for staff accounts.
- Production access logged; changes via code review and version control only.
- Daily encrypted backups; 30-day retention; quarterly restore tests.
- Vulnerability scanning of dependencies; production error monitoring via a third-party processor bound by a DPA.
- Rate limiting and bot detection on authentication and sensitive endpoints.
- Incident response runbook with defined roles and escalation to the DPO.
- Onboarding and annual security training for all staff with production access.
Signature
To obtain a counter-signed copy of this DPA, email info@serff-webdevelopment.nl with your legal entity name, registered address, company number, and a signatory. We respond within 5 business days.