Data Processing Addendum
Forms part of the Master Services Agreement when Servd processes personal data on a customer's behalf. Available for execution upon request — request the latest executable PDF from legal@servdlegal.ai.
Last reviewed: 2026-05-20
Editorial owner: Legal
Draft — pending counsel review
This page is published in good faith and reflects our intended practices, but the final binding version is in legal review. Customers signing an MSA should request the latest executed copy from legal@servdlegal.ai.
1. Definitions
“Customer Personal Data” means personal data that Servd processes on Customer's instructions through the Servd platform. “Applicable Data Protection Law” means GDPR, UK GDPR, the CCPA / CPRA, and other comparable laws. Other capitalized terms have the meanings given in the MSA and applicable data-protection law.
2. Roles
Customer is the controller (or business under CCPA). Servd is the processor (or service provider under CCPA). Servd processes Customer Personal Data only on documented instructions from Customer, primarily expressed through Customer's use of the platform.
3. Purpose limitation + no model training
Servd processes Customer Personal Data solely to provide the platform, including: intake, dispatch, payment, payout, affidavit drafting, document parsing, and customer support. Servd does not use Customer Personal Data to train foundation models. Prompts and outputs may be logged in redacted form for security, debugging, and audit purposes only; the redaction pipeline strips SSNs, full bank numbers, full payment-card numbers, and direct case-party identifiers before logs leave Servd's control.
4. Subprocessors
Servd uses the subprocessors listed at servdlegal.ai/subprocessors. Customer authorizes Servd to engage those subprocessors. Servd will provide at least 30 days' advance notice before adding a new subprocessor; Customer may object on reasonable data-protection grounds, in which case the parties will work in good faith to address the concern or terminate the affected service.
5. Confidentiality
Servd ensures that personnel authorized to process Customer Personal Data are bound by written confidentiality obligations.
6. Security measures
Servd maintains the technical and organizational measures summarized in our public Security overview, including:
- TLS 1.2+ in transit; vendor-managed AES-256 encryption at rest.
- Postgres Row-Level Security for tenant isolation.
- Least-privilege access; servd-admin / servd-superadmin actions are audit-logged with a 7-year retention floor.
- Quarterly access review; quarterly key rotation.
- Sentry session replay with all input text + media masked by default. PostHog with autocapture PII redacted.
- Vendor-managed cloud (Vercel, Neon, Cloudflare R2), each providing SOC 2 Type II assurance.
7. Personal-data breach notification
Servd will notify Customer of a personal-data breach affecting Customer Personal Data without undue delay, and in any event within 72 hours of becoming aware, providing information that is reasonably available about scope, impact, remediation steps, and Servd's point of contact.
8. International transfers
Where Customer Personal Data is transferred from the EEA, UK, or Switzerland to a third country lacking an adequacy decision, the parties agree to the EU Standard Contractual Clauses 2021/914 (Module Two, controller-to-processor), the UK addendum issued by the ICO, and the Swiss FDPIC's SCC variant, each incorporated by reference. Country-specific annex available on request.
9. Data-subject rights
Servd will, taking into account the nature of the processing, assist Customer in responding to data-subject requests by providing the technical means available in the platform (data export, deletion, correction). Customer is responsible for responding to data-subject requests addressed to Customer.
10. Audits
At Customer's reasonable request and no more than once per year (more often if required by law or after a personal-data breach), Servd will provide a summary of its controls and may make reasonable arrangements for an on-site audit subject to mutual NDA, reasonable advance notice, and shared cost. Servd will provide SOC 2 reports as they become available.
11. Deletion / return on termination
Within 30 days of MSA termination Servd will, at Customer's choice, return or delete Customer Personal Data, subject to legal retention obligations (audit logs are retained for 7 years as a regulatory floor — see retention policy).
12. Liability
Liability under this DPA is subject to the limitations of liability in the MSA, except as required otherwise by Applicable Data Protection Law.
13. Governing law
Governed by the law specified in the MSA; for EU / UK / Swiss processing, where mandatory, by the law of the data exporter's country.
14. Execution
This page describes the standard form of our DPA. An executable PDF with countersignature blocks is available from legal@servdlegal.ai. Customers on a paid MSA may request a redlined version.