Skip to content

Data Processing Addendum

Last updated: 15 October 2025

This Data Processing Addendum (“DPA”) is incorporated into and forms part of the Eloquent Terms of Service(“TOS”). By using the Services after the Effective Date (or by executing an Order that references the TOS), Customeragrees to this DPA. If Customer needs a countersigned copy, see Section 14.6.

Parties.Processor” means Savvy.codes B.V. operating the Eloquent platform. “Controller” means the Customer identified in the TOS/Order that submits Personal Data to the Services.

Documents Incorporated by Reference:

1. Purpose & Scope

Processor will Process Personal Data on behalf of Controller to provide the Eloquent Services as described in the TOS. This DPA applies to such Processing under EU/EEA GDPR, UK GDPR, and similar laws.

2. Roles & Instructions

(a) Controller determines purposes and means of Processing.
(b) Processor Processes Personal Data only on documented instructions from Controller: this DPA, the TOS, and Controller’s configurations/usage of the Services.
(c) If an instruction is unlawful or infeasible, Processor will notify Controller (no duty to provide legal advice).

3. Confidentiality & Access

Processor ensures personnel with access to Personal Data are bound by confidentiality and limited to least-privilege, need-to-know access.

4. Security Measures

Processor maintains appropriate technical and organizational measures (TOMs) aligned to its ISO/IEC 27001 ISMS, including access control, encryption in transit/at rest, vulnerability and incident management, logging/monitoring, backup/restore, and business continuity. A summary is in Annex B. Processor may update TOMs without reducing overall protection.

5. Sub-processors

(a) Controller authorizes Processor to use Sub-processors to deliver the Services (e.g., hosting/IaaS, email, logging, AI model providers, vector/RAG infra).
(b) Processor imposes data-protection terms on Sub-processors no less protective than this DPA and remains responsible for their performance.
(c) Sub-processor list & updates. Current categories/roster: Annex C (or the URL provided therein). Processor will provide notice of material changes (email or in-product). Controller may object on reasonable privacy grounds within 10 days; if unresolved, Controller may terminate the affected Service (pro-rata refund of prepaid, unused fees for the terminated portion only).

6. International Transfers

For transfers from the EEA/UK to third countries without adequacy:

  • EU SCCs (Module 2: C→P) and, where applicable, the UK Addendum are incorporated by reference (see Annex D for details/selection).

  • Processor will ensure appropriate safeguards for any Sub-processor outside the EEA/UK.

7. Assistance

Taking into account the nature of Processing, Processor will assist Controller with:
(a) Data Subject Requests (access/erasure/etc.), via in-product tools or reasonable support;
(b) Security & DPIA support, including security information and responses to reasonable questionnaires.

8. Personal Data Breach

Processor will notify Controller without undue delay (aiming for 48 hours) after becoming aware of a Personal Data Breach affecting Controller Data, sharing details then known and updates as reasonably available, and will cooperate on mitigation and any notifications.

9. Data Use; Aggregation

Processor Processes Personal Data solely to provide the Services, per Controller’s instructions. Processor may Process Anonymized/Aggregated Data (not reasonably capable of identifying a person) for security, analytics, and service improvement, provided it does not identify Controller or Data Subjects.

10. Controller Responsibilities

Controller: (i) has all necessary notices/legal bases; (ii) submits only data that is lawful and appropriate; (iii) configures access/roles; (iv) avoids Special Categories/children’s data unless expressly agreed in writing with additional safeguards.

11. Return & Deletion

At termination/expiry, Controller may export data. Processor will delete or return Personal Data at Controller’s choice, unless retention is required by law or for standard backup cycles (during which protections in this DPA continue to apply).

12. Audits & Information

Upon written request, Processor will provide security/privacy documentation (e.g., ISO 27001 certificate, pen-test summaries, TOMs summary). If such materials reasonably fail to demonstrate compliance, Controller may conduct (no more than annually) a targeted audit during business hours, subject to confidentiality and minimal disruption.

13. Liability; Precedence

Liability limits and exclusions in the TOS apply to this DPA. If there is conflict, SCCs (if applicable) prevail over this DPA, which prevails over the TOS solely on data-protection matters.

14. General

14.1 Governing law/jurisdiction: as per the TOS; absent that, Dutch law and the competent courts of the Netherlands.
14.2 Changes: Processor may update this standard DPA to reflect legal/operational changes; material changes will be notified in advance. Continued use after the effective date constitutes acceptance.
14.3 Order of documents: SCCs (if applicable) → this DPA → TOS.
14.4 Severability: If any provision is invalid, the remainder remains effective.
14.5 Entire agreement (privacy): This DPA and the SCCs (if any) are the Parties’ entire agreement on data processing for the Services.
14.6 Countersigned copy (optional): If Controller needs a signed PDF, Processor will provide a countersigned version of this standard DPA upon request (terms unchanged).

Annex A — Description of Processing

Subject matter & duration. Processing of Personal Data to provide Eloquent under the TOS, for the subscription term plus lawful retention/backups.
Nature & purpose. Hosting, storage, retrieval, transmission, AI inference (prompt/response handling), RAG, logging/monitoring, support, and integrations via API/webhooks.
Categories of Data Subjects. Controller’s authorized users, customers/clients, and other individuals whose data Controller submits.
Categories of Personal Data. Identifiers (name, email), account/profile data, conversation content/metadata, knowledge-base content supplied by Controller, usage logs, and integration payloads.
Special Categories. Not intended; only with prior written agreement and additional safeguards.
Transfers. As described in Section 6 and Annex D.

Annex B — Security Measures (Summary)

Processor maintains an ISO/IEC 27001-aligned ISMS, including: governance & risk management; role-based access and MFA; encryption in transit and at rest; vulnerability management and pen-testing; secure SDLC and change control; network segmentation and monitoring; logging/alerting; incident response and breach notification; backup/restore and DR; personnel screening/training; and periodic independent audits/certification. Processor may enhance/modify controls without reducing overall protection.

Annex C — Sub-processors

Categories: EU hosting/IaaS; email delivery/inbound; observability/logging; AI model providers and vector/RAG infrastructure; ticketing/support tooling.
Live list & updates: [Insert URL to public sub-processor page or help center]. Material changes will be notified per Section 5(c).

Annex D — International Transfers

EEA→Non-EEA. The Parties incorporate the EU Standard Contractual Clauses (Controller→Processor, Module 2)by reference.

  • Annex I(A–C): satisfied by Annex A.
  • Annex II: satisfied by Annex B.
  • Annex III: satisfied by Annex C (where used).
    Clause 17 law/forum: Netherlands/Ireland law & courts (choose one and state here).
    UK transfers. The UK Addendum to the EU SCCs is incorporated by reference for UK GDPR transfers (select the same annex mapping).

Annex E — Service-Specific Disclosures

  • Data residency: Primary hosting in the EU (Netherlands). Certain Sub-processors or model endpoints may operate globally subject to safeguards.
  • Model providers: If Controller enables third-party models, prompt/content may be transmitted to those providers solely to deliver the Service (with privacy-protective settings where available).
  • Retention: Conversation and knowledge-base data are retained per Controller configuration and standard backup policies; deletion/export available via the product or support.
  • Policies: Further details in the Privacy Policy and TOS (see links above).