Last updated: May 1, 2026 · Version 1.4
Data Processing Agreement (DPA)
For customers subject to GDPR, UK GDPR, or CCPA.
1. Definitions
"Personal Data", "Data Subject", "Data Controller", "Data Processor", "Processing", and other capitalized terms have the meanings given in Regulation (EU) 2016/679 ("GDPR").
2. Subject matter and roles
Customer is the Data Controller. ServiceHub Inc. is the Data Processor. ServiceHub processes Personal Data only on Customer's documented instructions, including those embodied in the Service Agreement and the operation of the Service itself.
3. Duration
This DPA is effective from the date Customer accepts the Service Agreement and remains in effect for as long as ServiceHub processes Personal Data on Customer's behalf.
4. Nature and purpose of processing
ServiceHub processes Personal Data for the purpose of providing the booking, scheduling, payments, analytics, and communications features of the Service. Specifically, Personal Data is used to: (a) authenticate users; (b) deliver booking confirmations and reminders; (c) compute pricing and commissions; (d) generate analytics reports; (e) provide customer support.
5. Types of Personal Data
- Identification: name, email, phone, business name
- Contact details: addresses (service and billing)
- Financial: invoices, payment method tokens (PANs never stored — handled by Stripe)
- Operational: bookings, service notes, photos uploaded by technicians
- Authentication: hashed passwords, IP addresses, session metadata
6. Categories of Data Subjects
- Customer's end customers (people booking services)
- Customer's employees, contractors, and staff
- Customer's administrators
7. Sub-processors
Customer authorizes ServiceHub to engage the sub-processors listed at servicehub.app/subprocessors. ServiceHub will give Customer at least 30 days' notice before engaging a new sub-processor. Customer may object during this period; if no resolution is found, Customer may terminate the affected portion of the Service for cause.
8. International transfers
For transfers of Personal Data from the EEA, UK, or Switzerland to countries without an adequacy decision, ServiceHub relies on the EU Standard Contractual Clauses (SCCs) 2021/914 and the UK Addendum. Customers may request executed copies.
9. Security measures
ServiceHub implements appropriate technical and organizational measures, including: row-level data isolation at the database layer; encryption at rest (AES-256) and in transit (TLS 1.3); SOC 2 Type II certification; access controls based on least-privilege; quarterly security reviews; annual third-party penetration tests; documented incident-response procedures.
10. Data subject requests
ServiceHub will assist Customer in fulfilling its obligations to respond to Data Subject Requests (access, deletion, portability, rectification) — typically by providing self-service tools in the Service. For requests requiring engineering work, ServiceHub will respond within 30 days.
11. Data breach notification
ServiceHub will notify Customer without undue delay (and in any event within 72 hours) of becoming aware of a Personal Data Breach affecting Customer's data. The notification will include the nature, scope, and likely consequences, plus the measures taken to address it.
12. Return or deletion
On termination, ServiceHub will, at Customer's choice, return or delete all Personal Data within 30 days. Customer can export data at any time via API or the dashboard. After 30 days from termination, data is permanently deleted from production systems and from backups within 90 days.
13. Audits
Customer may audit ServiceHub's compliance with this DPA once per year. ServiceHub will satisfy this obligation by providing its SOC 2 Type II report and responses to security questionnaires (SIG, CAIQ). On-site audits are available for Enterprise customers under reasonable scoping.
14. Contact
Data Protection Officer: privacy@servicehub.app · ServiceHub Inc., 1234 SW Morrison St, Floor 4, Portland, OR 97205, USA.