Skip to content
ACTServ Technology Ltd
Legal
Data Processing

ACTServ GRC Data Processing Agreement

GDPR processor terms for Customer Data processed through the ACTServ GRC Platform.

Version 1.0Approved as of 01 January 2026Contractual document

Scope and roles

This Data Processing Agreement forms part of the MSA. Customer is Controller and ACTServ is Processor for personal data contained in Customer Data, except where Customer acts as Processor, in which case ACTServ is Subprocessor. ACTServ is an independent Controller for its own account, billing, security and business-administration data.

Processing details

ItemDescription
Subject matterProvision, support, security and operation of the ACTServ GRC Platform and subscribed integrations.
DurationSubscription Term plus the export and deletion period.
Nature and purposeHosting, organisation, retrieval, display, transmission, backup, support, security, integration synchronisation and deletion for GRC purposes.
Data subjectsCustomer personnel, users, control owners, vendor contacts, auditors, advisers, external evidence contributors and other persons represented in Customer Data.
Personal dataNames, business contact details, identifiers, roles, departments, assignments, authentication metadata, audit activity, integration inventory and evidence content selected by Customer.
Sensitive dataNot intended unless strictly necessary and expressly authorised. Customer must minimise uploads.

Instructions and confidentiality

ACTServ will process personal data only on documented Customer instructions, including this Data Processing Agreement, the MSA, Order Form and Customer’s use of Platform functionality, unless law requires otherwise. Where a legal requirement prevents ACTServ from following an instruction, ACTServ will inform Customer before processing unless prohibited by law. ACTServ will inform Customer without undue delay if, in its opinion, an instruction infringes the GDPR or other applicable data-protection law.

Persons authorised to process personal data are bound by confidentiality and receive access only on a need-to-know basis.

Security

ACTServ will maintain appropriate technical and organisational measures, including access control, mandatory MFA for registered users, tenant-aware authorisation, encryption of integration credentials, logging, secure development practices, daily backups with seven-day retention, incident response and controlled personnel access.

Subprocessors

Customer gives general authorisation for the subprocessors listed in the Subprocessor Schedule. ACTServ will impose materially equivalent data-protection obligations and remains responsible for its processor obligations.

ACTServ will provide 30 days’ notice of a material new or replacement subprocessor where practicable. Customer may object within 15 days on substantiated data-protection grounds. The Parties will seek mitigation; where unavailable, Customer may terminate the affected Service.

International transfers

Production Customer Data is intended to be hosted in the European Union as stated in the Subprocessor Schedule. Where a lawful ancillary transfer outside the EEA occurs, ACTServ will ensure an applicable transfer mechanism is in place — including the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) or an adequacy decision — together with supplementary measures where required.

If ACTServ receives a request from a public authority for access to Customer personal data, ACTServ will, unless legally prohibited, redirect the authority to Customer or notify Customer before disclosure, will disclose only what is legally required and will not disclose personal data to public authorities voluntarily.

Data-subject requests

Taking into account the nature of processing, ACTServ will provide reasonable assistance through Platform functionality or support to enable Customer to respond to data-subject requests. ACTServ will not independently respond except on Customer instruction or where required by law.

Personal Data Breaches

ACTServ will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Data and will provide available information reasonably required for Customer’s notification and assessment duties. Notification is not an admission of fault, and these obligations do not apply to the extent a Personal Data Breach results from Customer’s own actions or omissions.

DPIAs and prior consultations

ACTServ will provide reasonable information and assistance for DPIAs and prior consultations concerning the Services, taking account of available information and the nature of processing. Extensive bespoke assistance may be chargeable unless caused by ACTServ’s breach.

Return and deletion

At Customer’s choice, personal data is returned through the Platform’s self-service export functionality — available during the Subscription Term and for 30 days afterwards — or deleted. If Customer requests return in another manner, ACTServ may provide a copy of available Customer Data in a standard machine-readable format as a chargeable service. After the export window, ACTServ may delete active Customer Data, subject to law and backup cycles. Backup copies expire through the normal retention cycle.

Audit

ACTServ will make available information reasonably necessary to demonstrate compliance, including relevant certifications, policies, questionnaires and independent reports where available. Where such materials are insufficient under applicable data-protection law, Customer may conduct an audit subject to reasonable prior written notice, no more than once per calendar year (except following a Personal Data Breach affecting Customer or where required by a supervisory authority), during Business Hours, without unreasonable disruption, restricted to information relevant to Customer, and subject to confidentiality and security controls. Customer bears the costs of such audits, including reasonable reimbursement of ACTServ time expended. Mandatory regulatory rights are not restricted.

Liability

Liability under this Data Processing Agreement is subject to the MSA, except to the extent applicable law prohibits limitation.