Data Processing Addendum

Last updated: 28 December 2025

We process Client data only on documented instructions and with appropriate security and safeguards.

Related documents: This Addendum forms part of the agreement between the parties and sits alongside the Terms and Conditions, Client Confidentiality Policy and Privacy Policy. In the event of any inconsistency relating to data protection, this Addendum shall prevail.

1. Definitions

“Applicable Data Protection Law” means UK GDPR, the Data Protection Act 2018, PECR, and binding guidance from competent authorities.

“Client” means the counterparty to the client’s contract or other written agreement with Savoire.
“Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing” have the meanings in UK GDPR.
“Services” means the services Savoire provides to the Client as described in the MSA or scope of work.
“Subprocessor” means another processor engaged by Savoire to process Personal Data for the Services.
“UK IDTA” means the UK International Data Transfer Addendum to the EU SCCs, as amended or replaced.

2. Role of the Parties

Controller–Processor: For Personal Data processed in delivering the Services, the Client is the Controller and Savoire is the Processor. For Savoire’s own business records (e.g., billing, client relationship management), Savoire is an independent Controller.

3. Subject Matter, Nature and Duration

Subject matter. Processing Personal Data as necessary to deliver executive assistance, business concierge, travel, events and lifestyle management Services.
Nature and purpose. Collection, storage, organisation, retrieval, transmission and other operations strictly to perform the Services and Client instructions.
Duration. For the term of the MSA (and any retention required by law), unless otherwise agreed.
Types of Personal Data. Contact details, identification data, travel and itinerary data, communications, scheduling information, transactional data, and other data provided by the Client or its Data Subjects.
Categories of Data Subjects. Client personnel (founders, executives, employees, contractors), Client customers, suppliers, private client household members and other individuals involved in the Services.

4. Client Instructions

Savoire shall process Personal Data only on documented instructions from the Client, including with respect to international transfers, unless required to do so by Applicable Data Protection Law, in which case Savoire shall notify the Client of that legal requirement unless prohibited by law.
The Client warrants that its instructions comply with Applicable Data Protection Law and that it has all necessary rights, consents and lawful bases to provide the Personal Data to Savoire for processing.
Where Savoire reasonably believes that an instruction infringes Applicable Data Protection Law, it shall promptly inform the Client and may suspend the relevant processing until the instruction is confirmed or amended.

5. Confidentiality

Savoire ensures that persons authorised to process Personal Data are bound by confidentiality obligations and receive appropriate privacy and security training.

6. Security

Savoire implements appropriate technical and organisational measures to ensure a level of security appropriate to risk, including (as applicable): access controls, least-privilege permissions, encryption in transit, secure configuration, activity logging, device and account hygiene, and regular reviews of third-party platform settings.
Further details: On request, Savoire will provide a summary of key controls relevant to the Services.

7. Personal Data Breach

Savoire shall notify the Client without undue delay after becoming aware of a Personal Data Breach affecting Personal Data processed for the Client, and provide information reasonably required for the Client to meet its notification obligations.

8. Assistance

Taking into account the nature of the processing, Savoire shall assist the Client by appropriate technical and organisational measures, insofar as reasonably possible, to respond to requests to exercise Data Subject rights and to meet the Client’s obligations under Articles 32–36 UK GDPR (including security, breach notification, DPIAs and regulatory consultation).
Where such assistance requires material additional work beyond the scope of the Services, Savoire may charge reasonable fees or agree a separate scope of work with the Client.

9. Subprocessors

The Client grants Savoire a general authorisation to engage Subprocessors in connection with the Services. Savoire shall ensure that any Subprocessor is subject to written data protection obligations no less protective than those set out in this Addendum and remains fully responsible for the Subprocessor’s performance.
The Client acknowledges that Subprocessors may change over time and that Savoire is not required to obtain specific approval for individual Subprocessors unless required by Applicable Data Protection Law.
Savoire currently uses, including but not limited to, the following platforms in providing the Services:
Provider | Purpose | Data location / transfer safeguards
Microsoft 365 (incl. SharePoint, Teams) | Email, files, collaboration, calendars, communications | Regional data centres; may involve international transfers with UK IDTA / UK-approved Standard Contractual Clauses / adequacy
Adobe | Document and media processing | As per Adobe regional hosting; appropriate transfer safeguards applied
Canva | Design asset creation and management | International transfers may occur; appropriate safeguards applied
Xero | Invoicing and accounting | As per Xero hosting; appropriate transfer safeguards applied
Trello | Project and task management | International transfers may occur; appropriate safeguards applied

10. International Transfers

Where Savoire or its Subprocessors transfer Personal Data outside the United Kingdom, Savoire shall ensure that such transfers are subject to a valid transfer mechanism under Applicable Data Protection Law, including an adequacy regulation, the UK International Data Transfer Addendum, or UK-approved Standard Contractual Clauses, as applicable. Savoire shall assess and document transfer risks where required and implement supplementary measures where necessary to ensure an essentially equivalent level of protection.

11. Data Return and Deletion

Upon termination or expiry of the Services, and at the Client’s written request, Savoire shall either return or securely delete Personal Data processed on behalf of the Client within a reasonable period following termination, taking into account the nature of the Services and any legal or regulatory retention obligations, unless retention is required by law or for legitimate business records (such as invoicing and compliance). Where deletion is not feasible, Savoire shall securely archive the Personal Data, protect it from further processing, and apply appropriate access restrictions.

12. Audit

On reasonable prior written notice, the Client may request information necessary to demonstrate Savoire’s compliance with this Addendum. Where an audit is required by Applicable Data Protection Law, such audit shall be limited to once per year, conducted during normal business hours, subject to confidentiality, and shall not unreasonably interfere with Savoire’s operations. The Client shall bear its own costs and, where applicable, Savoire’s reasonable costs incurred in connection with any audit.

13. Records of Processing

Savoire shall maintain records of processing activities carried out on behalf of the Client in accordance with Article 30(2) UK GDPR and shall make such records available to the Information Commissioner’s Office upon request.

14. Liability and Precedence

Each party’s aggregate liability arising out of or related to this Addendum is subject to the exclusions and limitations set out in the client’s contract. In the event of a conflict between this Addendum and the client’s contract, this Addendum shall prevail to the extent of the conflict on matters of data protection.

15. Miscellaneous

This Addendum is governed by the law and jurisdiction specified in the client’s contract (failing which, the laws of England and Wales and the courts of England and Wales). If any provision is held invalid, the remainder remains in effect. This Addendum may be updated to reflect changes in Applicable Data Protection Law.

16. Contact

For questions about this Addendum, please contact privacy@savoire.co.uk.

Appendix: Data Summary

Categories of Data Subjects: Client representatives and personnel (including founders, executives, employees, contractors); Client customers, suppliers and professional contacts; Private client household members and guests where relevant to the Services.
Types of Personal Data: Identity and contact data; scheduling and communications data; travel and event data; administrative and transactional data; any other data provided by the Client to enable the Services.
Processing Operations: Collection, storage, organisation, retrieval, consultation, disclosure by transmission; alignment, restriction, erasure and destruction as instructed by the Client.