Service Bureau Agreement Template for England and Wales

What is a Service Bureau Agreement?

A service bureau agreement governs the outsourcing of processing, data-handling, or document-management services to a specialist bureau. In England and Wales, the Supply of Goods and Services Act 1982 implies baseline performance standards, and UK GDPR mandates written data processing terms where personal data is handled. The agreement defines service levels, liability, data protection, security, subcontracting rights, and business continuity obligations.

Frequently Asked Questions

What is a service bureau agreement and what services does it typically cover?

A service bureau agreement governs the provision of outsourced processing or data-handling services by a specialised bureau on behalf of client businesses. Typical services include payroll processing, document management, data entry, print and mail fulfilment, and accounting bureau functions. The agreement covers service scope, processing timescales, data handling obligations, and fees.

What data protection obligations arise under a service bureau agreement?

Where the bureau processes personal data on the client's instructions, it acts as a data processor under UK GDPR and the Data Protection Act 2018. The agreement must include mandatory data processing clauses covering purpose limitation, security measures, sub-processor authorisation, data breach notification, and return or deletion of data at contract end. Omitting these clauses is a regulatory breach.

How should service levels be defined in a service bureau agreement?

The agreement should include a service level schedule with measurable targets such as processing turnaround times, error rates, system availability percentages, and response times for corrections. It should specify service credits or other remedies for breaches of service levels, and a process for raising and escalating performance issues. Vague quality descriptions invite disputes.

Who is liable if the bureau makes an error that causes financial loss to the client?

The bureau is liable for losses caused by its failure to meet the standard of reasonable care and skill implied by the Supply of Goods and Services Act 1982. Many bureau agreements cap liability at a multiple of the fees paid in a given period. Clients should assess whether the cap is adequate for the scale of potential losses and consider requiring professional indemnity insurance from the bureau.

Can a service bureau subcontract work to third parties?

Subcontracting is permissible if the agreement allows it, but the bureau remains primarily liable to the client for the subcontractor's performance. For data processing subcontracting, UK GDPR requires the client's (data controller's) prior specific or general authorisation. The bureau should flow down all relevant obligations to any sub-processors it appoints.

What security obligations should a service bureau agreement impose?

The agreement should require the bureau to maintain appropriate technical and organisational measures to protect client data and systems, including encryption, access controls, regular security testing, and incident response procedures. These obligations align with Article 32 of UK GDPR for personal data and reflect best practice for all sensitive client information regardless of whether it constitutes personal data.

How are intellectual property rights handled in a service bureau agreement?

Data, reports, and outputs generated from the client's data typically remain the client's property. Bureau-proprietary processing software and methodologies remain the bureau's property. The agreement should grant the client a licence to use any bureau tools embedded in the outputs, and should address what happens to the client's data on termination, including export formats and timescales.

What business continuity obligations should a service bureau agreement include?

Bureau services are often business-critical for the client. The agreement should require the bureau to maintain a tested business continuity plan, specify recovery time and recovery point objectives, and grant the client the right to audit continuity arrangements. Transition assistance obligations on termination, allowing the client to migrate to a new provider without disruption, are also essential.

Reviewed by

Legal Engineer, GenieAI

A lawyer, legal researcher and legal tech founder, Swetha has built AI products deployed inside Tier 1 firms and enterprises. She ensures GenieAI's alignment with the latest regulation and executes testing on the legal robustness of Genie output.

Reviewed by

Legal Engineer, GenieAI

A Skadden-trained M&A lawyer, Imad advised on cross-border transactions and contractual risk before moving into legal AI. He reviews GenieAI's output for compliance and enforceability across our 150+ supported jurisdictions, as well as facilitating external benchmarking.

Jurisdiction: England and Wales

Publisher: GenieAI

Sector: Business

Cost: Free to use

About the Service Bureau Agreement

A Service Bureau Agreement is a comprehensive contract that governs the relationship between your organization and an external service provider when outsourcing critical business functions or technical services. Under United States law, this agreement serves as the foundation for defining service expectations, performance standards, and legal obligations between parties engaged in outsourcing arrangements.

When do you need this document?

You need a Service Bureau Agreement when your organization plans to outsource data processing, IT services, customer support, payroll administration, or other business functions to a specialized provider. This is particularly critical in regulated industries such as healthcare, financial services, or telecommunications where federal compliance requirements apply. The agreement is essential when handling sensitive data, managing customer information, or when service disruptions could significantly impact your business operations. You also need this document when establishing long-term relationships with service providers who will have access to your systems, data, or proprietary information.

Key legal considerations

Service level agreements (SLAs) form the backbone of your contract, establishing measurable performance standards and remedies for non-compliance. Data security and privacy clauses are crucial, especially given federal requirements under laws like the Computer Fraud and Abuse Act and Electronic Communications Privacy Act. You must address intellectual property ownership, particularly for any developments or improvements created during service delivery. Liability limitations and indemnification provisions protect both parties from potential losses, while termination clauses ensure smooth transitions when ending the relationship. Confidentiality obligations protect your sensitive business information and trade secrets throughout the engagement.

Legal requirements in United States

Federal law imposes specific obligations depending on your industry and the nature of services provided. If your agreement involves financial data, Gramm-Leach-Bliley Act compliance is mandatory, requiring explicit data protection measures and customer notification procedures. Healthcare-related services must comply with HIPAA requirements for protected health information handling and breach notification. The Federal Trade Commission Act governs fair dealing and consumer protection aspects of service delivery. All agreements must address Computer Fraud and Abuse Act provisions when granting system access to service providers. Electronic Communications Privacy Act compliance is required when handling email, communications, or stored electronic data. Your agreement should include specific audit rights, compliance reporting requirements, and breach notification procedures to meet federal regulatory standards across applicable industries.

GOVERNING LAW

Applicable law

This Service Bureau Agreement is drafted to comply with England and Wales law. Key legislation includes:

Genie's Security Promise

Genie is the safest place to draft. Here's how we prioritise your privacy and security.

Your data is private:

We do not train on your data; Genie's AI improves independently

All data stored on Genie is private to your organisation

Your documents are protected:

Your documents are protected by ultra-secure 256-bit encryption

We are ISO27001 certified, so your data is secure

Organizational security:

You retain IP ownership of your documents and their information

You have full control over your data and who gets to see it