vaivatta.

Data Processing Agreement (DPA)

Last updated: January 2026

This Data Processing Agreement (DPA) supplements our Terms of Service and describes how we process personal data on your behalf in accordance with Article 28 of the EU General Data Protection Regulation (GDPR).

In Short

  • You are the data controller, we are the data processor
  • We only process data according to your instructions
  • Data stays in Finland/EU
  • Our subprocessors are listed below

1. Parties

This agreement is made between:

Data Controller ("Customer")

You or your company using the vaivatta. service

Data Processor

Innovategy Oy
Y-tunnus / Business ID: 3281265-2
PL 10, 15101 Lahti, Finland

2. Subject Matter and Purpose

We process personal data for the following purpose:

Hosting and managing open-source business software on the vaivatta. platform on behalf of the customer.

3. Types of Data Processed

We process the following personal data on your behalf:

  • Basic data: Names, email addresses, phone numbers
  • Business data: Company name, business ID, address
  • Usage data: Login data, service usage information
  • Content data: Data you store in deployed applications

Note: We do not process special categories of personal data (sensitive data) without a separate agreement.

4. Data Subjects

Data processing may involve the following categories of data subjects:

  • Customer's employees and contacts
  • Customer's customers and end users
  • Other individuals whose data the customer stores in the service

5. Processor Obligations

We (Innovategy Oy) commit to:

  • Processing personal data only according to your documented instructions
  • Ensuring that our personnel are committed to confidentiality
  • Implementing appropriate technical and organizational security measures
  • Engaging subprocessors only with your consent
  • Assisting with data subject rights requests
  • Notifying you of data breaches without undue delay
  • Deleting or returning data upon termination of the agreement
  • Providing information necessary to demonstrate compliance

6. Subprocessors

We use the following subprocessors for personal data processing:

| Subprocessor | Purpose | Location | Safeguard |
|---|---|---|---|
| Hetzner Online GmbH | Server infrastructure, data storage | Finland, Germany | EU |
| Stripe, Inc. | Payment processing | Ireland (EU) | EU |
| Twilio Inc. (SendGrid) | Email delivery | EU | SCCs |
| Fathom Analytics | Website analytics | EU | EU |

SCCs = EU Standard Contractual Clauses. We will notify you of changes to the subprocessor list at least 14 days in advance.

7. Data Transfers

Your personal data is primarily stored in Finland (Tuusula). Data is not transferred outside the EU/EEA without appropriate safeguards.

If transfer outside the EU/EEA is necessary (e.g., via a subprocessor), we ensure the transfer's legality through EU Standard Contractual Clauses (SCCs) or other GDPR-compliant safeguards.

8. Security Measures

We implement the following technical and organizational security measures:

  • Encryption in transit (TLS 1.3)
  • Encryption at rest
  • Access control and two-factor authentication
  • Regular security updates
  • Logging and monitoring
  • Backups (Business tier)

For more details about our security measures, see our Security page.

9. Data Breach Notification

If we detect a personal data breach, we will notify you without undue delay, no later than 48 hours after becoming aware of the breach. The notification will include:

  • Description of the breach
  • Nature of the data involved
  • Likely consequences
  • Measures taken or proposed

10. Audit Rights

You have the right to verify our compliance with this agreement. Audits are conducted:

  • With reasonable advance notice (at least 30 days)
  • During normal business hours
  • No more than once per year (unless a breach requires otherwise)

Alternatively, we can provide you with a summary of our security measures and compliance status.

11. Duration and Termination

This DPA is effective for as long as you use the vaivatta. service. Upon termination:

  • You may request data export before service termination
  • We will delete personal data within 30 days of termination
  • Backups are deleted within 90 days
  • We may retain data if required by law (e.g., accounting)

12. Accepting This Agreement

This DPA takes effect automatically when you accept our Terms of Service and start using the vaivatta. service.

If you need a signed version for your records or company requirements, contact:

Email: [email protected]

We will send a signed DPA in PDF format upon request.

Questions?

For questions about this DPA and data protection, contact:

Data Protection: [email protected]

Legal: [email protected]

This Data Processing Agreement complies with the requirements of Article 28 of the EU General Data Protection Regulation (GDPR) and follows the EU model contract for data processing.


© 2026 vaivatta. digital services. All rights reserved.