Data Processing Agreement

Last updated: 25 April 2026

This data processing agreement (DPA) supplements our service terms and describes how we process personal data on your behalf in accordance with Article 28 of the EU General Data Protection Regulation (GDPR). It enters into force automatically when you start using the Vaivatta service.

1. Parties

Data controller ("Customer")

You or the company using the Vaivatta service under this agreement.

Data processor

Innovategy Oy (Business ID 3281265-2), PL 10, 15101 Lahti, Finland.

2. Subject and purpose

Vaivatta provides a human-concierge service for Finnish small businesses to manage their digital tools. We process personal data only to perform the service contract — onboarding and ongoing operation of tools, customer communication, monitoring, incident management, and billing.

3. Types of data processed

We process the following personal data on your behalf:

  • Contact basics: name, email, phone, role
  • Company data: name, business ID, address
  • Service usage data: sign-ins, usage log, user preferences
  • Concierge conversation contents: messages and attachments you send us
  • Managed-tool metadata: tool inventories, vendors, contract details

We don't process special categories of data (sensitive data) under GDPR without a separate written agreement.

4. Data subjects

Processing may concern the following groups of individuals:

  • Customer's employees and contact persons
  • Administrators of the tools the customer uses
  • Other individuals whose data the customer chooses to share via concierge conversations

5. Processor obligations

Innovategy Oy commits to:

  • Processing personal data only on your documented instructions
  • Ensuring our personnel are bound by confidentiality
  • Implementing appropriate technical and organisational safeguards (described on the Security page)
  • Engaging subprocessors only under the conditions listed below
  • Assisting you in responding to data-subject rights requests
  • Notifying you of personal-data breaches within 72 hours of detection
  • Deleting or returning personal data when the agreement ends
  • Providing reasonable information to demonstrate compliance

6. Subprocessors

We use the following subprocessors to process personal data. By using the service you accept this subprocessor list. We'll notify you of any changes at least 14 days in advance, and you have the right to object on reasonable grounds.

  Subprocessor                  | Purpose                           | Location                               | Safeguard
  ------------------------------|-----------------------------------|----------------------------------------|-----------
  Hetzner Online GmbH           | Server infrastructure and storage | Finland (Tuusula), Germany (backups)   | EU
  Stripe Payments Europe Ltd.   | Payment processing                | Ireland                                | EU
  Meta Platforms Ireland Ltd.   | WhatsApp Business messaging       | Ireland                                | EU
  Cloudflare, Inc. (R2)         | Media storage                     | EU region                              | EU + SCCs
  Twilio Sendgrid Ireland       | Outbound email                    | Ireland                                | EU

Mosparo (bot protection) and the per-customer Passbolt vault run on our own servers inside Hetzner and are not separate subprocessors. SCCs = EU Standard Contractual Clauses.

7. Data transfers

Your personal data is processed and stored primarily in Finland. Backups may live elsewhere within the EU. Data is not transferred outside the EU/EEA. If a transfer were to become necessary in the future, we would notify you in advance and ensure its lawfulness via EU Standard Contractual Clauses or another GDPR-recognised safeguard.

8. Technical and organisational measures

We apply the following safeguards, among others:

  • Encryption in transit (TLS 1.3) and at rest on disk
  • Access control on a least-privilege basis with two-factor authentication
  • Prompt installation of security updates and vulnerability scanning
  • Audit logging of significant events
  • Regular testing of recovery from backups

A full description is on the Security page.

9. Breach notification

If we detect a personal-data breach affecting your data, we'll notify you without undue delay, within 72 hours of detection at the latest. The notice will include:

  • A description of the breach and when it occurred
  • The nature of the affected data and data subjects
  • Likely consequences
  • Measures we've taken or intend to take
  • A contact for follow-up information

10. Audit rights

You have the right to verify that we comply with this agreement. Audits will be carried out:

  • With reasonable advance notice (at least 30 days)
  • During normal working hours and without disrupting the service
  • At most once per year, unless a security incident or regulatory requirement demands otherwise

Alternatively, on request we can provide a summary of our safeguards and most recent audits.

11. Duration and termination

This DPA remains in force as long as you use the Vaivatta service. When the agreement ends:

  • You may request an export of your data in machine-readable form before the service ends
  • We delete personal data in active use within 30 days of termination
  • Backup data is deleted within 90 days according to our recovery schedule
  • We may retain data if specifically required by law (e.g. accounting law)

12. Accepting this agreement

This DPA enters into force automatically when you accept Vaivatta's service terms and start using the service. It is part of your service package and does not require a separate signature.

If you need a signed version for your archives or internal requirements, please contact us — we'll send a PDF on request.

Questions?

For privacy and contract enquiries:

Privacy enquiries
[email protected]