DATA PROCESSING AGREEMENT
This Data Processing Agreement (“DPA”) forms part of and supplements the Terms of Service concerning Commslayer (the “Service”) and the agreement between Actuals Oy (Business ID 3369432-8), a company incorporated and existing under the laws of Finland (“Processor”, “Company”, “we”, “us”), and the customer identified in the applicable order form, subscription form, or similar document (“Controller”, “Customer”, “you”) (together, the “Agreement”).
Terms defined in the Agreement have the same meaning when used in this DPA unless otherwise expressly stated. Capitalised terms not otherwise defined in this DPA shall have the meanings given to them in the General Data Protection Regulation (EU) 2016/679 (“GDPR”). References to a “Member State” mean a Member State of the European Union.
1. Purpose and Scope
This DPA governs the processing of Personal Data by the Processor on behalf of the Controller in connection with the provision of the Service and sets out the Parties’ respective obligations under the GDPR. In the event of any conflict between this DPA and the Agreement concerning the processing of personal data, this DPA shall prevail to the extent of such conflict.
The Processor shall process Personal Data solely on the documented instructions of the Controller and only for the purposes, duration, and to the extent necessary for performing the Service and fulfilling its obligations under the Agreement.
The Processor shall comply with all applicable data-protection legislation, including the GDPR and the Finnish Data Protection Act (1050/2018), and shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
The details of the processing operations, including subject matter, duration, nature, purposes, categories of data, and Data Subjects, are set out in Annex 1 (Details of Processing), which forms an integral part of this DPA.
2. Roles of the Parties
The Controller determines the purposes and means of the processing of Personal Data.
The Processor processes Personal Data solely on behalf of the Controller and in accordance with this DPA, the Agreement, and the Controller’s documented instructions, for the purposes of providing, maintaining, and improving the Service.
The Processor shall not determine the purposes or means of the processing, combine Personal Data with its own data, or process Personal Data for its own purposes or for any purpose other than those expressly authorised by the Controller.
3. Categories of Data and Data Subjects
The categories of Personal Data processed depend on the Service configuration and may include: (a) identification and contact details (e.g., name, email address, role, organisation, and account information); (b) communication data (e.g., messages, chat transcripts, and correspondence); (c) transactional or order-related data (e.g., order history, fulfilment, refunds, or customer interactions); and (d) technical or log data linked to user accounts (e.g., access times, activity logs, IP addresses, and browser metadata).
Data Subjects may include the Controller’s employees, customers, end-users, or other individuals whose Personal Data are transmitted through, processed within, or stored in the Service.
4. Processor’s Obligations
The Processor shall: (a) process Personal Data only on the documented instructions of the Controller, including with respect to international transfers, unless required to do so by Union or Member State law; (b) ensure that all persons authorised to process Personal Data are subject to confidentiality obligations, whether statutory or contractual; (c) implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as required under the GDPR; (d) assist the Controller, insofar as reasonably possible, in fulfilling its obligations to respond to requests for the exercise of Data Subjects’ rights under the GDPR; (e) assist the Controller in ensuring compliance with its obligations under the GDPR, including with respect to security, breach notification, data-protection impact assessments, and prior consultations with supervisory authorities; (f) upon termination or expiry of the Agreement, delete or return all Personal Data at the Controller’s written request, except where retention is required by applicable law, in which case the Processor shall ensure continued confidentiality and restrict further processing to the minimum necessary; and (g) make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to reasonable audits as set out in Section 8.
5. Controller’s Obligations
The Controller shall ensure that: (a) all Personal Data provided to the Processor have been collected and processed in compliance with applicable data-protection legislation and that processing by the Processor has a valid legal basis under the GDPR; (b) Data Subjects have been informed of the processing in accordance with the GDPR, including the engagement of the Processor as a data processor; and (c) all instructions issued to the Processor are lawful, documented, and consistent with the Agreement and this DPA.
6. Security Measures
The Processor shall implement and maintain documented technical and organisational measures designed to protect Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, alteration, or damage. Such measures shall ensure a level of security appropriate to the risk, taking into account the state of the art, implementation costs, the nature, scope, context, and purposes of processing, and the varying likelihood and severity of risks to the rights and freedoms of natural persons.
At a minimum, these measures include: (a) access control and authentication mechanisms; (b) encryption of Personal Data in transit and at rest; (c) system logging, monitoring, and auditing; (d) incident detection and response procedures; and (e) regular vulnerability assessments and staff confidentiality and security training.
Details of the Processor’s current security measures shall be made available to the Controller upon reasonable request, subject to confidentiality restrictions necessary to protect the integrity of those measures.
7. Sub-processing
The Controller authorises the Processor to engage its Affiliates and other third-party sub-processors to process Personal Data for the performance of the Service, subject to the following conditions: (a) each sub-processor shall be bound by a written contract imposing data-protection obligations no less protective than those set out in this DPA and required by the GDPR; (b) the Processor shall remain fully liable to the Controller for the performance of each sub-processor’s obligations as for its own; and (c) the Processor shall maintain an up-to-date list of authorised sub-processors, set out in Annex 2 to this DPA.
The Processor shall notify the Controller in advance of any intended addition or replacement of sub-processors. The Controller may object to any such change on reasonable and documented grounds relating to data protection. If the Controller objects, the Parties shall discuss in good faith to resolve the objection. If no resolution is reached within thirty (30) days, either Party may terminate the affected processing activities without liability.
8. Audit and Compliance
Upon written request, and no more than once in any twelve (12)-month period, the Controller may audit the Processor’s compliance with this DPA. Audits shall be conducted by the Controller or by an independent third party mutually agreed upon by the Parties, bound by confidentiality obligations, and acting at the Controller’s sole cost. Such audit rights are provided to enable the Controller to verify the Processor’s compliance with the GDPR.
The Processor may satisfy the audit requirement by providing current, independent third-party certifications, audit reports, or other documentation (including ISO/IEC 27001, SOC 2, or equivalent) that demonstrate the adequacy of its technical and organisational measures. Such documentation shall be deemed sufficient evidence of compliance unless a reasonable basis exists to believe that the controls are inadequate or the audit report is outdated.
Audits shall be conducted in a manner that minimises disruption to the Processor’s operations and shall not compromise the security or confidentiality of other customers’ data.
9. Data Breach Notification
The Processor shall notify the Controller without undue delay and, where feasible, within seventy-two (72) hours after becoming aware of a Personal Data Breach affecting Personal Data processed on behalf of the Controller.
The notification shall include all information reasonably available to the Processor to assist the Controller in meeting its obligations under the GDPR, including, to the extent known: (a) the nature of the breach, including the categories and approximate number of Data Subjects and Personal Data records affected; (b) the likely consequences of the breach; and (c) the measures taken or proposed to address and mitigate its possible adverse effects.
Where complete information cannot be provided at once, the Processor shall provide updates as further details become available. The Processor shall cooperate fully with the Controller and take all reasonable steps to mitigate the effects of the breach and prevent recurrence.
10. International Data Transfers
The Processor shall not transfer, or permit the transfer of, Personal Data outside the European Union (“EU”) or the European Economic Area (“EEA”) without the prior written authorisation of the Controller.
Where such transfer is authorised, the Processor shall ensure that the transfer is carried out in full compliance with the GDPR, including implementation of one of the following mechanisms: (a) an adequacy decision by the European Commission; (b) appropriate safeguards pursuant to the GDPR, such as the Standard Contractual Clauses (“SCCs”) adopted or approved by the European Commission; or (c) another lawful transfer mechanism recognised under the GDPR.
Where transfers rely on SCCs or other contractual safeguards, the Processor shall make the executed safeguards available to the Controller upon request and shall ensure that any sub-processor engaged in such transfer provides equivalent protection.
The Processor shall notify the Controller in advance of any intended transfer of Personal Data to a country outside the EU/EEA and shall not proceed without the Controller’s documented approval, except where such transfer is required by EU or Member State law.
Where SCCs are used, the Parties agree that the Controller acts as data exporter and the Processor (and, where applicable, its sub-processors) as data importer. The Parties shall execute such clauses as required under the GDPR and ensure their incorporation by reference into this DPA.
11. Liability
The Parties’ respective liabilities arising out of or in connection with this DPA, whether in contract, tort, or otherwise, shall be subject to the limitations and exclusions of liability set out in the Agreement. Nothing in this DPA shall exclude or limit either Party’s liability to the extent that such limitation or exclusion is prohibited under applicable mandatory law, including liability for breach of obligations under the GDPR.
12. Term and Termination
This DPA enters into force on the effective date of the Agreement and shall remain in effect for as long as the Processor processes Personal Data on behalf of the Controller.
Upon termination or expiry of the Agreement, or upon the Controller’s written request, the Processor shall delete or return all Personal Data in accordance with this DPA. Where applicable law requires continued retention, the Processor shall ensure the continued confidentiality of such data and shall process it only to the extent and for the duration required by that law.
13. Governing Law and Dispute Resolution
This DPA shall be governed by and construed in accordance with the laws of Finland, excluding its choice-of-law principles.
Any dispute, controversy, or claim arising out of or in connection with this DPA shall be resolved in accordance with the Governing Law and Dispute Resolution provisions set out in the Agreement.
Annex 1 (Details of Processing)
Subject Matter
Processing of Personal Data for the provision, operation, maintenance, and improvement of the Service application and related services.
Duration
For the duration of the Agreement and any additional period during which the Processor retains Personal Data in accordance with the Agreement or applicable law.
Nature and Purpose of Processing
Processing operations include collection, storage, organisation, consultation, transmission, analysis, hosting, display, and other operations necessary for providing, maintaining, securing, and improving the Service, as well as providing customer support and automation functions.
Types of Personal Data
As described in Section 3 of this DPA, including identification data, contact data, communication records, transactional or order-related data, and log or usage data linked to user accounts.
Categories of Data Subjects
As described in Section 3 of this DPA, including the Controller’s employees, customers, end-users, or other individuals whose Personal Data are transmitted through or stored in the Service.
Processing Location
Processing is primarily carried out within the European Union (EU) and the European Economic Area (EEA). Transfers outside the EU/EEA may occur only in accordance with Section 10 of this DPA, subject to appropriate safeguards such as the Standard Contractual Clauses (SCCs).
Annex 2 (Sub-processors)
This annex lists all sub-processors authorised by Actuals Oy (Commslayer) to process Personal Data on behalf of the Controller. The Controller authorises the engagement of these sub-processors, subject to the conditions set out in Section 7 of the Data Processing Agreement. Changes to this list will be communicated to the Controller at least thirty (30) days in advance via email, during which time the Controller may object on reasonable data-protection grounds.