
Data Processing Agreement

Last updated June 29, 2025

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between you (“Customer” or “Controller”) and Supernomial Oy (“Supernomial” or “Processor”). This DPA governs the processing of personal data by Processor on behalf of Controller in connection with the t0 Service.

Capitalized terms used but not defined herein have the meanings set forth in Section 1.


1. Definitions

  • “Agreement” means the Terms of Service, including this DPA.
  • “Controller” means the entity that determines the purposes and means of the Processing of Personal Data.
  • “Processor” means the entity that Processes Personal Data on behalf of the Controller, namely Supernomial Oy.
  • “Personal Data” means any information relating to an identified or identifiable natural person.
  • “Processing” (and “Process”) means any operation performed on Personal Data, whether automated or not, including collection, storage, use, disclosure, or deletion.
  • “Sub-processor” means any third party appointed by Processor to Process Personal Data on behalf of Controller.
  • “Data Subject” means an identified or identifiable natural person whose Personal Data is Processed under this DPA.

2. Roles & Responsibilities

  • 2.1 Controller Obligations. Controller shall:

    • Obtain all necessary consents and notices for the Processing of Personal Data.
    • Provide Processor with accurate instructions regarding the Processing.
    • Maintain a record of Processing activities as required by applicable law.
  • 2.2 Processor Obligations. Processor shall:

    • Process Personal Data only in accordance with Controller’s documented instructions (including the Agreement).
    • Ensure its personnel are bound by confidentiality obligations.
    • Implement appropriate technical and organizational measures to protect Personal Data (see Section 5).
    • Notify Controller without undue delay of any Personal Data breach.
    • Assist Controller in responding to Data Subject requests and compliance obligations.

3. Subject-Matter, Duration, Purpose, and Data Types

  • 3.1 Subject-Matter: Provision of the t0 cloud service and related support.
  • 3.2 Duration: For the Term of the Agreement and until deletion of all Customer data thereafter.
  • 3.3 Nature and Purpose: Storage, hosting, and operation of Personal Data to enable use of t0.
  • 3.4 Categories of Data Subjects: End users of Controller’s t0 applications, Controller’s employees and contacts.
  • 3.5 Types of Personal Data: Names, email addresses, usage metadata, and any other data uploaded by Controller.

4. Security Measures

Processor shall implement and maintain, as part of its standard practices, appropriate technical and organizational measures, including:

  • Pseudonymization and encryption of Personal Data in transit and at rest.
  • Access controls, authentication, and authorization policies.
  • Regular vulnerability testing, monitoring, and incident response procedures.
  • Physical security of any data centers or hardware used to Process Personal Data.

5. Sub-processors

  • 5.1 Authorization. Controller authorizes Processor to engage Sub-processors to assist in fulfilling the Services.
  • 5.2 Sub-processor Obligations. Processor shall enter into written agreements with each Sub-processor imposing obligations no less protective than this DPA.

6. Data Subject Rights

Processor shall, to the extent legally permitted, promptly notify Controller if it receives a request from a Data Subject to exercise any rights (access, rectification, erasure, portability, objection). Processor will cooperate to enable Controller to comply with such requests.


7. Breach Notification

In the event of a Personal Data breach, Processor will:

  1. Notify Controller without undue delay (and, where feasible, within 48 hours).
  2. Provide sufficient information to allow Controller to meet any regulatory obligations.
  3. Cooperate in the investigation and remediation of the breach.

8. Return and Deletion of Data

Upon termination or expiration of the Agreement, Processor shall, at Controller’s choice, delete or return all Personal Data to Controller and delete any remaining copies, unless retention is required by law.


9. Audit Rights

Controller may audit Processor’s compliance with this DPA once per calendar year upon 30 days’ notice. Processor will cooperate and provide reasonable evidence of its security and processing practices.


10. International Transfers

Processor may transfer Personal Data outside the EEA only under the safeguards of the European Commission’s Standard Contractual Clauses (Controller-to-Processor), as set out in Commission Implementing Decision (EU) 2021/914, incorporated herein by reference.


11. Liability

Each party’s liability under this DPA shall be subject to the limitations and exclusions set forth in the Agreement.


12. General Provisions

  • Governing Law & Venue: Finland; courts of Helsinki.
  • Amendments: Processor may amend this DPA with 30 days’ notice; changes are effective upon posting.
  • Severability: If any provision is invalid, the remainder shall remain in force.
  • Entire Agreement: This DPA, together with the Agreement, constitutes the entire agreement regarding Processing of Personal Data.

13. Contact Information

For DPA inquiries or notices, contact:

Supernomial Oy
Bulevardi 21, 00180 Helsinki, Finland
Email: privacy@supernomial.co