Data Processing Agreement (DPA)

This data processing agreement describes how Vahti Service Oy processes the customer's personal data on behalf of the customer in the provision of the vahti.ai service. The agreement supplements the terms of service and defines, among other things, the purposes of the processing, the responsibilities of the parties, the sub-processors, data security measures and the deletion of data at the end of the agreement.

Last updated: 24.4.2026

This Data Processing Agreement ("DPA" or "Agreement") forms part of the Vahti Service Oy Terms of Service and is automatically applicable when Vahti Service Oy processes personal data on behalf of a customer in connection with the vahti.ai service.

Related documents: Terms of Service, Privacy Policy, Sub-processors, Cookie Policy.

1.

This Agreement applies to the processing of personal data where the Customer is the controller and Vahti Service Oy is the processor.

Controller: the customer who uses the vahti.ai service ("Customer").
Processor: Vahti Service Oy, business ID 3598836-2, Kauppakatu 39, 40100 Jyväskylä, Finland ("Vahti Service Oy" or "Processor").

This Agreement applies to the extent that Vahti Service Oy processes personal data on behalf of the Customer for the purpose of providing the vahti.ai service.

2.

Data protection terms used in this Agreement, such as "personal data", "controller", "processor", "data subject", "processing", "personal data breach" and "sub-processor" shall have the meaning as defined in the EU General Data Protection Regulation (EU) 2016/679 ("GDPR").

"Main Agreement" means the service agreement, terms of use, order, quotation, order confirmation or other agreement between the Customer and Vahti Service Oy under which the Customer uses the vahti.ai service.

3. Purpose of the Agreement and relationship to the Main Agreement

The purpose of this Agreement is to agree on the terms and conditions, in accordance with Article 28 of the GDPR, under which Vahti Service Oy processes personal data on behalf of the Customer.

This Agreement supplements the Main Agreement and automatically applies as part of the Main Agreement whenever Vahti Service Oy processes personal data on behalf of the Customer.

In the event of any conflict between this Agreement and the Main Agreement in relation to the processing of Personal Data, this Agreement shall prevail. Commercial terms, liabilities and use of the Service shall be governed by the Main Agreement, unless otherwise expressly agreed in this Agreement.

4. Subject matter, nature and purpose of processing

Vahti Service Oy processes personal data for the purpose of providing, maintaining, protecting and developing the vahti.ai service in accordance with the Main Agreement.

The Service is a continuous monitoring service for the security and compliance of Microsoft 365 environments. The processing may relate, for example, to user, configuration, event, detection, security and technical data relating to the use of the service, obtained from the Microsoft 365 environment.

For a more detailed description of the processing, see Annex 1.

5. Duration of processing

Vahti Service Oy will process personal data for as long as the Main Agreement is in force and the processing is necessary for the provision of the service.

Upon termination of the Main Agreement, the personal data will be deleted or returned in accordance with Section 18 and Annex 3, unless applicable law requires longer retention.

6. Categories of personal data

The categories of personal data processed are described in Annex 1. The categories of data may include, for example, user identification and contact information, access and role information, security and compliance information related to the Microsoft 365 environment, and technical log and usage data related to the service.

In principle, Vahti Service Oy does not need special categories of personal data in order to provide the service. The Customer is responsible for not providing unnecessary special categories of personal data or other sensitive material to the Service, unless otherwise agreed.

7. Categories of data subjects

The categories of data subjects are described in Annex 1. These may include, for example, Customer's employees, users, administrators, consultants, subcontractors and other persons connected with the Microsoft 365 environment.

8. Obligations of the controller

The Customer, as the controller, is responsible for ensuring that the processing of personal data is lawful and in compliance with applicable data protection legislation.

In particular, the Customer is responsible for ensuring that:

  • it has the right to have the personal data processed by Vahti Service Oy;
  • data subjects are provided with the necessary data protection information;
  • the instructions it gives to Vahti Service Oy comply with the law;
  • it specifies who in its organisation may use the service;
  • the access rights of its own users are managed and kept up to date;
  • no unnecessary personal data is provided to the Service.

9. Responsibilities of the processor

Vahti Service Oy will process personal data only in accordance with the Customer's documented instructions, unless applicable law requires Vahti Service Oy to process the data in another way.

Vahti Service Oy undertakes to:

  • process personal data only in accordance with this Agreement, the Main Agreement and the Customer's documented instructions;
  • implement appropriate technical and organisational security measures;
  • ensure that the persons processing the personal data are bound by confidentiality obligations;
  • use sub-processors in accordance with this Agreement;
  • reasonably assist the Customer in matters relating to data subjects' rights, data breaches and data protection assessments;
  • delete or return the personal data upon termination of the Agreement in accordance with Section 18.

10. Documented instructions

The Customer's documented instructions consist of this Agreement, the Main Agreement, the service settings, the choices made by the Customer in the Service and any other instructions agreed in writing.

If Vahti Service Oy considers that a Customer instruction violates data protection legislation, Vahti Service Oy will notify the Customer without undue delay, unless the law prohibits such notification.

11. Confidentiality of personnel

Vahti Service Oy shall ensure that the persons who process personal data are bound by confidentiality or are subject to an appropriate statutory obligation of confidentiality.

Access to personal data is limited to persons who have a need to process the data on the basis of their job duties.

12. Data security measures

Vahti Service Oy implements appropriate technical and organisational security measures in relation to the processing. The security measures are designed to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage.

These security measures are described in more detail in Annex 3.

Vahti Service Oy may update its security measures as the service, technology and threat environment evolve, provided that the overall level of data protection is not materially reduced.

13. Subcontractors / sub-processors

The Customer gives Vahti Service Oy general authorisation to use sub-processors for the processing of personal data.

Vahti Service Oy maintains a list of relevant sub-processors. The currently known sub-processors are described in Annex 2 and on the public sub-processors page.

Vahti Service Oy shall ensure that sub-processors are bound by data protection obligations substantially equivalent to those binding on Vahti Service Oy under this Agreement.

If Vahti Service Oy intends to engage a new material sub-processor to process the Customer's personal data, Vahti Service Oy will endeavour to give at least 30 days' notice of the change, unless the change is urgent, for example for security, availability or legal reasons.

The Customer may raise a legitimate data protection objection to the new sub-processor within the notification period. The parties will then endeavour to find a reasonable solution. If no solution can be found, the Customer may have the right to terminate the part of the service covered by the new sub-processor in accordance with the Main Agreement.

14. International transfers

Vahti Service Oy processes data related to the core infrastructure of the Service primarily within the EU/EEA.

However, some sub-processors, such as payment, email delivery or other support services, may involve processing of, or access to, personal data from outside the EU/EEA.

If personal data is transferred outside the EU/EEA, Vahti Service Oy will ensure that an applicable transfer basis exists under applicable data protection legislation, such as the standard contractual clauses adopted by the European Commission, the EU-U.S. Data Privacy Framework or another applicable mechanism.

15. Assistance in relation to data subject rights and DPIA

Vahti Service Oy will provide reasonable assistance to the Customer, taking into account the nature of the processing, in responding to the exercise of data subjects' rights, such as requests for access, rectification, erasure and restriction of processing.

Vahti Service Oy shall also reasonably assist the Customer in connection with data protection impact assessments and prior consultation of the supervisory authority, in so far as such assistance relates to the processing carried out by Vahti Service Oy and to data held by Vahti Service Oy.

If a data subject contacts Vahti Service Oy directly in relation to processing for which the Customer is the controller, Vahti Service Oy will refer the request to the Customer, unless otherwise required by law.

16.

Vahti Service Oy shall notify the Customer without undue delay upon becoming aware of a personal data breach involving personal data that it processes on behalf of the Customer. Vahti Service Oy aims to make the notification within 48 hours of detecting the breach and making a preliminary assessment of its material impact on the Customer's personal data.

The notification will include the available information about the nature of the breach, its likely impact, the remedial actions taken or proposed, and a point of contact for further information. If not all information is available immediately, Vahti Service Oy may provide it in stages.

The Customer, as the controller, is responsible for any notifications to the supervisory authority and to the data subjects. Vahti Service Oy shall reasonably assist the Customer in fulfilling these obligations.

17. Audits and obligation to provide proof

Vahti Service Oy shall provide the Customer with the reasonably available information necessary to demonstrate compliance with its obligations under this Agreement.

The Customer may request additional information about Vahti Service Oy's processing activities and security measures. Vahti Service Oy may fulfil this obligation by, for example, providing written descriptions, security documentation, a sub-processor list or other reasonable explanations.

If the Customer has a statutory need for an audit, the audit must be agreed in writing in advance. The audit shall be carried out within a reasonable time and in a manner that does not compromise other customers' information, Vahti Service Oy's trade secrets, security or the continuity of the service.

Vahti Service Oy may charge reasonable costs for audit requests that are extensive, recurring or exceed normal customer support, unless otherwise required by mandatory law.

18. Deletion or return of data at the end of the contract

Upon termination of the Main Agreement, Vahti Service Oy will, at the Customer's option, delete or return the personal data it processes on behalf of the Customer, unless applicable law requires retention of the data.

The Customer shall have 30 days after termination to request the return or export of reasonably available data, unless otherwise agreed in the Main Agreement.

Vahti Service Oy will delete the personal data from its active systems within a reasonable time, and no later than 90 days after termination of the Agreement or the Customer's request for deletion. Data in backups will be deleted in accordance with the normal life cycle of backups and will not be returned to production use except in a recovery or continuity situation.

19. Assignment of liability

The parties are responsible for their respective obligations under data protection legislation.

The Customer, as data controller, is responsible for the lawfulness of the processing, the purposes of the processing, the information of data subjects and the provision of personal data to the Service.

Vahti Service Oy, as the processor, is responsible for processing the personal data in accordance with this Agreement, the Main Agreement and the Customer's documented instructions.

This Agreement does not modify the limitations of liability set out in the Main Agreement, unless otherwise required by mandatory data protection legislation.

20. Applicable law and disputes

This Agreement shall be governed by Finnish law, excluding its conflict of law provisions.

Disputes arising out of this Agreement shall be settled in accordance with the dispute resolution procedure set out in the Main Agreement. In the absence of a dispute settlement procedure in the Main Agreement, disputes shall be settled by the competent Finnish general court.

Annex 1 - Description of the processing

1. Purpose of the processing

Personal data is processed for the purpose of providing the vahti.ai service to the Customer. The purpose of the service is to monitor the security and compliance of the Microsoft 365 environment and to provide findings, views, notifications and instructions for the Customer's use.

Processing may include, for example:

  • Retrieving, receiving and storing information from the Microsoft 365 environment;
  • Analysis of user, role, access, permission, configuration, security and event data;
  • generating security and compliance findings;
  • displaying findings and recommendations in the service;
  • technical logging, maintenance, troubleshooting and security monitoring;
  • sending service messages and system alerts.

2. Duration of processing

Processing will continue for the duration of the Main Agreement.

At the end of the Main Agreement, the personal data will be deleted or returned in accordance with Section 18 of the DPA, unless a longer retention period is required by law or by another agreed obligation.

3. Categories of personal data

The categories of personal data processed may include the following:

  • name of the user;
  • email address, user name or other unique identifier;
  • Microsoft 365 / Entra ID user and role information;
  • user ID, user name and password;
  • login, log, transaction and security information;
  • information related to Microsoft 365 environment settings and security status;
  • technical information related to the use of the service;
  • findings, risks, recommendations and status information generated in the provision of the service;
  • information on contact persons in the Customer's organisation relevant to the use of the service.

The service is not intended to process special categories of personal data. It is the Customer's responsibility not to provide the service with unnecessary data belonging to special categories of personal data.

4. Categories of data subjects

The categories of data subjects may include:

  • Customer's employees;
  • Customer's users and administrators;
  • Customer's consultants, subcontractors or other partners who have access to Customer's Microsoft 365 environment;
  • Other persons whose information appears in the security, access or transaction records of the Customer's Microsoft 365 environment.

Annex 2 - Sub-processors

1. Current sub-processors

Sub-processor: Google Cloud / Google Cloud EMEA Limited
  Purpose: Infrastructure, hosting, database, logging, technical runtime, and Google Vertex AI / Gemini processing to explain findings and generate instructions.
  Location / data residency: The main production infrastructure of vahti.ai is located in the EU, primarily in the europe-north1 region. Google Vertex AI / Gemini is configured for use in the EU.
  Note: Processes data necessary for the core operation of the service.

Sub-processor: Stripe / Stripe Payments Europe, Limited and Stripe Technology Europe, Limited
  Purpose: Payments, orders, billing and transaction processing.
  Location / data residency: In the EEA via the Irish Stripe companies; possible processing or access outside the EU/EEA.
  Note: Mainly processes billing and payment data, not actual Microsoft 365 tenant data.

Sub-processor: Postmark / AC PM, LLC
  Purpose: Delivery of emails, including system messages, invitations and notifications.
  Location / data residency: United States; possible processing outside the EU/EEA.
  Note: Processes the data and delivery logs needed for sending emails.

Sub-processor: HubSpot / HubSpot Ireland Limited
  Purpose: Website forms, lead and demo request processing, CRM, sales process and customer communication management.
  Location / data residency: The HubSpot account is in the EU1 environment. HubSpot's service may still involve processing or access outside the EU/EEA.
  Note: HubSpot primarily processes website, sales and customer relationship data. By default, HubSpot does not process actual Microsoft 365 tenant data.

2. Change notification mechanism

Vahti Service Oy maintains an up-to-date list of sub-processors on its public Sub-processors page.

Vahti Service Oy will endeavour to give notice of a new relevant sub-processor at least 30 days before the change takes effect, unless the change is urgent, for example for security, availability or legal reasons.

The Customer may raise a legitimate data protection objection within the notification period.

3. Logging

The Service may collect technical logs to support the operation of the Service, security, troubleshooting and detection of misuse.

Logs may include, for example, event timestamps, user or system identifiers, IP addresses, technical event information and error logs. Storage of logs shall be limited to the time necessary for the purpose for which they are intended.

4. Encryption

Personal data will be protected by appropriate encryption and protection methods during transmission and in storage where the infrastructure used and the technical implementation of the service support this.

Connections to the service are made through encrypted connections. Cloud infrastructure storage solutions will make use of the security mechanisms provided by the service provider.

5. Recovery and backups

Vahti Service Oy uses technical backup and recovery procedures to support the continuity and recovery of the service.

Backup and recovery procedures are managed so that the service can be reasonably restored in the event of a disruption. Exact recovery time objectives or service levels are determined by the Main Agreement, if separately agreed.

6. Vulnerability management

Vahti Service Oy will seek to identify, assess and remediate vulnerabilities in the Service on a risk-based basis.

Vulnerability management may include, for example, dependency updates, security updates, log monitoring, development practices and hardening of the technical environment of the service.

7. Deletion and return

Upon termination of the Main Agreement, the deletion and return of personal data is governed by Section 18 of the DPA.

At the Customer's request, Vahti Service Oy will return reasonably available personal data in the agreed format, where technically and reasonably possible. Thereafter, the data will be deleted from the active systems within a maximum of 90 days.

Data in backups will be deleted in accordance with the normal life cycle of backups.