Data Processing Agreement (DPA)
This data processing agreement describes how Vahti Service Oy processes the customer's personal data on behalf of the customer in the provision of the vahti.ai service. The agreement supplements the terms of service and defines, among other things, the purposes of the processing, the responsibilities of the parties, the sub-processors, data security measures and the deletion of data at the end of the agreement.
Last updated: 24 April 2026
This Data Processing Agreement (“DPA” or “Agreement”) forms part of Vahti Service Oy’s Terms of Service and applies automatically when Vahti Service Oy processes personal data on behalf of a customer in connection with the vahti.ai service.
Related documents: Terms of Service, Privacy Policy, Subprocessors and Cookie Policy.
1. Parties
This Agreement concerns the processing of personal data where the customer acts as the controller and Vahti Service Oy acts as the processor.
Controller: the customer using the vahti.ai service (“Customer”).
Processor: Vahti Service Oy, Business ID 3598836-2, Kauppakatu 39, 40100 Jyväskylä, Finland (“Vahti Service Oy” or “Processor”).
This Agreement applies to the extent Vahti Service Oy processes personal data on behalf of the Customer for the purpose of providing the vahti.ai service.
2. Definitions
Data protection terms used in this Agreement, such as “personal data”, “controller”, “processor”, “data subject”, “processing”, “personal data breach” and “sub-processor”, have the meanings given to them in the EU General Data Protection Regulation (EU) 2016/679 (“GDPR”).
“Main Agreement” means the service agreement, terms of service, order, offer, order confirmation or other agreement between the Customer and Vahti Service Oy under which the Customer uses the vahti.ai service.
3. Purpose of this Agreement and Relationship with the Main Agreement
The purpose of this Agreement is to set out the terms required under Article 28 of the GDPR for Vahti Service Oy’s processing of personal data on behalf of the Customer.
This Agreement supplements the Main Agreement and applies automatically as part of the Main Agreement when Vahti Service Oy processes personal data on behalf of the Customer.
If this Agreement and the Main Agreement conflict in matters relating to the processing of personal data, this Agreement takes precedence. Commercial terms, liability and use of the Service are governed by the Main Agreement unless expressly agreed otherwise in this Agreement.
4. Subject Matter, Nature and Purpose of Processing
Vahti Service Oy processes personal data to provide, maintain, protect and develop the vahti.ai service in accordance with the Main Agreement.
The Service is a continuous security and compliance monitoring service for Microsoft 365 environments. Processing may relate, for example, to user, configuration, event, finding and security data obtained from the Microsoft 365 environment, as well as technical data related to the use of the Service.
The processing is described in more detail in Annex 1.
5. Duration of Processing
Vahti Service Oy processes personal data for as long as the Main Agreement is in force and the processing is necessary to provide the Service.
After the Main Agreement ends, personal data will be deleted or returned in accordance with Section 18 and Annex 3, unless applicable law requires longer retention.
6. Categories of Personal Data
The categories of personal data are described in Annex 1. The categories may include, for example, user identification and contact details, access rights and role data, security and compliance data related to the Microsoft 365 environment, and technical log and usage data related to the Service.
Vahti Service Oy does not generally need special categories of personal data to provide the Service. The Customer is responsible for ensuring that it does not provide unnecessary special categories of personal data or other sensitive material to the Service unless separately agreed.
7. Categories of Data Subjects
The categories of data subjects are described in Annex 1. These may include, for example, the Customer’s employees, users, administrators, consultants, subcontractors and other persons connected to the Customer’s Microsoft 365 environment.
8. Obligations of the Controller
As controller, the Customer is responsible for ensuring that there is a lawful basis for the processing of personal data and that the processing complies with applicable data protection legislation.
The Customer is responsible in particular for ensuring that:
- the Customer has the right to provide personal data to Vahti Service Oy for processing;
- data subjects are provided with the necessary privacy information;
- the instructions given by the Customer to Vahti Service Oy are lawful;
- the Customer determines who within its organisation may use the Service;
- the Customer maintains and updates its Users’ access rights;
- the Customer does not provide unnecessary personal data to the Service.
9. Obligations of the Processor
Vahti Service Oy processes personal data only in accordance with the Customer’s documented instructions, unless applicable law requires Vahti Service Oy to process the data otherwise.
Vahti Service Oy undertakes to:
- process personal data only in accordance with this Agreement, the Main Agreement and the Customer’s documented instructions;
- implement appropriate technical and organisational security measures;
- ensure that persons processing personal data are bound by confidentiality obligations;
- use sub-processors in accordance with this Agreement;
- reasonably assist the Customer with matters relating to data subject rights, personal data breaches and data protection assessments;
- delete or return personal data upon termination of the Agreement in accordance with Section 18.
10. Documented Instructions
The Customer’s documented instructions consist of this Agreement, the Main Agreement, the Service settings, choices made by the Customer in the Service and any other written instructions agreed between the parties.
If Vahti Service Oy considers that an instruction from the Customer infringes data protection legislation, Vahti Service Oy will notify the Customer without undue delay, unless prohibited by law.
11. Staff Confidentiality
Vahti Service Oy ensures that persons authorised to process personal data have committed themselves to confidentiality or are subject to an appropriate statutory duty of confidentiality.
Access to personal data is limited to persons who need to process the data for their work duties.
12. Security Measures
Vahti Service Oy implements technical and organisational security measures appropriate to the processing. The purpose of the security measures is to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage.
The security measures are described in more detail in Annex 3.
Vahti Service Oy may update its security measures as the Service, technology and threat environment develop, provided that the overall level of data protection is not materially weakened.
13. Subcontractors / Sub-processors
The Customer grants Vahti Service Oy a general authorisation to use sub-processors in the processing of personal data.
Vahti Service Oy maintains a list of material sub-processors. The current known sub-processors are described in Annex 2 and on the public Subprocessors page.
Vahti Service Oy ensures that sub-processors are bound by data protection obligations that are materially equivalent to those binding Vahti Service Oy under this Agreement.
If Vahti Service Oy intends to engage a new material sub-processor that processes the Customer’s personal data, Vahti Service Oy aims to notify the Customer at least 30 days in advance, unless the change is urgent for reasons such as security, availability or legal requirements.
The Customer may object to a new sub-processor on reasonable data protection grounds within the notice period. The parties will then seek a reasonable solution. If no solution is found, the Customer may have the right to terminate the part of the Service affected by the new sub-processor in accordance with the Main Agreement.
14. International Transfers
Vahti Service Oy processes data related to the Service’s core infrastructure primarily within the EU/EEA.
However, some sub-processors, such as services relating to payments, email delivery or other support functions, may involve processing of or access to personal data from outside the EU/EEA.
If personal data is transferred outside the EU/EEA, Vahti Service Oy ensures that the transfer is based on an appropriate transfer mechanism under data protection legislation, such as Standard Contractual Clauses approved by the European Commission, the EU-U.S. Data Privacy Framework or another applicable mechanism.
15. Assistance with Data Subject Rights and DPIAs
Vahti Service Oy reasonably assists the Customer, taking into account the nature of the processing, in responding to requests relating to data subject rights, such as access requests, rectification requests, erasure requests and requests to restrict processing.
Vahti Service Oy also reasonably assists the Customer with data protection impact assessments and prior consultations with supervisory authorities to the extent the assistance relates to processing performed by Vahti Service Oy and information available to Vahti Service Oy.
If a data subject contacts Vahti Service Oy directly in a matter relating to the Customer’s role as controller, Vahti Service Oy will direct the request to the Customer, unless otherwise required by law.
16. Personal Data Breaches
Vahti Service Oy will notify the Customer without undue delay after becoming aware of a personal data breach concerning personal data processed by Vahti Service Oy on behalf of the Customer. Vahti Service Oy aims to provide the notification within 48 hours after the breach has been detected and its material effects on the Customer’s personal data have been preliminarily assessed.
The notification will include available information about the nature of the breach, likely consequences, corrective measures taken or proposed, and a contact point for further information. If all information is not immediately available, Vahti Service Oy may provide the information in phases.
As controller, the Customer is responsible for any notifications to the supervisory authority and data subjects. Vahti Service Oy will reasonably assist the Customer in meeting these obligations.
17. Audits and Accountability
Vahti Service Oy provides the Customer with reasonably available information necessary to demonstrate compliance with the obligations under this Agreement.
The Customer may request additional information about Vahti Service Oy’s processing activities and security measures. Vahti Service Oy may fulfil this obligation, for example, by providing written descriptions, security documentation, the sub-processor list or other reasonable information.
If the Customer has a statutory need to conduct an audit, the audit must be agreed in advance in writing. The audit must be carried out at a reasonable time and in a manner that does not compromise other customers’ data, Vahti Service Oy’s trade secrets, security or continuity of the Service.
Vahti Service Oy may charge reasonable costs for extensive, repeated or non-standard audit requests, unless mandatory law requires otherwise.
18. Deletion or Return of Data upon Termination
Upon termination of the Main Agreement, Vahti Service Oy will delete or return the personal data it processes on behalf of the Customer, at the Customer’s choice, unless applicable law requires retention of the data.
After termination, the Customer has 30 days to request the return or export of reasonably available data, unless otherwise agreed in the Main Agreement.
Vahti Service Oy will delete personal data from its active systems within a reasonable time and in any event no later than 90 days after termination of the agreement or the Customer’s deletion request. Data in backups will be deleted according to the normal backup lifecycle and will not be restored to production use except in recovery or continuity situations.
19. Allocation of Responsibility
Each party is responsible for its own obligations under data protection legislation.
As controller, the Customer is responsible for the lawfulness of processing, the purposes of processing, informing data subjects and providing personal data to the Service.
As processor, Vahti Service Oy is responsible for processing personal data in accordance with this Agreement, the Main Agreement and the Customer’s documented instructions.
This Agreement does not alter the limitations of liability agreed in the Main Agreement, unless mandatory data protection legislation requires otherwise.
20. Governing Law and Disputes
This Agreement is governed by the laws of Finland, excluding its conflict of law rules.
Disputes arising from this Agreement will be resolved in accordance with the dispute resolution procedure agreed in the Main Agreement. If no dispute resolution procedure has been agreed in the Main Agreement, disputes will be resolved by the competent Finnish general court.
Annex 1 – Description of Processing
1. Purpose of Processing
Personal data is processed to provide the vahti.ai service to the Customer. The purpose of the Service is to monitor the security and compliance of the Microsoft 365 environment and to provide findings, views, notifications and guidance for the Customer.
Processing may include, for example:
- retrieving, receiving and storing data from the Microsoft 365 environment;
- analysing user, role, access right, configuration, security and event data;
- creating security and compliance findings;
- displaying findings and recommendations in the Service;
- technical logging, maintenance, troubleshooting and security monitoring;
- sending service messages and system notifications.
2. Duration of Processing
Processing continues for the term of the Main Agreement.
Upon termination of the Main Agreement, personal data will be deleted or returned in accordance with Section 18 of the DPA, unless law or another agreed obligation requires longer retention.
3. Categories of Personal Data
The categories of personal data processed may include the following:
- user name;
- email address;
- username or other unique identifier;
- Microsoft 365 / Entra ID user and role data;
- data relating to access rights, groups and administrator roles;
- sign-in, log, event and security data;
- data relating to Microsoft 365 environment settings and security posture;
- technical data relating to use of the Service;
- findings, risks, recommendations and status data generated in the Service;
- data of the Customer organisation’s contact persons necessary for use of the Service.
The Service is not intended to process special categories of personal data. The Customer is responsible for ensuring that it does not provide unnecessary special categories of personal data to the Service.
4. Categories of Data Subjects
Categories of data subjects may include:
- the Customer’s employees;
- the Customer’s users and administrators;
- the Customer’s consultants, subcontractors or other partners who have access to the Customer’s Microsoft 365 environment;
- other persons whose data appears in the Customer’s Microsoft 365 environment security, access right or event data.
Annex 2 – Sub-processors
1. Current Sub-processors
| Sub-processor | Purpose | Location / data residency | Note |
|---|---|---|---|
| Google Cloud / Google Cloud EMEA Limited | Infrastructure, hosting, database, logging, technical operation and Google Vertex AI / Gemini processing for explaining findings and producing guidance. | Vahti’s main production infrastructure is located in the EU, primarily in the europe-north1 region. Google Vertex AI / Gemini is configured to be used in the EU. | Processes data necessary for the core operation of the Service. |
| Stripe / Stripe Payments Europe, Limited and Stripe Technology Europe, Limited | Payments, subscriptions, billing and payment transaction processing. | Through Irish Stripe entities in the EEA; possible processing of or access to data outside the EU/EEA. | Primarily processes billing and payment data, not actual Microsoft 365 tenant data. |
| Postmark / AC PM, LLC | Email delivery, such as system messages, invitations and notifications. | United States / possible processing outside the EU/EEA. | Processes data needed for sending emails and delivery logs. |
| HubSpot / HubSpot Ireland Limited | Website forms, leads and demo requests, CRM, sales process and customer communication management. | The HubSpot account is in the EU1 environment. HubSpot’s service may still involve processing of or access to data outside the EU/EEA. | HubSpot primarily processes website, sales and customer relationship data. HubSpot does not generally process actual Microsoft 365 tenant data. |
2. Change Notification Mechanism
Vahti Service Oy maintains an up-to-date sub-processor list at:
Vahti Service Oy aims to notify the Customer of a new material sub-processor at least 30 days before the change takes effect, unless the change is urgent for reasons such as security, availability or legal requirements.
The Customer may object to the new sub-processor on reasonable data protection grounds within the notice period.
Annex 3 – Description of Technical and Organisational Security Measures
1. Access Control
Vahti Service Oy limits access to personal data to persons who need to process the data for their work duties.
Access control is based on roles and access rights. Access rights are reviewed and removed where necessary, for example when duties change or an employment or assignment ends.
2. Confidentiality
Persons processing personal data are bound by confidentiality obligations or equivalent duties of confidentiality.
The confidentiality obligation covers personal data as well as the Customer’s confidential information and information obtained in connection with the use of the Service.
3. Logging
The Service may collect technical logs to support service operation, security, troubleshooting and detection of misuse.
Logs may include, for example, event timestamps, user or system identifiers, IP addresses, technical event data and error logs. Log retention is limited to the period necessary for the relevant purpose.
4. Encryption
Personal data is protected using appropriate encryption and security methods during transmission and at rest where supported by the infrastructure and the technical implementation of the Service.
Connections to the Service are implemented through encrypted connections. The storage solutions of the cloud infrastructure use security mechanisms provided by the service provider.
5. Recovery and Backups
Vahti Service Oy uses technical backup and recovery procedures to support the continuity and recovery of the Service.
Backups and recovery procedures are managed so that the Service can reasonably be restored in disruption situations. Specific recovery time objectives or service levels are determined by the Main Agreement if separately agreed.
6. Vulnerability Management
Vahti Service Oy aims to identify, assess and remediate vulnerabilities related to the Service on a risk-based basis.
Vulnerability management may include, for example, updating dependencies, applying security updates, monitoring logs, development practices and hardening the technical environment of the Service.
7. Deletion and Return
Upon termination of the Main Agreement, deletion and return of personal data is governed by Section 18 of the DPA.
Upon the Customer’s request, Vahti Service Oy will return reasonably available personal data in an agreed format if technically and reasonably possible. Thereafter, the data will be deleted from active systems within 90 days at the latest.
Data in backups will be deleted according to the normal backup lifecycle.