Skip to content

Data Processing Agreement (DPA)

This data processing agreement describes how Vahti Service Oy processes the customer's personal data on behalf of the customer in the provision of the vahti.ai service. The agreement supplements the terms of service and defines, among other things, the purposes of the processing, the responsibilities of the parties, the sub-processors, data security measures and the deletion of data at the end of the agreement.

Data Processing Agreement (DPA)

Last updated: 28 May 2026

This Data Processing Agreement (“DPA” or “Agreement”) forms part of Vahti Service Oy’s Terms of Service and applies automatically when Vahti Service Oy processes personal data on behalf of the customer in connection with the vahti.ai service.

Terms of Service: Terms of Service
Privacy Policy: Privacy Policy
Subprocessors: Subprocessors
Cookie Policy: Cookie Policy

1. Parties

This Agreement applies to processing of personal data where the customer acts as controller and Vahti Service Oy acts as processor.

Controller: the customer using the vahti.ai service (“Customer”).
Processor: Vahti Service Oy, Business ID 3598836-2, Kauppakatu 39, 40100 Jyväskylä, Finland (“Vahti Service Oy” or “Processor”).

This Agreement applies to the extent Vahti Service Oy processes personal data on behalf of the Customer to provide the vahti.ai service.

2. Definitions

Data protection terms used in this Agreement, such as “personal data”, “controller”, “processor”, “data subject”, “processing”, “personal data breach”, and “subprocessor”, have the meanings given to them in the EU General Data Protection Regulation (EU) 2016/679 (“GDPR”).

“Main Agreement” means the service agreement, Terms of Service, order, offer, order confirmation, or other agreement between the Customer and Vahti Service Oy under which the Customer uses the vahti.ai service.

3. Purpose of the Agreement and Relationship With the Main Agreement

The purpose of this Agreement is to agree on the terms required under Article 28 GDPR for Vahti Service Oy’s processing of personal data on behalf of the Customer.

This Agreement supplements the Main Agreement and applies automatically as part of the Main Agreement when Vahti Service Oy processes personal data on behalf of the Customer.

If this Agreement and the Main Agreement conflict in matters concerning the processing of personal data, this Agreement takes precedence. Commercial terms, liabilities, and use of the service are governed by the Main Agreement unless expressly agreed otherwise in this Agreement.

4. Subject Matter, Nature, and Purpose of Processing

Vahti Service Oy processes personal data to provide, maintain, secure, troubleshoot, and assure the quality of the vahti.ai service in accordance with the Main Agreement.

The service is a continuous security and compliance monitoring service for Microsoft 365 environments. Processing may relate, for example, to user, configuration state, event, finding, and security data obtained from the Microsoft 365 environment, as well as technical data related to the use of the service.

During the first 30 days of onboarding, processing may include limited service quality assurance where Vahti Service Oy verifies that key service user interface views, scan pipeline, onboarding status information, and operational summaries work based on the Customer's tenant data. This processing is carried out only for service onboarding and quality assurance purposes, is limited to the necessary scope, and does not authorize general browsing of the Customer's Microsoft 365 content or copying of data without a separate justification.

For general service development, Vahti Service Oy uses de-identified, anonymized, aggregated, or otherwise transformed data from which the Customer or a natural person cannot be identified, unless otherwise separately agreed with the Customer in writing.

Vahti Service Oy does not use the Customer’s identifiable tenant data to train general AI models. AI may be used to explain findings, generate guidance, and summarize security content, but AI does not create, modify, close, or prioritize risk state.

A more detailed description of the processing is provided in Annex 1.

5. Duration of Processing

Vahti Service Oy processes personal data for as long as the Main Agreement is in force and the processing is necessary to provide the service.

After termination of the Main Agreement, personal data will be deleted or returned in accordance with Section 18 and Annex 3, unless applicable law requires longer retention.

6. Categories of Personal Data

The categories of personal data are described in Annex 1. The categories may include, for example, user identity and contact information, access and role information, security and compliance information related to the Microsoft 365 environment, and technical log and usage data related to the service.

Vahti Service Oy does not generally need special categories of personal data to provide the service. The Customer is responsible for ensuring that it does not provide unnecessary special categories of personal data or other sensitive material to the service unless separately agreed.

If the Customer enables a feature that analyzes file content, supported files may be processed in a limited manner to perform the analysis. Raw document content, text matches, or detected personal data values are not stored in the Vahti service unless separately agreed in writing.

7. Categories of Data Subjects

The categories of data subjects are described in Annex 1. They may include, for example, the Customer’s employees, users, administrators, consultants, subcontractors, and other persons related to the Customer’s Microsoft 365 environment.

8. Controller Obligations

The Customer is responsible as controller for ensuring that there is a lawful basis for the processing of personal data and that the processing complies with applicable data protection laws.

The Customer is responsible in particular for ensuring that:

  • the Customer has the right to provide personal data to Vahti Service Oy for processing;
  • data subjects are provided with the required privacy information;
  • the instructions given by the Customer to Vahti Service Oy are lawful;
  • the Customer determines who within its organization may use the service;
  • the Customer manages its own users’ access rights and keeps them up to date;
  • the Customer does not provide unnecessary personal data to the service;
  • the Microsoft 365 / Entra permissions granted to the service have been approved through the Customer’s appropriate organizational governance process.

9. Processor Obligations

Vahti Service Oy processes personal data only on the documented instructions of the Customer, unless applicable law requires Vahti Service Oy to process the data otherwise.

Vahti Service Oy undertakes to:

  • process personal data only in accordance with this Agreement, the Main Agreement, and the Customer’s documented instructions;
  • implement appropriate technical and organizational security measures;
  • ensure that persons processing personal data are bound by confidentiality obligations;
  • use subprocessors in accordance with this Agreement;
  • reasonably assist the Customer with matters related to data subject rights, personal data breaches, security measures, data protection impact assessments, and prior consultation with a supervisory authority to the extent the assistance relates to processing carried out by Vahti Service Oy;
  • delete or return personal data upon termination of the Agreement in accordance with Section 18.

10. Documented Instructions

The Customer’s documented instructions consist of this Agreement, the Main Agreement, the service settings, choices made by the Customer in the service, and other written instructions agreed between the parties.

The Customer's documented instructions also include limited service quality assurance during the first 30 days of onboarding as described in Section 4.

The documented instructions also cover transfers of personal data to a third country or international organization to the extent such transfers are made based on this Agreement, the Main Agreement, or choices made by the Customer in the service.

If Vahti Service Oy considers that an instruction from the Customer infringes data protection law, Vahti Service Oy will notify the Customer without undue delay unless prohibited by law.

11. Personnel Confidentiality

Vahti Service Oy ensures that persons processing personal data are committed to confidentiality or are subject to an appropriate statutory duty of confidentiality.

Access to personal data is limited to persons who need to process the data based on their duties.

12. Security Measures

Vahti Service Oy implements technical and organizational security measures appropriate to the processing. The purpose of the measures is to protect personal data against unauthorized or unlawful processing and against accidental loss, destruction, or damage.

The security measures are described in more detail in Annex 3.

Vahti Service Oy may update its security measures as the service, technology, and threat environment evolve, provided that the overall level of data protection is not materially weakened.

13. Subcontractors / Subprocessors

The Customer grants Vahti Service Oy general authorization to use subprocessors for the processing of personal data.

Vahti Service Oy maintains an up-to-date list of material subprocessors on the public subprocessor page: Subprocessors. The current public subprocessor list is the primary source. Annex 2 describes the subprocessor situation as of the latest update of this Agreement.

Vahti Service Oy ensures that subprocessors are bound by at least equivalent data protection obligations as those binding Vahti Service Oy under this Agreement, to the extent the obligations apply to the processing carried out by the subprocessor.

Vahti Service Oy remains liable to the Customer for a subprocessor’s processing of personal data under this Agreement as if it were Vahti Service Oy’s own processing, to the extent the subprocessor processes personal data on behalf of Vahti Service Oy.

If Vahti Service Oy intends to engage a new material subprocessor that processes the Customer’s personal data, Vahti Service Oy will notify the Customer of the change at least 30 days before the change takes effect, unless the change is urgent for security, availability, or legal reasons.

The Customer may object to a new subprocessor on justified data protection grounds during the notice period. The parties will then seek a reasonable solution. If no solution is found, the Customer may have the right to terminate the part of the service affected by the new subprocessor in accordance with the Main Agreement.

14. International Transfers

Vahti Service Oy primarily processes data related to the service’s core infrastructure within the EU/EEA.

Some subprocessors, such as services related to payments, email delivery, or other support functions, may involve processing of personal data or access to personal data from outside the EU/EEA.

If personal data is transferred outside the EU/EEA, Vahti Service Oy ensures that there is an applicable transfer mechanism under data protection law, such as European Commission standard contractual clauses, the EU-U.S. Data Privacy Framework, or another applicable safeguard.

15. AI Services and Use of Customer Data for Model Training

Vahti Service Oy does not use the Customer’s personal data or Customer service data to train Vahti Service Oy’s own AI models or third-party AI models.

Vahti Service Oy may use Google Cloud Vertex AI for limited service functions, such as explaining security findings, producing guidance, and improving the service experience. In such cases, data is processed to fulfil the request and provide the service, not to train AI models.

Under Google Cloud’s terms, customer data is not used to train or fine-tune Google AI/ML models without the customer’s prior permission or instruction.

16. Assistance With Data Subject Rights and DPIAs

Vahti Service Oy reasonably assists the Customer, taking into account the nature of the processing, with fulfilling data subject rights, such as requests for access, rectification, erasure, and restriction of processing.

Vahti Service Oy also reasonably assists the Customer with the obligations referred to in Articles 32–36 GDPR concerning security measures, personal data breaches, data protection impact assessments, and prior consultation with a supervisory authority, to the extent the assistance relates to processing carried out by Vahti Service Oy and information available to Vahti Service Oy.

If a data subject contacts Vahti Service Oy directly regarding a matter where the Customer acts as controller, Vahti Service Oy will direct the request to the Customer unless the law requires otherwise.

17. Personal Data Breaches

Vahti Service Oy will notify the Customer without undue delay after becoming aware of a personal data breach concerning personal data processed by Vahti Service Oy on behalf of the Customer.

Vahti Service Oy’s target is to provide an initial notification within 48 hours after Vahti Service Oy becomes aware of the personal data breach. This target does not limit Vahti Service Oy’s obligation to notify the Customer without undue delay.

The notification will include available information about the nature of the breach, likely consequences, corrective measures taken or proposed, and a contact point for further information. If not all information is available immediately, Vahti Service Oy will provide additional information in phases without undue delay.

The Customer, as controller, is responsible for any notifications to the supervisory authority and data subjects. Vahti Service Oy will reasonably assist the Customer in fulfilling these obligations.

18. Audits and Demonstrating Compliance

Vahti Service Oy will provide the Customer with reasonably available information necessary to demonstrate compliance with the obligations under this Agreement.

The Customer has the right to request reasonable information and, where necessary, an audit to assess compliance with this Agreement. Vahti Service Oy may primarily satisfy such requests by providing written descriptions, security documentation, the subprocessor list, audit reports, or other reasonable evidence.

If written evidence is not reasonably sufficient and the Customer has a justified need to conduct an audit, the audit must be agreed in advance in writing. The audit must be carried out at a reasonable time and in a manner that does not endanger other customers’ data, Vahti Service Oy’s trade secrets, security, or service continuity.

Vahti Service Oy may charge reasonable costs for broad, repeated, or support-intensive audit requests, unless mandatory law requires otherwise.

19. Deletion or Return of Data Upon Termination

Upon termination of the Main Agreement, Vahti Service Oy will delete or return personal data processed on behalf of the Customer according to the Customer’s choice, unless applicable law requires retention.

After termination, the Customer has 30 days to request return or export of reasonably available data, unless otherwise agreed in the Main Agreement.

Vahti Service Oy deletes personal data from active systems within a reasonable time, and in any event no later than 90 days after termination of the agreement or the Customer’s deletion request. Data in backups expires according to the normal backup lifecycle and is not restored into production use except in recovery or continuity situations.

If a backup restore would reintroduce previously deleted or anonymized Customer personal data into active use, Vahti Service Oy will delete or anonymize that data again before normal service use continues, to the extent technically and reasonably possible.

20. Allocation of Responsibility

Each party is responsible for its own obligations under data protection law.

The Customer is responsible as controller for the lawfulness of processing, the purposes of processing, informing data subjects, and providing personal data to the service.

Vahti Service Oy is responsible as processor for processing personal data in accordance with this Agreement, the Main Agreement, and the Customer’s documented instructions.

This Agreement does not modify the limitations of liability agreed in the Main Agreement unless mandatory data protection law requires otherwise.

21. Governing Law and Disputes

This Agreement is governed by the laws of Finland, excluding its conflict of law rules.

Disputes arising from this Agreement will be resolved according to the dispute resolution procedure agreed in the Main Agreement. If no dispute resolution procedure has been agreed in the Main Agreement, disputes will be resolved by the competent Finnish general court.

Annex 1 – Description of Processing

1. Purpose of Processing

Personal data is processed to provide the vahti.ai service to the Customer. The purpose of the service is to monitor the security and compliance of the Microsoft 365 environment and to produce findings, views, notifications, and guidance for the Customer.

Processing may include, for example:

  • retrieving, receiving, and storing data obtained from the Microsoft 365 environment;
  • analyzing user, role, permission, configuration state, security, and event data;
  • creating security and compliance findings;
  • showing findings and recommendations in the service;
  • creating reports, notifications, and audit trail data;
  • technical logging, maintenance, troubleshooting, and security monitoring;
  • limited service quality assurance during the first 30 days of onboarding to verify that user interface views, scan pipeline, onboarding status information, and operational summaries work based on the Customer's tenant data;
  • sending service messages and system notifications;
  • AI-assisted explanation of findings and generation of guidance, provided that AI does not create, modify, close, or prioritize risk state;
  • limited processing by separately enabled file content analysis features to perform the relevant analysis.

2. Duration of Processing

Processing continues for the duration of the Main Agreement.

Upon termination of the Main Agreement, personal data will be deleted or returned in accordance with Section 18 of this DPA, unless law or another agreed obligation requires longer retention.

3. Categories of Personal Data

The categories of personal data processed may include the following:

  • user name;
  • email address;
  • user account or other unique identifier;
  • Microsoft 365 / Entra ID user and role information;
  • information related to permissions, groups, and administrative roles;
  • sign-in, log, event, and security data;
  • information related to Microsoft 365 environment settings and security posture;
  • information related to applications, OAuth consents, sharing, and service settings;
  • document-related metadata, such as owner, path, identifier, sharing information, and deterministic finding data generated by analysis, if such feature is enabled;
  • technical data related to use of the service;
  • findings, risks, recommendations, actions, reports, and status data generated in the service;
  • information about customer organization contacts necessary for use of the service.

The purpose of the service is not to process special categories of personal data. The Customer is responsible for ensuring that it does not provide unnecessary special categories of personal data to the service.

If Content Compliance Scan or another file content analysis feature is enabled, raw document content, text matches, or detected personal data values are not stored in the Vahti service or returned in the user interface unless separately agreed in writing.

4. Categories of Data Subjects

Categories of data subjects may include:

  • the Customer’s employees;
  • the Customer’s users and administrators;
  • the Customer’s consultants, subcontractors, or other partners who have access to the Customer’s Microsoft 365 environment;
  • other persons whose data appears in the Customer’s Microsoft 365 environment security, permission, or event data.

Annex 2 – Subprocessors

1. Current Subprocessors

The current subprocessor list is available at Subprocessors. This annex describes the subprocessor situation as of the latest update of this Agreement.

Subprocessor Purpose Location / Data Residency Note
Google Cloud / Google Cloud EMEA Limited Infrastructure, hosting, database, logging, monitoring, technical runtime, and Google Vertex AI / Gemini processing for explaining findings and producing guidance. Vahti’s primary production infrastructure is located in the EU. Google Vertex AI / Gemini is configured to be used in EU locations. Processes data necessary for the core operation of the service. Google Cloud / Vertex AI processes data to provide the service. Customer data is not used to train or fine-tune Google AI/ML models without the customer’s prior permission or instruction.
Stripe / Stripe Payments Europe, Limited and Stripe Technology Europe, Limited Payments, subscriptions, billing, and payment transaction processing. Through Irish Stripe entities in the EEA; possible processing or access from outside the EU/EEA. Processes primarily billing and payment data, not actual Microsoft 365 tenant data.
Postmark / AC PM, LLC Email delivery, such as system messages, invitations, and notifications. United States / possible processing outside the EU/EEA. Processes data necessary to send emails and related delivery logs.
HubSpot / HubSpot Ireland Limited Website forms, lead and demo request processing, CRM, sales process, and customer communication management. The HubSpot account is in the EU1 environment. HubSpot’s service may still involve processing or access from outside the EU/EEA. HubSpot primarily processes website, sales, and customer relationship data. HubSpot does not generally process actual Microsoft 365 tenant data.

2. Change Notification Mechanism

Vahti Service Oy maintains an up-to-date subprocessor list at:

Subprocessors

Vahti Service Oy will notify the Customer of a new material subprocessor at least 30 days before the change takes effect, unless the change is urgent for security, availability, or legal reasons.

The Customer may object to the new subprocessor on justified data protection grounds during the notice period.

Annex 3 – Description of Technical and Organizational Security Measures

1. Access Control

Vahti Service Oy limits access to personal data to people, systems, and service accounts that need to process the data based on their duties or the technical operation of the service.

Access control uses role- and permission-based procedures. Access rights are reviewed and removed as needed, for example when duties change or employment or engagement ends.

Application use is tenant-authorized. Customer users can only access their own organization’s data in the service according to their role.

2. Internal Operator and Support Access

Vahti Service Oy’s internal operator and support access to customer data is limited to approved purposes, such as onboarding support, limited service quality assurance during the first 30 days of onboarding, incident or service issue investigation, customer support requests, billing investigation, security incident handling, or customer-requested data export, deletion, or anonymization.

Internal access is limited according to the principle of least privilege. Intentional user interface, database, log, or metadata inspection targeting a customer tenant is recorded in an internal support access record, including at least the purpose, reason, goal, scope, access method, operator, time limit, and work outcome. Access is removed or restricted again when the processing need ends.

3. Confidentiality

Persons processing personal data are bound by confidentiality obligations or an equivalent duty of confidentiality.

The confidentiality obligation applies to personal data as well as the Customer’s confidential information and information obtained in connection with use of the service.

4. Environment Separation and Tenant Isolation

Production, test, and development environments are kept separate from each other. Production data is not used for development or testing without a separate justification and appropriate safeguards.

Customer data is isolated at the application layer by tenant. The service user interface and API layers verify the tenant context and the user’s permissions before performing customer-data-related operations.

5. Logging and Monitoring

The service collects technical logs to support service operation, security, troubleshooting, abuse detection, and audit trail needs.

Logs may include, for example, event timestamps, user or system identifiers, tenant or run identifiers, IP addresses, technical event data, error categories, and metadata related to the operation of the service. Log retention is limited to the time necessary for the relevant purpose.

Logs are not intentionally used to record Microsoft Graph secrets, access tokens, full payment card details, plaintext invitation tokens, raw Graph error bodies if they contain sensitive data, or Content Compliance Scan raw material, text matches, or detected personal data values.

6. Encryption and Secrets Management

Personal data is protected with appropriate encryption and security methods in transit and at rest where supported by the infrastructure and technical implementation of the service.

Connections to the service are implemented using encrypted connections. Cloud infrastructure storage solutions use the protection mechanisms provided by the service provider.

Production secrets, such as technical service credentials and integration secrets, are stored in a dedicated secrets management service and are not stored in version control or customer-visible data.

7. Recovery and Backups

Vahti Service Oy uses technical backup and recovery procedures to support service continuity and recovery.

Backups and recovery procedures are managed so that the service can reasonably be restored in disruption situations. Specific recovery time objectives or service levels are determined by the Main Agreement if separately agreed.

Data in backups expires according to the normal backup lifecycle. If a backup restore reintroduces previously deleted or anonymized Customer personal data into active use, deletion or anonymization will be performed again to the extent technically and reasonably possible.

8. Vulnerability Management

Vahti Service Oy aims to identify, assess, and remediate vulnerabilities related to the service on a risk-based basis.

Vulnerability management may include, for example, dependency updates, security updates, code reviews, hardening of the technical environment, log monitoring, incident investigation, and validation of changes before production use.

9. AI-Related Safeguards

AI is used in the service as an advisory layer to explain findings, produce guidance, and summarize security content. AI does not create, modify, close, or prioritize risk state.

Customer identifiable tenant data is not used to train general AI models. Data sent to AI services is limited to the context necessary for the relevant function.

10. Deletion and Return

Upon termination of the Main Agreement, deletion and return of personal data are governed by Section 18 of the DPA.

At the Customer’s request, Vahti Service Oy will return reasonably available personal data in an agreed format if technically and reasonably possible. After that, data will be deleted or anonymized from active systems within 90 days, unless law or another agreed obligation requires longer retention.

Data in backups expires according to the normal backup lifecycle.