
ANNEX 3 – Data Processing Agreement (DPA)

Version v1.0

Controller (Customer): [Name, Business ID, Address]

Processor (Supplier): Lyyli AI Oy (Business ID 3537519-5); hello@lyyli.ai

Data Protection Officer (DPO): Veikko Laitinen, veikko@lyyli.ai

1. Introduction & Applicable Terms

This DPA supplements the Order Confirmation. GDPR and national data protection law apply, as do IT2022 General Terms mutatis mutandis.

2. Subject-matter & Duration

Processing is necessary to provide, maintain and support the Service for the term of the main agreement and up to 30 days thereafter for deletion/return.

3. Nature & Purpose; Data Subjects & Categories

Operations: collection, storage, organisation, structuring, restriction, retrieval, use, disclosure on instruction, logging, backup & restoration, deletion/anonymisation.

Data subjects: Customer employees, contractors and other users (excluding Customer’s own customers).

Data categories: name, email, role/title, usage and log data, metadata and content of messages as instructed by Customer.

No special category data unless separately agreed in writing.

4. Controller & Processor Obligations

Controller ensures lawfulness, legal basis, transparency and instructions; manages users and access.

Processor follows documented instructions, ensures confidentiality, implements Annex 4 TOMs, assists with data subject rights and incidents, maintains records and enables audits.

5. Subprocessors

Processor may engage subprocessors. Current list in Annex 5. Processor imposes equivalent obligations on subprocessors.

6. International Transfers

No transfers outside the EU/EEA. Any future transfers will use GDPR Chapter V safeguards and be added to the annexes.

7. Personal Data Breaches

Notification to Controller without undue delay and no later than 48 hours after becoming aware, including description, impact, actions and contact point.

8. Audits

Audit right once per year with 14 business days’ prior notice during business hours without undue disruption. Costs borne by Controller unless a material breach is found.

9. Deletion or Return

Upon termination, Processor will delete or return personal data as requested; backups overwritten after the retention period. Deletion certificate available upon request.

10. Liability & Governing Law

Liabilities per the main agreement and IT2022 General Terms. Governing law: Finland. Disputes: Helsinki District Court.
