ANNEX 3 – Data Processing Agreement (DPA)
Data Controller (Customer): [Name, Business ID, Address]
Processor (Provider): Lyyli AI Oy; hello@lyyli.ai
DPO: Veikko Laitinen, veikko@lyyli.ai
1. Introduction and Applicable Terms
GDPR and national legislation; IT2022 YSE where applicable.
2. Subject and Duration of Processing
Duration of main agreement + maximum 30 days after termination for deletion/return purposes.
3. Nature and Purpose
Collection, storage, organization, restriction, retrieval, use, disclosure based on instructions, logging, verification/return, deletion/anonymization.
4. Data Subjects and Data Categories
Employees/workers; name, email, role/position, usage and log data, message metadata and content according to Data Controller's instructions.
No special categories of personal data without separate agreement. No customers' customers.
5. Data Controller's Obligations
Lawfulness, legal basis, information; user and rights management.
6. Processor's Obligations
Compliance with instructions, confidentiality, Annex 4 TOMs, assistance with requests and breaches, logs and documentation, enabling audits.
7. Subprocessors
List in Annex 5; at least equivalent obligations.
8. International Transfers
Not outside EU/EEA. Possible future transfers with GDPR Chapter V safeguards.
9. Data Breaches
Notification without delay and at the latest within 48 hours.
10. Audits
Once per year, 14 business days advance notice, without unreasonable disruption.
11. Deletion or Return
Upon termination deletion/return; backups overwritten after retention period; deletion certificate upon request.
12. Liability and Law
Main agreement & IT2022; Finnish law; Helsinki District Court.