DATA PROCESSING AGREEMENT

1. PARTIES

  • 1.1 ZenTreasury Oy (hereinafter "Processor")
    Business ID: 2762104-2
    Aalto Start-Up Center Otakaari 5, 02150 Espoo, Finland

  • 1.2 The party who has concluded the Agreement with the Processor on the use of the Processor's Service (hereinafter "Controller" or "Customer")

2. DEFINITIONS

  • 2.1 "Agreement" means the main agreement between the Parties that includes this Data Processing Agreement.

  • 2.2 “Data Processing Agreement” means this agreement.

  • 2.3 "Data Protection Laws" means the Personal Data Act of Finland (523/1999), the General Data Protection Regulation of the European Parliament and of the Council (679/2016) and any other data protection legislation in force and any legally valid instructions or orders given by the data protection authorities.

  • 2.4 “Party” or “Parties” means the Controller and/or the Processor.

  • 2.5 “Personal Data” means any information relating to an identified or identifiable natural person for which the Controller or the Controller’s customer or another affiliate acts as the controller. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

  • 2.6 “Service” means the SaaS service offered by the Processor and used by the Controller.

3. SUBJECT-MATTER AND DURATION OF THE PROCESSING

  • 3.1 The Parties agree in this Data Processing Agreement on the terms and conditions of the processing of Personal Data that stem from the Agreement.

  • 3.2 The Agreement includes the processing of Personal Data the Controller is in charge of.

  • 3.3 The Processor has the right to process the Personal Data for as long as the Agreement is in force, unless the Controller decides otherwise.

4. NATURE AND PURPOSE OF THE PROCESSING

  • 4.1 The purpose of the Service is to provide the Customer with a SaaS service related to treasury management. The Processor processes Personal Data only when and if the Controller discloses such data to the Service.

5. TYPE OF PERSONAL DATA AND CATEGORIES OF DATA SUBJECTS

  • 5.1 The categories of data subjects consist of the data subjects whose Personal Data the Controller discloses to the Service.

  • 5.2 The register that consists of the Personal Data may include: (i) contact information, such as full name, address, phone numbers and e-mail addresses; (ii) nationality, age, gender, title or profession and language skills; (iii) possible registration information, such as username, pseudonym, password and other unique identification; (iv) information regarding the customer relationship, such as billing and payment information, product-, service- and ordering information, information regarding customer feedback and contacts and cancellation information; (v) information relating to the implementation of communications and information relating to use of services, such as browsing and search information; and (vi) possible other data the Controller discloses to the Service.

6. OBLIGATIONS AND RIGHTS OF THE CONTROLLER

  • 6.1 The Processor shall process the Personal Data according to the Data Protection Laws and by following good data processing practices, other relevant legislation and compulsory guidance of the authorities.

  • 6.2 When necessary, the Controller may give the Processor binding additional instructions concerning the processing of Personal Data. Such instructions must be given in written form.

  • 6.3 The Controller reserves the right to monitor the Personal Data.

  • 6.4 The Controller reserves the ownership of the Personal Data and any immaterial rights and other rights relating to the Personal Data, unless the Controller notifies the Processor that such ownerships belong to the Controller’s customer or another affiliate company.

7. INSTRUCTIONS FROM THE CONTROLLER IN REGARD TO THE PROCESSING OF PERSONAL DATA

  • 7.1 The Processor is not allowed to process the Personal Data for any other purposes than what the Parties have specifically agreed on in the Agreement.

  • 7.2 When processing the Personal Data, the Processor has an obligation to follow the Data Protection Laws.

  • 7.3 The Controller gives the Processor a general permission to hand over, transfer or in any similar way process Personal Data outside the EU/EEA. Upon such processing, the Processor has an obligation to follow the Data Protection Laws, the instructions of the Controller and the Agreement (including this Data Processing Agreement). If any of the prerequisites of the approval cease to exist, the Processor has an obligation to immediately: (i) perform an action that ensures the lawful processing of the Personal Data and that the processing is conducted according to the instructions given by the Controller and the Agreement; or (ii) cease the transfer of Personal Data outside the EU/EEA and return the Personal Data transferred outside the EU/EEA to the Controller.

8. CONFIDENTIALITY

  • 8.1 The Processor is under an appropriate statutory obligation of confidentiality when it processes Personal Data.

  • 8.2 The Controller has the right to require from the Processor’s Employees separate confidentiality agreements or any other such measures related to Personal Data’s security.

9. SECURITY OF PROCESSING

  • 9.1 Taking into account the risks related to the nature of the Agreement, the Processor ensures appropriate technical and organizational measures when it processes Personal Data. Those measures shall especially aim to prevent the accidental, unauthorized or unlawful processing of Personal Data, monitor the processing, disappearance, destruction, alteration or impairment of Personal Data and prevent unauthorized access to the Personal Data.

  • 9.2 The Processor shall ensure that its employees do not process the Personal Data against the instructions given by the Controller.

  • 9.3 In the case of a personal data breach, the Processor shall immediately notify the Controller of the personal data breach. In addition, the Processor shall, not later than 24 hours after having become aware of the data breach, provide the Controller with all relevant information relating to the data breach (for example descriptions of the security breach, the consequences of the breach and the actions that have been taken by the Processor as a result of a security breach). The Controller needs such information to meet its statutory obligations, investigate the matter, prevent similar violations and make legal notifications. The Processor has the obligation to present the Controller with any relevant information the Controller requires from the Processor in the case of the Data Breach.

10. SUBPROCESSORS

  • 10.1 The Processor has a right to use other processors (e.g. cloud services providers) (hereinafter “Subprocessor”) to process Personal Data.

11. OBLIGATION OF THE PROCESSOR TO ASSIST THE CONTROLLER

  • 11.1 The Processor shall without delay assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the rights of its customers. Upon written request from the Processor, the Controller shall without undue delay reimburse the Processor for any costs arising from this Section 11.1.

  • 11.2 The Processor shall assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the General Data Protection Regulation, taking into account the nature of the processing and the information available to the Processor.

12. DELETION OR RETURN OF THE PERSONAL DATA

  • 12.1 After the Agreement is no longer in force, the Processor and its subcontractor shall return, at their own expense and without delay, the Personal Data to the Controller or the Controller’s customer if it acts as the controller, by following the instructions given by the Controller. If the return of Personal Data is not possible, then the Parties must agree on the destruction of the material in a separate agreement.

13. RECORDS OF PROCESSING ACTIVITIES

  • 13.1 The Processor shall keep records (hereinafter “Records”) of its processing activities that relate to this Agreement and the processing of Personal Data. The Records must have at least the following information:

    • (a) the name and contact details of the Processor and, if possible, the name and contact details of the Processor’s data protection officer;

    • (b) the description of the processing activities of the Personal Data conducted on behalf of the Controller and the categories of data subjects and personal data;

    • (c) if the Personal Data is transferred outside the EU/EEA, the information of the transfer and a demonstration that the transfer was conducted according to the Data Protection Laws;

    • (d) a description of the technical and organizational measures taken; and

    • (e) reports of possible audits conducted by the Processor or third parties.

14. INDEMNITY AND LIABILITY

  • 14.1 Each party hereby indemnifies the other party against any and all losses, damages, liabilities, claims, penalties, fines, awards, costs and expenses (including reasonable legal fees) caused by any breach of the warranties contained in this Agreement.

  • 14.2 The Controller has an obligation to defend the Processor where a claim is filed against the Processor on the basis of the Processor’s processing activities relating to the Personal Data. The Processor has the aforementioned obligation if the Controller informs the Processor of the matter in a written form and without undue delay.

  • 14.3 The Parties’ liability for damages shall be determined on the basis of the General Data Protection Regulation (679/2016).

15. MISCELLANEOUS

  • 15.1 If there is a conflict between the Data Processing Agreement and the Agreement, the terms of the Data Processing Agreement shall prevail.

  • 15.2 The Processor has a right to transfer the Data Processing Agreement and a part of its rights and obligations derived from the Data Processing Agreement to third parties without a prior written approval of the Controller.

  • 15.3 The Controller has a right to transfer the Data Processing Agreement and a part of its rights and obligations derived from the Data Processing Agreement to third parties without a prior written approval of the Processor.

  • 15.4 If any court of law, having the jurisdiction to decide on this matter, rules any provision of the Data Processing Agreement invalid, then that provision will be removed from the Data Processing Agreement without affecting the rest of the Data Processing Agreement. The remaining provisions will continue to be valid and enforceable.

  • 15.5 The Data Processing Agreement is governed by the laws of Finland without regard to its rules and principles on conflict of laws.

  • 15.6 Any dispute arising between the Parties out of, or in connection with, the Data Processing Agreement, its validity, interpretation or performance shall be finally settled in accordance with the Arbitration Rules of the Finland Chamber of Commerce in Helsinki, Finland. The arbitration tribunal shall consist of one (1) arbitrator. The language of the arbitration shall be English or Finnish.