Aito.ai SaaS Platform Service Agreement
Aito.ai is a Software-as-a-Service, where the Aito platform is managed by us. You will get an API endpoint that exposes all the functionality provided by the platform. The service is mainly intended as a secondary index for Machine Learning functionality. Aito.ai is not meant to be used as the main datastore or data warehouse. There are other tools better optimised for these purposes.
Aito.ai operates the service, which includes managing the servers and resources needed by the service as a whole, as well as individual customer environments. Customer support is provided on a best effort basis.
The service does not include consultancy or implementation work on behalf of or for the customer.
Aito SaaS is subscription based. Once you subscribe, you will get your own endpoint and the access keys for it within the next working day. We're working on our full self-service tool, but for now we want you to contact us at firstname.lastname@example.org and provide us with contact details. We will get back to you.
The Aito subscription will start with a two-week free period. During this time, you can use the service free of charge, with limitations on the allowed API calls. After the trial period the subscription is changed to a paid subscription automatically.
The paid subscription is invoiced on a per-day basis, meaning that we will count your invoicing balance per starting 24h of use. If you are not satisfied with us, the subscription can be cancelled at any time. The invoicing will also be discontinued at the start of the next full day. The day is calculated against the wall-clock time of your subscription start. The invoices are sent to you on a monthly basis.
An Aito subscription will always contain all the functionality the platform offers. We are constantly improving the old features as well as implementing new ones, and you are entitled to using the latest version of the software. We will roll out new versions of the software on a regular basis, without any downtime on the environment.
The Aito platform is built around the privacy of your data. The data you store in the database is your own, and we don't use it or even look at it without explicit permission from you. We don't log data in the customer messages, nor do we gather any statistics of the internals of the data. We, however, will monitor the API-usage (quantity of calls, response times, message sizes) in order to guarantee the quality of service for you, as well as to improve the service for the future.
We are interested to hear about bugs, feature requests or any other feedback. We aim to improve the service, but features we implement, even on request, will be made available to all our customers on the same terms.
In case of questions, bugs or technical problems, please send a message to email@example.com. We'll get back to you as soon as possible.
We will take care of running the service and the software, monitoring it and making sure things are working as expected. You, as our customer, are responsible for the actual data being stored in Aito. This means you need to have the permissions to store and use the data in Aito. In GDPR terms you are the Controller of the data, responsible for how, when and why you process the data. Under GDPR Aito is the Processor, i.e. we provide the software for you, but do not use the data in any way, besides making sure it's available for your use.
Aito must not be used for purposes that are illegal in the EU or Finland. We reserve the right to terminate the subscription immediately without prior notice, and notify the police if the service is used for any illegal purposes.
We also expect you to make sure you use Aito in a way that does not harm or disturb other users of the service. Any purposeful attempts to break the software, circumvent any security measures in place, or to use Aito in a way that can be interpreted as malice will lead to immediate termination of the subscription. We will also report any such incidents to the authorities.
We also expect that you notify us immediately in case you notice that someone is acting malevolently in your name, e.g. if your software has been cracked, or someone else is causing you harm. We will take necessary means to solve the problem for you.
The limits to the service usage are set to guarantee the level of the service, both for individual users as well as for the collective of all users. There are soft limits, which are monitored but do not immediately prevent usage, and hard limits which cannot be exceeded.
CPU and RAM constraints are reserved, and thus in effect hard limits. The environment cannot use more than the allocated share of RAM or CPU capacity. While the exact amount is not public information, we aim to always guarantee sufficient capacity for the size of the data you have reserved.
The number of API calls is limited on a daily basis, and burst and rate limits are set for momentary use.
The daily limit of API calls is set to 1.000.000 (1M) calls per day, per environment, corresponding roughly to 700 requests per minute.
The burst limit restricts the momentary number of calls to the API and is set to 900 requests per second. This is the highest allowed throughput within one to a few seconds. The calls are also counted against the weekly limit.
The rate limit, i.e. the average requests per second for an extended period of time, is set to 300 requests per second. The calls are counted against the weekly limit. In summary:
| Limit | Value | Description |
|---|---|---|
| Max calls per day | 1 000 000 | The cumulative number of requests within a wall-clock day |
| Short time burst limit | 900 rps | The momentary max burst rate (within a few seconds) |
| Average rate limit | 300 rps | Steady rate limit, averaged over a longer period of time (minutes) |
The limits are enforced, but configurable. Contact sales if you want to change the allowed throughput.
Payload size is limited to 10MB per message. This includes data and all headers. For uploading larger datasets to the database, the file upload API can be used to overcome this limit.
API access limits cannot be enforced on an IP or hostname basis. The authentication is based on an API key. The API is served only over HTTPS.
Confidential Information means any information and material in whatever form disclosed to one Party by the other Party and either marked as confidential or should be understood to be confidential.
Customer Data means information or material transferred by the Customer to Service or information or material otherwise provided or made available to the Supplier for Customer’s benefit and for purposes of the Service or other information or material specified as Customer Data by the Parties.
Customer Equipment means the hardware and software which the Customer is required to have in use in order to use and enable the Service to be provided in accordance with this Agreement.
Customer Support shall mean the support functions provided by the Supplier to the Customer as further specified in Section 9.
Effective Date is the date when the Agreement is duly signed by both Parties.
Intellectual Property Right means any and all patents, utility models, designs, copyright, domain names, trademarks, trade names and any other intellectual property rights, whether registered or not and applications for any of the aforementioned respectively as well as any trade secrets.
Service means the Service specified in the Service Description attached hereto provided by the Supplier to the Customer via public data networks.
Service Fee means the agreed fee which covers the provision of the Service for the term of this Agreement.
User means personnel and contractors of the Customer and any third parties acting on Customer’s behalf for the Customer’s normal business purposes during the term of this Agreement.
The following Annexes form an integral part of this Agreement:
Annex 1 Data Processing Annex
In the event of any discrepancy between the content of the body of this Agreement and the Data Processing Annex, the Data Processing Annex shall prevail.
The Customer wishes to acquire access to the Service provided by the Supplier and the Supplier is willing to grant the access pursuant to the terms and conditions of this Agreement.
The Supplier undertakes to perform the tasks for which it is responsible in conformity with this Agreement, with due care and with the professional skills reasonably expected from an experienced service provider.
The Supplier shall deliver to the customer in writing the necessary API keys and other instructions for operating the environment.
The Customer is responsible for all use of the Service by its Users and shall comply with all applicable laws and regulations in connection with the Customer’s use of the Service, including those related to data privacy and the transmission of personal data as described in more detail in Annex 1 to this Agreement.
The Customer shall be responsible for ensuring that the Service fulfils Customer’s intended purpose. The Supplier specifically excludes any liabilities and warranty for a particular purpose.
The Customer shall be responsible for acquiring and maintaining the functional status of the Customer Equipment that the Customer needs to use the Service. The Customer shall be responsible for the protection of Customer’s data environment and comparable costs related to use of the Service.
The Customer shall notify the Supplier immediately of any unauthorized use of the Service or any other known or suspected breach of security.
Customer shall permit access to and use of the Service only by those employees, contractors or other third parties who fall within the limiting definition of a User.
Customer shall not transfer, lease, loan, resell, distribute or otherwise make the Service or materials contained in the Service available in whole or in part in any form whatsoever to any third parties.
Customer shall not attempt to gain access to any parts of the Service to which the Customer has not acquired access rights nor will the Customer attempt to modify, copy, decompile, adapt, reverse engineer or otherwise attempt to derive source code of the Service or any computer software programs the Service is based upon.
The Service and content of the Service are set forth in the Service Description attached to this Agreement.
This Agreement may also be used in cases where the Customer wishes to test the Service or its new features before committing to using them. This Agreement shall by default apply to all such trials and tests, and the Parties may agree on additional case-by-case terms in writing in regard to such trials or tests. Such additional terms shall supersede the stipulations of this Agreement if in conflict until otherwise stated in the terms themselves.
The Supplier shall provide the Customer with reasonable technical and use related Customer Support on a best efforts basis, using the means and channels in its sole discretion. The Supplier shall separately communicate to the Customer the support channels and appropriate contact details for them.
For the avoidance of doubt, the Supplier shall not be obliged under this Agreement to provide support, assistance or maintenance concerning third party equipment or software.
The Supplier shall be entitled to make such change to the Service that is necessary to prevent or mitigate severe data security risk to the Service. If the supplier makes a change to the Service due to data security risk and which has an effect on the Service, the Supplier shall inform the Customer of the change in good time before making it or, if this is not reasonably possible, without delay after the Supplier has learned of such matter.
The Supplier shall be entitled to make a change to the Service other than specified above in this Section after notifying the Customer in advance. If the contemplated change has a material effect on the contents of the Service or the agreed Service Level, the Supplier must inform the customer about the change in writing at least 60 days before the effective date of the change and the Customer shall have the right to terminate this Agreement by giving 30 days prior notice. The termination notice shall be given in writing no later than 14 days following the receipt of the notification of the change.
The Supplier shall have the right to suspend delivery of the Service for scheduled maintenance breaks as notified to the Customer at least 14 days in advance.
The Supplier shall have the right to suspend delivery of the Service due to installation, change or maintenance work of general data network outside Supplier’s control or due to severe data security risk to the Service or if required by mandatory law or competent authorities.
The Supplier shall have the right to prevent Customer’s access to the Service without prior notice, if the Supplier reasonably suspects that the Customer burdens or uses the Service in such a manner as to jeopardize the delivery of the Service to other users.
The Supplier shall also have the right to restrict the Customer’s access to and use of the Service in cases where the Customer’s momentary or long-term use of the Service causes unexpected or unreasonable stress on the Service and its background systems. The Supplier reserves the right to specify such unexpected or unreasonable use, but shall base its assessment i.a. on the technical limits outlined under the Service Description above.
The Service Fees and other prices are specified in the Pricing document attached to this Agreement and the Service Description.
The Supplier may change the prices by giving the Customer prior written notice 60 days in advance. The price change has no effect on payments which are due before the change becomes effective. Should the Customer not accept the price change, the Customer has the right to terminate this Agreement upon the coming into force of the price change by giving the Supplier a prior written notice 14 days in advance.
Unless otherwise agreed in writing, the prices specified in this Agreement shall include all public charges determined by the authorities and effective on the Effective Date, with the exception of value added tax. Value added tax shall be added to the prices in accordance with the then current regulations.
Neither Party may set off other Party’s claim or receivables.
The terms of payment are 14 days net from the date of the invoice. Interest on overdue payments shall accrue in accordance with the Interest Act of Finland.
The Supplier shall have the right to subcontract its obligations under this Agreement. The Supplier shall ensure that its sub-contractors comply with the confidentiality provisions specified in section 13. Each Party shall be liable for the work of its subcontractor as for its own.
Each Party shall keep in confidence all Confidential Information and shall not disclose the Confidential Information to any third party or use the Confidential Information for any purpose other than for the purpose of this Agreement.
A receiving Party shall have the right to:
a) copy Confidential Information only to the extent necessary for the purpose of this Agreement;
b) disclose Confidential Information only to those of its employees and sub-contractors fulfilling the obligations of this Agreement who need to know Confidential Information for the purpose of this Agreement; and
c) disclose Confidential Information to its own legal and financial advisors provided that such advisors are bound by confidentiality provisions at least as restrictive as contained in this Section 13.
Notwithstanding the foregoing the confidentiality obligation shall not be applied to any material or information:
a) which is generally available or otherwise public other than by a breach of this Agreement on the part of the receiving Party; or
b) which the Party has received from a third party without any obligation of confidentiality; or
c) which was in the possession of the receiving Party prior to receipt of the same from the other Party without any obligation of confidentiality related thereto; or
d) which a Party has developed independently without using material or information received from the other Party; or
e) which a Party shall disclose pursuant to a law, decree, or other order issued by the authorities or judicial order.
Each Party shall cease using Confidential Information received from the other Party promptly upon termination of this Agreement or when the Party no longer needs the Confidential Information in question for the purpose of this Agreement and, unless the Parties separately agree on the destruction of such material, return the material in question and all copies thereof. Each Party shall, however, be entitled to retain copies required by law or regulations.
Each Party warrants the observance and proper performance of this section 15 by all of its subcontractors and other parties to which Confidential Information has been disclosed.
Each Party is entitled to use the professional skills and experience acquired in connection with this Agreement.
The rights and obligations under this Section 13 shall survive the termination or expiration of this Agreement and shall remain in force for a period of 5 years from the Effective Date, or if the Confidential Information is disclosed after the Effective Date, for a period of 5 years from the date of disclosure.
Notwithstanding anything to the contrary in Section 13, both Parties may use the other Party’s graphical logo and company name on its website and in marketing materials to represent that the other is a customer or supplier, as applicable, and shall respect any procedures and/or guidelines provided by the other Party for the use of such graphical logo.
If a Party finds that a delay will occur or is likely, the Party shall without delay inform the other Party in writing of the delay and of the effects of the delay on the Agreement.
If any performance of the other Party is delayed by more than 30 days from the due date despite a written reminder, the other Party shall be entitled to suspend its performance without any liability until the Party in delay has fulfilled its obligations under the Agreement.
Force Majeure Event means any failure by a Party to perform its obligations under this Agreement caused by an impediment beyond its control, which it could not have taken into account at the time of the conclusion of this Agreement, and the consequences of which could not reasonably have been avoided or overcome by such Party. If not proven otherwise such impediments may include, but are not limited to, acts of government in its sovereign or contractual capacity, fires, disturbance of data networks, floods, epidemics, quarantine restrictions, strikes, lock-outs, industrial disputes, riots, acts of terror or specific threats of terrorist activity, transportation or energy. Strike, lock-out, boycott and other industrial action shall constitute a Force Majeure Event also when the Party concerned is the object or a party to such an action.
Save for the obligation to pay money properly due and owing, neither Party shall be liable for delays and damages caused by a Force Majeure Event.
A Force Majeure Event suffered by a subcontractor of a Party shall also discharge such a Party from liability if subcontracting from other source cannot be made without unreasonable costs or a significant loss of time.
A Party shall notify the other Party in writing without delay of a Force Majeure Event. The Party shall correspondingly notify the other Party of the termination of a Force Majeure Event.
The Intellectual Property Rights to the Service and any amendments, modifications, new versions thereto shall belong to the Supplier. The product names associated with the Service are service marks and trademarks of the Supplier or third parties, and no right or license is granted to use them. This Agreement does not grant the Customer any rights of ownership in or related to the Service or the Intellectual Property Rights owned by the Supplier. The Customer acknowledges that, except as specifically provided under this Agreement, no other right, title, or interest is granted.
The Intellectual Property Rights and the title to the Customer Data shall belong to the Customer.
This Agreement has no effect on the Intellectual Property Rights each Party had prior to the Effective Date. This Agreement shall not give a Party any direct, indirect or implied right or license to use or otherwise exploit Intellectual Property Rights belonging to the other Party.
The Supplier warrants that the Service as used pursuant to this Agreement does not infringe copyrights enforceable in Finland.
The Supplier shall at its own expense defend the Customer against lawsuits claiming that the Service infringes any of the above-mentioned rights of a third party provided that the Customer promptly notifies the Supplier in writing of such lawsuits and permits the Supplier to defend or settle the lawsuits and gives to the Supplier all necessary information and assistance available and the necessary authorizations. The Supplier shall pay all damages awarded in a trial to a third party, if the Customer has acted in accordance with the foregoing.
If in the justified opinion of the Supplier the Service infringes any of the above-mentioned rights of a third party, the Supplier may at its own expense either (a) obtain the right of continued use of the Service for the Customer or (b) replace the Service with a comparable service or (c) modify the Service in order to eliminate the infringement. If none of the above-mentioned alternatives is available to the Supplier on reasonable terms, the Customer shall, at the request of the Supplier, stop using the Service.
The Supplier shall, however, not be liable if the claim (a) results from compliance with the Customer’s instructions; (b) results from the use of the Service in combination with any other service or product not supplied by the Supplier or (c) could have been avoided by the use of a released and equivalent Service offered for use to the customer without separate charge.
The liability of the Supplier for infringement of Intellectual Property Rights shall be limited to this Section 18.
The Customer may from time to time provide suggestions, comments or feedback (“Feedback”) with respect to the Service or Confidential Information provided originally by the Supplier. The Customer agrees that all Feedback is voluntary and, even if marked as confidential (unless subject to a separate written agreement), will not create a confidentiality obligation for the Supplier. The Supplier will be free to use, disclose, reproduce, license or otherwise distribute such Feedback, without obligation or restriction of any kind with relation to a Party’s Intellectual Property Rights or otherwise. Notwithstanding the above, no right shall be granted to any Intellectual Property Rights that were in existence prior to the Effective Date.
The Supplier has the right to use the Customer Data only for the purposes of this Agreement and provisioning of the Service. Notwithstanding the aforementioned, the Supplier shall have the right to use the Customer Data for purposes of statistical analysis and improving the Service.
The Customer shall be responsible for Customer Data and for ensuring that the Customer Data does not infringe third party Intellectual Property Rights or violate any legislation in force from time to time. In case of breach of the aforementioned, the Customer will be responsible for, and will indemnify and hold the Supplier harmless from all claims, suits, proceedings, losses, liabilities, damages, costs and expenses (including reasonable attorneys’ fees) made against or incurred by the Supplier.
The Supplier’s responsibility to retain the Customer Data terminates 60 days from termination or expiration of this Agreement, after which the Supplier shall at its own expense destroy the Customer Data unless the Customer has requested delivery of the Customer Data. However, the Supplier shall be entitled to destroy or retain the Customer Data to the extent required by law or regulation by a competent authority.
This Agreement shall become effective on the Effective Date and shall stay in effect until further notice.
Each Party shall have the right to terminate this Agreement with immediate effect upon written notice to the other Party.
TO THE FULL EXTENT PERMITTED BY LAW, THE WARRANTY SET FORTH IN THIS SECTION 22 IS SUPPLIER’S EXCLUSIVE WARRANTY AND IS IN LIEU OF ALL OTHER WARRANTIES, CONDITIONS, UNDERTAKINGS OR TERMS OF ANY KIND, EXPRESS OR IMPLIED, WRITTEN OR ORAL, BY OPERATION OF LAW, ARISING BY STATUTE, COURSE OF DEALING, USAGE OF TRADE OR OTHERWISE, INCLUDING, WARRANTIES OR CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, SATISFACTORY QUALITY, LACK OF VIRUSES AND BACK DOORS, TITLE, NON-INFRINGEMENT, ACCURACY OR COMPLETENESS OF RESPONSES, RESULTS, AND/OR LACK OF WORKMANLIKE EFFORT.
NO REPRESENTATION OR OTHER AFFIRMATION OF FACT, INCLUDING STATEMENTS REGARDING PERFORMANCE OF THE SERVICE, WHICH IS NOT CONTAINED IN THIS AGREEMENT, WILL BE BINDING ON THE SUPPLIER. THE FOREGOING WARRANTY SPECIFICALLY EXCLUDES THIRD PARTY MODIFICATIONS.
The aggregate total liability of a Party towards the other Party in respect of any cause of action relating to or arising out of this Agreement shall not exceed the amount paid by the Customer under this Agreement during the last 6 months before the cause for the claim has arisen.
NEITHER PARTY WILL BE LIABLE TO THE OTHER PARTY OR ANY THIRD PARTY FOR ANY SPECIAL, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL DAMAGES, ARISING OUT OF OR RELATED TO THIS AGREEMENT, INCLUDING, WITHOUT LIMITATION, DAMAGES RESULTING FROM DELAY OF DELIVERY OR FROM LOSS OF PROFITS, DATA, BUSINESS, OR GOODWILL, HOWEVER CAUSED AND ON WHATEVER THEORY, WHETHER BASED ON BREACH OF CONTRACT OR WARRANTY, TORT (INCLUDING NEGLIGENCE), THE FAILURE OR ASSERTED FAILURE OF A PARTY TO PERFORM ITS OBLIGATIONS HEREUNDER, OR OTHERWISE, AND WHETHER OR NOT THE PARTY ALLEGED TO HAVE CAUSED SUCH DAMAGES HAS BEEN ADVISED OR IS AWARE OF THE POSSIBILITY OF SUCH DAMAGES.
Both Parties shall be responsible for taking back-up copies of data and data files and for verifying the functionality of such back-up copies. Neither Party shall be liable for the loss of, damage to, nor alteration of data or data files of the other Party due to any cause and the resulting damages and expenses incurred, such as expenses based on the re-creation of data files.
The limitations of liability shall not apply to:
a) damages caused by willful misconduct or gross negligence; or
b) breach of confidentiality provisions in section 13; or
c) claims and costs covered by section 18.
Neither Party shall have the right to assign this Agreement or any of its rights or obligations hereunder to any third party without the prior written consent of the other Party. Notwithstanding the foregoing each Party may transfer its receivables under this Agreement to a third party.
The Supplier may transfer this Agreement and the rights and obligations hereunder to such a third party to which the business activities related to this Agreement have been transferred.
This Agreement and all matters arising out of or in connection with this Agreement shall be interpreted, construed and governed exclusively in accordance with the laws of Finland without reference to its choice of law rules. The United Nations Convention on Contracts for the International Sale of Goods done at Vienna April 11, 1980 is excluded.
In the event no settlement can be reached by means of negotiations, any dispute, controversy or claim arising out of or relating to this Agreement, or the breach, termination or validity thereof shall be finally settled by arbitration in accordance with the Rules for Expedited Arbitration of the Finnish Central Chamber of Commerce. The arbitration shall take place in Helsinki, Finland. The arbitration shall be conducted and the arbitration award shall be given in the English language. The Parties agree that the arbitration procedure and all thereto related material and information shall be treated as Confidential Information in accordance with Section 15 of this Agreement.
The Parties nevertheless have the right to claim for outstanding receivables under this Agreement at the courts of the other Party’s registered domicile.
Both Parties act in their own name and on their own behalf. Neither Party has a right to enter into any agreements or other commitments on behalf of the other Party.
A failure of a Party to insist upon the performance of any one or more of the terms or conditions of this Agreement or a waiver of any term or condition of this Agreement will not be deemed to be a waiver of any rights or remedies the Party may have in subsequent similar situations.
If any provision in this Agreement is found or becomes invalid, unlawful, or unenforceable to any extent, the provision in question will be severed from the remaining provisions of this Agreement, which will continue to be valid and enforceable to the fullest extent permitted by law.
This Agreement together with its Annexes specified in Section 2 constitutes the entire agreement between the Parties with respect to the subject matter hereof and supersedes all prior agreements, proposals, undertakings, and other representations and communications between the Parties.
No modification of this Agreement will be valid unless in writing.
This Agreement has been executed in two originals, one for each Party.
Aito’s pricing is based on two parameters:
1) the capacity we reserve for your environment and
2) the number of API-calls you perform.
The invoiced cost of the service is the sum of these two separate parts.
The pricing is calculated with an SLA-guarantee, so if we fail to meet the SLA during a given day, we charge neither infrastructure cost nor API-calls for that day.
Since we guarantee the responsiveness and stability of your environment, we keep capacity reserved for it throughout the subscription. The reserved capacity is based on the amount of data you store in the database, and it is calculated and recorded daily. This amount is calculated based on the actual size of the JSON data you have stored in the database. This translates to the cumulative size for each row of (unformatted JSON) data in every table in the database. We will report this to you with the invoices, so you can see the basis for the cost calculation.
We charge you for the max amount of data stored per day, according to the table below.
| Size in GB | /day | /month (30d) |
|---|---|---|
| over 16GB | Contact sales (firstname.lastname@example.org) | |
We will calculate the number of individual API-calls per month, and invoice you based on the total number. A discount is applied to the usage, so the bigger the usage, the less an individual API-call costs:
If you plan to use the API with over 10M calls per month, you should contact us at email@example.com, to discuss individual rates.
We reserve the right to interrupt the service for maintenance purposes, but the downtime will not exceed 30 minutes on any given day during business hours. This also includes any unexpected interruption due to problems in the service or the software (excluding force majeure reasons).
Normal maintenance is performed outside business hours (Finland 08:00 - 20:00), so the effective uptime is expected to be higher.
The purpose of this Annex is to agree on the privacy and data protection of the Personal Data of the Controller in the services of the Provider. This Annex constitutes a written agreement in accordance with the EU General Data Protection Regulation (679/2016) (“Regulation”) concerning the processing of personal data. Those obligations and rights that are directly based on the EU General Data Protection Regulation shall enter into force only when the application of the EU General Data Protection Regulation begins on 25 May 2018.
If the terms concerning the Processing of Personal Data of the Annex and the Agreement are in conflict, the parties shall primarily apply the terms of this Annex.
In accordance with the EU General Data Protection Regulation, the terms below are defined as follows:
“Controller” shall mean the Customer or the Customer’s client, who shall define the purposes and methods of Personal Data Processing.
“Processor” shall mean the Provider, who shall Process Personal Data on behalf of the Controller based on the Agreement.
“Processing” or “Processing Activities” shall mean any operation or set of operations which is performed on Personal Data or sets of personal data using automated means or manually, such as data collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Personal Data” shall mean any information relating to an identified or identifiable natural person, hereafter “Data Subject”; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Personal Data Breach” shall mean a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
The Provider shall process the Personal Data of the Controller on behalf of, and commissioned by the Customer, on the grounds of the Agreement. The Personal Data that the Provider Processes may relate to, e.g. employees or customers. The Customer or the Customer’s client shall be the Controller and the Provider shall be the Processor of the Personal Data Processed in the service. The parties undertake to abide by the legislation, decrees and authority orders and guidelines concerning Processing of Personal Data in force from time to time both in Finland and the EU.
The Controller is entitled and obligated to define the purpose and methods of the Processing of Personal Data. The subject, character and purpose of Processing is defined in more detail in the Agreement. The types of Personal Data and sets of data subjects Processed in the services have been defined in the form specifying the Processing operations, Annex 1.
The Provider is entitled to Process the Personal Data and other data of the Controller only on the grounds of the Agreement, this Annex and according to the written guidelines of the Customer, and only to the extent and in a manner that is necessary in order to provide services. The Provider shall notify the Customer if any conflict with the data protection legislation of the EU or Finland is detected in the guidelines and in such a case, the Provider may immediately decline and stop the application of the guidelines of the Customer.
The Provider shall maintain the service description or other record of the Processing Activities of the service in cases where it is required to do so by the EU General Data Protection Regulation. The Provider is entitled to collect anonymous and statistical data on the use of the services pursuant to the Agreement that does not specify the Customer or the data subjects, and to use it for analyzing and developing its services.
After the expiry of the Agreement, the Provider shall return or delete, according to the guidelines of the Customer, all the personal data of the Controller and delete all duplicates, unless applicable legislation requires the retention of the Personal Data.
The Provider may use subcontractors for Processing the Controller’s Personal Data. The Provider is responsible for its subcontractor’s actions as for its own and shall draft written agreements with the subcontractors concerning the Processing of Personal Data. If requested, the Provider shall inform the Customer beforehand of subcontractors the Provider intends to use in processing the personal data pursuant to the Agreement. The Customer is entitled to oppose the use of a new subcontractor on reasonable grounds. If the Parties are unable to reach an agreement concerning the use of a new subcontractor, the Customer is entitled to terminate the Agreement with thirty (30) days’ notice, in so far as the change of subcontractor affects the Processing of Personal Data pursuant to the Agreement.
The Provider shall immediately forward all requests to inspect, rectify, erase or object to the Processing of Personal Data or other requests received from the Data Subjects, to the Customer. If requested by the Customer, the Provider shall support the Customer in fulfilling the requests of the Data Subjects.
The Provider is obligated, taking into account the nature of the Processing of Personal Data and the data available, to assist the Customer in ensuring that the Customer complies with its legal obligations. These obligations may include requirements related to data security, notifying of data breaches, data protection impact assessments as well as obligations regarding prior consultations. The Provider is obligated to assist the Customer only to the extent that applicable legislation obligates the Processor of Personal Data. Unless otherwise agreed, the Provider is entitled to invoice the expenses incurred from action pursuant to this section 3.4 according to the Provider’s valid price list.
The Provider shall forward all inquiries made by data protection authorities directly to the Customer and shall await further guidance from the Customer. Unless otherwise agreed, the Provider is not authorized to represent the Customer or act on behalf of the Customer in relation to the authorities supervising the Customer.
The Provider and its subcontractors may Process personal data outside the EU/EEA area. In case such transfers or Processing take place, the Provider ensures that the EU Commission standard contractual clauses 2010/87/EU concerning the transfer of Personal Data to outside the EU/EEA, or a similar legal safeguard approved by the Regulation, will apply to such transfer or Processing.
By signing this Annex the Customer grants a power of attorney to the Provider to represent the Customer in signing the contractual clauses on behalf of and in the name of the Customer. Furthermore, the Customer explicitly accepts that the Provider may also represent the subcontractor in question in relation to the contractual clauses.
The Customer or an auditor authorized by the Customer (however, not a competitor of the Provider) is entitled to audit the activities pursuant to the Annex. The Parties shall agree on the time of the auditing and other details ahead of time and at the latest 14 days before the inspection. The auditing shall be carried out in a way that does not impede the obligations of the Provider or its subcontractors in regard to third parties. The representatives of the Customer and the auditor must sign conventional non-disclosure commitments.
The Customer shall be responsible for its own and the Provider’s expenses caused by the auditing. If notable defects are perceived during auditing, the Provider shall be liable for the costs incurred from the auditing.
The Provider shall implement the appropriate technical and organizational measures to protect the Personal Data of the Controller, taking into account all the risks of Processing, especially the unintentional or illegal destruction, loss, alteration, unauthorized disclosures or access to Personal Data that has been transferred, saved or otherwise Processed. When organizing the security measures, the technical options and their costs shall be assessed in relation to the special risks of the Processing at hand and the sensitivity of the Personal Data Processed.
The Customer shall be obligated to ensure that the Provider is notified of all the circumstances concerning the Personal Data the Customer has delivered, such as risk assessments and the Processing of special sets of Data Subjects that affect the technical and organizational measures pursuant to this Annex. The Provider shall ensure that the personnel of the Provider or a subcontractor of the Provider shall abide by the appropriate non-disclosure commitments.
The Provider must notify the Customer of all Personal Data Breaches without undue delay after receiving information of the breach or after a subcontractor of the Provider has received information of the breach.
If requested by the Customer, the Provider shall, without undue delay, give the Customer all relevant information concerning the data breach. In so far as the information in question is available to the Provider, the Provider shall describe at least the following to the Customer:
(a) the occurred data breach,
(b) if possible, the sets of data subjects and the number thereof, as well as the sets of personal data types and estimated numbers,
(c) a description of the likely consequences caused by the data breach, and
(d) a description of reparative measures, that the Provider has implemented or shall implement in order to prevent data breaches in the future, and if necessary, the measures to minimize the harmful effects of the data breach.
The Provider shall document and report the results of the inquiry and the implemented measures to the Customer.
The Customer shall be liable for the necessary notifications to the data protection authorities.
If any tangible or intangible damage is caused to a person due to a breach against the EU General Data Protection Regulation or the Annex, the Provider shall be liable for the damage only in so far that it has not explicitly abided by the obligations directed to Personal Data Processors in the EU General Data Protection Regulation or this Annex.
Both parties are obligated to pay only the part of the damages or administrative fine that corresponds to the liability for damage confirmed in the final decision of a data protection authority or a court of law. In all cases the liability of the parties shall be determined pursuant to the Agreement.
The Provider shall notify the Customer in writing of all changes that may affect its ability or chances to abide by this Annex and the written guidance of the Customer. The Parties shall agree on all additions and amendments to this Annex in writing.
This Annex shall enter into force after both parties have signed the Agreement. The Annex shall remain in force (i) as long as the Agreement is in force or (ii) the parties have obligations concerning personal data processing activities towards one another.
Those obligations that due to their nature are meant to survive the expiry of this Annex shall remain in force after the expiry of the Annex.
This Processing Specification Form is an inseparable part of the Annex concerning Personal Data Processing. The Processing Specification Form specifies a processing assignment the Processor performs for the benefit of the Controller in the manner provided for in the Agreement and this Annex.
|1 Services||The Processing shall concern the following services (fill out the service description) |
Machine learning SaaS service
|2 Geographical Location of Personal Data||The Personal Data is Processed in the following countries or areas: |
|3 Sets of Data Subjects||The Personal Data Processed concerns the following sets of Data Subjects: |
Any Data Subjects whose Personal Data the Customer will Process in the Service
|4 Types of Personal Data||The Personal Data Processed in the service consists of the following types of Personal Data: |
Any Personal Data the Customer will Process in the Service
Special sets of Personal Data:
Any Personal Data the Customer will Process in the Service