Data Processing Agreement
Parties
Data Controller (Customer): The entity that has agreed to the Suunta.ai Terms of Use and is using the Services.
Data Processor (Suunta.ai): Y4 Works Oy, Business ID: 2978296-6, Address: Finland, Email: privacy@suunta.ai
1. Definitions
- Personal Data means any information relating to an identified or identifiable natural person as defined in Article 4(1) of the GDPR.
- Processing means any operation or set of operations performed on Personal Data, as defined in Article 4(2) of the GDPR.
- Data Subject means the identified or identifiable natural person to whom Personal Data relates.
- Subprocessor means any third party engaged by Suunta.ai to process Personal Data on behalf of the Customer.
- Services means the Suunta.ai platform and related services as described in the Terms of Use.
- GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation).
- Standard Contractual Clauses (SCCs) means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission.
- Security Incident means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data processed by Suunta.ai on behalf of the Customer (consistent with the definition of "personal data breach" in Article 4(12) of the GDPR).
2. Scope and Purpose
2.1 Scope This DPA applies to all Processing of Personal Data by Suunta.ai on behalf of the Customer in connection with the Services.
2.2 Roles The Customer acts as the Data Controller. Suunta.ai acts as the Data Processor. Where Suunta.ai determines the purposes and means of Processing (e.g., for service improvement analytics), Suunta.ai acts as an independent Controller and will process such data in accordance with its Privacy Policy.
2.3 Purpose of Processing Suunta.ai processes Personal Data solely for the purpose of providing the Services as described in the Terms of Use, including:
- User account management and authentication
- Providing AI-powered strategic planning features
- Processing and storing business data submitted by Users
- Generating AI-assisted analysis and recommendations
- Billing and subscription management
- Customer support
- Service security and abuse prevention
3. Categories of Data and Data Subjects
3.1 Categories of Data Subjects
- Customer's employees and contractors who use the Services
- Other individuals whose Personal Data is submitted to the Services by the Customer
3.2 Categories of Personal Data
| Category | Data Elements | Purpose |
|---|---|---|
| Account Data | Name, email, phone (optional), job title, role | User identification and access |
| Authentication Data | Password hash, SSO identifiers, session data | Secure access |
| Organization Data | Organization name, country, city, industry, size | Service customization |
| Usage Data | IP address, user agent, login timestamps, activity logs | Security and audit |
| Business Data | Strategy documents, OKRs, KPIs, projects, tasks | Core service delivery |
| Communication Data | Chat messages, AI interactions | Service features |
| Billing Data | Stripe Customer ID, subscription details | Payment processing |
3.3 Special Categories of Data The Customer agrees not to submit special categories of Personal Data (as defined in GDPR Article 9) to the Services without Suunta.ai's prior written consent.
4. Processor Obligations
4.1 Processing Instructions Suunta.ai shall process Personal Data only on documented instructions from the Customer, inform the Customer if an instruction infringes GDPR, and ensure authorized persons are bound by confidentiality.
4.2 Security Measures
| Measure | Implementation |
|---|---|
| Encryption at rest | AES-256 (AWS RDS) |
| Encryption in transit | TLS 1.2+ |
| Access control | Role-based access, organization isolation |
| Authentication | Password hashing (PBKDF2-SHA256), session management |
| Audit logging | Comprehensive activity logging with retention policies |
| Backup | Automated daily backups with point-in-time recovery |
| Infrastructure | AWS EU (Stockholm, eu-north-1) |
4.3 Subprocessing Suunta.ai may engage Subprocessors subject to the conditions in Section 6.
4.4 Assistance to Controller Suunta.ai shall assist the Customer in responding to Data Subject requests, in meeting the Customer's obligations under GDPR Articles 32 to 36 (security of processing, personal data breach notification, data protection impact assessments and prior consultation), and by providing the information necessary to demonstrate compliance.
4.5 Deletion and Return Upon termination of the Services or upon Customer request: (a) the Customer may request export of Customer Data within 30 days of termination; (b) Suunta.ai shall delete Personal Data within 90 days of termination, unless retention is required by law; (c) Data export is provided in JSON and CSV formats via the Services.
5. AI-Specific Data Handling
5.1 AI Processing When Customer Data is processed through AI features: (a) prompts and responses are transmitted to Third-Party AI Providers for processing; (b) other than the chat conversation history described in (d), Suunta.ai does NOT store AI prompts or responses in its database; (c) only usage metadata (token counts, latency, model, cost) is logged for billing and analytics; (d) chat conversation history is stored to enable conversation continuity and is treated as Communication Data under Section 3.2.
5.2 No Training on Customer Data Suunta.ai will NOT use Customer Data to train, fine-tune, or improve AI models without the Customer's explicit written consent. Where a Third-Party AI Provider supports it, Suunta.ai configures the provider to opt out of training-data usage and to apply zero data retention to prompts and responses.
5.3 RAG Document Processing Uploaded documents are processed to extract text, converted to vector embeddings, and raw document text is cleared within 24 hours after indexing. Chunk content and embeddings are retained for service functionality; upon source deletion, all associated chunks and embeddings are removed.
6. Subprocessors
6.1 Authorized Subprocessors The Customer provides general authorization for Suunta.ai to engage the Subprocessors listed in Appendix A.
6.2 Subprocessor Requirements Suunta.ai shall enter into written agreements with Subprocessors imposing data protection obligations no less protective than this DPA, remain liable for Subprocessor compliance, and conduct appropriate due diligence.
6.3 Changes to Subprocessors Suunta.ai shall maintain an up-to-date list of Subprocessors at https://suunta.ai/legal/subprocessors, notify the Customer at least 30 days before engaging a new Subprocessor, and provide the Customer an opportunity to object on reasonable data protection grounds.
6.4 Objection Process If no resolution is reached within 30 days, the Customer may terminate the affected Services without penalty. Such termination is the Customer's sole remedy for Subprocessor objections.
7. Data Subject Rights
7.1 Assistance Suunta.ai shall assist the Customer in responding to Data Subject requests to exercise their rights under GDPR Chapter III, including access, rectification, erasure, restriction, data portability, and objection.
7.2 Data Subject Requests If Suunta.ai receives a request directly from a Data Subject, Suunta.ai shall promptly notify the Customer, not respond directly unless authorized or required by law, and provide reasonable assistance.
7.3 Self-Service Features The Services include self-service features enabling Users to:
- View and export their Personal Data
- Correct account information
- Delete their user account
- Request organization data export
- Request organization deletion
8. Security Incidents
8.1 Notification Suunta.ai shall notify the Customer of any Security Incident without undue delay and in any event within 72 hours of becoming aware, providing a description of the incident, affected data subjects and records, contact point, likely consequences, and measures taken.
8.2 Cooperation Suunta.ai shall cooperate with the Customer's investigation, take reasonable steps to mitigate effects, provide updates, and assist with notifications to supervisory authorities and Data Subjects.
8.3 Records Suunta.ai maintains an immutable compliance audit log for security-relevant events with extended retention.
9. International Transfers
9.1 Processing Locations Primary data processing occurs in the EU (AWS eu-north-1, Stockholm). Some processing may occur in the USA through Third-Party AI Providers.
9.2 Transfer Mechanisms For transfers to countries without an EU adequacy decision, Suunta.ai relies on Standard Contractual Clauses (Module 2: Controller to Processor, Module 3: Processor to Processor), supplementary measures, and Subprocessor certifications where applicable.
9.3 Transfer Impact Assessment Suunta.ai has conducted transfer impact assessments for transfers to the USA, considering:
- Nature of data transferred (primarily prompts/queries, not bulk Personal Data)
- Technical measures (encryption, zero data retention configurations)
- Legal framework of the destination country
- Contractual protections with Subprocessors
10. Audit Rights
10.1 Audit Information Upon Customer's written request (no more than once per year), Suunta.ai shall provide a summary of security measures, third-party audit results (subject to confidentiality), confirmation of Subprocessor compliance, and records of Security Incidents affecting Customer Data.
10.2 On-Site Audits On-site audits require 30 days' advance written notice, are conducted during business hours with minimal disruption, at Customer's cost, under confidentiality, and limited to DPA compliance.
10.3 Certifications Suunta.ai is working toward SOC 2 Type II and ISO 27001 certifications. Upon achievement, audit reports will be made available to Customers under NDA.
11. Data Retention
11.1 Retention Periods
| Data Category | Retention Period | Notes |
|---|---|---|
| Active account data | Duration of Services | Deleted upon account deletion |
| Deleted user accounts | Anonymized immediately | 90-day backup retention |
| AI usage metadata | 365 days | Token counts, costs |
| Audit logs (standard) | 24 months | CRUD operations |
| Audit logs (critical) | 36 months | Deletions, security events |
| Compliance audit logs | 7 years | Immutable, regulatory retention |
| Billing records | 6 years | Finnish accounting law |
| Backups | 30 days | Automated rotation |
11.2 Deletion Process Organization deletion follows a structured process: deletion request with password confirmation; 30-day grace period (cancellable); Stripe subscription cancellation; systematic deletion of all organization data; immutable compliance audit log entry.
12. Liability
Each party's liability under this DPA is subject to the limitations set forth in the Terms of Use. Each party shall indemnify the other for losses arising from the indemnifying party's breach of this DPA or applicable data protection laws.
13. Term and Termination
This DPA remains in effect for the duration of the Terms of Use. Sections 5 (AI-Specific Data Handling), 8 (Security Incidents), 11 (Data Retention), and 12 (Liability) survive termination.
14. Governing Law
This DPA is governed by the laws of Finland. Disputes shall be resolved in accordance with the dispute resolution provisions of the Terms of Use.
15. Contact
For data protection inquiries: Y4 Works Oy (Suunta.ai), Email: privacy@suunta.ai
Appendix A: Authorized Subprocessors
Last Updated: January 27, 2025. See the full list at https://suunta.ai/legal/subprocessors.
Appendix B: Technical and Organizational Measures
1. Access Control
- Role-based access control (RBAC)
- Organization-level data isolation (multi-tenant architecture)
- Unique user accounts with secure authentication
- Session management with configurable timeouts
- Brute-force protection with account lockout
2. Encryption
- Data at rest: AES-256 encryption (AWS RDS)
- Data in transit: TLS 1.2+ for all connections
- Password storage: PBKDF2-SHA256 hashing
3. Availability and Resilience
- AWS infrastructure with high availability
- Automated daily backups with point-in-time recovery
- Disaster recovery procedures
4. Monitoring and Logging
- Comprehensive audit logging of user activities
- AI usage tracking (metadata only)
- Security event monitoring
- Log retention per Section 11
5. Incident Response
- Documented incident response procedures
- 72-hour breach notification commitment
- Immutable compliance audit trail
6. Personnel
- Confidentiality obligations for all personnel
- Security awareness training
- Principle of least privilege
7. Vendor Management
- Due diligence on Subprocessors
- Contractual data protection requirements
- Regular review of Subprocessor compliance