Lentävä liitutaulu Oy

DATA PROCESSING TERMS

Version: May 13, 2020

Applicability

These terms apply between Lentävä liitutaulu Oy (“SEPPO”) and a customer with whom SEPPO has concluded an agreement, if SEPPO is considered the data processor and the customer the data controller within the meaning given in the EU General Data Protection Regulation.

Definitions

The terms used herein shall have the same meaning as given in Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the “Regulation”). Such terms include without limitation controller, processor, personal data, data subject, processing and personal data breach.

Purpose

With these terms, the parties agree that the customer, as controller, appoints SEPPO as its processor to process the customer’s personal data during the term of an agreement under the terms agreed herein.

Processor shall process the personal data only to further its obligations set forth in a consultancy services agreement and in accordance with the written instructions provided by controller.

The controller shall be the sole controller of the personal data and shall be responsible for complying with the obligations that the Regulation and other applicable laws set for data controllers, such as ensuring that there is a legal basis for processing personal data, informing data subjects about processing activities through privacy policies, complying with the controller’s other documentation obligations and ensuring that the data is kept accurate. If and to the extent the legal basis for processing personal data is the individual’s consent, the controller is liable for obtaining the consent and managing it as provided in the Regulation.

Processor is not entitled to process personal data for any other purpose or on behalf of anyone else. Processor is entitled to transfer personal data outside the EU or EEA, provided that the transfer is made in compliance with the obligations that the Regulation specifies in terms of adequate safeguards for international data transfers. Processor must immediately notify controller if it considers that the written instructions provided by controller for processing personal data are in violation of the Regulation or national data protection laws. In addition to the terms of this annex, the parties agree to comply with the Regulation as applicable to each party.

Additional details regarding processing may be described in the agreement or in a separate document.

Sub-processing

Processor is entitled to use sub-processors for processing personal data. Additional information about sub-processors can be provided on request. If the processor plans to make changes to its sub-processors, it will notify the controller by giving at least 5 days’ written notice. Processor’s obligation to notify covers the intended addition, removal or change of a sub-processor. After receiving the notification, controller has the right to object to the intended change in the use of a sub-processor. If the controller objects to the intended change and the processor cannot reasonably use another sub-processor or another method for processing the personal data, the processor is not liable for damages or harm caused by such objection. In this situation the processor is entitled to terminate the agreement by giving at least 1 month’s written notice to the controller.

When using sub-processors for processing personal data, processor agrees that it will impose data protection terms on any sub-processor it appoints that protect the personal data to the same standard as provided for by this Annex. Processor is fully liable that its sub-processors comply with the requirements of this Annex.

Confidentiality

All personal data processed by processor on behalf of controller is considered controller’s confidential information, and processor shall not disclose the personal data to anyone or use it for any purpose other than the agreed purpose. Processor ensures that only such people shall have access to the personal data as is necessary for furthering processor’s obligations relating to the purpose, that such people shall be subject to a strict duty of confidentiality, contractual or statutory, and that no person who is not under such a duty of confidentiality shall be permitted to process the personal data. The duties of confidentiality shall survive the termination or expiration of the Agreement.

Security

Processor shall implement appropriate technical and organisational measures to protect the personal data from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, the personal data. Such measures shall take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity to natural persons’ rights and freedoms.

Such measures can include, as appropriate:

a) the pseudonymisation and encryption of personal data;

b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

Personal data breaches

Processor must notify controller without undue delay about personal data breaches it becomes aware of, so that controller can comply with the provisions of the Regulation regarding personal data breach notifications within the set time limits. When notifying controller, processor must include necessary details about the personal data breach and also otherwise provide reasonable assistance for the controller. Processor must also take all such other necessary measures to mitigate or remedy the effects of the personal data breach and to prevent further breaches.

Data protection impact assessment

If processor becomes aware that the planned processing would cause a high risk to the rights and freedoms of natural persons, it must notify controller about this and assist the controller, if necessary, in conducting a data protection impact assessment.

Data subject’s rights

Taking into consideration the nature of the data processing, processor must reasonably and without undue delay assist controller, including by applicable technical and organisational measures, to fulfill any request from a data subject to exercise its rights under the Regulation. Such rights may include, as they are described in the Regulation, rights of access, correction, objection, erasure (“right to be forgotten”) and data portability. If such requests are made directly to processor, it must notify controller about the request without undue delay.

Audits

Processor shall permit controller to audit processor’s compliance with these terms, and shall provide access and make available to controller all systems, premises, resources, information and staff as necessary for controller to conduct such audit. Audits will be performed during normal business hours with the aim of causing as little disruption to processor’s business operation as reasonably possible. Controller must also provide reasonable advance notification of planned audits. Both parties are responsible for their own costs and expenses relating to an audit.

Other terms

If the processor must assist the controller in fulfilling the controller’s obligations related to data breaches, data subjects’ rights and data protection impact assessments, these assistance tasks are performed within the scope and time limitations provided in the parties’ service agreement. If the parties have not concluded a service agreement or the time required exceeds what is included in the agreement, the processor is entitled to invoice the reasonable actual time used for the assistance tasks in accordance with the hourly rates agreed between the parties. Invoicing the time used for the assistance tasks requires that the controller has accepted that the processor can use time to perform assistance tasks. Processor is not liable to the controller for any indirect or consequential loss or damage or third-party claims.

Term and effects of termination

These terms enter into force on the same date as the agreement between the parties and shall thereafter remain in force until the agreement is terminated or expires under its terms.

Within a reasonable time after the termination or expiration of the agreement, processor shall delete or return all personal data to controller and delete also all copies of the personal data, unless national or EU or member state law requires processor to retain some or all of that data. In such event any further processing of the personal data is prohibited, except to the extent required by law. The controller is obligated to make sure that it has backup copies of the data prior to deletion, if it considers the data still necessary.

If the controller has not notified the processor about deletion or return of data within 6 months from the termination or expiration of the agreement, the processor shall delete all personal data in its possession, including any copies, unless national or EU or member state law requires processor to retain some or all of that data. In such event any further processing of the personal data is prohibited, except to the extent required by law. The controller is obligated to make sure that it has backup copies of the data prior to deletion, if it considers the data still necessary.

Description of the Processing

Nature of processing:

Provision of SEPPO’s services and related support to its customers. SEPPO collects, processes and stores personal data relating to its customers in accordance with the agreement, applicable laws and these terms. Personal data may include, for instance, the following categories of personal data: name, email address and other data. The personal data mainly relates to such data subjects as potential or existing clients of the customer, employees or job applicants of the customer, business partners of the customer, or users of the customer’s own services.

DATA PROCESSING AGREEMENT – SeppoQ

Version: June 30, 2026

Between:

[Customer organization name], [business ID], [address] ("Controller")

and

Lentävä Liitutaulu Oy, Business ID 2500405-9, Päivöläntie 52, 00730 Helsinki, Finland ("Processor")

together referred to as the "Parties".

1. Background and purpose

The Parties have entered into a subscription agreement for the SeppoQ workplace learning platform (the "Service Agreement"). In the course of providing the SeppoQ service, the Processor will process personal data on behalf of the Controller.

This Data Processing Agreement ("DPA") sets out the terms and conditions under which the Processor processes personal data on behalf of the Controller, in accordance with Article 28 of the EU General Data Protection Regulation (Regulation 2016/679, "GDPR").

In the event of any conflict between this DPA and the Service Agreement, the terms of this DPA shall prevail with respect to the processing of personal data.

2. Definitions

"Personal data", "processing", "data subject", "controller", "processor", "sub-processor", "personal data breach", and "supervisory authority" have the meanings given in the GDPR.

"Customer data" means all personal data submitted to or generated within SeppoQ by the Controller or its learners, including simulation responses, self-assessments, AI-generated evaluation results, and skill snapshots.

"Applicable data protection law" means the GDPR and any national implementing legislation in force from time to time.

3. Subject matter, nature, and purpose of processing

Subject matter: Processing of personal data relating to the Controller's employees and other designated learners in connection with the SeppoQ workplace learning service.

Nature of processing: Collection, storage, structured evaluation (including AI-assisted evaluation), aggregation, and reporting of learner performance data; transmission to sub-processors as set out in Section 7.

Purpose: Delivering the SeppoQ service as described in the Service Agreement, including running scenario-based simulations, generating individual skill results, and producing organizational readiness reports.

Duration: This DPA is in force for the duration of the Service Agreement and terminates when all Customer data has been deleted or returned in accordance with Section 11.

4. Types of personal data processed

The Processor processes the following categories of personal data on behalf of the Controller:

Category                     | Examples
-----------------------------|------------------------------------------------------------------------------------------------
Identity and contact data    | Full name, work email address
Organizational data          | Employer name, team, division, region, job role within SeppoQ
Simulation response data     | Written responses to scenario tasks, answers in AI-chat exercises, self-assessment ratings
AI-generated evaluation data | Skill scores (knowledge, communication, decision-making), AI-generated feedback narratives, skill snapshots
Participation data           | Simulation start/completion status, phase progression
Technical data               | Session identifiers (for authentication purposes only; not used for tracking)

Special categories of personal data (Article 9 GDPR) are not intentionally processed. The Controller must not use SeppoQ to collect sensitive personal data such as health data, racial or ethnic origin, religious beliefs, or trade union membership.

5. Categories of data subjects

The personal data concerns the following categories of data subjects:

  • The Controller's employees or other persons designated by the Controller to participate in SeppoQ simulations ("learners")
  • The Controller's administrators and managers who have been granted access to SeppoQ

6. Processor's obligations

The Processor undertakes to:

6.1 Process only on documented instructions

Process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country, unless required to do so by EU or member state law; in that case the Processor will inform the Controller before processing, unless the law prohibits such information.

6.2 Confidentiality

Ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

6.3 Security

Implement the technical and organizational security measures described in Section 9.

6.4 Sub-processors

Engage sub-processors only in accordance with Section 7 of this DPA.

6.5 Assistance with data subject rights

Assist the Controller, by appropriate technical and organizational measures, in fulfilling the Controller's obligation to respond to requests for exercising data subjects' rights under Chapter III of the GDPR. The Processor will forward any data subject requests received directly from learners to the Controller within 5 business days.

6.6 Assistance with compliance obligations

Assist the Controller in ensuring compliance with Articles 32–36 of the GDPR (security, breach notification, data protection impact assessments, prior consultation), taking into account the nature of processing and the information available to the Processor.

6.7 Deletion or return of data

Delete or return all Customer data at the end of the service provision, in accordance with Section 11, and delete existing copies unless EU or member state law requires storage.

6.8 Audit and demonstration of compliance

Make available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR, and allow for and contribute to audits and inspections conducted by the Controller or an auditor mandated by the Controller, subject to reasonable notice and confidentiality obligations.

6.9 Notification of unlawful instructions

Immediately inform the Controller if, in the Processor's opinion, an instruction infringes applicable data protection law.

7. Sub-processors

7.1 Authorized sub-processors

The Controller provides general authorization for the Processor to engage the following sub-processors:

Sub-processor                                 | Purpose                                                                                  | Location                              | Safeguards
----------------------------------------------|------------------------------------------------------------------------------------------|---------------------------------------|------------------------------------------------
Supabase, Inc.                                | Database, authentication, serverless edge functions                                      | EU (Stockholm, Sweden — eu-north-1)   | EU hosting; Supabase DPA at supabase.com/dpa
Microsoft Corporation (Azure OpenAI Service)  | AI evaluation of learner simulation responses, AI-chat, feedback and report generation   | EU (Sweden North)                     | EU hosting; Microsoft DPA with SCCs
Mailjet (Sinch Sweden AB)                     | Transactional email delivery (invitations, notifications, reports)                       | EU (France)                           | EU hosting; Mailjet DPA at mailjet.com/legal

7.2 Azure OpenAI Service — AI processing

Learner response text submitted to simulation tasks and AI-chat exercises is transmitted to Microsoft's Azure OpenAI Service, deployed in the Sweden North region (EU). Microsoft processes this data solely to return the evaluation result. Per Microsoft's Azure OpenAI Service terms, customer data submitted via the API is not used to train AI models, is not shared with OpenAI, and is not used to improve any third-party products or services. All AI processing occurs within the EU.

7.3 Changes to sub-processors

The Processor will notify the Controller at least 30 days in advance of any intended changes concerning the addition or replacement of sub-processors. The Controller may object to the change within that period on reasonable data protection grounds. If the Parties cannot resolve the objection, either party may terminate the Service Agreement with respect to the affected processing.

7.4 Processor's responsibility for sub-processors

The Processor remains fully responsible for the acts and omissions of its sub-processors as if they were the Processor's own acts and omissions. The Processor will impose data protection obligations on sub-processors that are equivalent to those set out in this DPA.

8. Controller's obligations and instructions

The Controller is responsible for:

  • Ensuring it has a lawful basis for providing learner personal data to SeppoQ (typically consent or the performance of an employment contract)
  • Informing learners about the processing of their data in SeppoQ, in accordance with Articles 13–14 GDPR (the Controller may reference the SeppoQ Privacy Policy for the AI processing specifics)
  • Not submitting special categories of personal data to SeppoQ
  • Issuing processing instructions to the Processor through the Service Agreement and this DPA; additional instructions may be issued in writing

9. Technical and organizational security measures

The Processor maintains the following security measures in accordance with Article 32 GDPR:

Infrastructure and hosting

  • All Customer data stored in EU (Supabase eu-north-1, Stockholm)
  • Encryption at rest: AES-256
  • Encryption in transit: TLS 1.2 or higher

Access control

  • Role-based access control: learners, managers, customer admins, and Seppo staff each have access only to data relevant to their role
  • Multi-factor authentication required for all Seppo internal staff with access to production systems
  • Access is reviewed and revoked promptly when staff change roles or leave

Data segregation

  • Each customer organization's data is logically separated; customer admins and managers can only access data belonging to their own organization

Audit logging

  • Administrative actions (data access, exports, configuration changes) are logged

Vulnerability management

  • Security patches applied on a regular schedule
  • No unencrypted storage of credentials; secrets managed via environment-level secrets management

Backup and recovery

  • Automated backups stored within the EU (eu-north-1)
  • Backup integrity tested periodically

The Processor will maintain documentation of these measures and update them as necessary. The Processor will notify the Controller of any material changes that may affect the security of Customer data.

10. Personal data breaches

In the event of a personal data breach affecting Customer data, the Processor will:

  1. Notify the Controller without undue delay and in any case within 72 hours of becoming aware of the breach
  2. Provide, at minimum, the following information: the nature of the breach; the categories and approximate number of data subjects and records concerned; likely consequences; measures taken or proposed to address the breach and mitigate its effects
  3. Cooperate fully with the Controller in the Controller's breach notification obligations to supervisory authorities and affected data subjects

Notification shall be sent to the contact email provided by the Controller in the Service Agreement.

11. Deletion and return of data

Upon termination of the Service Agreement, the Processor will:

  1. Upon the Controller's written request, provide an export of all Customer data in a machine-readable format (JSON or CSV) within 30 days of the request
  2. Delete all Customer data from Seppo's systems within 30 days of termination (or of delivering the export, whichever is later), including data held by sub-processors, unless EU or member state law requires retention
  3. Provide written confirmation of deletion upon request

During the active subscription, the Controller may request deletion of specific data sets at any time; the Processor will fulfill such requests within 30 days.

12. Data transfers outside the EU/EEA

Customer data is stored and processed within the EU. All sub-processors listed in Section 7.1 operate within the EU for the purposes of this agreement. No Customer data is transferred to countries outside the EU/EEA for storage or routine processing.

Sub-processors with US-based parent companies (Supabase, Inc.; Microsoft Corporation) operate under Data Processing Agreements that include EU Standard Contractual Clauses covering any incidental access by personnel outside the EU/EEA.

No transfers outside the EU/EEA take place without the Controller's prior written consent, unless required by applicable law.

13. Audit rights

The Controller (or an auditor appointed by the Controller) may conduct audits or inspections of the Processor's processing of Customer data, subject to:

  • At least 14 days' written notice
  • Reasonable confidentiality obligations to protect Seppo's other customers' data and Seppo's proprietary information
  • Audits conducted during normal business hours and in a manner that minimizes disruption
  • Costs borne by the Controller unless the audit reveals a material breach of this DPA

As an alternative to an on-site audit, the Processor may provide relevant third-party audit reports or certifications (such as SOC 2 reports from Supabase) where these cover the scope of the requested audit.

14. Liability

Each party's liability under this DPA is subject to the limitations and exclusions set out in the Service Agreement. Where a party is responsible for damage caused by a breach of this DPA or applicable data protection law, it shall be liable to the other party in accordance with the Service Agreement terms.

Nothing in this DPA limits either party's liability to data subjects or supervisory authorities under the GDPR.

15. Governing law and disputes

This DPA is governed by Finnish law. Disputes arising from this DPA shall be resolved in accordance with the dispute resolution provisions of the Service Agreement.

16. Amendments

This DPA may only be amended by written agreement signed by both Parties. Where an amendment is required by changes in applicable data protection law, the Processor will provide at least 30 days' advance notice of the proposed amendment.

17. Signatures

This DPA enters into force when both Parties have signed it, or — where incorporated by reference into the Service Agreement — when the Service Agreement enters into force.

Controller
[Customer organization name]
Signed by: _______________
Name: _______________
Title: _______________
Date: _______________

Processor
Lentävä Liitutaulu Oy
Signed by: _______________
Name: _______________
Title: _______________
Date: _______________

Annex A — Sub-processor list (current as of June 30, 2026)

Sub-processor         | Legal entity           | Purpose                                  | Location                    | Legal basis for transfer
----------------------|------------------------|------------------------------------------|-----------------------------|------------------------------------------------
Supabase              | Supabase, Inc.         | Database, auth, edge functions           | EU (Stockholm, eu-north-1)  | EU hosting; SCCs cover incidental US staff access
Azure OpenAI Service  | Microsoft Corporation  | AI evaluation, chat, feedback, reports   | EU (Sweden North)           | EU hosting; SCCs cover incidental US staff access
Mailjet               | Sinch Sweden AB        | Transactional email                      | EU (France)                 | EU hosting; no transfer outside EU

Lentävä Liitutaulu Oy — support@seppo.ioseppoq.seppo.io