Data Processing Agreement (DPA)
This Data Processing Agreement ("DPA") governs the processing of personal data by Fronterak Oy on behalf of the contractor (the controller) in accordance with Article 28 of the EU General Data Protection Regulation (GDPR, 2016/679). The DPA forms an integral part of the contractor terms of service and enters into force when the contractor registers for the Fronterak service.
1. Purpose of the agreement and parties
This DPA concerns personal data that Fronterak (the "Processor") processes on behalf of the contractor (the "Controller") when the Controller uses the Fronterak service to manage the data of its own customers, i.e. consumers (e.g. requests for quotes, project data, messages).
The Controller decides on the purposes and means of processing personal data for its own business. The Processor processes data solely on the basis of the Controller's documented instructions, unless required otherwise by law.
2. Subject matter, duration, nature and purpose of processing
Subject matter: personal data of the Controller's customers collected through the Fronterak service (requests for quotes, project data, messages, documents).
Duration: processing lasts as long as the Controller has an active Fronterak subscription, plus the period necessary after termination to return and delete the data (no more than 90 days).
Nature and purpose: providing the Processor's service and related operations such as data storage, message delivery, backups and service maintenance.
3. Types of personal data and categories of data subjects
Personal data processed: name, email, phone number, address, project data, content of communications, images and other information related to the request for quote or the project.
Categories of data subjects: the Controller's current and prospective customers (consumers) and the Controller's own employees and representatives who use the service on the Controller's behalf.
Special categories of personal data (Art. 9 GDPR) are not processed as a rule. If the Controller enters special category data into the service, the Controller is separately responsible for the lawfulness of that processing.
4. Obligations of the Processor and confidentiality
The Processor commits to: (a) processing personal data only on the Controller's documented instructions; (b) ensuring that persons involved in processing have undertaken to maintain confidentiality or are subject to an appropriate statutory obligation of secrecy; (c) implementing all security measures required by Article 32 GDPR; (d) assisting the Controller in fulfilling its obligations.
The Processor will inform the Controller without delay if, in the Processor's view, any instruction given by the Controller infringes data protection law.
5. Technical and organisational measures (TOM)
The Processor implements appropriate technical and organisational measures (TOMs) to protect personal data against unauthorised processing, accidental loss, destruction or damage. At a minimum, these include:
(a) Encryption: TLS 1.2+ in transit and encryption of data at rest;
(b) Access control: role-based access control (Supabase RLS), two-factor authentication for administrative users;
(c) Logging and monitoring: logging of critical actions and regular monitoring;
(d) Backups: daily backups whose restoration is tested at least once a year;
(e) Staff training: regular data protection and information security training for staff involved in processing;
(f) Incident response process: a documented process for detecting, assessing and reporting personal data breaches.
A detailed description of current TOMs is available on request at info@fronterak.fi.
6. Use of subprocessors
The Controller grants the Processor general written authorisation to engage subprocessors for the provision of the service. The current subprocessors are listed in the Processor's published subprocessor list, which is kept up to date.
The Processor will notify the Controller of new or replacement subprocessors at least 30 days before the change takes effect. The Controller has the right to object to a change on reasonable grounds — in case of an objection, the parties will negotiate in good faith for a solution, and where necessary the Controller may terminate the agreement.
The Processor enters into a written agreement with each subprocessor that imposes data protection obligations equivalent to those in this DPA. The Processor remains fully liable to the Controller for the acts of its subprocessors.
7. International transfers
Personal data is, as a rule, stored within the EU/EEA. Where data is transferred outside the EEA, the transfer is based on a legal ground under Chapter V GDPR, primarily the EU Commission's Standard Contractual Clauses (SCCs) or the EU–US Data Privacy Framework.
The Processor implements supplementary measures (e.g. encryption, anonymisation) where necessary to ensure an adequate level of protection.
8. Assistance with data subject rights
The Processor assists the Controller by appropriate technical and organisational measures in responding to data subjects' requests under Articles 12–22 GDPR (including access, rectification, erasure, restriction of processing, portability and objection).
If a data subject sends a request directly to the Processor, the Processor will promptly forward the request to the Controller and will not respond to the request without the Controller's express authorisation.
9. Personal data breaches and notification
The Processor will notify the Controller without undue delay, and at the latest within 48 hours, of becoming aware of a personal data breach. The notice will contain the information set out in Article 33(3) GDPR: the nature of the breach, its likely consequences, the measures taken and contact details.
The Processor will assist the Controller in fulfilling its obligations under Articles 33 and 34 GDPR to notify the supervisory authority and, where applicable, the data subjects.
10. Data protection impact assessment (DPIA)
The Processor will reasonably assist the Controller in carrying out data protection impact assessments (DPIAs) and prior consultations as required by Articles 35 and 36 GDPR when the processing is likely to result in a high risk to the rights and freedoms of data subjects.
11. Audit rights
The Processor will make available to the Controller all information necessary to demonstrate compliance with this DPA and Article 28 GDPR. The Controller has the right to request, no more than once a year, information about the Processor's current security measures and certifications.
If the Controller requires a more extensive on-site audit, the parties will separately agree on the schedule and the allocation of costs. As an alternative to an audit, the Processor may provide independent third-party audit reports (e.g. ISO 27001 or SOC 2 audit reports).
12. Termination and return of data
On termination of the agreement, the Processor will — at the Controller's option — either return all personal data to the Controller in a machine-readable format or permanently delete it within 90 days of termination.
The Processor may, however, retain personal data to the extent and for the period necessary to fulfil statutory retention obligations (e.g. accounting law). In such cases the Processor will protect the data appropriately and process it only for the purpose of retention.
13. Liability and damages
The parties are liable for their own conduct under Article 82 GDPR and applicable national law. The Processor's total liability to the Controller under this DPA is determined in accordance with the limitation of liability clause in the contractor terms of service.
However, the limitations of liability do not apply to damages caused by the Processor's wilful misconduct or gross negligence, or to mandatory GDPR liability towards data subjects.
14. Governing law, entry into force and amendments
This DPA is governed by Finnish law. The DPA enters into force when the contractor registers for the Fronterak service and accepts the contractor terms of service.
If the contractor needs a signed version of the DPA, it can be requested at info@fronterak.fi. The Processor may update this DPA in connection with changes to legislation or material changes to the service by giving notice of the changes at least 30 days before they take effect.
Last updated: 12 May 2026