Data Processing Agreement
Last updated: 2024-12-30
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Tiketti Oy ("Processor", "we", "us") and the Customer ("Controller", "you") for the use of the Tiketti service.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person.
- "Processing" means any operation performed on Personal Data, such as collection, storage, use, or deletion.
- "Data Subject" means the individual whose Personal Data is processed.
- "Sub-processor" means any third party engaged by us to process Personal Data on your behalf.
- "GDPR" means Regulation (EU) 2016/679 (General Data Protection Regulation).
2. Scope and Purpose
This DPA applies when we process Personal Data on your behalf as a Processor under GDPR. You act as the Controller determining the purposes and means of processing.
The purpose of processing is to provide the Tiketti ticketing service, including:
- Managing support tickets and customer communications
- Storing and organizing customer contact information
- Processing email content for ticket creation
- Time tracking and reporting
- User authentication and access control
3. Types of Personal Data
Categories of Personal Data we process on your behalf may include:
- Contact details (name, email, phone number)
- Communication content (ticket messages, email content)
- Organization information (company name, job title)
- Technical data (IP addresses, browser information)
- Attachments uploaded to tickets
4. Categories of Data Subjects
- Your customers and contacts
- Your employees and team members
- Third parties who communicate with you via email
5. Processor Obligations
We shall:
- Process Personal Data only on your documented instructions
- Ensure persons authorized to process have committed to confidentiality
- Implement appropriate technical and organizational security measures
- Not engage Sub-processors without your prior authorization
- Assist you in responding to Data Subject rights requests
- Assist you in ensuring compliance with data protection obligations
- Delete or return Personal Data at the end of the service
- Make available information necessary to demonstrate compliance
6. Controller Obligations
You shall:
- Ensure you have a lawful basis for processing Personal Data
- Provide Data Subjects with required privacy information
- Respond to Data Subject rights requests with our assistance
- Ensure instructions to us comply with applicable laws
- Notify us of any changes affecting the processing
7. Security Measures
We implement appropriate security measures including:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
- Access controls and authentication mechanisms
- Regular security testing and vulnerability assessments
- Employee security training and confidentiality agreements
- Incident detection and response procedures
- Regular backups and disaster recovery capabilities
- Physical security of data center facilities
8. Sub-processors
We use the following categories of Sub-processors to provide the service:
- Cloud Infrastructure: EU-based hosting providers for data storage and processing
- Email Delivery: Transactional email service for notifications
- Payment Processing: Payment provider for subscription billing
- Analytics: Privacy-focused analytics for service improvement
A current list of Sub-processors is available upon request. We will notify you of any intended changes to Sub-processors, giving you the opportunity to object.
9. Data Subject Rights
We will assist you in responding to requests from Data Subjects to exercise their rights under GDPR, including:
- Right of access
- Right to rectification
- Right to erasure ("right to be forgotten")
- Right to restriction of processing
- Right to data portability
- Right to object
If we receive a request directly from a Data Subject, we will promptly notify you unless prohibited by law.
10. Data Breach Notification
In the event of a Personal Data breach, we will:
- Notify you without undue delay (and within 48 hours where feasible)
- Provide information about the nature of the breach
- Describe likely consequences and measures taken
- Cooperate with you in notifying supervisory authorities and Data Subjects if required
11. International Transfers
Personal Data is primarily processed within the European Economic Area (EEA). If transfers outside the EEA are necessary, we ensure appropriate safeguards such as:
- Standard Contractual Clauses approved by the European Commission
- Adequacy decisions by the European Commission
- Other legally recognized transfer mechanisms
12. Audits
We will make available information necessary to demonstrate compliance with this DPA. You may conduct audits (or appoint an auditor) with reasonable notice, during business hours, and subject to confidentiality obligations.
13. Data Retention and Deletion
Upon termination of the service, we will:
- Provide you with the opportunity to export your data
- Delete Personal Data within 90 days of termination
- Retain data only as required by law or for legitimate business purposes
- Ensure Sub-processors also delete data
14. Liability
Our liability under this DPA is subject to the limitations set forth in our Terms of Service. Each party is liable for damages caused by its breach of GDPR.
15. Term and Termination
This DPA is effective for the duration of your use of the service. It automatically terminates when you cease using the service, subject to our data retention obligations.
16. Changes to This DPA
We may update this DPA to reflect changes in our practices or legal requirements. Material changes will be notified to you with reasonable advance notice.
17. Contact
For questions about this DPA or to exercise rights under it:
Tiketti Oy
Data Protection Contact
Email: dpo@tiketti.app
Helsinki, Finland