Lyyli.ai - Viestinnän hallintajärjestelmäLyyli
Back to list
Annexes

ANNEX 3 – Data Processing Agreement (DPA)

Version v1.1Last updated April 20, 2026

ANNEX 3 – Data Processing Agreement (DPA)

Data Controller (Customer): [Name, Business ID, Address]

Processor (Provider): Lyyli AI Oy; hello@lyyli.ai

DPO: Veikko Laitinen, veikko@lyyli.ai

1. Introduction and Applicable Terms

GDPR and national legislation; IT2022 YSE where applicable.

2. Subject and Duration of Processing

Duration of main agreement + maximum 30 days after termination for deletion/return purposes.

3. Nature and Purpose

Collection, storage, organization, restriction, retrieval, use, disclosure based on instructions, logging, verification/return, deletion/anonymization. Processing may include AI-assisted operations (e.g., drafting, analysis, communication support) within the Data Controller's instructions and the main agreement.

4. Data Subjects and Data Categories

Employees/workers; name, email, role/position, usage and log data, message metadata and content according to Data Controller's instructions.

No special categories of personal data without separate agreement. No customers' customers.

5. Data Controller's Obligations

Lawfulness, legal basis, information; user and rights management.

6. Processor's Obligations

Compliance with instructions, confidentiality, Annex 4 TOMs, assistance with requests and breaches, logs and documentation, enabling audits.

7. Subprocessors

List in Annex 5; at least equivalent obligations.

8. International Transfers

Personal data may be transferred outside the EU/EEA where a subprocessor or technical implementation (e.g., AI or cloud services) requires it. Transfers are carried out using GDPR Chapter V safeguards, such as the European Commission's Standard Contractual Clauses (SCCs) and/or the EU–US Data Privacy Framework where applicable, together with supplementary technical and organizational measures as required by the relevant subprocessor and service description.

9. Data Breaches

Notification without delay and at the latest within 48 hours.

10. Audits

Once per year, 14 business days advance notice, without unreasonable disruption.

11. Deletion or Return

Upon termination deletion/return; backups overwritten after retention period; deletion certificate upon request.

12. Liability and Law

Main agreement & IT2022; Finnish law; Helsinki District Court.