Data Processing Agreement
Last updated: 20 March 2026 · Effective: 20 March 2026
GDPR Article 28 Compliance. This Data Processing Agreement (“DPA”) is entered into between the two Pauhu group entities identified below and governs the processing of personal data by Pauhu AI Ltd as a processor acting on documented instructions from Pauhu Ltd as controller. It is incorporated by reference into all service agreements between the parties where EU General Data Protection Regulation (GDPR) applies.
Parties
Controller - Pauhu Ltd (Pauhu Oy)
Business ID (Y-tunnus): 0768171-8
VAT ID: FI07681718
Registered office: Espoo, Finland
Business address: PL 292, 00101 Helsinki, Finland
Operates: pauhu.eu, pauhu.com, pauhu.io
Contact: legal@pauhu.eu
Processor - Pauhu AI Ltd (Pauhu AI Oy)
Business ID (Y-tunnus): TBD (registration pending)
Registered office: Finland
Operates: pauhu.ai, pauhu.dev
Contact: legal@pauhu.eu
Controller and Processor are hereinafter referred to individually as a “Party” and collectively as the “Parties”.
1. Definitions
As used in this DPA:
- “Controller”: Pauhu Ltd (Pauhu Oy), determining the purposes and means of processing of Personal Data.
- “Processor”: Pauhu AI Ltd (Pauhu AI Oy), processing Personal Data on behalf of the Controller.
- “Personal Data”: As defined in GDPR Article 4(1) - any information relating to an identified or identifiable natural person.
- “Processing”: As defined in GDPR Article 4(2).
- “Data Subject”: An identified or identifiable natural person to whom Personal Data relates.
- “Subprocessor”: A third-party processor engaged by the Processor.
- “SCCs”: EU Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914.
- “Supervisory Authority”: The competent data protection authority per GDPR Article 51 - in Finland: the Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto).
- “GDPR”: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
- “Services”: The AI platform services, translation cascade, CPV specialist APIs, and associated microservices operated by Processor under pauhu.ai and pauhu.dev.
2. Scope and Roles
2.1 Controller–Processor Relationship
This DPA establishes a controller–processor relationship within the meaning of GDPR Article 28. The Controller determines the purposes and means of processing; the Processor processes Personal Data solely on documented instructions from the Controller.
Controller (Pauhu Ltd) determines:
- What Personal Data is processed
- Purposes of processing
- Legal basis for processing (GDPR Article 6)
- Retention periods
- Responses to Data Subject rights requests
Processor (Pauhu AI Ltd) processes Personal Data solely:
- To provide the Services under the applicable service agreement
- As documented in the Controller’s instructions
- Within the EU data residency boundaries defined in Section 2.2
- With technical and organisational security measures per GDPR Article 32
2.2 Processing Details
| Subject Matter | Provision of Pauhu AI Platform services (translation cascade, semantic search, CPV annotation, AI inference, API gateway) |
|---|---|
| Duration | Term of service agreement + 60 days (backup retention) |
| Nature of Processing | Storage, retrieval, transformation, translation, AI inference, annotation |
| Purpose | Service delivery per Controller instructions; no secondary use or training on Customer data |
| Categories of Data | Text documents, structured data, API request payloads (as submitted by Controller or end-users on Controller’s behalf) |
| Data Subjects | Controller’s employees, contractors, and end-users (as determined by Controller) |
| Data Residency | Hetzner Finland (HEL1-DC1, Helsinki) and Cloudflare EU regions - no transfers outside the European Economic Area |
2.3 Processing Restrictions
Processor will NOT:
- Use Controller Personal Data to train AI or machine learning models
- Share Controller Personal Data with third parties (except authorised Subprocessors listed in Section 5)
- Transfer Personal Data outside the EEA without explicit Controller instruction and applicable safeguards (SCCs)
- Process for any purpose beyond service delivery
- Retain data longer than contractually required
Exception: Aggregate, anonymised usage statistics (e.g., “translation API called 1 M times”) may be used for product improvement without identifying any individual.
3. Controller Instructions
3.1 Documented Instructions
Processor processes Personal Data only pursuant to documented instructions from Controller, including:
- This Data Processing Agreement
- The applicable service agreement or terms of service
- Controller’s use of Services (API calls, file uploads, configurations)
- Written instructions submitted via dpo@pauhu.eu
3.2 Unlawful Instructions
If Processor believes a Controller instruction violates GDPR or applicable EU law, Processor will:
- Immediately inform Controller in writing
- Suspend processing of the relevant data until the instruction is clarified or withdrawn
- Terminate the service agreement if the instruction cannot be lawfully executed
4. Security Measures (GDPR Article 32)
4.1 Technical and Organisational Measures
Processor implements state-of-the-art technical and organisational security measures:
| Measure | Implementation |
|---|---|
| Encryption in transit | TLS 1.3, Perfect Forward Secrecy on all endpoints |
| Encryption at rest | AES-256 (Cloudflare R2; Hetzner NVMe volumes) |
| Access controls | Role-based access control (RBAC), multi-factor authentication (MFA) |
| Audit logging | Immutable audit trails, 90-day retention, no PII in logs |
| Data residency | Hetzner HEL1-DC1 (Helsinki, Finland) + Cloudflare EU regions only |
| Offline / air-gapped option | Zero-connectivity deployment available (Enterprise / Government tiers) |
| Vulnerability management | Continuous internal security reviews; external penetration testing (planned Q3 2026) |
| Breach notification | 72-hour notification to Controller per GDPR Article 33 |
| Industrial security baseline | Controls aligned with IEC 62443 (OT/IT convergence) |
4.2 ISO 27001
Status: Certification in progress (target Q2 2026). Current controls follow the ISO 27001:2022 framework.
4.3 Security Audits
Controller may request:
- Security questionnaire (annual, no charge)
- SOC 2 Type II report when available (target Q3 2026)
- On-site audit (Enterprise/Government tiers only, 30 days' advance notice required)
5. Subprocessors
5.1 Authorised Subprocessors
| Subprocessor | Service | Location | Purpose |
|---|---|---|---|
| Cloudflare, Inc. - R2 Object Storage | Object storage | EU regions (GDPR data localisation enabled) | File storage, model artefacts, CDN delivery |
| Cloudflare, Inc. - Workers | Edge compute | EU regions (GDPR data localisation enabled) | API gateway, routing, edge inference |
| Hetzner Online GmbH | Dedicated server infrastructure | Helsinki DC1 (HEL1), Finland - EU sovereign | Sovereign compute, PostgreSQL, pipeline processing, SDK hosting |
| Stripe, Inc. | Payment processing | EU (data residency agreement in place) | Subscription billing, invoice generation |
Processor maintains an up-to-date list of Subprocessors. Controller may request the current list at any time by contacting dpo@pauhu.eu.
5.2 Subprocessor Changes
- New Subprocessor: Controller will be notified by email at least 30 days before engagement of a new Subprocessor.
- Controller objection: Controller may object within 14 days by stating reasonable, documented grounds.
- Resolution: Either Processor will not engage the Subprocessor, or Controller may terminate the service agreement without penalty.
5.3 Subprocessor Agreements
Processor ensures all Subprocessors:
- Are bound by a GDPR-compliant data processing agreement
- Implement technical and organisational security measures equivalent to those required under this DPA
- Process data only within the EEA or under applicable safeguards (SCCs)
- Are auditable for compliance on request
6. Data Subject Rights (GDPR Chapter III)
6.1 Controller Responsibility
Controller (Pauhu Ltd), as the entity with a direct relationship to Data Subjects, is primarily responsible for responding to Data Subject rights requests under GDPR Chapter III:
- Right of access (Article 15)
- Right to rectification (Article 16)
- Right to erasure (“right to be forgotten”, Article 17)
- Right to restriction of processing (Article 18)
- Right to data portability (Article 20)
- Right to object (Article 21)
6.2 Processor Assistance
Upon written request, Processor will assist Controller by:
- Access: Providing export of relevant data within 7 business days
- Rectification: Enabling Controller to correct data via API or support portal
- Erasure: Deleting specified data within 30 days of confirmed instruction
- Portability: Machine-readable JSON export, no charge for first 2 requests per year; €500 per request thereafter
6.3 Automated Decision-Making
Services may involve automated processing (AI inference, annotation scoring). Controller must:
- Inform Data Subjects per GDPR Article 13(2)(f)
- Provide opt-out or human review where a decision produces legal or similarly significant effects
- Comply with GDPR Article 22
7. Personal Data Breach (GDPR Articles 33–34)
7.1 Notification Timeline
Upon becoming aware of a Personal Data breach, Processor will:
- Notify Controller within 72 hours via email to the Controller’s designated contact
- Include: nature of breach, categories and approximate number of Data Subjects affected, categories and approximate volume of records affected, likely consequences, and measures taken or proposed to address the breach
7.2 Processor Obligations
Processor will:
- Investigate the cause and scope of the breach without undue delay
- Implement containment and remediation measures
- Document the breach per GDPR Article 33(5)
- Cooperate fully with Controller’s breach response
- Provide forensic logs upon Controller’s request
7.3 Controller Obligations
Controller (as data controller) determines:
- Whether notification to the Supervisory Authority is required (within 72 hours of Controller’s awareness, per Article 33)
- Whether notification to affected Data Subjects is required (where high risk, per Article 34)
- Communication strategy and content of any notifications
8. Data Protection Impact Assessment (GDPR Article 35)
Upon request, Processor will provide information to assist Controller with a DPIA, including:
- Description of processing operations and purposes
- Technical and organisational security measures implemented
- Current Subprocessor list and data flow overview
- Compliance documentation (certifications, audit reports)
Fee: No charge for first DPIA assistance request. €2,000 for detailed DPIA consultancy support (covers specialist time).
9. International Data Transfers (GDPR Chapter V)
9.1 EU-Only Processing (Default)
By default, all Personal Data is processed within the European Economic Area: Hetzner HEL1-DC1 (Helsinki, Finland) and Cloudflare EU regions. No transfers to third countries occur under standard service configurations.
9.2 Standard Contractual Clauses (if applicable)
If Controller instructs Processor to process data outside the EEA (e.g., for an air-gapped deployment in a non-EEA country):
- EU Standard Contractual Clauses, Module 2 (Controller-to-Processor), apply by default
- Based on Commission Implementing Decision (EU) 2021/914
- Lead Supervisory Authority: Finnish Data Protection Ombudsman (Tietosuojavaltuutettu)
Current status: Not applicable (EEA-only processing).
10. Cooperation with Supervisory Authorities
Processor will:
- Cooperate with the Finnish Data Protection Ombudsman or any competent Supervisory Authority
- Respond to regulatory inquiries within 30 days unless a shorter statutory deadline applies
- Provide access to processing facilities and documentation (with 14 days' advance notice)
- Submit to lawful audits by Supervisory Authorities
11. Deletion and Return of Data
11.1 Upon Contract Termination
Within 30 days of termination of the service agreement, Controller may elect:
Option A - Return of Data:
- Complete data export in JSON format
- Delivered within 30 days of written request
- One-time export at no charge
Option B - Deletion:
- Active systems: deletion within 30 days of termination
- Backup systems: deletion within 60 days of termination
- Immutable audit logs: retained for 90 days (security and compliance requirement), then deleted
Default: If Controller does not request export within 30 days of termination, data is deleted automatically.
11.2 Certificate of Deletion
Upon request, Processor provides a signed certificate of deletion within 90 days of termination.
11.3 Legal Retention
Processor may retain Personal Data where required by:
- Finnish law (e.g., accounting records: 6 years under the Finnish Accounting Act)
- EU law (e.g., AML obligations)
- Court order or legal hold
Such retained data is isolated, not actively processed, and deleted when the applicable retention period expires.
12. Records of Processing Activities (GDPR Article 30)
Processor maintains records of processing activities on behalf of Controller, including:
- Processor name and contact: Pauhu AI Ltd (Pauhu AI Oy), dpo@pauhu.eu
- Controller name and contact: Pauhu Ltd (Pauhu Oy), 0768171-8, dpo@pauhu.eu
- Purposes of processing: Service delivery as described in Section 2.2
- Categories of Data Subjects: Controller’s end-users and employees
- Categories of Personal Data: As per Section 2.2
- Recipients: Controller; authorised Subprocessors (Cloudflare, Hetzner, Stripe)
- Transfers to third countries: None (EEA-only, unless otherwise instructed)
- Retention: Service agreement term + 60 days
- Security measures: As per Section 4
Records are available to Controller upon request and to the Supervisory Authority upon lawful inquiry.
13. Confidentiality
Processor ensures that all personnel authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to Personal Data is limited to personnel who require it for performance of the Services.
14. Liability and Indemnification (GDPR Article 82)
14.1 Joint Liability to Data Subjects
Per GDPR Article 82, Controller and Processor are jointly and severally liable to Data Subjects for damage caused by processing that violates GDPR. A Party is exempt if it proves it was not in any way responsible for the damage.
14.2 Allocation Between Parties
- Processor liable: Where Processor has failed to comply with GDPR obligations specifically directed at processors, or acted outside or contrary to lawful Controller instructions.
- Controller liable: Where damage arises from unlawful instructions, Controller’s failure to comply with GDPR obligations as controller, or Controller’s failure to inform Processor of relevant restrictions.
14.3 Liability Cap
Liability between the Parties is capped at the aggregate fees paid by Controller to Processor in the 12 months preceding the event giving rise to the claim, except in cases of gross negligence, wilful misconduct, or fraud, and except for obligations that cannot be limited by law (including GDPR Article 82 liability to Data Subjects).
15. Term and Termination
15.1 Effective Date
This DPA takes effect upon the later of: (i) the date first set out above, or (ii) the commencement of processing of Personal Data by Processor on behalf of Controller.
15.2 Duration
This DPA remains in force for as long as Processor processes Personal Data on behalf of Controller under any service agreement.
15.3 Survival
Sections 7 (Personal Data Breach), 11 (Deletion and Return), 12 (Records), 13 (Confidentiality), and 14 (Liability) survive termination of this DPA and any underlying service agreement.
16. Amendments
Processor may update this DPA to reflect:
- Changes in GDPR or applicable EU law
- Guidance or decisions from Supervisory Authorities or the European Data Protection Board
- New Subprocessors (with 30 days' notice per Section 5.2)
Material changes will be communicated with 60 days' advance written notice. Continued use of the Services after the notice period constitutes acceptance.
17. Governing Law and Dispute Resolution
This DPA is governed by the laws of Finland and the European Union. Any disputes arising out of or in connection with this DPA shall be resolved in accordance with the applicable service agreement between the Parties. The mandatory provisions of GDPR and Finnish data protection law prevail in any conflict.
18. Contact and Data Protection Officer
Data Protection Officer (both entities)
Email: dpo@pauhu.eu
Address: PL 292, 00101 Helsinki, Finland
Controller - Pauhu Ltd (Pauhu Oy)
Legal: legal@pauhu.eu
Business ID: 0768171-8
Processor - Pauhu AI Ltd (Pauhu AI Oy)
Support: support@pauhu.ai
Finnish Data Protection Ombudsman (Tietosuojavaltuutetun toimisto)
Website: https://tietosuoja.fi
Address: P.O. Box 800, 00521 Helsinki, Finland
Email: tietosuoja@om.fi
© 2026 Pauhu Ltd. All rights reserved.