Data Processing Agreement (DPA)

Last updated: March 16, 2026

1. Introduction

This Data Processing Agreement (DPA) supplements the service agreement between Web1 Oy (hereinafter "Processor") and the customer (hereinafter "Controller"). The agreement concerns the processing of personal data in accordance with Article 28 of the EU General Data Protection Regulation (GDPR).

2. Definitions

  • Controller: The customer who determines the purposes and means of processing personal data
  • Processor: Web1 Oy, which processes personal data on behalf of the Controller
  • Personal data: Any information relating to an identified or identifiable natural person

3. Subject matter and duration of processing

The Processor processes personal data only for the purpose of providing services under the service agreement. Processing lasts for the duration of the service agreement.

Personal data processed may include:

  • Contact details of the customer's end users
  • Technical identifiers (IP addresses, usernames)
  • Data stored by the customer in the services

4. Processor obligations

The Processor agrees to:

  • Process personal data only in accordance with the Controller's documented instructions
  • Ensure that persons processing personal data are bound by confidentiality obligations
  • Implement appropriate technical and organisational security measures
  • Use sub-processors only with the Controller's prior approval
  • Assist the Controller in fulfilling data subjects' rights
  • Delete or return personal data upon termination of the agreement

5. Technical and organisational security measures

The Processor implements at least the following security measures:

  • Encryption: Data encryption in transit (TLS 1.2+) and at rest
  • Access control: Role-based access management and multi-factor authentication
  • Logging: Maintenance and monitoring of access logs
  • Physical security: Datacenter access control, CCTV and environmental monitoring
  • Backups: Regular backups and recovery tests
  • Personnel: Security training and background checks

6. Sub-processors

The Processor maintains a list of sub-processors and notifies the Controller of new sub-processors at least 14 days in advance. The Controller has the right to object to a new sub-processor on reasonable grounds.

7. Data breaches

The Processor will notify the Controller of a data breach without undue delay and no later than 48 hours after becoming aware of the breach. The notification will include:

  • Description of the nature and extent of the breach
  • Likely consequences
  • Measures taken and planned to address the breach
  • Contact person details

8. Audit

The Controller has the right to audit the Processor's activities to verify compliance with this agreement. Audits are agreed in advance and carried out during the Processor's normal business hours.

9. Data transfers

Personal data is processed primarily within the EU/EEA. Transfers to third countries require appropriate safeguards (e.g. EU Standard Contractual Clauses or an adequacy decision).

10. Termination of agreement

Upon termination of the service agreement, the Processor will:

  • Return all personal data to the Controller upon request
  • Delete personal data within 30 days unless legislation requires retention
  • Provide written confirmation of deletion

11. Contact

Questions regarding data processing:
support@web1.fi