Data Processing Addendum

Version: 1.0
Effective date: 17th May 2026
Last updated: 17th May 2026

How this Addendum applies

This Data Processing Addendum (the "DPA") forms part of the agreement between Oiva AI Solutions Oy (Business ID 3554896-5, Helsinki, Finland) ("Oiva", "we", "us") and the customer entity that has accepted Oiva's Terms of Service or has otherwise entered into a service agreement with Oiva (the "Customer", "you") (the "Principal Agreement").

By accepting the Principal Agreement and using the Services, the Customer accepts this DPA. No separate signature is required. This DPA is incorporated into the Principal Agreement by reference. Where a customer requires a counter-signed copy, Oiva will execute the version published at this URL on request, without negotiation of its terms.

If you are accepting this DPA on behalf of a customer entity, you represent that you have authority to bind that entity to it.

In case of conflict between this DPA and the Principal Agreement, this DPA prevails in respect of the Processing of Personal Data.

1. Definitions

1.1 Capitalized terms not defined here have the meaning given in Regulation (EU) 2016/679 (the "GDPR").

1.2 In this DPA:

  • "Customer Personal Data" means Personal Data that Oiva Processes on behalf of the Customer in providing the Services, as further described in Annex 1. Customer Personal Data does not include data for which Oiva is itself the controller, as listed in Annex 4.

  • "Data Subject" means a natural person whose Personal Data is included in the Customer Personal Data, including End Users and Authorized Users.

  • "End User" means a visitor to the Customer's website who interacts with Oiva's embedded chat application.

  • "Authorized User" means an employee or contractor of the Customer who is authorized to access Oiva's administrative dashboard.

  • "Personal Data Breach" has the meaning in Article 4(12) GDPR.

  • "Services" means the AI-powered customer support chat application and associated administrative dashboard provided by Oiva, as described in the Principal Agreement.

  • "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses adopted by the European Commission in Decision 2021/914 of 4 June 2021.

  • "Sub-Processor" means a third party engaged by Oiva to Process Customer Personal Data.

  • "Sub-Processor List" means the list of Sub-Processors maintained at https://www.oivasolutions.ai/legal/sub-processors.

  • "TOMs" means the technical and organizational measures described in Annex 3.

  • "UK Addendum" means the International Data Transfer Addendum to the EU SCCs issued by the UK ICO.

2. Roles and Scope

2.1 Roles. The Customer is the controller and Oiva is the processor of Customer Personal Data. If the Customer acts as a processor for a third-party controller, Oiva is deemed a sub-processor and the Customer warrants it has authority to engage Oiva on these terms.

2.2 Oiva as controller. Oiva acts as an independent controller for the data described in Annex 4 (account, billing, telemetry, support, audit data). That Processing is governed by Oiva's Privacy Notice, not this DPA.

2.3 Subject matter, nature and purpose, duration, types of data, categories of Data Subjects. Set out in Annex 1.

3. Processing on Documented Instructions

3.1 Oiva will Process Customer Personal Data only on the Customer's documented instructions. The Principal Agreement, this DPA (including its Annexes), and the Customer's configuration and use of the Services constitute the Customer's complete and final documented instructions.

3.2 Oiva will inform the Customer if, in its opinion, an instruction infringes Data Protection Laws.

3.3 Oiva will not Process Customer Personal Data for any other purpose, except as required by Union or Member State law to which Oiva is subject.

4. Confidentiality

Oiva ensures that all personnel authorized to Process Customer Personal Data are bound by confidentiality obligations and have received internal data protection and security briefing in line with Annex 3.

5. Security

5.1 Oiva implements and maintains the TOMs in Annex 3 to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR.

5.2 Oiva may update its TOMs from time to time provided the overall level of security is not materially diminished.

6. Sub-Processors

6.1 General authorization. The Customer grants Oiva general authorization to engage Sub-Processors, subject to this Section 6.

6.2 Current Sub-Processors. The current list is published at the Sub-Processor List URL.

6.3 Changes to Sub-Processors. Oiva will update the Sub-Processor List when adding or replacing a Sub-Processor. Oiva will provide notice of changes by:

(a) updating the Sub-Processor List with the effective date of the change; and

(b) sending an email notification to the email address registered for the Customer's account administrator, or providing notice via the dashboard.

For the addition of a new Sub-Processor processing Customer Personal Data in a new category (i.e., a Sub-Processor that introduces a category of Processing not already present in the Sub-Processor List, such as a new analytics, data warehouse, content moderation, or speech-to-text provider), Oiva will provide such notice at least ten (10) days before the new Sub-Processor begins Processing Customer Personal Data.

For replacement of a Sub-Processor with another providing equivalent functionality, or for changes required for security, legal compliance, or service continuity, Oiva may make the change without advance notice and will update the Sub-Processor List as soon as reasonably practicable.

The Customer may object to a new Sub-Processor on reasonable data protection grounds within fifteen (15) days of notice. If the Parties cannot resolve the objection in good faith, the Customer's sole and exclusive remedy is to terminate the affected portion of the Services.

6.4 Flow-down. Oiva will impose data protection obligations on each Sub-Processor that are no less protective than those in this DPA, and remains liable to the Customer for each Sub-Processor's performance.

7. Data Subject Rights

7.1 Taking into account the nature of the Processing, Oiva will assist the Customer through appropriate technical and organizational measures, insofar as possible, to fulfill the Customer's obligations to respond to Data Subject requests under Chapter III GDPR. The Customer may submit such requests to Oiva at the contact address in Section 15. End User data is pseudonymous; locating a specific Data Subject's conversation requires identifying information from the End User such as the approximate date, time, and topic of the conversation. The Customer agrees to forward such information to Oiva when relaying requests.

7.2 If Oiva receives a request directly from a Data Subject relating to Customer Personal Data, Oiva will promptly notify the Customer and will not respond except to acknowledge and direct the Data Subject to the Customer, unless required by law or instructed by the Customer.

8. Personal Data Breach

8.1 Oiva will notify the Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data.

8.2 The notification will include the information specified in Article 33(3) GDPR to the extent known, and may be provided in phases as the investigation progresses.

8.3 Oiva will provide reasonable cooperation in the Customer's investigation, mitigation, and notification obligations under Articles 33 and 34 GDPR.

9. DPIAs and Prior Consultation

Oiva will provide reasonable assistance with Data Protection Impact Assessments and prior consultations under Articles 35 and 36 GDPR, taking into account the nature of the Processing and information available to Oiva. Such assistance is limited to information already documented or readily available; bespoke assessments are out of scope and may be subject to additional fees.

10. International Transfers

10.1 Customer Personal Data is stored within the European Economic Area. The primary database is located in Ireland (Supabase), and LLM observability traces are stored in Germany (Langfuse Cloud). Processing may also occur on Sub-Processor edge infrastructure in third countries (in particular, Cloudflare's global edge network) and via AI inference services as identified in the Sub-Processor List.

10.2 Where Processing involves a transfer to a third country without an adequacy decision, the Parties enter into the SCCs, which are incorporated into this DPA as follows:

(a) Module Two (Controller to Processor) applies between the Customer and Oiva for any onward transfers from Oiva to non-EEA Sub-Processors;

(b) the docking clause does not apply;

(c) in Clause 9, Option 2 (general written authorization) applies, with the period in Section 6.3;

(d) in Clause 11, the optional independent dispute resolution language does not apply;

(e) in Clause 17, the governing law is Finland;

(f) in Clause 18(b), the courts of Helsinki, Finland have jurisdiction;

(g) Annexes I, II, and III to the SCCs are populated by Annexes 1, 3, and the Sub-Processor List respectively.

10.3 For Personal Data subject to the UK GDPR, the UK Addendum is incorporated into this DPA, with Part 1 of the UK Addendum completed using the corresponding sections of this DPA.

10.4 Oiva will make transfer impact assessments for material non-EEA Sub-Processors available on reasonable request.

11. AI-Specific Provisions

11.1 No training on Customer Personal Data. Oiva will not, and will not permit its Sub-Processors to, use Customer Personal Data to train, fine-tune, or otherwise improve general-purpose AI models, except to operate Customer-specific features the Customer explicitly enables.

11.2 AI Sub-Processor terms. Oiva uses third-party large language model providers as listed in the Sub-Processor List. Oiva contracts with these providers on terms that prohibit their use of Customer Personal Data for training or other purposes beyond serving Oiva's API requests, in line with each provider's standard API/enterprise terms.

11.3 Customer transparency obligations. End User chat conversations are processed by AI systems including third-party LLM providers. The Customer is responsible for disclosing this to End Users in its own privacy notice and obtaining any required transparency or consent.

11.4 Automated decision-making. The Services are not designed to produce legal or similarly significant effects on Data Subjects within the meaning of Article 22 GDPR. If the Customer configures the Services to produce such effects, the Customer is responsible for the legal basis and any required safeguards.

11.5 AI output limitations. AI-generated outputs may be inaccurate or fabricated. They are not warranties of fact, and the Customer remains responsible for any decisions made about Data Subjects based on such outputs.

12. Demonstrating Compliance

12.1 Oiva will make available, on reasonable request, information necessary to demonstrate compliance with Article 28 GDPR and this DPA. Oiva's standard means of demonstrating compliance are:

(a) this DPA (including the technical and organizational measures in Annex 3) and the Sub-Processor List; and

(b) responses to standardized security questionnaires (e.g., SIG Lite, CAIQ), provided no more than once per twelve-month period.

12.2 The Customer may, no more than once per twelve-month period, mandate an independent third-party auditor to audit Oiva's compliance, subject to: (a) at least sixty (60) days' prior written notice; (b) a confidentiality agreement; (c) audits limited to information and systems strictly relevant to the Services; (d) the Customer bearing all costs, including Oiva's reasonable costs of supporting the audit; and (e) audits not extending to other customers' data, Oiva's commercially sensitive information, or systems unrelated to the Services.

12.3 In the event of a confirmed Personal Data Breach affecting the Customer or a documented direction from a competent supervisory authority, the limitations in Section 12.2 do not apply.

13. Deletion or Return

13.1 On termination or expiry of the Principal Agreement, the Customer may, within thirty (30) days, export Customer Personal Data using the conversation export function available to Authorized Users in the dashboard, or request export from Oiva.

13.2 After the export window in Section 13.1 (or earlier on Customer instruction), Oiva will delete Customer Personal Data within thirty (30) days, except for backups, which are retained for no longer than thirty (30) days in line with Oiva's documented backup retention schedule. Current backup retention is seven (7) days of daily backups, as provided by Oiva's database Sub-Processor. During the backup retention period, the data is not accessed except for backup integrity, restoration, or as required by law, and remains subject to the security measures in Annex 3.

13.3 Oiva may retain Customer Personal Data to the extent required by law, processing it only for the purpose and duration of that legal requirement.

13.4 Oiva will confirm deletion in writing on request.

14. Liability

14.1 Each Party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Principal Agreement.

14.2 Nothing in this DPA excludes or limits liability that cannot be excluded or limited under applicable law, including liability under Article 82 GDPR.

14.3 The Parties' liability under Article 82 GDPR is apportioned in accordance with Articles 82(4) and 82(5) GDPR.

15. General

15.1 Order of precedence. In case of conflict, the following order applies: (i) the SCCs; (ii) this DPA; (iii) the Principal Agreement.

15.2 Term. This DPA is effective from the date the Customer accepts the Principal Agreement and remains in effect for as long as Oiva Processes Customer Personal Data on behalf of the Customer. Sections 8, 12, 13, and 14 survive termination.

15.3 Amendments. Oiva may update this DPA from time to time. Material changes will be notified to the Customer at least thirty (30) days in advance by email to the account administrator and/or via the dashboard. Changes that are required by law, that are non-material, or that are favorable to the Customer take effect on publication.

15.4 Governing law and jurisdiction. This DPA is governed by Finnish law. The courts of Helsinki, Finland have exclusive jurisdiction, subject to mandatory provisions of Data Protection Laws regarding Data Subjects' rights and supervisory authorities' competence.

15.5 Severability. If any provision is found to be invalid or unenforceable, the remainder remains in effect.

15.6 No third-party beneficiaries. Except as required by Article 82 GDPR or the SCCs, this DPA does not confer rights on any third party.

15.7 Contact. Data protection matters relating to this DPA, including Data Subject requests forwarded by the Customer and notices under this DPA, may be sent to privacy@oivasolutions.ai.

Annex 1 — Description of Processing

Subject matter and nature

Provision of an AI-powered customer support chat application embedded on the Customer's website, and an administrative dashboard for the Customer's Authorized Users to configure the service and review conversations.

Purpose

(a) Enabling End Users to obtain customer support via AI-driven conversation.

(b) Storing and surfacing conversation history to Authorized Users for review, quality assurance, and configuration of the AI assistant.

(c) Generating responses using third-party large language model APIs.

Duration

For the term of the Principal Agreement, plus the deletion period in Section 13.

Categories of Data Subjects

  • End Users: visitors to the Customer's website who interact with the embedded chat application. Typically pseudonymous (no account required) but identifiable through technical identifiers and any personal data they voluntarily disclose in conversation.

  • Authorized Users: employees or contractors of the Customer who access the administrative dashboard.

Categories of Personal Data

End Users:

  • Technical identifiers: IP address, session ID, user-agent, browser fingerprint, cookies

  • Conversation content: free-text, attachments, or structured input provided by the End User during a chat session, which may incidentally include names, contact details, account numbers, complaint details, or other personal data

  • Inferred data: AI-generated metadata associated with the conversation (e.g., topic classification, sentiment)

Authorized Users:

  • Email address, name, role

  • Authentication tokens and session identifiers (handled by Supabase Auth; Oiva does not use password-based authentication and does not store passwords)

  • Authentication event entries (sign-ins, password resets, and similar)

Data flows to specific Sub-Processors

  • LLM inference (OpenAI via Vercel AI Gateway): prompts and completions, which may include End User conversation content.

  • LLM observability (Langfuse Cloud, EEA — Germany): prompts and completions including any conversation content; used for tracing and evaluation only, not for model training.

  • Error and performance telemetry (Sentry, EEA — Frankfurt): technical error context such as stack traces, browser user-agent, and request metadata. Does not include End User conversation content.

Special categories (Article 9 GDPR)

The Services are not designed for the Processing of special category data. The Customer must not knowingly cause special category data to be Processed via the Services without Oiva's prior written agreement and additional safeguards.

Frequency

Continuous and on-demand, in response to End User and Authorized User actions.

Retention

  • Active conversation data: for the term of the Principal Agreement, unless deleted earlier on Customer instruction

  • Authentication event logs (sign-ins, magic link issuance, token refresh, and similar auth events for Authorized Users): retained for up to twenty-four (24) months for security investigation and account integrity purposes

  • Backups: retained for no longer than thirty (30) days; current backup retention is seven (7) days of daily database backups (Supabase)

Annex 2 — Sub-Processors

The current list of Sub-Processors is published at: https://www.oivasolutions.ai/legal/sub-processors

The list is updated in accordance with Section 6 of this DPA. Customers receive notice of changes via the dashboard application and, for the addition of a new Sub-Processor processing Customer Personal Data in a new category, by email to the account administrator as described in Section 6.3.

Annex 3 — Technical and Organizational Measures

Oiva implements the following technical and organizational measures appropriate to the risk, in accordance with Article 32 GDPR. Measures may evolve provided the overall level of protection is not diminished.

1. Encryption

  • In transit: TLS 1.2 or higher for all connections.

  • At rest: Industry-standard encryption at rest (AES-256 or equivalent) for persistent storage of Customer Personal Data, including database storage and backups, applied by Oiva's Sub-Processors as part of their standard service.

2. Access Control

  • Role-based access control to all systems handling Customer Personal Data.

  • Multi-factor authentication enforced for all employee access to production systems and administrative tooling.

  • Principle of least privilege; access reviewed at least annually, and on any role change or departure.

  • Access promptly revoked on termination or role change.

3. Network Security

  • DDoS protection and WAF at the edge (Cloudflare).

  • Oiva does not operate self-managed servers; production data stores and infrastructure are accessed via Sub-Processor-provided administrative consoles (Supabase, Cloudflare) over TLS, protected by MFA-enforced authentication on Oiva personnel accounts.

  • Application-to-database connections use authenticated, TLS-encrypted channels.

4. Pseudonymization and Data Minimization

  • End User identifiers stored as opaque session IDs; Oiva does not collect End User account identifiers (such as name or email) other than what End Users voluntarily disclose in conversation.

  • The Service collects only data necessary for the purposes described in Annex 1.

5. Confidentiality

  • Written confidentiality obligations binding on all personnel processing Customer Personal Data.

  • Onboarding includes internal data protection and security briefing covering scope of permitted Processing, handling of Customer Personal Data, and incident reporting; refreshed at least annually.

6. Integrity and Availability

  • Daily database backups via Supabase; retained for no longer than thirty (30) days (currently seven (7) days).

  • Documented disaster recovery approach using Supabase-provided backups and restore tooling.

  • Service availability monitoring with on-call response by Oiva personnel.

7. Logging and Monitoring

  • Authentication events for Authorized Users (sign-ins, magic link issuance, token refresh, and similar) are logged by the identity layer and retained for up to twenty-four (24) months.

  • Deployment and edge request logs are retained by Cloudflare in line with Cloudflare's standard retention.

  • Application errors and performance telemetry are centralized in Sentry and retained for ninety (90) days.

  • Sub-Processor administrative consoles (Supabase, Cloudflare, GitHub) send new-device and unrecognized-login alerts to Oiva personnel. Cloudflare WAF and rate limiting block baseline application-layer attacks at the edge. Application availability is monitored via Sentry, with alerts routed to Oiva personnel.

8. Vulnerability Management

  • Automated dependency update management via Renovate, with pull requests opened for out-of-date or vulnerable third-party libraries.

  • Documented process for reporting and remediating security vulnerabilities.

  • External penetration testing is not currently in place. Oiva will introduce regular external penetration testing as the business scales.

9. Incident Response

  • Internal incident response process covering detection, triage, mitigation, and post-incident review, with responsibilities assigned to Oiva personnel.

  • Personal Data Breach notification to affected Customers within 72 hours of becoming aware, per Section 8 of the DPA.

10. Supplier Management

  • Sub-Processors evaluated for security posture (e.g., published certifications such as ISO 27001 or SOC 2, security documentation, data processing terms) before engagement.

  • Each Sub-Processor's data processing terms — accepted by Oiva as part of engaging the service — impose data protection obligations consistent with this DPA, including the SCCs where applicable. Flow-down obligations under Section 6.4 of the DPA apply.

11. Physical Security

  • Oiva does not operate its own data centers. Hosting is provided by Sub-Processors operating from certified data centers (ISO 27001, SOC 2, or equivalent).

12. Secure Software Development

  • Code review required for changes to production systems.

  • Production secrets are managed in GitHub Actions secrets, Cloudflare environment variables, and Terraform Cloud (for infrastructure-as-code state and credentials). Secrets are not committed to source control.

  • Production deployments via automated CI/CD pipelines with audit trail.

13. Data Segregation

  • Customer Personal Data is logically segregated by tenant identifier; every row associated with Customer Personal Data is scoped to a single Customer's tenant identifier. Tenant isolation is enforced primarily through Postgres row-level security (RLS) policies in the database, supplemented by application-layer tenant filtering on the limited set of high-throughput code paths that use a privileged database role.
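As an added illustration of the tenant-isolation model described in item 13 above (this is not Oiva's own schema or policy code; the table, column and role names are hypothetical), the following Postgres SQL shows an RLS policy keyed on a per-transaction tenant setting, a least-privilege application role to which the policy applies, and a BYPASSRLS role for which the application must filter by tenant itself:

```sql
-- Hypothetical schema: one row per conversation, scoped to a tenant.
CREATE TABLE conversations (
    id         bigserial   PRIMARY KEY,
    tenant_id  uuid        NOT NULL,
    session_id text        NOT NULL,  -- opaque End User session ID
    content    text        NOT NULL,
    created_at timestamptz NOT NULL DEFAULT now()
);

-- Least-privilege role used on the normal request path (RLS applies).
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON conversations TO app_user;

-- Privileged role for the limited high-throughput paths. BYPASSRLS means
-- the policy below is NOT evaluated for it, so application code on those
-- paths must add the tenant filter itself.
CREATE ROLE app_batch NOLOGIN BYPASSRLS;
GRANT SELECT ON conversations TO app_batch;

-- Enable RLS; FORCE makes the policy apply to the table owner as well.
ALTER TABLE conversations ENABLE ROW LEVEL SECURITY;
ALTER TABLE conversations FORCE ROW LEVEL SECURITY;

-- The application sets the tenant once per transaction:
--   SET LOCAL app.tenant_id = '<tenant uuid>';
-- nullif() turns an unset or empty setting into NULL, and NULL compares
-- false to every tenant_id, so a request without a tenant sees no rows.
CREATE POLICY tenant_isolation ON conversations
    FOR ALL TO app_user
    USING      (tenant_id = nullif(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = nullif(current_setting('app.tenant_id', true), '')::uuid);

-- Check 1: a scoped request as app_user sees only its own tenant's rows.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';
SELECT count(*) FROM conversations;   -- rows of that tenant only
ROLLBACK;

-- Check 2: app_user with no tenant set gets zero rows, not every row.
BEGIN;
SET LOCAL ROLE app_user;
SELECT count(*) FROM conversations;   -- 0
ROLLBACK;

-- Check 3: app_batch bypasses RLS, so the WHERE clause is the only filter;
-- omitting it on a privileged-role path would expose every tenant's data.
BEGIN;
SET LOCAL ROLE app_batch;
SELECT count(*) FROM conversations
 WHERE tenant_id = '11111111-1111-1111-1111-111111111111';
ROLLBACK;
```

Run the script as a role that is a member of both app_user and app_batch (or as a superuser) so that the SET LOCAL ROLE statements succeed; the three checks are the kind of regression test a reviewer can run against each privileged-role code path.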

Annex 4 — Data Processed by Oiva as Independent Controller

For clarity, the following categories of data are processed by Oiva as an independent controller and are not Customer Personal Data subject to this DPA. Such Processing is governed by Oiva's Privacy Notice.

  • Authorized User account data processed for providing them access to the Services and contacting them about the Services (name, email, role).

  • Billing data for the Customer and its administrators.

  • Service usage telemetry and logs for service operation, security, fraud prevention, and product improvement, in aggregated and/or pseudonymized form.

  • Support communications between Authorized Users and Oiva.

  • Audit logs of administrative and security-relevant actions, where Oiva is required to retain these for legal or security purposes.

Where any of the above incidentally includes Customer Personal Data, the security measures in Annex 3 continue to apply.