Last updated: November 26, 2025
This Data Processing Agreement (“DPA”) forms part of the Main Agreement (as defined below) between:
(1) Customer
The legal entity that has accepted the Main Agreement and uses the Services.
(2) Operating Solutions Oy
A limited liability company incorporated under the laws of Finland (Business ID 3189163-5), with its registered office at Käenkuja 3aA, 00500 Helsinki, Finland (“Processor”, “Operating Solutions”, “we”, “us”, “our”).
Operating Solutions Inc., a Delaware corporation and wholly-owned subsidiary of Operating Solutions Oy, may participate in providing the Services as a subprocessor or as a billing and collection agent.
Customer and Processor are individually a “Party” and together the “Parties”.
2.1 This DPA forms part of and is incorporated by reference into the legally binding agreement between Customer and Operating Solutions governing the use of the Services, including the Terms of Use and any applicable order forms or subscription agreements (collectively, the “Main Agreement”).
2.2 Capitalized terms not defined herein have the meaning given to them in the Main Agreement or the GDPR, as applicable.
2.3 If there is any conflict between this DPA and the Main Agreement relating to the processing of Personal Data, this DPA prevails, except where explicitly superseded by mandatory Data Protection Law.
2.4 The Parties agree that Operating Solutions Oy acts as Processor and Customer acts as Controller in respect of the Personal Data processed under this DPA.
“Data Protection Laws” means the GDPR and all other European Union or Member State laws applicable to the processing of Personal Data under this DPA.
“GDPR” means Regulation (EU) 2016/679 (General Data Protection Regulation).
“Personal Data” means any information relating to an identified or identifiable natural person that Processor processes on behalf of Customer as described in this DPA.
“Processing”, “Data Subject”, “Controller”, “Processor” and other GDPR terms have the meanings given in the GDPR.
“Purpose” means Processor’s provision of the Services and related support to Customer under the Main Agreement.
“Subprocessor” means any third party (including Operating Solutions Inc.) engaged by Processor to process Personal Data on its behalf.
May include:
May include:
The Services are not intended for processing special categories of data (Art. 9 GDPR).
Customer shall not upload such data unless GDPR conditions and safeguards are met.
Processor does not intentionally collect special category data.
For the term of the Main Agreement and until deletion or return of the Personal Data in accordance with Section 11.
Processor shall:
5.1 process Personal Data only on documented instructions from Customer, unless required to do otherwise by applicable law;
5.2 not use Personal Data for any purpose other than the Purpose;
5.3 ensure persons authorized to process Personal Data are subject to confidentiality;
5.4 implement the technical and organizational measures (“TOMs”) described in Section 8;
5.5 assist Customer (where reasonable and proportionate) in responding to Data Subject requests under Data Protection Laws;
5.6 assist Customer in meeting its GDPR obligations regarding data protection impact assessments, consultations, and security;
5.7 notify Customer without undue delay (and within the time required by law) of any legally binding request for disclosure of Personal Data by a governmental authority, unless prohibited;
5.8 keep appropriate records of its processing activities to demonstrate compliance with this DPA.
Customer shall:
6.1 ensure it has a lawful basis for processing and providing Personal Data to Processor;
6.2 not upload special category data unless GDPR conditions are met;
6.3 be solely responsible for the accuracy, quality, and legality of the Personal Data it provides;
6.4 promptly notify Processor of any instructions that might violate Data Protection Laws;
6.5 maintain all necessary notices and consents required under applicable law.
Customer grants Processor a general authorization to engage Subprocessors.
Processor shall ensure each Subprocessor:
Processor remains liable for Subprocessors’ performance of obligations under this DPA.
Operating Solutions Inc. (U.S.) may act as:
Where it accesses Personal Data as a subprocessor, such access is governed by SCCs (see Section 9).
Processor maintains a list of current Subprocessors at:
https://trust.operating.app/subprocessors
Processor will notify Customer of new Subprocessors by updating the list and/or in accordance with the Main Agreement.
Customer may object to a new Subprocessor on reasonable GDPR-related grounds.
If the Parties cannot resolve the objection, Customer may terminate the affected Services as its sole and exclusive remedy.
Processor shall implement appropriate TOMs that consider:
Measures include, as applicable:
Upon request, Processor will provide summaries or documentation of relevant TOMs (e.g., SOC 2 reports, security whitepapers).
9.1 Processor is headquartered in Finland and primarily stores and processes Personal Data within the EU/EEA.
9.2 Certain Subprocessors—including Operating Solutions Inc. (U.S.)—may be located outside the EU/EEA. Processor does not routinely transfer data outside the EU/EEA, but limited access may occur for support or administrative purposes.
9.3 Where Personal Data is transferred outside the EU/EEA, Processor shall ensure appropriate safeguards are in place under Chapter V GDPR, including:
9.4 Customer grants Processor a general authorization to make such transfers to Subprocessors, subject to this Section.
Processor shall notify Customer without undue delay (and in any event within the period required under GDPR) after becoming aware of a Personal Data Breach affecting Customer’s Personal Data.
Notifications shall include:
Processor shall document all Personal Data Breaches as required by GDPR.
Upon termination or expiry of the Main Agreement, or upon Customer’s written instruction, Processor shall:
Backup copies may be retained for a limited time per Processor’s standard retention schedule, subject to appropriate protections.
12.1 Customer may audit Processor’s compliance with this DPA no more than once per 12-month period, on reasonable notice, during normal business hours, and without disrupting Processor’s operations.
12.2 Processor may satisfy audit obligations by providing:
If a Customer-initiated on-site audit requires excessive Processor resources, Customer shall pay Processor’s reasonable costs.
Nothing in this DPA limits either Party’s liability to the extent such limitation is not permitted under applicable Data Protection Laws, including Article 82 GDPR.
To the maximum extent permitted by law:
Any commercial, contractual, or service-level liability (including uptime, performance, or indirect damages) is governed solely by the Main Agreement, and is not expanded by this DPA.
This DPA enters into force when Customer first uses the Services or otherwise accepts the Terms of Services and Main Agreement and remains in effect until Processor no longer processes Personal Data on behalf of Customer.
15.1 Amendments to this DPA shall be made as described in the Main Agreement.
15.2 Invalid or unenforceable provisions shall be replaced by valid provisions reflecting the intent.
15.3 Nothing in this DPA creates a partnership, joint venture, or employment relationship between the Parties.
For questions regarding this DPA, contact:
privacy@operating.app