
DATA PROCESSING AGREEMENT (DPA)

Effective Date: 10.11.2025

This Data Processing Agreement (the “DPA”) is supplemental to the Terms and Conditions - Business (the “Principal Agreement”) entered into between the Customer (Data Controller) and the Provider (Data Processor). This DPA governs the processing of Personal Data in connection with the provision of the Service.

1. Definitions and Roles

1.1. GDPR Definitions. Capitalized terms used but not defined herein have the meanings set forth in the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”).

1.2. Roles of the Parties.

  • Data Controller: The Customer, who determines the purposes and means of processing the Personal Data (i.e., the Customer is responsible for ensuring the data they upload is lawful).
  • Data Processor: The Provider, who processes the Personal Data on behalf of the Controller (i.e., we are responsible for processing it securely according to your instructions).

 

2. Details of Processing

2.1. Subject Matter. The subject matter of the processing is the Personal Data contained within the Customer Data that the Customer inputs into the Service.

2.2. Duration. Processing will occur for the duration of the Principal Agreement, plus any mandatory retention periods following termination, as detailed in Section 3.5 of the Principal Agreement.

2.3. Nature and Purpose. The nature and purpose of the processing are to provide the Service, including data storage, retrieval, processing, and display, as required to fulfill the features and functionality enabled by the Customer (e.g., to-do lists, notes, public profile pages, social media posting).

2.4. Categories of Data Subjects. Data Subjects may include:

  • The Customer's end-users (e.g., employees, team members).
  • The Customer's clients, prospects, or contacts whose data is stored within the Service.
  • Any other individual whose data the Customer chooses to upload to the Service.

2.5. Types of Personal Data Processed (Flexible). The types of Personal Data depend on the features and data the Customer chooses to input, and may include:

  • Contact details (names, email addresses, phone numbers).
  • Metadata (usage logs, device IDs).
  • User-generated content containing personal identifiers (notes, tasks, communication records).

 

3. Provider’s Obligations as Processor (GDPR Article 28)

The Provider shall comply with all requirements imposed on a Data Processor under the GDPR.

3.1. Documented Instructions. The Provider shall process the Personal Data only on documented instructions from the Customer, including those set out in the Principal Agreement and this DPA, unless required to do so by Finnish or EU Member State law.

3.2. Confidentiality. The Provider ensures that personnel authorized to process the Personal Data have committed themselves to confidentiality.

3.3. Security of Processing. The Provider shall implement appropriate technical and organizational measures (TOMs) to ensure a level of security appropriate to the risk. These measures specifically include:

  • Access Control: Strict access controls and authentication protocols are enforced for all systems processing Personal Data.

3.4. Sub-processing. The Provider shall not engage another processor (a “Sub-processor”) without the Customer’s prior written general authorization. The Provider shall maintain a list of Sub-processors available upon request and shall notify the Customer of any intended changes to this list, giving the Customer the opportunity to object. Where a Sub-processor is engaged, the Provider shall ensure that the Sub-processor is bound by contractual terms that are equivalent to those set out in this DPA.

 

4. International Data Transfers

4.1. Restriction on Transfers. The Provider commits that all storage and processing of Personal Data under this DPA shall occur solely within the European Union (EU) or European Economic Area (EEA), currently in Germany, with the flexibility to use other EU/EEA locations.

4.2. No Non-EEA Component Reliance. The Provider warrants that it does not use any cloud-based components, services, or sub-processors from third-country (non-EU/EEA) companies (e.g., US companies) that would result in the transfer of Customer Personal Data outside the EU/EEA.

 

5. Assistance to the Controller

The Provider shall, taking into account the nature of the processing, assist the Customer, at the Customer's cost, in fulfilling the Customer's obligations under the GDPR relating to:

  • Responding to requests from Data Subjects exercising their rights (Rights of Access, Rectification, Erasure, etc.).
  • Data breach notification to the supervisory authority and the Data Subject, as applicable.
  • Carrying out Data Protection Impact Assessments (DPIAs) and consulting with the supervisory authority.

 

6. Audit and Deletion/Return

6.1. Audit. The Provider shall make available to the Customer all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer, subject to reasonable notice and confidentiality safeguards.

6.2. Deletion or Return. Upon the termination of the Principal Agreement, the Provider shall, at the choice of the Customer, delete or return all Personal Data to the Customer, and delete existing copies, unless retention is required by EU or Finnish law. The Provider will retain data for a maximum of ninety (90) days following termination for retrieval purposes before final deletion (as per Section 3.5 of the Principal Agreement).

 

7. General Provisions

7.1. Amendment. This DPA may be amended by the Provider following the procedure set out for the amendment of the Principal Agreement (Terms and Conditions - Business, Section 6). Notwithstanding the foregoing, the Provider shall not unilaterally amend any term of this DPA in a way that would breach Article 28 of the GDPR or materially reduce the level of data protection and security provided herein.

7.2. Governing Law. This DPA is governed by the laws of Finland.

 

8. Contact Us

If you have any questions about these Terms, please contact us at: timo@cansome.com

For information about how we collect, use, and protect your personal data, please see our Privacy Policy. For information about our use of cookies, please see our Cookie Policy.



© 2025 cansome Oy (3328471-6). All Rights Reserved.