Data Processing Agreement
This Data Processing Agreement ("DPA") is a part of the agreement governing the use of the services ("Service") provided by Bloom Systems Oy (Business ID: 3616618-4), Munkkiniemen Puistotie 24 A 3, 00330 Helsinki, Finland ("Bloom Systems", "we", "us" or "our") to our customers ("you", "your" or the "Customer").
1. General
The agreement between Bloom Systems and the Customer ("Agreement") consists of the Bloom Systems Terms of Service ("Terms"), any applicable service order, and this DPA. If the Terms or any other document contains provisions regarding the processing of personal data that conflict with this DPA, this DPA shall have precedence.
You are the data controller under the General Data Protection Regulation (EU 2016/679, "GDPR") and we process personal data on your behalf as a processor when providing the Service. If and to the extent you act as a processor in relation to another data controller, we shall act as a subprocessor.
The data controller is responsible for the lawful processing of personal data as well as compliance with the GDPR and other legislation regarding the processing of personal data. The data controller directs and instructs the data processor to carry out the processing activities, both by this DPA and possible later instructions. Where applicable, you are responsible for acquiring and having the required rights and necessary permissions to use and disclose personal data to us for the purposes of the Agreement.
The subject matter, categories, types of data and other details of the processing are described in Schedule 1 of this DPA (Description of the Processing).
This DPA shall become effective when you enter into the Agreement and shall remain in effect for as long as processing activities continue. Upon the end of processing activities, this DPA shall automatically terminate.
2. Processing of Personal Data
We shall process personal data in accordance with this DPA and your documented instructions unless required otherwise by EU or member state legislation.
Your instructions for the processing are primarily set forth in this DPA. Any other instructions must be commercially reasonable, compliant with applicable legislation, and consistent with the Terms. In case your instructions require additional work by us, we have the right to charge reasonable costs of complying with your instructions.
You have the obligation to ensure your instructions follow the law of the European Union and all applicable member states. In case we consider any instruction given by you to be in contravention of EU or member state legislation, we shall not be obliged to comply with such instruction and shall inform you.
3. End of Processing Activities
Personal data shall be processed only for the term of the Agreement.
After the expiry or termination of this DPA, the personal data processed under the Agreement shall be deleted or anonymized, or returned to you upon request.
4. Security
We shall implement appropriate technical and organisational measures to protect the personal data within our area of responsibility in order to safeguard the data against unauthorized or unlawful processing or access and against accidental loss or destruction of personal data, taking into account the costs of implementation as well as the nature, scope, context and purposes of processing carried out by us, as well as the risks for the rights and freedoms of natural persons. The measures shall include, where appropriate and depending on the context:
- the pseudonymization and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and the Service;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
We shall ensure the persons processing personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
5. Assistance
Taking into account the nature of the processing and where possible, we shall assist you with appropriate technical and organisational measures to fulfil your obligation to respond to requests regarding the data subject's rights under Chapter III of the GDPR.
Taking into account the nature of the processing and the information available to us, we shall assist you in ensuring compliance with your obligations set out in Articles 32 to 36 of the GDPR (e.g. to perform security and data protection impact assessments, breach notifications and prior consultations of the competent supervisory authority).
6. International Transfers
In case you operate outside the EEA or personal data is otherwise transferred outside the EEA to a country not recognized by the European Commission as having an adequate level of data protection, we shall each ensure the transfer complies with Chapter V of the GDPR by using a valid transfer mechanism, such as standard contractual clauses adopted by the European Commission, and if necessary, implementing additional safeguards and carrying out a transfer impact assessment to ensure an appropriate level of protection of the personal data.
7. Personal Data Breach
In case of a personal data breach concerning personal data processed on your behalf, we shall notify you without undue delay upon becoming aware of a breach. We shall provide you with all appropriate information we have available in order to allow you to meet your obligations under the applicable data protection legislation. If all information is not available at once, we may supplement the information later without undue delay.
8. Audits
You or an auditor appointed by you shall have the right to audit our processing activities under this DPA to assess compliance with this DPA and the applicable data protection legislation. The audit shall take place during our ordinary business hours and with at least thirty (30) calendar days' prior written notice. You shall bear all costs for any audits. Where an audit may lead to the disclosure of our business or trade secrets, you shall employ an independent expert to carry out the audit, and the expert shall agree to be bound by confidentiality to our benefit.
At your request, we shall make available information necessary to support you to demonstrate compliance with the GDPR.
9. Subprocessors
You give your general authorization for us to engage subprocessors to process personal data in connection with the provision of the Service.
We shall be free to choose and change our subprocessors. The list of subprocessors included in the processing on the effective date is included in Schedule 1 of this DPA. In case there is a later change in subprocessors, we shall notify you of such change and allow you to object to the change on reasonable grounds related to data protection. If we are not willing or able to change the subprocessor objected to by you, both of us shall have the right to terminate the Agreement and this DPA.
Where we use a subprocessor for the processing of personal data, we shall ensure that data protection obligations of at least the same level as set out in this DPA apply to the subprocessor. Where a subprocessor fails to fulfil its data protection obligations, we shall remain liable to you for the performance of the subprocessor's obligations.
Schedule 1
Description of the Processing
Subject-matter and duration
Personal data is processed to provide the Service for your use under the Agreement. Personal data shall be processed for the duration of the Agreement term.
Nature and purpose
Personal data is processed for the purpose of carrying out the obligations of the Agreement and providing the Service, including managing user rights to the Service and providing the functionalities of the Service, such as priority support and the upkeep of the support portal and other content provided by the Customer in connection with the Service ("Customer Content") that may contain personal data.
Transfers outside of the EEA
Personal data is transferred outside of the EEA. The countries where processing takes place can be found in the Subprocessors section of this Schedule. Impact on data subjects has been assessed and is estimated to be low. Personal data is processed in countries of adequate data protection as accepted by the European Commission, or otherwise secured by contractual obligations and utilization of additional security safeguards.
Categories of data subjects and types of personal data
The data subjects are the users and end users of the Service and any persons whose data is included in the Customer Content by you. The personal data consists of:
- user account details;
- contact information and usernames;
- payroll data (salary, tax information, employment details);
- social security numbers;
- bank account details;
- invoicing details and data included in invoices;
- end user interactions with the Service where the interactions are considered personal data;
- any other information you input as Customer Content that may be considered personal data.
Subprocessors
| Sub-Processor | Location | Services |
|---|---|---|
| Google Cloud Platform (Google LLC) | EU (europe-north1, Finland) | Cloud infrastructure, database services (Cloud Run, Cloud SQL) |
| Google Workspace | EU | Email and document management |
| Maventa Oy | Finland, EU | E-invoicing transmission and receipt |
| Yapily Connect UAB | Lithuania, EU | Bank account information and transaction data access (open banking API) |
| OpenAI, LLC | United States | AI processing of accounting data (transfer secured by SCCs pursuant to OpenAI DPA) |
| Plausible Insights OÜ | Estonia, EU | Cookie-free aggregate website analytics for public landing pages |
We use Plausible Analytics on this public website to measure aggregate traffic trends, outbound-link clicks, file downloads, and form-submission events. Plausible does not use cookies, does not store raw IP addresses, and does not receive the contents of submitted forms. For details, see Plausible's data policy: plausible.io/data-policy.