Data Processing Agreement

1. Purpose and Parties

This Data Processing Agreement supplements the Venuet Terms of Service. It applies to personal data that InSoHo Oy processes in the Venuet service on behalf of the operator.

The operator acts as controller for that personal data. InSoHo Oy acts as processor. If the operator grants access to its employees or other users, the operator is responsible for ensuring that those users are authorised to process personal data in the service.

2. Subject Matter and Duration

The subject matter of processing is providing the Venuet service to the operator. Processing continues for as long as the operator's service agreement is active and afterwards for as long as required for return or deletion of data, backup expiry, legal retention or handling legal claims.

3. Nature and Purpose of Processing

Processing includes storing, organising, retrieving, displaying, modifying, transmitting, analysing, retaining, backing up, deleting and securing personal data to the extent necessary to provide the service.

The purpose of processing is to enable inquiry intake, proposal creation and sending, proposal tracking, verification of acceptances and electronic signatures, customer management, attachment handling, notifications, user management, support, security and service maintenance. Optional features, such as the AI assistant, WhatsApp integration or Google Calendar sync, may involve additional processing only if the operator enables them.

4. Types of Personal Data and Categories of Data Subjects

Personal data may include names, email addresses, phone numbers, organisations, roles, event and booking details, dietary and allergy information, billing details, messages, comments, proposal content, acceptance and signature information, IP addresses, usage and log data, and attachments stored by the operator in the service.

Data subjects may include the operator's employees and users, customers, prospective customers, inquiry senders, event guests, contact persons, billing contacts and other individuals whose data the operator stores or processes in the service.

5. Controller Instructions

InSoHo Oy processes personal data only on the operator's documented instructions. These instructions include this agreement, the Terms of Service, service settings, actions taken by the operator in the service and written instructions accepted by InSoHo Oy.

If InSoHo Oy believes an instruction infringes data protection law, InSoHo Oy will inform the operator unless prohibited by law.

6. Personnel and Confidentiality

InSoHo Oy ensures that persons authorised to process personal data are committed to confidentiality or are under an appropriate statutory duty of confidentiality. Access to personal data is limited to persons who need it for their duties.

7. Security Measures

InSoHo Oy implements appropriate technical and organisational security measures, taking into account the nature, scope, context, purposes and risks of processing. Measures may include encrypted transmission, access control, role-based permissions, logging, backups, separation of production and development environments, vulnerability remediation, contractual controls for service providers and limiting personnel access.

The operator is responsible for its own users, passwords, access rights, devices, integrations and the data it chooses to store in the service.

8. Sub-processors

The operator gives InSoHo Oy general authorisation to use sub-processors for personal data processing. InSoHo Oy is responsible for imposing data protection obligations on sub-processors that are materially equivalent to those in this agreement.

Sub-processors may include providers of hosting, database, cloud storage, email, logging, security, payment processing and optional features. Current service providers may include Vercel, Neon, Cloudflare R2, Resend, Stripe, Google (Google Calendar API), Anthropic and Meta to the extent the relevant service or feature is used by the operator.

InSoHo Oy will notify the operator of material new or replacement sub-processors in a reasonable way. The operator may object on justified data protection grounds. If the parties cannot find a reasonable solution, the operator may stop using the relevant service or feature.

9. International Transfers

InSoHo Oy may transfer personal data outside the EU/EEA only where there is a lawful transfer mechanism under GDPR. Such mechanism may include the European Commission's Standard Contractual Clauses, an applicable data privacy framework or another lawful transfer mechanism.

InSoHo Oy ensures that sub-processors it uses commit to applicable transfer mechanisms where they process personal data outside the EU/EEA.

10. Data Subject Rights

InSoHo Oy assists the operator through reasonable technical and organisational measures in fulfilling data subject rights, taking into account the nature of processing and the information available to InSoHo Oy.

If a data subject contacts InSoHo Oy directly to exercise rights of access, rectification, erasure, restriction, portability or objection, InSoHo Oy will direct the request to the operator or handle it according to the operator's documented instructions, unless law requires otherwise.

11. Assistance with Security and Impact Assessment Obligations

InSoHo Oy reasonably assists the operator with GDPR obligations relating to security, data protection impact assessments and prior consultation, to the extent the assistance relates to processing performed by InSoHo Oy and information available to InSoHo Oy.

12. Personal Data Breaches

InSoHo Oy notifies the operator without undue delay after becoming aware of a personal data breach affecting the operator's personal data. The notice will include available information about the nature of the breach, its effects, likely consequences and corrective measures taken or proposed.

The operator is responsible for notifications to supervisory authorities and data subjects unless mandatory law provides otherwise. InSoHo Oy reasonably assists the operator in fulfilling these obligations.

13. Return and Deletion

After the service agreement ends, InSoHo Oy returns, deletes or anonymises the operator's personal data according to the operator's instructions, technical functionality of the service and applicable law. Unless otherwise agreed, active service data is generally deleted or anonymised within 30 days after account deletion becomes final.

Data may be retained longer where required for law, accounting, misuse investigation, security, backup rotation or the establishment, exercise or defence of legal claims.

14. Audits and Information

InSoHo Oy makes available to the operator reasonable information necessary to demonstrate compliance with this agreement. This may include documentation about security, sub-processors and processing.

The operator may request an audit on reasonable advance notice. Audits must be conducted in a way that does not compromise other customers' data, service security, trade secrets or service availability. The parties will agree separately on practical arrangements, timing and any costs.

15. Liability and Order of Precedence

The same limitations of liability and governing law as in the Venuet Terms of Service apply to this agreement, unless mandatory data protection law provides otherwise.

If this agreement conflicts with the Terms of Service on a matter concerning personal data processing, this Data Processing Agreement prevails for that conflict.

16. Changes

InSoHo Oy may update this Data Processing Agreement when the service, sub-processors, processing practices or law changes. Material changes will be notified to the operator reasonably in advance. If the operator does not accept a material change, the operator may stop using the service before the change takes effect.