Data Processing Agreement (DPA)

Data processing agreement between Attire (Processor) and the customer (Controller) in accordance with Article 28 of the EU General Data Protection Regulation (GDPR). This page corresponds to the contract template to be signed — request the official, signable version at tietosuoja@attire.fi.

Tip: Using the browser's Print function (Ctrl+P / Cmd+P) will give you a PDF version for offline use.

1. Subject and duration of the agreement

This agreement defines the terms for the processing of personal data carried out by the Processor on behalf of the Controller when using the Attire service. The agreement is valid for the duration of the Attire service usage agreement and until all personal data of the Controller has been returned or deleted from the service.

2. Nature and purpose of processing

The Processor processes personal data on behalf of the Controller that the Controller stores in the Attire service while managing its equipment and reports. The purpose of processing is to provide the Attire service in accordance with the agreed terms.

3. Types of personal data and groups of data subjects

The following types of personal data are typically processed:

  • Contact details of the Controller's users (name, email, phone, username)
  • Customer and company information (company name, business ID, contacts)
  • Vehicle information (registration number, VIN, owner details)
  • Information related to reports, such as the name of the workshop employee or the customer's signature
  • Usage logs (IP address, time of action, actions performed)

Groups of data subjects:

  • Employees of the Controller and their subcontractors
  • Contacts of the Controller's customers
  • Owners and drivers of vehicles

4. Obligations of the Processor

The Processor agrees to:

  • process personal data only in accordance with the documented instructions of the Controller, including these terms
  • ensure that persons processing personal data are committed to confidentiality
  • implement appropriate technical and organizational measures (described in section 8)
  • assist the Controller in fulfilling the rights of data subjects
  • assist the Controller in reporting and assessing the impact of data security breaches
  • notify the Controller of a data security breach without undue delay and no later than 72 hours after detection
  • upon termination of the agreement, return or delete all personal data as chosen by the Controller

5. Obligations of the Controller

The Controller:

  • is responsible for having a lawful basis for storing and processing data in the Attire service
  • is responsible for ensuring that its own data subjects have been informed about the processing
  • provides instructions to the Processor on how data is to be processed upon termination of orders

6. Sub-processors

The Controller grants the Processor a general authorization to use the following sub-processors to ensure the operation of the Attire service:

  • Google Cloud (Google Ireland Limited) — server capacity, database, and file storage in the EU area (europe-west3, Frankfurt)
  • Stripe (Stripe Payments Europe Ltd. / Stripe Inc.) — payment processing and invoicing
  • Plausible Analytics (Plausible Insights OÜ) — anonymized visitor analytics
  • Email service provider — sending transactional messages (e.g., notifications)

The Processor shall notify the Controller of new sub-processors or changes at least 30 days in advance. The Controller has the right to object to the change. If no agreement can be reached based on the objection, either party may terminate the order without notice.

7. Transfers outside the EU/EEA area

Personal data is stored and processed primarily in the EU/EEA area. For Stripe Inc., some payment transaction data may be transferred to the United States. Transfers are carried out based on standard contractual clauses (SCC) approved by the EU Commission.

8. Technical and organizational measures

  • Internet traffic is encrypted with the TLS 1.2+ protocol
  • Databases are stored in encrypted Google Cloud volumes (data-at-rest encryption)
  • Access control is based on roles, least privilege, and multi-factor authentication for administrators
  • Production keys and secrets are stored in Google Secret Manager
  • Regular backups are kept in the EU area; recovery testing is performed at least annually
  • All significant system changes are logged and retained for 12 months
  • Software code and configurations are maintained in version control; critical changes require review
  • Vulnerability updates are implemented according to risk; critical ones are implemented without undue delay

9. Right to audit

The Controller has the right to audit the Processor's compliance with data protection practices once per calendar year. The audit is primarily based on the audit report or certification documentation provided by the Processor. If an on-site audit is necessary, it must be agreed upon at least 30 days in advance, and the Controller is responsible for reasonable audit costs.

10. Termination of the agreement

Upon termination of the agreement, the Processor shall return or delete all personal data at the Controller's discretion, unless legislation requires data retention. Data retention required by law (e.g., accounting documents) continues for the statutory period, after which the data will be deleted.

11. Liability and terms of the agreement

The liability limitations of the Attire service terms of use apply to this agreement. In case of a conflict between this agreement and the terms of use regarding personal data processing, this agreement takes precedence. Finnish law applies to the agreement.

Updated: 29.6.2026.

The Processor is Kinttala Group (Business ID 2933129-2, Salonkyläntie 167, 21140 Rymättylä). This is the standard DPA version of Attire. A signable version with company information can be prepared upon request. Customizations (e.g., more detailed technical measures or broader audit rights) are possible in an Enterprise order.