Data Processing Agreement

This Data Processing Agreement (DPA) applies to situations where Koukku Kapital Oy processes personal data on behalf of a customer. The agreement fulfils the requirements of GDPR Article 28.

Version: 1.0 — 3 May 2026
01

Scope

This agreement applies where the customer ("controller") uses Koukku.ai's services in a manner that causes Koukku Kapital Oy ("processor") to process personal data of the customer's customers or other third parties.

If you are a private individual using our services for personal purposes, this agreement does not apply to you — please read our Privacy Policy.

02

Definitions

  • Controller: The customer who determines the purpose and means of processing personal data.
  • Processor: Koukku Kapital Oy, processing data on behalf of the controller.
  • Personal data: Any information relating to an identified or identifiable natural person (GDPR art. 4(1)).
  • Sub-processor: A third party to whom the processor sub-contracts part of the processing (e.g. Vercel, Upstash).

03

Processor obligations

Koukku Kapital Oy commits to:

  • Processing personal data only on the controller's documented written instructions
  • Ensuring that persons authorised to process personal data have committed to confidentiality
  • Implementing appropriate technical and organisational measures pursuant to GDPR art. 32
  • Assisting the controller in fulfilling data subject rights
  • Notifying the controller of any data breach without undue delay (within 72 hours)
  • Deleting or returning all personal data upon termination of the agreement

04

Sub-processors

We use the following approved sub-processors. All have a DPA in force with Koukku Kapital Oy:

  • Vercel Inc.: Hosting (EU region). EU SCCs.
  • Upstash Inc.: Redis / sessions (Frankfurt, EU).
  • Google Cloud: Database (PostgreSQL). EU–US DPF.
  • Resend Inc.: Email service. EU SCCs.

We will notify you in writing of any changes to sub-processors at least 14 days in advance.

05

Security measures

  • HTTPS encryption for all data transmission (TLS 1.3)
  • Bcrypt password hashing (cost factor 12)
  • Encrypted database connections (Cloud SQL + TLS)
  • Access to production systems restricted to authorised personnel only
  • Regular security audits and vulnerability assessments

06

Data subject rights

We assist the controller in responding to requests from data subjects (access, rectification, erasure, portability). We undertake to provide the necessary information within 5 business days of receiving a request from the controller.

07

Termination

Upon termination of the service agreement, we will delete or return all personal data processed on the controller's behalf within 30 days, unless retention is required by law.

08

DPA requests

DPA questions or signing? Contact john@koukku.ai. We will provide a signed DPA within 5 business days.