Last updated: 23 June 2025
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Aito Software Oy, a company registered in Finland (Business ID: 2401943-5) ("SearchKit", "Processor") and the customer entity ("Customer", "Controller").
This DPA applies where SearchKit processes Personal Data on behalf of the Customer in connection with the SearchKit service ("Service").
1. Definitions
Terms used but not defined in this DPA have the meanings given in the GDPR or the Terms of Service.
- GDPR: Regulation (EU) 2016/679.
- Personal Data: Any information relating to an identified or identifiable natural person.
- Processing: Any operation performed on Personal Data as defined in the GDPR.
- Sub-processor: A third party engaged by SearchKit to process Personal Data on behalf of the Customer.
2. Roles and Scope
2.1 The Customer acts as Data Controller and SearchKit acts as Data Processor with respect to Personal Data processed on behalf of the Customer.
2.2 SearchKit processes Personal Data only on documented instructions from the Customer, including as necessary to provide the Service in accordance with the Terms of Service, this DPA, and Customer use of the Service.
2.3 This DPA does not apply to Personal Data processed by SearchKit as an independent controller (e.g. account administration, billing, or marketing data), which is governed by the Privacy Policy.
2.4 SearchKit does not determine the purposes or essential means of processing Personal Data and processes Personal Data solely on behalf of and under the instructions of the Customer.
3. Subject Matter and Duration
3.1 Subject matter
Processing consists of hosting, indexing, searching, retrieving, and otherwise processing data submitted to the Service by or on behalf of the Customer.
3.2 Duration
Processing continues for the duration of the Customer's use of the Service and any additional period required for deletion or return of data in accordance with this DPA.
3.3 Categories of Data Subjects
May include, depending on Customer use:
- employees and contractors,
- customers and business partners,
- other individuals whose data is included in Customer Data.
3.4 Categories of Personal Data
May include, depending on Customer use:
- identification and contact information,
- documents and document metadata,
- communications content,
- system and access logs.
4. Processor Obligations
SearchKit shall:
4.1 Process Personal Data only in accordance with the Customer's documented instructions and applicable law.
4.2 Ensure that persons authorised to process Personal Data are bound by confidentiality obligations.
4.3 Implement appropriate technical and organisational measures ("TOMs") to protect Personal Data, taking into account the state of the art, costs of implementation, and risks involved.
4.4 Assist the Customer, to the extent reasonably possible, in responding to requests from Data Subjects exercising their rights under the GDPR.
4.5 Assist the Customer in complying with its obligations relating to security, breach notification, and data protection impact assessments, to the extent required by the GDPR.
4.6 Make available to the Customer information reasonably necessary to demonstrate compliance with this DPA.
4.7 Where SearchKit is required by applicable law to process Personal Data other than on Customer instructions, SearchKit shall inform the Customer of that legal requirement unless prohibited by law.
5. Security Measures
5.1 SearchKit maintains technical and organisational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.
5.2 Such measures include, where applicable:
- access controls and authentication,
- encryption in transit and at rest,
- logging and monitoring,
- incident response procedures,
- logical separation of customer environments.
5.3 SearchKit may update its technical and organisational measures from time to time.
6. Personal Data Breaches
6.1 SearchKit shall notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data.
6.2 The notification shall include available information reasonably required for the Customer to comply with its obligations under the GDPR.
7. Sub-processors
7.1 The Customer authorises SearchKit to engage Sub-processors for the provision of the Service.
7.2 SearchKit maintains a list of Sub-processors at /legal/subprocessors. The list identifies the Sub-processors authorised under this DPA. The list may be updated from time to time in accordance with Section 7.4.
7.3 SearchKit shall impose data protection obligations on Sub-processors that are no less protective than those set out in this DPA.
7.4 SearchKit may update its Sub-processors. Where required by law or contract, SearchKit will provide advance notice of material changes and allow the Customer to object on reasonable and documented data protection grounds within 30 days of such notice.
7.5 If the Customer reasonably objects to a new Sub-processor on documented data protection grounds and the objection cannot be resolved, the Customer may terminate the affected Service without penalty.
8. International Data Transfers
8.1 Personal Data may be processed in regions selected by the Customer or as otherwise agreed in writing by the parties.
8.2 Where Personal Data is transferred outside the EU/EEA, SearchKit shall ensure appropriate safeguards are in place in accordance with the GDPR, including the use of Standard Contractual Clauses where applicable.
9. Deletion or Return of Data
9.1 Upon termination of the Service, SearchKit shall delete Personal Data in accordance with the Terms of Service, unless retention is required by applicable law.
9.2 Deletion may be subject to reasonable technical and operational delays.
9.3 Upon written request made within 30 days following termination, SearchKit shall make Personal Data available for return in a commercially reasonable format, unless retention or deletion is required by applicable law.
10. Audits
10.1 The Customer may request information reasonably necessary to demonstrate compliance with this DPA.
10.2 Any audits shall be subject to reasonable scope, confidentiality, and minimisation of disruption to SearchKit's operations.
Audits shall not require access to SearchKit source code or compromise the confidentiality of other customers.
Audits may be conducted no more than once per 12-month period.
The Customer shall bear its own audit costs unless the audit reveals material non-compliance with this DPA.
Nothing in this section limits audits or inspections required by a competent supervisory authority under applicable data protection law.
11. Liability
11.1 Liability under this DPA is subject to the limitations of liability set out in the Terms of Service.
11.2 Nothing in this DPA limits either party's liability where such limitation is prohibited by applicable law, including liability under Article 82 of the GDPR.
12. Governing Law
This DPA is governed by the laws of Finland, excluding conflict-of-law principles.
13. Order of Precedence
In the event of a conflict between this DPA and the Terms of Service, this DPA shall prevail solely with respect to Personal Data processing.
Annex A - Description of Processing
Nature of processing
Hosting, indexing, search, retrieval, analysis, and management of Customer-submitted data.
Purpose of processing
Provision of the SearchKit Service in accordance with the Customer's instructions.
This DPA is effective upon acceptance of the Terms of Service and does not require a separate signature unless otherwise agreed in writing.