Data Processing Agreement

Effective Date: 1 May 2026 · Last Updated: 28 March 2026

1. Parties

1.1 ZenTreasury Oy (hereinafter "Processor")
Business ID: 2762104-2
Itämerenkatu 3, 00180 Helsinki, Finland

1.2 The party who has concluded the Agreement with the Processor on the use of the Processor's Service (hereinafter "Controller" or "Customer").

2. Definitions

2.1 "Agreement" means the main agreement between the Parties that includes this Data Processing Agreement.

2.2 "Data Processing Agreement" means this agreement.

2.3 "Data Protection Laws" means the Data Protection Act of Finland (1050/2018), the General Data Protection Regulation of the European Parliament and of the Council (679/2016) and any other data protection legislation in force and any legally valid instructions or orders given by the data protection authorities.

2.4 "Party" or "Parties" means the Controller and/or the Processor.

2.5 "Personal Data" means any information relating to an identified or identifiable natural person for which the Controller or the Controller's customer or another affiliate acts as the controller. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

2.6 "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

3. Subject-Matter and Duration of the Processing

3.1 The Parties agree in this Data Processing Agreement on the terms and conditions of the processing of Personal Data that stem from the Agreement.

3.2 The Agreement includes the processing of Personal Data the Controller is in charge of.

3.3 The Processor has the right to process the Personal Data for as long as the Agreement is in force, unless the Controller decides otherwise. This DPA applies to all services provided by the Processor, including ZenTreasury and LeaseAccounting.app.

4. Nature and Purpose of the Processing

4.1 The purpose of the Service is to provide the Customer with a SaaS service related to lease accounting and associated data intelligence features (including AI-powered document extraction, analytics, forecasts, and automated calculations). The Processor processes Personal Data only when and if the Controller discloses such data to the Service.

4.2 The following sub-processing activities are performed in connection with Data Intelligence Features: telemetry event storage, extraction correction logging, workflow friction event logging, and AI token consumption tracking. Data categories processed as data processor on behalf of the Controller include: field-level extraction corrections, workflow step interactions, and AI feature usage.

4.3 For the avoidance of doubt, the Processor may generate anonymised, aggregate benchmark data and extraction accuracy improvement data that does not constitute Personal Data within the meaning of GDPR Recital 26. With respect to such anonymised data, the Processor acts as an independent controller, not as a processor on behalf of the Controller. The creation of anonymised benchmarks is subject to the safeguards described in the Terms of Service (Section 5.3a) and Privacy Policy (Section 7.3). The Controller's right to opt out of benchmark contribution does not affect the controller-processor relationship for per-tenant data.

4.4 The Controller instructs the Processor that, in connection with Data Intelligence Features: (a) raw document content shall not be retained beyond 24 hours after the processing session in which it was uploaded; (b) extraction corrections may be retained in de-identified form for up to 36 months for the purpose of improving extraction model accuracy; (c) workflow friction events shall be retained for no more than 12 months; (d) AI feature telemetry shall be retained for no more than 24 months; and (e) the Controller may withdraw from anonymised benchmark aggregation by visiting leaseaccounting.app/privacy/opt-out or emailing privacy@leaseaccounting.app, which shall take effect within 30 days.

4.5 In accordance with Regulation (EU) 2024/1689 (the EU Artificial Intelligence Act), the Processor maintains an AI system register covering Document Intelligence and AI assistant features. Controllers acting as deployers of the Service are notified of AI system use via in-application disclosures. Extraction corrections are logged with human oversight records for AI Act compliance purposes.

5. Type of Personal Data and Categories of Data Subjects

5.1 The categories of data subjects consist of the data subjects whose Personal Data the Controller discloses to the Service.

5.2 The register, which consists of the Personal Data, may include: (i) contact information, such as full name, address, phone numbers and e-mail addresses; (ii) nationality, age, gender, title or profession and language skills; (iii) possible registration information, such as username, pseudonym, password and other unique identification; (iv) information regarding the customer relationship, such as billing and payment information, product-, service- and ordering information, information regarding customer feedback and contacts and cancellation information; (v) information relating to the implementation of communications and information relating to use of services, such as browsing and search information; (vi) possible other data the Controller discloses to the Service; (vii) document content temporarily processed by Data Intelligence Features (deleted within 24 hours of processing session completion); (viii) de-identified extraction corrections, retained up to 36 months (field name, AI value, human value, confidence score, correction type, time to correct); and (ix) AI feature interaction metadata at the organisation level.

6. Obligations and Rights of the Controller

6.1 The Processor shall process the Personal Data according to the Data Protection Laws and by following good data processing practices, other relevant legislation and compulsory guidance of the authorities.

6.2 The Controller reserves the right to monitor the Personal Data.

6.3 The Controller reserves the ownership of the Personal Data and any immaterial rights and other rights relating to the Personal Data, unless the Controller notifies the Processor that such ownerships belong to the Controller's customer or another affiliate company.

7. Instructions from the Controller in Regard to the Processing of Personal Data

7.1 The Processor is not allowed to process the Personal Data for any other purposes than what the Parties have specifically agreed on in the Agreement.

7.2 When processing the Personal Data, the Processor has an obligation to follow the Data Protection Laws.

7.3 The Processor shall not transfer Personal Data outside the EU/EEA unless appropriate safeguards are in place in accordance with the Data Protection Laws, including: (i) an adequacy decision by the European Commission; (ii) Standard Contractual Clauses adopted by the European Commission (Commission Implementing Decision (EU) 2021/914); or (iii) the EU-US Data Privacy Framework for certified US recipients. Where the Processor relies on Standard Contractual Clauses, the Processor shall conduct a transfer impact assessment where required and implement supplementary measures if necessary. If any of the prerequisites of the applicable transfer mechanism cease to exist, the Processor has an obligation to immediately cease the transfer and return the Personal Data transferred outside the EU/EEA to the Controller or ensure its deletion.

8. Confidentiality

8.1 The Processor is under an appropriate statutory obligation of confidentiality when it processes Personal Data.

9. Security of Processing

9.1 Taking into account the risks related to the nature of the Agreement, the Processor ensures appropriate technical and organisational measures when it processes Personal Data. Those measures shall especially aim to prevent the accidental, unauthorised or unlawful processing of Personal Data, monitor the processing, disappearance, destruction, alteration or impairment of Personal Data and prevent unauthorised access to the Personal Data.

9.2 The Processor shall ensure that its employees do not process the Personal Data against the instructions given by the Controller.

10. Subprocessors

10.1 The Controller grants the Processor general authorisation to engage other processors (hereinafter "Subprocessor") to process Personal Data.

10.2 The Processor shall maintain a list of current Subprocessors, which is available upon request at privacy@leaseaccounting.app.

10.3 The Processor shall notify the Controller at least thirty (30) days in advance of any intended addition or replacement of a Subprocessor, by email to the Controller's registered contact address. The notification shall identify the Subprocessor and describe the processing to be performed.

10.4 The Controller may object to a new Subprocessor on reasonable data protection grounds within fifteen (15) days of receiving notification. If the Controller objects and the Parties cannot resolve the objection within fifteen (15) days, the Controller may terminate the affected portion of the Agreement without penalty.

10.5 The Processor shall impose on each Subprocessor, by way of contract, data protection obligations no less protective than those set out in this Data Processing Agreement.

10.6 The Processor remains fully liable to the Controller for the performance of each Subprocessor's obligations.

11. Personal Data Breach Notification

11.1 The Processor shall notify the Controller without undue delay and in any event within seventy-two (72) hours after becoming aware of a Personal Data Breach.

11.2 The notification shall include, to the extent available:

  1. a description of the nature of the breach, including the categories and approximate number of data subjects and records concerned;
  2. the name and contact details of the Processor's contact point for further information;
  3. a description of the likely consequences of the breach;
  4. a description of the measures taken or proposed to address the breach and mitigate its possible adverse effects.

11.3 Where it is not possible to provide all information simultaneously, the Processor shall provide information in phases without undue delay.

11.4 The Processor shall cooperate with and assist the Controller in the Controller's breach response, including notification to supervisory authorities and data subjects where required.

12. Obligation of the Processor to Assist the Controller

12.1 The Processor shall without delay assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the rights of its customers. Upon written request from the Processor, the Controller shall without undue delay reimburse the Processor for any costs arising from this Section 12.1.

12.2 The Processor shall assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the General Data Protection Regulation, taking into account the nature of the processing and the information available to the Processor.

13. Audit Rights

13.1 The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations set out in this Data Processing Agreement and Article 28 of the GDPR.

13.2 The Processor shall allow and contribute to audits and inspections conducted by the Controller or an auditor mandated by the Controller. Such audits shall: (i) be conducted no more than once per twelve (12) month period (unless required by a supervisory authority or in response to a Personal Data Breach); (ii) be subject to at least thirty (30) days' advance written notice; (iii) be conducted during normal business hours; (iv) be at the Controller's cost; and (v) be limited in scope to the processing activities under this Data Processing Agreement.

13.3 Where the Processor holds relevant certifications, audit reports, or third-party attestations, the Processor may offer these as an alternative to on-site audits. The Controller shall consider such alternatives in good faith before requesting an on-site audit.

14. Deletion or Return of the Personal Data

14.1 Upon termination of the Agreement and upon the Controller's written request, the Processor shall, at the Controller's choice, return all Personal Data in a standard machine-readable format or delete all Personal Data, within thirty (30) days of such request.

14.2 If no request is received within sixty (60) days of termination, the Processor shall delete all Personal Data and confirm deletion in writing.

14.3 The Processor may retain Personal Data to the extent required by EU or Member State law, provided the Processor informs the Controller and ensures the confidentiality of such data.

15. Records of Processing Activities

15.1 The Processor shall keep records (hereinafter "Records") of its processing activities that relate to this Agreement and the processing of Personal Data. The Records must have at least the following information:

  1. the name and contact details of the Processor and, if possible, the name and contact details of the Processor's data protection officer;
  2. the description of the processing activities of the Personal Data conducted on behalf of the Controller and the categories of data subjects and personal data;
  3. if the Personal Data is transferred outside the EU/EEA, the information of the transfer and a demonstration that the transfer was conducted according to the Data Protection Laws; and
  4. a description of the technical and organisational measures taken.

16. Indemnity and Liability

16.1 Each party hereby indemnifies the other party against any and all losses, damages, liabilities, claims, penalties, fines, awards, costs and expenses (including reasonable legal fees) caused by any breach of the warranties contained in this Agreement.

16.2 The Controller has an obligation to defend the Processor where a claim is filed against the Processor on the basis of the Processor's processing activities relating to the Personal Data. The Processor has the aforementioned obligation if the Controller informs the Processor of the matter in a written form and without undue delay.

16.3 The Parties' liability for damages shall be determined on the basis of the General Data Protection Regulation (679/2016).

17. Miscellaneous

17.1 If there is a conflict between the Data Processing Agreement and the Agreement, the terms of the Data Processing Agreement shall prevail.

17.2 Neither party may assign this Data Processing Agreement without the other party's prior written consent, except in connection with a merger, acquisition, or sale of all or substantially all of the assigning party's assets.

17.3 If any court of law, having the jurisdiction to decide on this matter, rules any provision of the Data Processing Agreement invalid, then that provision will be removed from the Data Processing Agreement without affecting the rest of the Data Processing Agreement.

17.4 The Data Processing Agreement is governed by the laws of Finland without regard to its rules and principles on conflict of laws.

17.5 Any dispute arising between the Parties out of, or in connection with, the Data Processing Agreement shall be finally settled in accordance with the Arbitration Rules of the Finland Chamber of Commerce in Helsinki, Finland. The arbitration tribunal shall consist of one (1) arbitrator. The language of the arbitration shall be English or Finnish.
