Your Article 28 paperwork, already signed.

Questions? Write to legal@baslic.com.

Summary

Parties and scope

This Data Processing Agreement ("DPA") supplements the Terms of Service between Fidanet Solution Oy, Marinkallio 6b, 02320 Espoo, Finland, Business ID 3497432-1 ("Processor", "Baslic") and the entity that uses the Service ("Controller", "you").

It applies whenever Baslic processes personal data on behalf of the Controller in connection with the Service, and it is automatically incorporated into the Terms when the Controller signs up.

Definitions

Capitalised terms used and not otherwise defined here have the meaning given in the GDPR. "Personal Data", "Processing", "Controller", "Processor", "Sub-processor", "Data Subject", and "Personal Data Breach" carry the meanings of Articles 4 and 28 GDPR.

"Customer Personal Data" means Personal Data submitted to, or generated by, the Service in the course of providing it to the Controller. The categories of data and Data Subjects are described in Annex I.

Subject matter and duration

The subject matter of the processing is the provision of the Service: ingesting receipts and invoices, extracting line items, classifying VAT and tax treatment, generating exports for accounting tools, and storing the results for the Controller and its authorised users.

The duration of the processing is the term of the underlying subscription, plus the post-termination retention period required for export and statutory record-keeping under our retention schedule.

Processing on documented instructions

Baslic processes Customer Personal Data only on the documented instructions of the Controller, including with regard to transfers to a third country, unless required to do so by Union or Member State law. Where Baslic relies on such a legal requirement, it will inform the Controller of that requirement before processing, unless the law prohibits it on important grounds of public interest.

The Controller's instructions are set out in (a) the Terms and any Order, (b) this DPA, and (c) the Controller's use of the configuration options and APIs that the Service makes available. Additional instructions outside that scope require a separate written agreement.

Baslic will inform the Controller without undue delay if it considers an instruction to infringe the GDPR or other applicable data-protection law.

Confidentiality of personnel

Baslic ensures that personnel authorised to process Customer Personal Data have committed to confidentiality, either through their employment contract or through a separate written undertaking, and have received training appropriate to their role.

Security of processing (Article 32)

Baslic implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the cost of implementation, and the nature, scope, context, and purpose of processing. A current description of these measures is set out in Annex II.

Sub-processors

The Controller grants general authorisation for Baslic to engage Sub-processors to process Customer Personal Data, subject to the obligations in this section.

The current list of authorised Sub-processors is published at baslic.com/legal/sub-processors. Controllers may subscribe to email notifications of additions and changes.

Baslic will notify the Controller of any intended addition or replacement of Sub-processors that process Customer Personal Data at least 30 days before the change takes effect. The Controller may object on reasonable grounds related to data protection by email to privacy@baslic.com within that notice period. If an objection cannot be resolved, the Controller may terminate the subscription with respect to the affected Service for convenience and receive a pro-rata refund of prepaid fees.

Baslic enters into a written agreement with each Sub-processor that imposes data-protection obligations no less protective than those in this DPA. Baslic remains fully liable to the Controller for the performance of its Sub-processors' obligations.

International transfers

Customer Personal Data is stored in the European Economic Area. Where a Sub-processor processes data outside the EEA, Baslic relies on transfer mechanisms that satisfy Chapter V of the GDPR, including the European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), complemented where appropriate by supplementary technical and organisational measures.

By signing up, the Controller authorises Baslic to enter into the Standard Contractual Clauses with relevant Sub-processors on the Controller's behalf, in their applicable module (Module 3, processor to processor, where Baslic acts as data exporter on the Controller's instructions).

Assistance with data subject rights

The Service provides the Controller with self-service tools to access, export, correct, and delete Customer Personal Data, enabling the Controller to respond to Data Subject requests directly in most cases.

Where additional assistance is reasonably necessary, Baslic will provide it taking into account the nature of the processing. Baslic will pass any Data Subject request received directly to the Controller without undue delay, instructing the Data Subject to contact the Controller.

Personal data breach

Baslic notifies the Controller of any Personal Data Breach affecting Customer Personal Data without undue delay, and in any event within 48 hours of becoming aware of it. The notification contains, to the extent then known:

• the nature of the breach, including the categories and approximate number of Data Subjects and records concerned;
• the likely consequences of the breach;
• the measures taken or proposed to address the breach and to mitigate adverse effects;
• the contact point at Baslic for further information.

Baslic assists the Controller in fulfilling its own notification obligations under Articles 33 and 34 GDPR. The notification does not constitute an acknowledgement of fault or liability.

DPIA and prior consultation

Baslic provides the Controller with reasonable assistance in carrying out data-protection impact assessments (Article 35) and prior consultations with supervisory authorities (Article 36), taking into account the nature of the processing and the information available to Baslic.

Audit rights

Baslic makes available to the Controller all information reasonably necessary to demonstrate compliance with Article 28 GDPR, including the latest available third-party audit reports and security documentation.

The Controller may, no more than once per calendar year and on at least 30 days' written notice, conduct or commission an audit of Baslic's compliance with this DPA. The audit is conducted during regular business hours, subject to reasonable confidentiality obligations, and at the Controller's expense, except where the audit reveals a material breach of this DPA, in which case Baslic bears the reasonable costs.

Where the Controller's audit needs are met by an independent third-party audit report (for example, ISO 27001 surveillance reports) that Baslic provides, the Controller will accept that report in lieu of an on-site audit, except where legally required otherwise.

Return and deletion on termination

On termination of the Service, the Controller may export Customer Personal Data through the Service's self-service tools for a period of 60 days. After that period, Baslic deletes Customer Personal Data within 30 days, except to the extent that retention is required by Union or Member State law (in particular Finnish bookkeeping law).

Encrypted backups containing Customer Personal Data may persist for up to 90 days after deletion before being overwritten in line with our backup-rotation schedule. These backups remain subject to the security measures in Annex II and are restored only in documented disaster-recovery scenarios.

Liability and order of precedence

Each party's liability under this DPA is subject to the limitations of liability set out in the Terms. Nothing in this DPA limits any liability that cannot be limited under applicable law.

In the event of a conflict between this DPA and the Terms with respect to the processing of Customer Personal Data, this DPA prevails.

Governing law

This DPA is governed by the laws of Finland. Jurisdiction follows the dispute-resolution clause of the Terms.

Annex I — Description of processing

Nature and purpose

Ingesting, parsing, classifying, storing, and exporting receipts, invoices, and travel-expense entries; calculating VAT and tax treatment; producing accounting-tool exports; providing user interfaces for review and approval; sending service-related email.

Categories of Data Subjects

• The Controller's authorised users (founders, employees, accountants, contractors).
• Third parties whose Personal Data appears on receipts and invoices (counter-parties, staff at merchants, payees).
• Travellers whose itineraries are recorded in travel-expense entries (the Matkalasku product).

Categories of Personal Data

• Identification and contact data of authorised users (name, email, role).
• Authentication data (hashed passwords, session tokens, multi-factor secrets).
• Receipt and invoice content (merchant, line items, prices, tax rates, payment method, location, time).
• Travel data (origin, destination, dates, distance, attendees).
• Usage and device data (IP address, browser, timestamps, actions).
• Support communications (email content, attachments).

Special categories

The Service is not designed to process special categories of Personal Data within the meaning of Article 9 GDPR. The Controller agrees not to submit such data to the Service unless it has a lawful basis for doing so, and acknowledges that the Service's technical and organisational measures are calibrated to ordinary business data.

Frequency and duration

Continuous, for the duration of the subscription, plus the retention windows described in the Privacy Policy.

Annex II — Technical and organisational measures

Pseudonymisation and encryption

• Personal Data in transit is protected with TLS 1.2 or higher, using modern cipher suites and HSTS.
• Personal Data at rest is encrypted with AES-256 in database-managed key stores; backups are encrypted with independently rotated keys.
• Internal datasets used for analytics and model evaluation are pseudonymised wherever the analytical task permits.

Confidentiality, integrity, availability, resilience

• Role-based access control, multi-factor authentication for administrative access, and audit logging of privileged actions.
• Production access is restricted to a small set of named engineers, granted just-in-time and revoked when no longer required.
• Continuous monitoring of integrity, latency, and error rates, with paging escalations for production incidents.
• Daily backups stored in a separate EU region and quarterly-tested restore procedures.

Vulnerability management

• Automated dependency scanning with defined response SLAs for critical and high-severity advisories.
• Annual external penetration testing of the production Service, with remediation tracked in the engineering issue tracker.
• Responsible-disclosure programme reachable at security@baslic.com.

Personnel

• Confidentiality undertakings for all personnel with access to Customer Personal Data.
• Annual security and privacy training, including phishing-awareness exercises.
• Background checks for personnel in sensitive roles, where permitted by local law.

Sub-processor due diligence

• Documented assessment of each Sub-processor's security and privacy posture before engagement, including review of public certifications and contractual commitments.
• Standard Contractual Clauses with all Sub-processors that transfer Personal Data outside the EEA.

Incident response

• Documented incident-response plan with defined severities, roles, and notification timelines aligned to Article 33 GDPR.
• Post-incident reviews shared with affected Controllers as part of breach notifications, where appropriate.