Data Processing Agreement
Last updated: 24 February 2026
1. Parties & Scope
This Data Processing Agreement ("DPA") is entered into by and between:
- Data Controller: You, the user or the organisation you represent ("Controller")
- Data Processor: ExecutESG Oy, Lapinlahdenkatu 16, 00180 Helsinki, Finland ("Processor")
This DPA forms part of the Terms of Service and governs the processing of personal data by the Processor on behalf of the Controller in connection with the VSME platform (the "Service").
This DPA is established in accordance with Article 28 of the GDPR.
2. Definitions
Terms used in this DPA (e.g., "personal data", "processing", "data subject", "supervisory authority") have the meanings given to them in the GDPR (Regulation 2016/679).
3. Subject Matter & Duration
| Item | Description |
|---|---|
| Subject matter | Processing of personal data to provide the ESG sustainability reporting Service |
| Duration | For the term of the Controller's use of the Service, plus any retention period described in the Privacy Policy |
| Nature & purpose | Storage, organisation, retrieval, and presentation of sustainability reporting data; payment processing; user account management |
4. Categories of Data & Data Subjects
4.1 Data Subjects
- Employees and representatives of the Controller who use the Service
- Individuals whose personal data may be included in sustainability reports (e.g., workforce statistics)
4.2 Categories of Personal Data
- Contact details (name, email address)
- Company profile information (company name, legal form, country)
- ESG questionnaire responses
- Subscription and payment identifiers
- Activity and access logs
No special categories of data (Art. 9 GDPR) are processed under this DPA.
5. Processor Obligations
The Processor shall:
- Process personal data only on documented instructions from the Controller, unless required by EU or member state law
- Ensure that persons authorised to process personal data are bound by confidentiality obligations
- Implement appropriate technical and organisational security measures (see Section 7)
- Assist the Controller in responding to data subject requests (access, rectification, erasure, portability)
- Assist the Controller with data protection impact assessments and prior consultations with supervisory authorities, where applicable
- At the Controller's choice, delete or return all personal data upon termination of the Service
- Make available to the Controller all information necessary to demonstrate compliance with this DPA
6. Sub-Processors
The Controller authorises the Processor to engage sub-processors. The Processor shall inform the Controller of any intended changes to sub-processors, giving the Controller an opportunity to object.
Current sub-processors:
| Sub-processor | Service | Location |
|---|---|---|
| Cloud hosting provider | Infrastructure, compute, storage | EU (Finland / Germany) |
| Stripe, Inc. | Payment processing | USA (EU SCCs in place) |
| Email service provider | Transactional email delivery | EU / USA (EU SCCs in place) |
The Processor shall ensure that each sub-processor is bound by data protection obligations no less protective than those in this DPA.
7. Security Measures
The Processor implements the following technical and organisational measures to ensure the security of personal data:
- Encryption: TLS encryption for data in transit; encrypted storage at rest
- Access control: Role-based access control; multi-factor authentication available
- Password security: Passwords hashed using bcrypt (one-way hashing)
- Backups: Automated daily backups with encrypted off-site storage
- Monitoring: Server health monitoring and application-level activity logging
- Incident response: Documented incident response procedures
- Staff: All personnel with access to personal data are bound by confidentiality agreements
8. Data Breach Notification
In the event of a personal data breach, the Processor shall:
- Notify the Controller without undue delay, and in any event within 48 hours of becoming aware of the breach
- Provide sufficient information for the Controller to meet its obligations under GDPR Articles 33 and 34
- Cooperate with the Controller to investigate and mitigate the breach
9. International Data Transfers
The Processor shall not transfer personal data outside the EEA except where:
- The European Commission has issued an adequacy decision for the destination country
- EU Standard Contractual Clauses (SCCs) are in place with the recipient
- Another valid GDPR transfer mechanism applies
10. Audits & Inspections
The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for audits, including inspections, conducted by the Controller or a mandated auditor. Such audits shall be conducted with reasonable notice and during normal business hours.
11. Return & Deletion of Data
Upon termination of the Service or upon the Controller's request, the Processor shall, at the Controller's choice:
- Return all personal data in a commonly used, machine-readable format; or
- Delete all personal data and certify such deletion in writing
Data deletion shall occur within 30 days, except where retention is required by applicable law (e.g., financial records under Finnish accounting law).
12. Governing Law
This DPA shall be governed by and construed in accordance with the laws of Finland. Disputes shall be resolved in the District Court of Helsinki, Finland.
13. Contact
For questions about this DPA or to exercise rights under it, please contact:
- ExecutESG Oy
- Lapinlahdenkatu 16, 00180 Helsinki, Finland
- Email: privacy@executesg.com