Data Processing Agreement — SvereSystems

Legal

Data Processing Agreement

This Data Processing Agreement forms part of the SvereSystems Terms of Service or another applicable service agreement and applies where SvereSystems processes personal data on behalf of a customer as a processor under applicable data protection law, including the EU General Data Protection Regulation.

Last updated: 7 June 2026 SvereSystems · Sveresa TMI · Finland Article 28 GDPR · Processor terms where applicable

Related pages

Privacy Policy Cookie Policy Terms & Conditions Data Processing Agreement

1. Parties and scope

This DPA is between:

  • the customer that has entered into the SvereSystems Terms of Service, order, or other relevant service agreement (“Controller” or “Customer”); and
  • Sveresa TMI, Business ID / Y-tunnus 3592316-3, Finland, operating under the brand SvereSystems (“Processor” where this DPA applies).

This DPA forms part of the applicable Terms of Service, order, or service agreement (the “Main Agreement”). If there is a conflict between this DPA and the Main Agreement regarding the processing of personal data on behalf of the Customer, this DPA will prevail to the extent of that conflict.

This DPA does not change SvereSystems' role as an independent controller for its own business records, website operations, payments, accounting, legal compliance, direct marketing where lawful, and client relationship management. Those activities are described in the SvereSystems Privacy Policy.

Important scope note: SvereSystems normally acts as an independent controller for its own business administration, website, payment, support, and direct client communication records. This DPA applies only to personal data that a customer provides to SvereSystems for processing on the customer's behalf in connection with a requested service.

2. Subject matter and duration

This DPA covers SvereSystems' processing of personal data on behalf of the Customer where such processing is necessary to assess, prepare, deliver, or support a SvereSystems service, including Fit Check handling, Client Acquisition Review intake processing, internal draft preparation, and delivery of the agreed written service.

This DPA applies for as long as SvereSystems processes personal data on behalf of the Customer and continues to apply to post-service retention, deletion, confidentiality, security, and legal obligations described in this DPA.

3. Nature and purpose of processing

SvereSystems processes personal data only to provide, maintain, secure, document, and support the agreed service and to follow the Customer's documented instructions under the Main Agreement. Processing may include:

  • receiving and organising Fit Check or intake submissions;
  • reviewing customer-provided business, outreach, follow-up, reply-handling, or client-acquisition material;
  • preparing internal working notes or AI-assisted internal drafts;
  • creating and delivering written review documents or related service responses;
  • communicating with the Customer about the service;
  • maintaining security, access controls, logs, and limited operational records.

The service does not include lead sourcing, done-for-you outreach, campaign sending, campaign management, CRM setup, technical implementation, ads management, SEO work, or full funnel buildout unless separately and explicitly agreed in writing.

4. Categories of data and data subjects

The personal data processed on behalf of the Customer may include, depending on what the Customer submits:

  • business contact information, such as names, business email addresses, roles, company names, websites, or business pages;
  • business context and client-acquisition information submitted through forms or email;
  • outreach messages, follow-up examples, reply-handling examples, communication snippets, and related notes;
  • limited information about the Customer's prospects, leads, clients, or target client roles where included in submitted material;
  • service administration metadata, such as submission timestamps, order status, internal status notes, and delivery records;
  • technical and security metadata necessary to operate the service workflow.

The categories of data subjects may include:

  • the Customer's owners, staff, contractors, or representatives;
  • the Customer's prospects, leads, customers, or business contacts where their information is included in submitted material;
  • other individuals whose personal data is provided by or on behalf of the Customer for the agreed service.

The service is not intended for processing special categories of personal data under Article 9 GDPR, data relating to criminal convictions, passwords, access credentials, private login details, confidential credentials, or unnecessary sensitive information. The Customer must not intentionally submit such data.

5. Customer obligations

The Customer is responsible for:

  • ensuring that it has a valid legal basis for any personal data submitted to SvereSystems;
  • providing required privacy notices to relevant data subjects where necessary;
  • ensuring that all instructions to SvereSystems are lawful and consistent with the Main Agreement and this DPA;
  • submitting only information necessary for the requested service;
  • removing or anonymising unnecessary personal data before submission where practical;
  • not submitting passwords, access credentials, special-category data, criminal offence data, or other unnecessary sensitive information;
  • using SvereSystems' service outputs in a lawful and privacy-compliant manner.

6. Processor obligations

SvereSystems shall:

  • process personal data only on documented instructions from the Customer, unless required by EU or Member State law;
  • maintain confidentiality and ensure that persons authorised to process personal data are subject to confidentiality obligations;
  • use appropriate technical and organisational measures to protect personal data, taking into account the nature and risk of the processing;
  • assist the Customer, insofar as reasonably possible, with data subject requests and GDPR Articles 32 to 36 obligations, taking into account the nature of the service;
  • inform the Customer if, in SvereSystems' opinion, an instruction infringes applicable data protection law;
  • keep required records of processing activities where required by law;
  • avoid unnecessary data handling and use data minimisation in internal workflows where practical.

7. AI-assisted processing

SvereSystems may use AI-assisted drafting tools to organise submitted information and prepare internal working drafts for the agreed service. AI-assisted outputs are used as internal working material only and are not sent directly to the Customer without SvereSystems review.

SvereSystems applies data minimisation when using AI-assisted tools. Where practical, unnecessary personal data such as email addresses, personal names, payment context, or unrelated identifying details are not included in AI prompts. The Customer should not submit sensitive information or credentials in any intake or Fit Check form.

Final client-facing responses and written review documents are checked, edited, and approved by SvereSystems before delivery. The service does not rely on solely automated decision-making that produces legal or similarly significant effects for the Customer.

8. Sub-processors

The Customer gives SvereSystems a general written authorisation to use sub-processors where necessary to provide the service. Sub-processors may include providers of:

  • website hosting and page delivery;
  • form handling and workflow automation;
  • cloud storage, spreadsheets, and internal records;
  • email and communication infrastructure;
  • payment processing and order administration;
  • AI-assisted drafting and analysis tools;
  • analytics, logging, security, and consent-management tools where applicable.

Current provider categories may include tools such as website/page hosting providers, Make.com, Google services, OpenAI API, email providers, payment providers, and consent-management providers, depending on the active workflow.

SvereSystems shall:

  • use sub-processors only where reasonably necessary for the service;
  • take reasonable steps to ensure sub-processors are subject to appropriate data protection obligations;
  • remain responsible for sub-processor performance to the extent required by applicable law and the Main Agreement;
  • make information about relevant sub-processor categories reasonably available upon request.

Where required by law, the Customer may object to a new sub-processor on reasonable data protection grounds. The parties will work in good faith to find a practical solution. If no practical solution is available, the Customer may discontinue the affected service in accordance with the Main Agreement.

9. International transfers

Some sub-processors may process personal data outside the European Economic Area (“EEA”) or use infrastructure that involves international transfers.

Where personal data is transferred to a country that does not benefit from an adequacy decision, SvereSystems will aim to rely on appropriate transfer safeguards where required, such as Standard Contractual Clauses, an applicable adequacy framework, or another lawful transfer mechanism available under Chapter V GDPR.

Details may depend on the relevant provider, account configuration, and service used at the time of processing.

10. Security measures

SvereSystems shall implement and maintain appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, taking into account the nature, scope, context, purpose, and risk of the processing.

Such measures may include, as appropriate:

  • encrypted connections for data in transit where supported by the relevant provider;
  • limited access to Make, Sheets, email, storage, payment, and AI-provider accounts;
  • strong passwords and multi-factor authentication where available;
  • least-privilege access and avoidance of public sharing links for client records;
  • separation of test and live data where practical;
  • retention and deletion practices for test submissions, internal drafts, and completed service files;
  • incident review and corrective action where a security issue is identified.

The Customer remains responsible for the security of its own systems, accounts, submitted materials, and use of any service outputs.

11. Data subject requests

If SvereSystems receives a data subject request relating to personal data processed on behalf of the Customer, SvereSystems will, where reasonably possible and appropriate:

  • advise the requester to contact the Customer directly; and/or
  • notify the Customer and provide reasonable assistance for the Customer's response.

The Customer is responsible for handling and responding to data subject requests where the Customer is the controller, including rights of access, rectification, erasure, restriction, portability, and objection.

12. Personal data breaches

If SvereSystems becomes aware of a personal data breach affecting personal data processed on behalf of the Customer, SvereSystems shall notify the Customer without undue delay and provide information reasonably available to SvereSystems that the Customer may need to assess and meet its legal obligations.

SvereSystems will take reasonable steps to mitigate the effects of the breach and support required notifications, taking into account the nature of the processing, the information available, and the relevant sub-processor involvement.

13. Compliance information

Upon reasonable written request and subject to confidentiality, SvereSystems shall make available information reasonably necessary to demonstrate compliance with this DPA and Article 28 GDPR. This may include:

  • this DPA and related privacy documentation;
  • summaries of relevant security and organisational measures;
  • information about provider categories and relevant data flows;
  • responses to reasonable privacy or security questions proportionate to the service.

On-site audits are not normally appropriate for a small asynchronous written service. If legally required and not satisfied by available documentation, any audit must be limited, proportionate, subject to confidentiality, at the Customer's cost, and arranged to avoid unreasonable disruption or exposure of other customers' information.

14. Return and deletion of personal data

After completion or termination of the relevant service, SvereSystems will delete or return personal data processed on behalf of the Customer upon reasonable request, unless retention is required or justified for legal, accounting, tax, security, dispute-resolution, or business record purposes.

Unless otherwise agreed, personal data may remain in active systems for a limited retention period and in backups or provider logs according to applicable provider retention cycles and technical constraints.

Practical rule: SvereSystems aims to avoid indefinite retention of unnecessary test submissions, abandoned submissions, internal AI draft emails, spreadsheet rows, and draft working material. Specific retention periods may be described in the SvereSystems Privacy Policy or internal retention rules.

15. Liability and hierarchy

The limitations of liability, exclusions, and remedies in the Main Agreement apply to this DPA, subject to any mandatory provisions of applicable law.

If documents conflict, the following order applies for data protection matters:

  • this DPA;
  • the Main Agreement or Terms of Service;
  • other related service documents, unless expressly agreed otherwise in writing.

16. Governing law and contact

This DPA is governed by the laws of Finland, without regard to conflict-of-laws rules. Disputes relating to this DPA shall be handled according to the dispute-resolution provisions in the Main Agreement, unless mandatory law requires otherwise.

For DPA, privacy, or data-protection questions, please contact SvereSystems using the contact details shown in the footer of this page.

SvereSystems – Privacy & Legal
Operated by Sveresa TMI
Business ID / Y-tunnus: 3592316-3
Finland

Appendix 1 — Processing details

Subject matter: Processing of customer-provided personal data where needed for Fit Check handling, Client Acquisition Review intake processing, internal working draft preparation, written review delivery, and related support.

Duration: For the period needed to provide the service and for any limited post-service retention required or justified for legal, accounting, tax, security, dispute-resolution, or business record purposes.

Nature and purpose: Receipt, organisation, review, storage, internal analysis, AI-assisted internal draft preparation, manual editing, delivery, communication, security, and limited record-keeping.

Types of personal data: Business contact data, business context, websites or business pages, submitted form answers, outreach/follow-up examples, reply-handling examples, prospect/client references included by the Customer, communication metadata, order status, internal notes, AI-assisted draft material, and final written delivery files.

Categories of data subjects: Customer representatives; Customer staff or contractors; Customer prospects, leads, clients, or business contacts included in submitted material; other individuals included by the Customer in the service material.

Special categories: Not intended. The Customer must not intentionally submit special-category data, criminal offence data, passwords, access credentials, or unnecessary sensitive information.

Appendix 2 — Security measures

SvereSystems maintains proportionate technical and organisational measures for a small asynchronous B2B written service. These may include:

  • use of reputable service providers for hosting, automation, storage, email, payment, and AI-assisted internal drafting;
  • HTTPS/TLS in transit where supported by the relevant platform;
  • restricted access to Make, Google Sheets, email, payment, and AI-provider accounts;
  • multi-factor authentication where available;
  • data minimisation in AI prompts and internal working materials;
  • avoidance of unnecessary passwords, credentials, and sensitive data in forms;
  • private spreadsheet/storage settings and avoidance of public sharing links;
  • manual review before any client-facing delivery;
  • periodic cleanup of test data, abandoned submissions, internal draft emails, and outdated working files where practical;
  • incident response and corrective action if a data-security issue is identified.
Security measures may evolve over time. SvereSystems will aim to keep measures appropriate to the nature and risk of the processing and aligned with GDPR Article 32.