Data Processing Agreement

Last updated: May 13, 2026


1. Parties

This Data Processing Agreement (“DPA”) is established between the Customer and Taito.hr Oy (“Supplier”).


2. Background

2.1 The Supplier provides HR-related services to the Customer through separate agreements. This DPA covers personal data processing in those services, including: automatic management of employee feedback; payroll data processing; and data synchronization from and integrations with the Customer’s systems such as the Customer’s Human Resources Information System (HRIS).


3. Terms for Data Processing

3.1 General

The Customer acts as the data controller while the Supplier functions as the processor. Terms align with the General Data Protection Regulation (2016/679/EU) (“GDPR”).

3.2 Description of Processing

Processing occurs only for stated purposes during the Agreement term. Data subject categories include Customer employees. Personal data categories processed include:

  • Personal identification: Full name, gender
  • Contact information: Email address
  • HR information: Role, working location, job level, team, supervisory relationships, salary and benefits, personal development plans, employee goals
  • Feedback data: Employee feedback
  • Communication data: Employee support team communications

3.3 The Supplier’s General Obligations

The Supplier shall:

  • Process personal data in accordance with data protection legislation (including but not limited to the GDPR)
  • Notify the Customer of any requests received from data subjects or supervisory authorities
  • Not use personal data beyond the stated purposes
  • Delete or return data within 30 days of Agreement termination unless otherwise required by GDPR

3.4 The Supplier’s Assistance Obligations

The Supplier shall assist the Customer in:

  • Responding to data subject and supervisory authority requests
  • Complying with GDPR requirements regarding security, breaches, impact assessments, and prior consultations with supervisory authorities

3.5 Security

The Supplier shall take appropriate technical and organisational measures to protect personal data from unauthorised access, loss, or any other unlawful processing.

3.6 Personal Data Breaches

The Supplier shall notify the Customer without undue delay after becoming aware or having a reasonable suspicion of a personal data breach. The Supplier shall cooperate with the Customer in any investigations and supervisory authority notifications.

3.7 Sub-processors

The Supplier may use sub-processors only with prior Customer consent. By agreeing to this DPA, the Customer authorises processing by sub-processors on the authorised list. The Supplier shall:

  • Contractually impose the obligations of this DPA on all sub-processors
  • Monitor sub-processor performance
  • Remain fully liable to the Customer for the acts and omissions of sub-processors
  • Notify the Customer of any intended new sub-processors at least 30 days before they begin processing personal data. The Customer may object to a new sub-processor on reasonable data protection grounds by notifying the Supplier in writing during that period; the Supplier will work with the Customer in good faith to address the concern

The current list of authorised sub-processors is maintained at trust.taito.ai/subprocessors.

3.8 International Transfers of Personal Data

Processing or transfers of personal data outside the European Economic Area require prior written approval from the Customer. The Supplier shall ensure compliance with Chapter V of the GDPR. Processing locations for each sub-processor are described in the sub-processor list.

3.9 Auditing

The Customer may audit the Supplier’s actions and data related to personal data processing to verify compliance with this DPA. The Supplier must receive at least 14 days’ written notice prior to any audit.


Questions? Email us at legal@taito.ai.