Data Processing Agreement
Version 2.3 | Last updated: 2026-04-23
Parties
Data Processor: Fintower AB
Organisation number: 559468-3913
Address: Masthamnsgatan 21, 413 29 Göteborg, Sweden
(hereinafter "Fintower" or "Processor")
Data Controller: The Customer entity that has entered into a subscription agreement with Fintower
(hereinafter "Customer" or "Controller")
1. Definitions
"Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR.
"Processing" means any operation performed on Personal Data, as defined in Article 4(2) of the GDPR, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, or erasure.
"Controller" means the natural or legal person which determines the purposes and means of Processing of Personal Data. In this DPA, the Controller is the Customer.
"Processor" means the natural or legal person which Processes Personal Data on behalf of the Controller. In this DPA, the Processor is Fintower.
"Sub-processor" means any entity engaged by the Processor to Process Personal Data on behalf of the Controller, as defined in Article 28(2) of the GDPR.
"Data Subject" means the individual to whom Personal Data relates.
"GDPR" means Regulation (EU) 2016/679.
"Supervisory Authority" means an independent public authority designated by a Member State.
"Security Incident" means any confirmed or suspected breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Data.
"Customer Data" means all Personal Data uploaded to, stored on, or Processed by the Service on the Customer's behalf.
"Service" means the AI-powered financial planning and analysis (FP&A) SaaS platform provided by Fintower.
"Data Protection Act" means the Swedish Data Protection Act (Dataskyddslagen, 2018:218).
2. Scope and purpose of processing
2.1 Purpose and instruction
Fintower shall Process Personal Data solely for the purpose of providing the Service as described in the subscription agreement. Fintower shall Process Personal Data only on the documented instructions of the Customer, unless required to do so by EU law or Swedish law.
2.2 Categories of data subjects
- Employees and contractors of the Customer
- Clients and suppliers of the Customer (indirectly, as named parties in financial records, invoices, payroll data, and accounting records)
2.3 Categories of Personal Data
- Names and identification numbers of individuals
- Financial transaction data and records
- Payroll data (including salary and benefits information)
- Invoice references and financial document data
- Contact details of the Customer's counterparties (email addresses, telephone numbers)
- User account information (usernames, email addresses)
2.4 Duration of processing
Processing shall continue for the duration of the subscription agreement. Upon termination, Personal Data shall be handled in accordance with Section 3.6 of this DPA.
3. Processor obligations
3.1 Instruction-only processing
Fintower shall Process Personal Data only on documented instructions from the Controller. If Fintower is required to Process Personal Data by law, it shall, to the extent permitted by law, notify the Controller without undue delay.
3.2 Confidentiality
Fintower shall ensure that any person authorised to Process Customer Data is placed under a binding obligation of confidentiality or is otherwise under an appropriate legal obligation of confidentiality.
3.3 Technical and organisational security measures
Fintower shall implement and maintain appropriate technical and organisational security measures to protect Personal Data in accordance with Article 32 of the GDPR. Specific measures include:
- Encryption in transit: TLS 1.2 minimum for all data in transit
- Encryption at rest: AES-256 encryption for all stored Personal Data
- Access controls: Role-based access control; principle of least privilege; MFA required for administrative access
- Tenant isolation: Logical separation of Customer Data; no cross-tenant data access
- Regular security reviews: Vulnerability assessments; penetration testing
- Backup and recovery: Automated backups; tested and documented recovery procedures
- Personnel security: Confidentiality obligations; security awareness training
- Incident response: Documented incident response plan; 72-hour notification SLA
- Audit logging: Access logs retained for 90 days; immutable audit trails
3.4 Assistance with data subject rights
Fintower shall assist the Controller by appropriate technical and organisational measures in fulfilling the Controller's obligation to respond to Data Subject rights requests, including requests for access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), portability (Art. 20), and objection (Art. 21).
3.5 Assistance with controller obligations
Fintower shall assist the Controller in ensuring compliance with Articles 32–36 of the GDPR, including assisting with DPIAs, breach notification, and making available all information necessary to demonstrate compliance.
3.6 Return or deletion of Personal Data
Upon termination, the Customer may request that Fintower either delete or return all Customer Data and Personal Data. The Customer shall have a 30-day export window following termination. At the end of this 30-day period, all Customer Data shall be permanently deleted, unless retention is required by law.
3.7 Compliance and audits
Fintower shall make available all information necessary to demonstrate compliance with this DPA and the GDPR, and shall allow for audits and inspections conducted by the Controller or an independent auditor designated by the Controller, subject to the following conditions:
- The Controller shall provide at least 15 business days' written notice before any audit
- Audits shall be limited to once per calendar year, unless required by a Supervisory Authority
- The auditor shall sign a non-disclosure agreement acceptable to Fintower before accessing any systems or documentation
- Audits shall be conducted during normal business hours and shall not unreasonably disrupt Fintower's operations
3.8 Notification of security incidents
Fintower shall notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a confirmed or suspected Security Incident. Notification shall include:
- A description of the nature and scope of the Security Incident, including the systems and services affected
- The categories of Personal Data concerned and the approximate number of Data Subjects and records affected
- The likely consequences of the Security Incident for the affected Data Subjects
- The measures taken or proposed to address the Security Incident, including measures to mitigate its adverse effects
4. Controller obligations
4.1 Warranty and authority
The Customer warrants that it has obtained a lawful basis for Processing the Personal Data in accordance with the GDPR and that it is authorised to instruct Fintower to Process Personal Data on its behalf.
4.2 Accuracy and legality of Customer Data
The Customer is responsible for ensuring that all Customer Data uploaded to the Service is accurate, complete, and lawfully obtained.
4.3 Data subject information
The Customer shall ensure that all Data Subjects are informed of the Processing of their Personal Data in accordance with Articles 13 and 14 of the GDPR.
5. Sub-processors
5.1 General authorisation
The Customer grants general authorisation for Fintower to engage Sub-processors to assist in providing the Service.
5.2 List of current sub-processors
A list of current approved Sub-processors is set out in Schedule 1. The Customer may request an up-to-date list at any time.
5.3 Changes to sub-processor list
Fintower shall notify the Customer of any addition or removal of Sub-processors with at least 30 days' prior written notice. The Customer may object within 14 days of receiving notification. If the parties cannot reach agreement, the Customer may terminate the affected subscription services without penalty.
5.4 Liability for sub-processors
Fintower shall remain fully liable to the Customer for the performance of any Sub-processor's obligations under this DPA.
6. International data transfers
6.1 EU-based infrastructure
Fintower's primary infrastructure is based within the European Union.
6.2 Transfers outside the EEA
For any transfers outside the EEA, Fintower shall ensure an adequate level of data protection by relying on:
- EU–US Data Privacy Framework (DPF): For transfers to the United States (Google LLC)
- Standard Contractual Clauses (SCCs): For other transfers outside the EEA (Module 3 – Processor-to-Processor transfers)
6.3 No unauthorised transfers
Fintower shall not transfer Customer Data to any jurisdiction outside the EEA without first updating Schedule 1 and notifying the Customer with at least 30 days' prior notice.
7. Artificial intelligence and model training
7.1 AI-powered analysis features
Fintower provides AI-powered financial analysis features using Amazon (EU). Customer Data is used to generate insights, forecasts, and analyses specific to the Customer's business.
7.2 Tenant isolation
Customer Data is Processed solely within the Customer's isolated environment and tenant. No cross-tenant data access is permitted.
7.3 No model training
Customer Data is never used to train, fine-tune, retrain, or otherwise improve any artificial intelligence or machine learning model, whether operated by Fintower, Amazon, or any other Sub-processor, without the prior explicit written consent of the Customer.
7.4 AI-generated outputs
All AI-generated outputs, analysis, and recommendations are based exclusively on the Customer's own Customer Data and are generated in real time within the Customer's isolated environment. No outputs are shared across Customers.
8. Confidentiality
Both Fintower and the Customer shall keep each other's confidential information strictly confidential. Neither party shall disclose the other party's confidential information to any third party without prior written consent, except as required by law or to professional advisors bound by confidentiality obligations.
9. Security incidents
9.1 Notification obligation
Fintower shall notify the Controller without undue delay upon becoming aware of any confirmed or suspected Security Incident affecting Customer Data.
9.2 Content of notification
Each notification shall include a description of the nature and scope of the incident, the categories and approximate volume of data affected, likely consequences, and measures taken or proposed to address the incident.
9.3 Incident response plan
Fintower maintains a documented incident response plan with a target notification time of 72 hours.
10. Liability
Each party's liability under this DPA is subject to the limitations of liability set out in the main subscription agreement. Nothing in this DPA shall limit or exclude either party's liability for fraud, wilful misconduct, gross negligence, breach of confidentiality obligations, violation of data protection laws, or any liability that cannot be excluded by applicable law.
11. Term and termination
This DPA is effective as of the date of the subscription agreement and continues for its duration. This DPA terminates automatically upon termination of the subscription agreement. Upon termination, the Customer may request that Fintower delete or return all Customer Data in accordance with Section 3.6.
12. Governing law and dispute resolution
This DPA is governed by Swedish law, without regard to conflicts of law principles. Any dispute shall be resolved by the courts of Sweden, with the District Court of Gothenburg (Göteborgs tingsrätt) serving as the court of first instance.
13. Order of precedence
In the event of any conflict between this DPA and the subscription agreement, this DPA shall prevail with respect to the Processing of Personal Data.
14. Amendments
This DPA may be amended only by written agreement signed by authorised representatives of both parties. Fintower may amend this DPA unilaterally to comply with changes in applicable law, provided 30 days' advance notice.
Schedule 1: Approved sub-processors
| Sub-processor | Purpose | Data location | Transfer mechanism |
|---|---|---|---|
| Supabase Inc. | Database storage, authentication, backend infrastructure | EU | EU data residency; SCCs (Module 3) |
| Microsoft Corporation (Entra ID) | SSO and identity authentication | EU | EU data residency; SCCs (Module 3) |
| Amazon Web Services | LLM inference for AI-powered financial analysis + data storage | EU | EU data residency; SCCs (Module 3) |
| Stripe, Inc. | Payment processing for subscriptions and invoicing | EU | EU data residency; SCCs (Module 3) |
| Google LLC (OAuth) | SSO authentication | EU / US | EU–US DPF and SCCs (Module 3) |
| Resend Inc. | Transactional system email delivery | EU | EU data residency; SOC 2 Type II certified |
| Trigger.dev Inc. | Background job orchestration and task scheduling | EU | EU data residency |
| Mixpanel Inc. | Product analytics and conversion tracking | EU | EU data residency; SOC 2 Type II certified |
| PostHog Inc. | Product analytics, feature flags, experimentation | EU | EU data residency (eu.i.posthog.com); SCCs (Module 3) |
| Microsoft Corporation (Clarity) | Session replay and heatmap analytics on marketing site | US | EU–US DPF and SCCs (Module 3) |
| Chatwoot Inc. | Live chat support widget on marketing site | US | SCCs (Module 3); 30-day conversation retention |
Schedule 2: Technical and organisational security measures
Security practices are informed by ISO 27001 principles.
Encryption
- In transit: TLS 1.2 or higher for all communications
- At rest: AES-256 encryption for all Personal Data
Access controls
- Role-based access control (RBAC)
- Multi-factor authentication (MFA) for administrative access
- Strong password policies
- Access logging retained for 90 days (immutable)
Tenant isolation
- Logical separation of Customer Data
- No cross-tenant access
- Encryption at rest applied at the storage layer using AES-256
Vulnerability management
- Regular security reviews and vulnerability assessments
- Annual third-party penetration testing
- Prompt security patch management
Backup and recovery
- Automated, regular backups
- Tested recovery procedures
- Geographically separate offsite storage
Personnel security
- Background checks for employees with access to Personal Data
- Confidentiality agreements
- Regular security awareness training
Incident response
- Documented incident response plan
- 72-hour notification SLA
- Post-incident review process
Schedule 3: Details of processing
Subject matter: Provision of AI-powered FP&A SaaS platform services.
Duration: For the term of the subscription agreement.
Nature and purpose: Fintower shall store, organise, structure, display, analyse, and manipulate Customer Data to provide planning, forecasting, budgeting, and financial analysis capabilities.
Type of Personal Data:
- Names and identification numbers
- Financial transaction data and records
- Payroll data (salary, benefits, deductions)
- Invoice references and financial document data
- Contact details (email addresses, telephone numbers)
- User account information (usernames, email addresses, IP addresses)
Categories of data subjects:
- Employees and contractors of the Customer
- Clients and suppliers of the Customer
Special categories: Fintower does not intentionally Process any special categories of Personal Data (Article 9, GDPR). The Customer warrants that it will not upload any special categories of Personal Data without obtaining prior written consent of Fintower.