Data Processing Agreement

Version 2.3 | Last updated: 2026-04-23

Parties

Data Processor: Fintower AB
Organisation number: 559468-3913
Address: Masthamnsgatan 21, 413 29 Göteborg, Sweden
(hereinafter "Fintower" or "Processor")

Data Controller: The Customer entity that has entered into a subscription agreement with Fintower
(hereinafter "Customer" or "Controller")

1. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR.

"Processing" means any operation performed on Personal Data, as defined in Article 4(2) of the GDPR, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, or erasure.

"Controller" means the natural or legal person which determines the purposes and means of Processing of Personal Data. In this DPA, the Controller is the Customer.

"Processor" means the natural or legal person which Processes Personal Data on behalf of the Controller. In this DPA, the Processor is Fintower.

"Sub-processor" means any entity engaged by the Processor to Process Personal Data on behalf of the Controller, as defined in Article 28(2) of the GDPR.

"Data Subject" means the individual to whom Personal Data relates.

"GDPR" means Regulation (EU) 2016/679.

"Supervisory Authority" means an independent public authority designated by a Member State.

"Security Incident" means any confirmed or suspected breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Data.

"Customer Data" means all Personal Data uploaded to, stored on, or Processed by the Service on the Customer's behalf.

"Service" means the AI-powered financial planning and analysis (FP&A) SaaS platform provided by Fintower.

"Data Protection Act" means the Swedish Data Protection Act (Dataskyddslagen, 2018:218).

2. Scope and purpose of processing

2.1 Purpose and instruction

Fintower shall Process Personal Data solely for the purpose of providing the Service as described in the subscription agreement. Fintower shall Process Personal Data only on the documented instructions of the Customer, unless required to do so by EU law or Swedish law.

2.2 Categories of data subjects

  • Employees and contractors of the Customer
  • Clients and suppliers of the Customer (indirectly, as named parties in financial records, invoices, payroll data, and accounting records)

2.3 Categories of Personal Data

  • Names and identification numbers of individuals
  • Financial transaction data and records
  • Payroll data (including salary and benefits information)
  • Invoice references and financial document data
  • Contact details of the Customer's counterparties (email addresses, telephone numbers)
  • User account information (usernames, email addresses)

2.4 Duration of processing

Processing shall continue for the duration of the subscription agreement. Upon termination, Personal Data shall be handled in accordance with Section 3.6 of this DPA.

3. Processor obligations

3.1 Instruction-only processing

Fintower shall Process Personal Data only on documented instructions from the Controller. If Fintower is required to Process Personal Data by law, it shall, to the extent permitted by law, notify the Controller without undue delay.

3.2 Confidentiality

Fintower shall ensure that any person authorised to Process Customer Data is placed under a binding obligation of confidentiality or is otherwise under an appropriate legal obligation of confidentiality.

3.3 Technical and organisational security measures

Fintower shall implement and maintain appropriate technical and organisational security measures to protect Personal Data in accordance with Article 32 of the GDPR. Specific measures include:

  • Encryption in transit: TLS 1.2 minimum for all data in transit
  • Encryption at rest: AES-256 encryption for all stored Personal Data
  • Access controls: Role-based access control; principle of least privilege; MFA required for administrative access
  • Tenant isolation: Logical separation of Customer Data; no cross-tenant data access
  • Regular security reviews: Vulnerability assessments; penetration testing
  • Backup and recovery: Automated backups; tested and documented recovery procedures
  • Personnel security: Confidentiality obligations; security awareness training
  • Incident response: Documented incident response plan; 72-hour notification SLA
  • Audit logging: Access logs retained for 90 days; immutable audit trails

3.4 Assistance with data subject rights

Fintower shall assist the Controller by appropriate technical and organisational measures in fulfilling the Controller's obligation to respond to Data Subject rights requests, including requests for access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), portability (Art. 20), and objection (Art. 21).

3.5 Assistance with controller obligations

Fintower shall assist the Controller in ensuring compliance with Articles 32–36 of the GDPR, including assisting with DPIAs, breach notification, and making available all information necessary to demonstrate compliance.

3.6 Return or deletion of Personal Data

Upon termination, the Customer may request that Fintower either delete or return all Customer Data and Personal Data. The Customer shall have a 30-day export window following termination. At the end of this 30-day period, all Customer Data shall be permanently deleted, unless retention is required by law.

3.7 Compliance and audits

Fintower shall make available all information necessary to demonstrate compliance with this DPA and the GDPR, and shall allow for audits and inspections conducted by the Controller or an independent auditor designated by the Controller, subject to the following conditions:

  • The Controller shall provide at least 15 business days' written notice before any audit
  • Audits shall be limited to once per calendar year, unless required by a Supervisory Authority
  • The auditor shall sign a non-disclosure agreement acceptable to Fintower before accessing any systems or documentation
  • Audits shall be conducted during normal business hours and shall not unreasonably disrupt Fintower's operations

3.8 Notification of security incidents

Fintower shall notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a confirmed or suspected Security Incident. Notification shall include:

  • A description of the nature and scope of the Security Incident, including the systems and services affected
  • The categories of Personal Data concerned and the approximate number of Data Subjects and records affected
  • The likely consequences of the Security Incident for the affected Data Subjects
  • The measures taken or proposed to address the Security Incident, including measures to mitigate its adverse effects

4. Controller obligations

4.1 Warranty and authority

The Customer warrants that it has obtained a lawful basis for Processing the Personal Data in accordance with the GDPR and that it is authorised to instruct Fintower to Process Personal Data on its behalf.

4.2 Accuracy and legality of Customer Data

The Customer is responsible for ensuring that all Customer Data uploaded to the Service is accurate, complete, and lawfully obtained.

4.3 Data subject information

The Customer shall ensure that all Data Subjects are informed of the Processing of their Personal Data in accordance with Articles 13 and 14 of the GDPR.

5. Sub-processors

5.1 General authorisation

The Customer grants general authorisation for Fintower to engage Sub-processors to assist in providing the Service.

5.2 List of current sub-processors

A list of current approved Sub-processors is set out in Schedule 1. The Customer may request an up-to-date list at any time.

5.3 Changes to sub-processor list

Fintower shall notify the Customer of any addition or removal of Sub-processors with at least 30 days' prior written notice. The Customer may object within 14 days of receiving notification. If the parties cannot reach agreement, the Customer may terminate the affected subscription services without penalty.

5.4 Liability for sub-processors

Fintower shall remain fully liable to the Customer for the performance of any Sub-processor's obligations under this DPA.

6. International data transfers

6.1 EU-based infrastructure

Fintower's primary infrastructure is based within the European Union.

6.2 Transfers outside the EEA

For any transfers outside the EEA, Fintower shall ensure an adequate level of data protection by relying on:

  • EU–US Data Privacy Framework (DPF): For transfers to the United States (Google LLC)
  • Standard Contractual Clauses (SCCs): For other transfers outside the EEA (Module 3 – Processor-to-Processor transfers)

6.3 No unauthorised transfers

Fintower shall not transfer Customer Data to any jurisdiction outside the EEA without first updating Schedule 1 and notifying the Customer with at least 30 days' prior notice.

7. Artificial intelligence and model training

7.1 AI-powered analysis features

Fintower provides AI-powered financial analysis features using Amazon (EU). Customer Data is used to generate insights, forecasts, and analyses specific to the Customer's business.

7.2 Tenant isolation

Customer Data is Processed solely within the Customer's isolated environment and tenant. No cross-tenant data access is permitted.

7.3 No model training

Customer Data is never used to train, fine-tune, retrain, or otherwise improve any artificial intelligence or machine learning model, whether operated by Fintower, Amazon, or any other Sub-processor, without the prior explicit written consent of the Customer.

7.4 AI-generated outputs

All AI-generated outputs, analysis, and recommendations are based exclusively on the Customer's own Customer Data and are generated in real time within the Customer's isolated environment. No outputs are shared across Customers.

8. Confidentiality

Both Fintower and the Customer shall keep each other's confidential information strictly confidential. Neither party shall disclose the other party's confidential information to any third party without prior written consent, except as required by law or to professional advisors bound by confidentiality obligations.

9. Security incidents

9.1 Notification obligation

Fintower shall notify the Controller without undue delay upon becoming aware of any confirmed or suspected Security Incident affecting Customer Data.

9.2 Content of notification

Each notification shall include a description of the nature and scope of the incident, the categories and approximate volume of data affected, likely consequences, and measures taken or proposed to address the incident.

9.3 Incident response plan

Fintower maintains a documented incident response plan with a target notification time of 72 hours.

10. Liability

Each party's liability under this DPA is subject to the limitations of liability set out in the main subscription agreement. Nothing in this DPA shall limit or exclude either party's liability for fraud, wilful misconduct, gross negligence, breach of confidentiality obligations, violation of data protection laws, or any liability that cannot be excluded by applicable law.

11. Term and termination

This DPA is effective as of the date of the subscription agreement and continues for its duration. This DPA terminates automatically upon termination of the subscription agreement. Upon termination, the Customer may request that Fintower delete or return all Customer Data in accordance with Section 3.6.

12. Governing law and dispute resolution

This DPA is governed by Swedish law, without regard to conflicts of law principles. Any dispute shall be resolved by the courts of Sweden, with the District Court of Gothenburg (Göteborgs tingsrätt) serving as the court of first instance.

13. Order of precedence

In the event of any conflict between this DPA and the subscription agreement, this DPA shall prevail with respect to the Processing of Personal Data.

14. Amendments

This DPA may be amended only by written agreement signed by authorised representatives of both parties. Fintower may amend this DPA unilaterally to comply with changes in applicable law, provided 30 days' advance notice.

Schedule 1: Approved sub-processors

Sub-processorPurposeData locationTransfer mechanism
Supabase Inc.Database storage, authentication, backend infrastructureEUEU data residency; SCCs (Module 3)
Microsoft Corporation (Entra ID)SSO and identity authenticationEUEU data residency; SCCs (Module 3)
Amazon Web ServicesLLM inference for AI-powered financial analysis + data storageEUEU data residency; SCCs (Module 3)
Stripe, Inc.Payment processing for subscriptions and invoicingEUEU data residency; SCCs (Module 3)
Google LLC (OAuth)SSO authenticationEU / USEU–US DPF and SCCs (Module 3)
Resend Inc.Transactional system email deliveryEUEU data residency; SOC 2 Type II certified
Trigger.dev Inc.Background job orchestration and task schedulingEUEU data residency
Mixpanel Inc.Product analytics and conversion trackingEUEU data residency; SOC 2 Type II certified
PostHog Inc.Product analytics, feature flags, experimentationEUEU data residency (eu.i.posthog.com); SCCs (Module 3)
Microsoft Corporation (Clarity)Session replay and heatmap analytics on marketing siteUSEU–US DPF and SCCs (Module 3)
Chatwoot Inc.Live chat support widget on marketing siteUSSCCs (Module 3); 30-day conversation retention

Schedule 2: Technical and organisational security measures

Security practices are informed by ISO 27001 principles.

Encryption

  • In transit: TLS 1.2 or higher for all communications
  • At rest: AES-256 encryption for all Personal Data

Access controls

  • Role-based access control (RBAC)
  • Multi-factor authentication (MFA) for administrative access
  • Strong password policies
  • Access logging retained for 90 days (immutable)

Tenant isolation

  • Logical separation of Customer Data
  • No cross-tenant access
  • Encryption at rest applied at the storage layer using AES-256

Vulnerability management

  • Regular security reviews and vulnerability assessments
  • Annual third-party penetration testing
  • Prompt security patch management

Backup and recovery

  • Automated, regular backups
  • Tested recovery procedures
  • Geographically separate offsite storage

Personnel security

  • Background checks for employees with access to Personal Data
  • Confidentiality agreements
  • Regular security awareness training

Incident response

  • Documented incident response plan
  • 72-hour notification SLA
  • Post-incident review process

Schedule 3: Details of processing

Subject matter: Provision of AI-powered FP&A SaaS platform services.

Duration: For the term of the subscription agreement.

Nature and purpose: Fintower shall store, organise, structure, display, analyse, and manipulate Customer Data to provide planning, forecasting, budgeting, and financial analysis capabilities.

Type of Personal Data:

  • Names and identification numbers
  • Financial transaction data and records
  • Payroll data (salary, benefits, deductions)
  • Invoice references and financial document data
  • Contact details (email addresses, telephone numbers)
  • User account information (usernames, email addresses, IP addresses)

Categories of data subjects:

  • Employees and contractors of the Customer
  • Clients and suppliers of the Customer

Special categories: Fintower does not intentionally Process any special categories of Personal Data (Article 9, GDPR). The Customer warrants that it will not upload any special categories of Personal Data without obtaining prior written consent of Fintower.