Background
This Data Processing Agreement ("DPA") is an appendix to the Howspace Master Subscription Agreement (the "MSA"; the MSA together with this DPA and the other appendices, the "Agreement").
Under the Agreement, Howspace Oy (the "Supplier") processes personal data on behalf of the Customer in order to provide the Howspace platform and related services (the "Purpose"). This DPA sets out the data-protection terms that apply to that processing.
The categories of personal data processed, the categories of data subjects, the processing activities, and the nature, purpose and duration of the processing are described in Schedule A.
This DPA forms an integral part of the Agreement. If anything in this DPA conflicts with anything elsewhere in the Agreement on the processing of personal data, this DPA prevails. On other matters, the priority of documents set out in section 2 of the MSA applies.
Definitions
In this DPA, the terms "process", "processing", "personal data", "data controller", "data processor", "data subject", "personal data breach" and "special categories of personal data" have the meanings given in the Data Protection Laws.
"Data Protection Laws" means any applicable data-protection, privacy and security legislation that applies to personal data processed in the provision of the Service, including the General Data Protection Regulation (Regulation (EU) 2016/679, the "GDPR").
Other capitalised terms used in this DPA have the meanings given in the MSA, unless otherwise stated.
This DPA applies to processing activities in which the Supplier acts as a data processor (or as a sub-processor of the Customer). It does not apply to personal data that the Supplier processes as a data controller, for example contact details of the Customer's representatives that the Supplier processes for its own purposes; that processing is governed by the Supplier's own privacy notice.
1. Supplier obligations
The Supplier shall process personal data only in accordance with the Agreement, the Data Protection Laws, and the Customer's documented and lawful instructions. Where carrying out the Customer's instructions is not mandatory under the laws applicable to the Supplier, and would require the Supplier to incur material additional cost or effort, the Supplier may invoice that cost or effort on a time-and-materials basis after agreement with the Customer.
The Supplier shall process personal data only for the Purpose, and only to the extent and for the duration necessary to provide the Service.
The Supplier shall ensure that personnel authorised to process personal data have committed to confidentiality (whether by contract, by code of conduct, or by statutory duty).
The Supplier shall reasonably assist the Customer in responding to requests from data subjects exercising their statutory rights, and to requests from supervisory authorities. If the Supplier receives such a request directly, it shall notify the Customer without undue delay and shall not respond on behalf of the Customer unless authorised.
The Supplier shall reasonably assist the Customer in meeting its obligations on security, data-protection impact assessments, breach notifications, and prior consultations with supervisory authorities, in each case to the extent required by the Data Protection Laws and to the extent the Supplier has the necessary information.
Each party shall take appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage. The Supplier's measures are described in Appendix 3 (Trust & Security Annex). The Supplier shall limit access to personal data to authorised and properly trained personnel on a need-to-know basis.
On the Customer's written request, the Supplier shall provide the Customer with the information it needs to demonstrate the Supplier's compliance with this DPA, in accordance with section 4 (Proof of compliance and audits).
On written request from the Customer, the Supplier shall provide the Customer with Customer Data in an electronic form commonly in use, in accordance with section 14 of the MSA (Switching and data portability).
2. Customer obligations
The Customer warrants that it is entitled to transfer the relevant personal data to the Supplier so that the Supplier may lawfully process the personal data for the Purpose and in accordance with the Agreement, on behalf of the Customer and where applicable as the Customer's sub-processor.
The Customer warrants that it is, and remains throughout the Term, in compliance with its obligations under the Data Protection Laws as a data controller, including in respect of informing data subjects and, where applicable, obtaining their consent.
3. Sub-processors
3.1 General authorisation. The Customer authorises the Supplier to use sub-processors for the processing of personal data under the Agreement, on the terms set out in this section 3. The Supplier remains responsible for the acts and omissions of its sub-processors as if they were its own. The Supplier shall enter into written agreements with each sub-processor on terms that are materially equivalent to those in this DPA for the protection of personal data.
3.2 Current list. The Supplier's current sub-processors are listed in Schedule B. The Supplier maintains an up-to-date list of sub-processors and publishes it on the Supplier's website. The Supplier shall notify the Customer of any addition or replacement of a sub-processor at least thirty (30) days before the change takes effect.
3.3 Objection and refund. The Customer may, on justified grounds related to data protection or privacy, object in writing to the use of a specific new or replacement sub-processor. The parties shall use reasonable efforts to find an alternative solution. If no alternative solution can be agreed within thirty (30) days of the Customer's objection, the Customer may terminate the affected Service for convenience by written notice, and the Supplier shall refund the pro-rated portion of any pre-paid Service Fees for the period after termination takes effect in respect of that Service.
3.4 Marketplace third parties. Third parties that provide integrations, services, templates or other offerings listed on the Howspace Marketplace (the "Marketplace") are not sub-processors of the Supplier under this DPA, except where the Supplier has expressly added them to Schedule B. Where the Customer activates a third-party integration that exchanges personal data with the Service, the resulting data flow is initiated by the Customer through the Marketplace, and the Customer engages the relevant third party directly. The Customer is responsible for the lawful basis of any such data transfer and for putting in place any contractual arrangement (including any data processing agreement) it requires with that third party. The Supplier's role in respect of Marketplace third parties is limited to operating the Marketplace directory, as set out in the Howspace Marketplace Terms of Service.
4. Proof of compliance and audits
4.1 Certifications and documentation. On the Customer's written request, the Supplier shall provide:
- a current copy of the Supplier's ISO/IEC 27001:2022 certificate;
- a summary of the technical and organisational measures set out in Appendix 3 (Trust & Security Annex), updated for the current Term; and
- where required by the Data Protection Laws, the Supplier's then-current transfer impact assessments for international transfers under Schedule C.
4.2 Written questionnaire. The Customer may, no more than once per twelve-month period (except in the case of a documented suspicion of a material breach by the Supplier or following a personal data breach affecting the Customer), submit to the Supplier a reasonable written questionnaire concerning the Supplier's compliance with this DPA. The Supplier shall respond within a reasonable time, normally no more than thirty (30) calendar days.
4.3 On-site audit. Where the Customer has documented grounds to believe that the Supplier is materially in breach of this DPA, and the Supplier's response under sections 4.1 and 4.2 does not adequately address those grounds, the Customer may conduct, or commission an independent third-party auditor (subject to the third-party auditor's signing a confidentiality undertaking acceptable to the Supplier acting reasonably) to conduct, an audit of the Supplier's facilities and processing activities relevant to the provision of the Service to the Customer. The audit shall be conducted:
- at the Customer's cost (except where the audit identifies a material breach by the Supplier, in which case the Supplier shall reimburse the Customer's reasonable audit costs);
- on at least thirty (30) days' prior written notice;
- during normal business hours;
- in a manner that does not disrupt the Supplier's operations or the security or availability of the Service for other customers; and
- subject to the confidentiality obligations in the Agreement.
4.4 Sub-processor facilities. The Customer acknowledges that audit rights in respect of certain sub-processors' facilities (in particular hyperscale cloud providers) may not be available in the form of on-site audits, and that the Supplier's reasonable cooperation in such cases consists of providing the relevant sub-processor's then-current third-party assurance reports and certifications (such as ISO/IEC 27001 and SOC 2 reports), and reasonable responses to written questions, in lieu of physical access to the sub-processor's facilities.
5. International transfers
5.1 Default residency. Customer Data is hosted in the European Union or the European Economic Area (EU/EEA) by default. Personal data is processed within the EU/EEA except where Schedule C identifies a specific sub-processor that processes personal data outside the EU/EEA.
5.2 Transfer mechanisms. The Supplier shall not transfer any personal data processed under this DPA outside the EU/EEA unless the transfer is subject to a valid transfer mechanism under the Data Protection Laws, such as an adequacy decision (including the EU–US Data Privacy Framework) or the Standard Contractual Clauses adopted by the European Commission. Schedule C identifies the transfer mechanism and the supplementary measures relied on for each such sub-processor.
6. Personal data breach
6.1 Notification. The Supplier shall notify the Customer without undue delay, and in any event within seventy-two (72) hours of the Supplier's confirmation of a personal data breach affecting the Customer's personal data. The notice shall include the information then reasonably available to the Supplier that the Customer needs to fulfil its own notification obligations under the Data Protection Laws.
6.2 Ongoing information. The Supplier shall continue to provide the Customer with additional information about the breach as it becomes available.
6.3 Cooperation. The Supplier shall reasonably cooperate with the Customer in any investigation, regulatory process or remediation arising from or in connection with the breach.
6.4 Order-Form-level variation. The parties may agree, in the Order Form, a shorter notification window than the seventy-two (72) hours specified in section 6.1.
7. Deletion of personal data
Within a reasonable period of time after termination or expiry of the Agreement, the Supplier shall delete or return to the Customer all personal data that the Supplier processes on behalf of the Customer as data processor or sub-processor, in accordance with section 14 (Switching and data portability) of the MSA, except to the extent that the Supplier is required by applicable law to retain copies.
8. Liability
Each party's liability for damages incurred by any data subject in connection with the processing of personal data under the Agreement is determined in accordance with Article 82 of the GDPR or another corresponding applicable provision of mandatory data-protection law. For clarity, this section 8 applies exclusively to damages incurred by data subjects in connection with the processing of personal data under the Agreement; the liability provisions in section 12 of the MSA apply to all other types of damages.
Schedule A — Summary of data processing
All capitalised terms have the same meaning as in the DPA, unless separately defined here.
1. Nature and purposes of processing personal data
The Supplier operates a web-based engagement platform called Howspace as a SaaS offering, the purpose of which is to enable organisations to create and host organisational development processes or training programmes. Administrators chosen by the organisations can create private workspaces for selected groups of people and invite participants to join those workspaces. Users can use the workspaces to discuss ideas, exchange information and documents and share their expertise with other participants. Administrators have a set of tools to steer participants' activities and create content.
Howspace processes personal data of the Customer's or its End Customer's employees or representatives to create and maintain administrator rights to the Howspace platform. Howspace processes personal data of platform users (typically employees or representatives of the Customer, its End Customers, or third parties) to identify each user joining a workspace. To enable certain service features and to ensure the functionality and security of the platform, Howspace also processes log file data of each user.
The personal data is processed by the Supplier as data processor on behalf of the Customer in order to provide the Howspace platform for the Customer's use.
2. Categories of data subjects
- Employees and representatives of the Customer or its End Customers.
- Authorised users of the Howspace platform.
3. Types of personal data processed
- Full name.
- Contact details.
- Web server log files (request source IP address, request time and date, user-agent identification).
- Howspace log files (user email, request time, user-agent identification).
- Howspace AI subsystem log files (customer ID, workspace ID, execution time, timestamp).
4. Duration of processing
Personal data is processed for the duration of the Agreement.
Schedule B — Sub-processors
The current list of sub-processors is also published on the Supplier's website. The Supplier shall give the Customer prior notice of any change to this list in accordance with section 3.2 of this DPA.
| Sub-processor | Country of incorporation | Purpose of processing | Processing location / transfer basis |
|---|---|---|---|
| AWS EMEA SARL | Luxembourg | Cloud services for data storage, web hosting, management and related technical and support services concerning the Howspace platform and related services. | Primarily Sweden; the exact EU country may vary depending on availability. |
| Intercom R&D Unlimited Company | Ireland | Customer communication and customer support. | Ireland. |
| Whereby AS | Norway | Live widget (video). | Ireland. |
| DeepL SE | Germany | Translation functionality. | Finland. |
| Microsoft Operations Limited | Ireland | AI functionality for prompting and summarising (Azure OpenAI). | Primarily Ireland; the exact EU country may vary depending on availability. |
| Mailgun Technologies Inc. | United States | Backup email functionality if AWS is not available. | Germany and Belgium. International transfers subject to the EU–US Data Privacy Framework and Standard Contractual Clauses. |
| Vercel Inc. | United States | Frontend cloud hosting of static assets and Content Delivery Network (CDN). | Global Edge Network. Static assets requested by EU users are served directly from EU-based edge nodes. International transfers subject to the EU–US Data Privacy Framework and Standard Contractual Clauses. |
| Qdrant Solutions GmbH | Germany | Managed vector database cloud for AI similarity search and embeddings storage. | Sweden. |
| Cloudflare, Inc. | United States | Content Delivery Network (CDN), Web Application Firewall (WAF), DNS and DDoS protection. | Global Edge Network. Web traffic and security filtering are dynamically routed to the edge data centre closest to the user (including EU locations); traffic metadata, security logs and analytics are processed globally, including in the United States. International transfers subject to the EU–US Data Privacy Framework and Standard Contractual Clauses. |
Schedule C — Summary of international transfers
This Schedule identifies sub-processors that may involve the transfer of personal data outside the EU/EEA, the legal basis on which each transfer is made and the principal safeguards in place. The Supplier maintains, and makes available to the Customer on written request, copies of the executed Standard Contractual Clauses (redacted of pricing and other commercially sensitive information) and a summary of the most recent transfer impact assessment for each such transfer.
AWS EMEA SARL (Luxembourg), Intercom (Ireland), Whereby (Norway — adequacy decision), DeepL (Germany), Microsoft Operations Limited (Ireland) and Qdrant Solutions GmbH (Germany) process personal data exclusively within the EU/EEA or in countries benefiting from an EU Commission adequacy decision. No additional transfer mechanism is required for these sub-processors.
| Sub-processor | Country of incorporation | Personal data categories transferred | Transfer mechanism | Principal supplementary measures |
|---|---|---|---|---|
| Mailgun Technologies Inc. | United States (data hosted in Germany and Belgium) | Account Data, Howspace log files (email addresses, message metadata) — only when AWS email is unavailable | EU–US Data Privacy Framework (Mailgun self-certification); EU Commission Standard Contractual Clauses (Module 3, processor-to-sub-processor) as backstop. | Encryption in transit (TLS 1.2+); access controls; logging; data minimisation (failover use only); TIA last reviewed [DATE]; assessed as adequate. |
| Vercel Inc. | United States (static assets served from Global Edge Network; EU users served from EU edge nodes) | Web server log files (request source IP, timestamps, user-agent strings) | EU–US Data Privacy Framework (Vercel self-certification); EU Commission Standard Contractual Clauses (Module 3) as backstop. | EU edge routing for EU users; encryption in transit; no static assets contain application-level personal data; TIA last reviewed [DATE]; assessed as adequate. |
| Cloudflare, Inc. | United States (traffic routed to nearest edge; metadata processed globally including in the US) | Web server log files, security event logs, IP addresses, request metadata | EU–US Data Privacy Framework (Cloudflare self-certification); EU Commission Standard Contractual Clauses (Module 3) as backstop; Cloudflare Data Localization Suite where configured. | EU edge routing for EU users; encryption in transit; aggregated/anonymised analytics where possible; TIA last reviewed [DATE]; assessed as adequate. |
How to obtain the underlying documents
On written request to privacy@howspace.com, the Supplier will provide the Customer with: (a) the executed Standard Contractual Clauses with the relevant sub-processor (redacted of pricing and other commercially sensitive information); (b) a summary of the relevant transfer impact assessment, including the supplementary technical, organisational and contractual measures relied on; and (c) the sub-processor's current Data Privacy Framework certification status (where applicable).