Data Processing Agreement

GDPR Article 28 · Effective 5 April 2026

Note: This DPA is incorporated into and forms part of your agreement with Takko Advisory Oy for use of the TACI Platform. By accepting the Terms of Service, you also accept this DPA on behalf of your organisation.

This Data Processing Agreement ("DPA") is entered into between Takko Advisory Oy ("Processor") and the customer organisation ("Controller") that has agreed to the TACI Platform Terms of Service.

1. Definitions

"Personal Data", "Processing", "Controller", "Processor", "Sub-processor", "Data Subject", and "Supervisory Authority" have the meanings given in the GDPR (Regulation (EU) 2016/679).

2. Subject Matter and Duration

The Processor shall process Personal Data on behalf of the Controller for the purpose of providing the TACI Platform services as described in the Terms of Service. Processing shall continue for the duration of the service agreement.

3. Nature and Purpose of Processing

Categories of data subjects: The Controller's employees, representatives, project members, and partner organisation contacts.

Categories of personal data: Names, email addresses, job titles, organisational affiliations, platform usage data, and any personal data contained in governance documents uploaded to the Platform.

Purpose: To provide collective impact governance services including project management, proposal tracking, decision logging, KPI monitoring, and governance reporting.

4. Processor Obligations

The Processor shall: (a) process Personal Data only on documented instructions from the Controller; (b) ensure that persons authorised to process the data are bound by confidentiality; (c) implement appropriate technical and organisational measures per Article 32 GDPR; (d) assist the Controller in fulfilling data subject rights requests; (e) delete or return all Personal Data upon termination as instructed; (f) make available all information necessary to demonstrate compliance.

5. Sub-processors

The Controller grants general authorisation for the Processor to engage sub-processors. Current sub-processors include: cloud infrastructure providers (EU-hosted), email delivery services, and monitoring tools. The Processor shall notify the Controller of any intended addition or replacement of a sub-processor with 30 days' notice, giving the Controller the opportunity to object before the change takes effect. All sub-processors are bound by written data protection obligations equivalent to those in this DPA, and the Processor remains fully liable to the Controller for the performance of each sub-processor.

6. International Transfers

Personal Data is processed within the EU/EEA. Any transfer outside the EU/EEA will only occur with appropriate safeguards in place (Standard Contractual Clauses or equivalent mechanisms as approved by the European Commission).

7. Security Measures (Article 32 GDPR)

The Processor maintains, in line with Article 32(1) GDPR: pseudonymisation and encryption of Personal Data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; the ability to restore the availability of and access to Personal Data in a timely manner in the event of a physical or technical incident; and a process for regularly testing, assessing and evaluating the effectiveness of these measures. Specific measures include: passwords stored only as bcrypt hashes; all traffic encrypted in transit with HTTPS/TLS; JWT-based authentication; role-based access control; and audit logging of all access to Personal Data.

8. Data Breach Notification

The Processor shall notify the Controller without undue delay (and in any event within 72 hours of becoming aware) of any personal data breach affecting Personal Data processed under this DPA, so that the Controller can meet its own notification obligations under Articles 33 and 34 GDPR. Notification shall include: the nature of the breach; the categories and approximate number of data subjects and records concerned; the likely consequences of the breach; and the measures taken or proposed to address the breach and mitigate its effects. Where not all information is available at the time of the initial notification, it may be provided in phases without undue further delay.

9. Data Subject Rights

The Processor shall assist the Controller in responding to requests from data subjects exercising their rights under GDPR Articles 15–22. The Controller remains responsible for responding to data subjects. The Processor will provide reasonable assistance within 5 business days of receiving a written request.

10. Audit Rights

The Processor shall make available all information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits and inspections conducted by the Controller or a mandated auditor, with reasonable notice.

11. Governing Law

This DPA is governed by Finnish law and the GDPR. Disputes shall be resolved in the District Court of Helsinki.