Data Processing Agreement
DPA v1 · Last updated: 18.2.2026
This DPA forms part of the Arctura service agreement and supplements the Terms of Service and Privacy Policy. Full DPA v1 draft (17 clauses, Annex A–C, DORA Schedule, EU AI Act Schedule, Art. 22, YT/SVPL) is in docs/legal/DPA_v1_draft.md — request at legal@neurflow.fi. B2B customers may request a signed PDF version at legal@neurflow.fi.
1. Definitions
- Data controller: The Customer who determines the purpose and means of processing personal data.
- Data processor: NeurFlow Oy, which processes personal data on behalf of the Customer.
- Sub-processor: A third party authorised by NeurFlow to process data under this DPA.
2. Purpose of processing
NeurFlow processes the following data on behalf of the Customer:
- Vehicle/device telemetry (GPS, speed, consumption, sensor data)
- Driver/operator data (name, ID, driving hours, fatigue indicators)
- Alerts and event data (timestamp, location, type)
Purpose: Operational intelligence, predictive analytics and reporting for the Customer's business.
2a. Processor obligations (GDPR Art. 28(3))
NeurFlow undertakes to process personal data only on the Customer's documented instructions and to assist the Customer in meeting its GDPR obligations. Specifically:
- Duration of processing: For the term of the agreement; after termination see Section 6.
- Types of data: Telemetry, driver, user and billing data.
- Categories of data subjects: Drivers, operators, administrators, billing contacts.
- DSAR assistance: NeurFlow assists the Customer in fulfilling data subject rights (access, rectification, erasure, restriction, portability) within 30 days.
- Sub-processors: Use of new sub-processors is subject to prior notice; see Section 4.
3. Technical and organisational measures
| Measure | Implementation |
|---|---|
| Encryption at rest | AES-256-GCM |
| Encryption in transit | TLS 1.3 |
| Access control | Supabase RLS, JWT authentication |
| PII scrubbing | DLP before analytics storage |
| Infrastructure | GKE europe-north1 (Hamina, Finland) |
4. Sub-processors
| Sub-processor | Location | Purpose |
|---|---|---|
| Google Cloud Platform | 🇫🇮 Hamina, Finland (europe-north1) | Infrastructure (GKE Web + Engine, BigQuery, DLP) |
| Supabase | 🇮🇪 Ireland (EU-West-1) | PostgreSQL, authentication |
| Stripe | 🇮🇪 Ireland (Stripe Payments Europe) | Payment processing |
| Resend | ⚠️ Verify EU/USA* | Transactional email |
| Google AI (Gemini) | 🇺🇸 / 🇪🇺* | LLM: fleet analytics |
| Anthropic (Claude) | 🇺🇸* | LLM: fleet analytics |
| x.ai (Grok) | 🇺🇸* | LLM: fleet analytics (Global mode) |
| OpenRouter (Mistral, Grok, Claude, Gemini) | 🇪🇺 / 🇺🇸* | LLM: Quant, ESG, EU Enforcement (Mistral) |
| Aleph Alpha | 🇩🇪 Germany | LLM: Päätösyksikkö EU mode — data stays in Europe |
* USA sub-processors: DPF / SCC in place. Resend: transactional email (contact form, order notifications). LLM services process limited telemetry context (device, location, speed); no direct identifiers. Sovereignty Switch: In EU mode, only Mistral and Aleph Alpha are used (data stays in Europe). Full list: /legal/subprocessors-en.
Change notice: NeurFlow will notify the Customer of any new or changed sub-processors at least 30 days before onboarding (by email and/or via the Service). The Customer has the right to object on reasonable grounds within 14 days; in that case the parties will agree on an alternative (e.g. removal of data from that sub-processor) or terminate the agreement in accordance with the contract.
5. Breach notification
NeurFlow notifies the Customer of any data breach within 24 hours of detection (DPA v1: 24h). The notification includes the nature and scope of the breach, impacts on data subjects, and remedial measures.
6. Data deletion and return
Upon termination, NeurFlow provides a data export (JSON/CSV) within 30 days upon request, deletes Customer data from production within 60 days, and provides written confirmation.
NeurFlow Oy · Business ID: 3597951-1 · Helsinki, Finland
DPA inquiries: legal@neurflow.fi