Data Processing Addendum
Last updated: 6 May 2026
This Data Processing Addendum (“DPA”) forms part of the Terms of Service between sampsa.dev oy (Y-tunnus 3183970-6, “Taulu”, “we”, “us”) and the customer who has accepted those Terms (“Customer”, “you”). It applies whenever you, in your use of Taulu, act as a data controller of personal data and Taulu acts as your data processor under the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) or its UK equivalent.
For your account-level personal data (your email, login, profile), Taulu is the controller, and the Privacy Notice describes that processing. This DPA does not change those controller-level relationships.
1. Definitions
Capitalised terms not defined here have the meaning given in the GDPR. “Customer Personal Data” means the personal data within the Customer Content you upload or generate in Taulu (for example, the content of stickies, kanban cards, comments, attachments, or imported boards).
2. Subject matter, duration, nature and purpose
| Item | Detail |
|---|---|
| Subject matter | Provision of the Taulu collaborative-canvas service |
| Duration | The term of the Terms of Service, plus the export period in §5 of those Terms and the retention windows in the Privacy Notice |
| Nature | Hosting, storage, transmission, display, search, indexing, AI-assisted extraction (only for the photo-import feature you trigger), real-time voice routing through our SFU (end-to-end encrypted between participants; the routing server processes only encrypted packets and audio is never persisted), import from third-party services you connect, and incident-response support |
| Purpose | Enabling collaborative work on a shared canvas as instructed by you |
3. Categories of personal data
Whatever you choose to put into Taulu. Typical categories include:
- Names, email addresses, and other contact data of your collaborators, customers, or stakeholders that you place on a board.
- Free-text content and attachments that may incidentally contain personal data.
- Where you connect a Trello or Miro account, content you import from that service, including authorship and timestamps.
- Voice audio exchanged in board voice rooms. Audio is end-to-end encrypted between participants using per-room SFrame keys; our routing server forwards only ciphertext and never receives or stores plaintext audio. Voice room state (membership, ephemeral in-room text chat) is held in memory only and is never persisted to disk.
You decide what to upload. We do not solicit or require any particular category.
4. Categories of data subjects
The natural persons whose personal data you choose to process through Taulu, typically your employees, collaborators, customers, and other contacts.
5. Documented instructions
Your use of Taulu, the configuration choices you make in Settings and in the organisation Admin area, and any written instructions you send us at [email protected] constitute your documented processing instructions. We process Customer Personal Data only on those instructions, except where applicable law requires otherwise (in which case we will, where permitted, tell you of the legal requirement before processing).
6. Customer responsibilities
You are responsible for:
- having a lawful basis for the processing you carry out through Taulu;
- providing transparency notices to your data subjects;
- responding to data subject requests directed at you (we assist per §11);
- the accuracy, quality, and legality of Customer Personal Data;
- choosing whether and when to use the photo-import feature (see §10 and §9 of the Terms);
- restricting access within your organisation to people who need it.
7. Our obligations as processor
We will:
- process Customer Personal Data only on your documented instructions (§5);
- ensure that personnel with access are bound by appropriate confidentiality obligations;
- implement the security measures described in §9 below and in the Privacy Notice;
- assist you with data subject requests, security, breach notification, data protection impact assessments, and prior consultation, to the extent reasonable given the nature of the Service and the information available to us;
- on request at the end of the processing, delete or return Customer Personal Data per §13.
8. Sub-processors
You authorise us to engage the sub-processors listed in the Privacy Notice. We impose contractual obligations on each sub-processor that are at least as protective as this DPA. We remain liable to you for the acts and omissions of our sub-processors as if they were our own.
We will tell you of any new or replacement sub-processor with at least 30 days’ notice, by email and in the Privacy Notice’s sub-processor table. If you object on reasonable data-protection grounds, you may terminate the affected portion of the Service per the Terms; we are not obliged to continue using a sub-processor we have a legitimate business reason to engage.
9. Security measures
We maintain appropriate technical and organisational measures proportionate to the risk, including:
- encryption in transit (TLS 1.2+) and encryption at rest for object storage;
- end-to-end encryption between participants for voice rooms, with per-room SFrame keys (the routing server processes only encrypted packets);
- least-privilege access controls and audit logging of administrative and incident-response operations;
- separate environments for development, test, and production;
- rate limiting, bot-mitigation, and anti-abuse controls on authentication endpoints;
- regular dependency scanning and patching;
- backup and restore tested as part of routine ops;
- a documented incident-response process.
The current control set may evolve. We will not materially weaken overall protection.
10. International transfers
Our hosting infrastructure is in Helsinki, Finland (EU) and our AI sub-processor (Mistral AI SAS) operates in Paris, France (EU). A small number of sub-processors are located outside the EEA (e.g. Cloudflare edge nodes serving non-EU traffic). For any such transfer we rely on the European Commission’s Standard Contractual Clauses (SCCs) 2021/914, with supplementary measures where required. Where the UK GDPR applies, the UK International Data Transfer Addendum to the SCCs applies. The Privacy Notice lists each sub-processor’s location.
11. Data subject rights
Where a data subject contacts us directly with a request relating to Customer Personal Data, we will refer them to you and not respond substantively, unless you instruct us otherwise. We will, taking into account the nature of the processing, assist you by appropriate technical and organisational measures (including the export tools in the canvas) to fulfil your obligation to respond to data subject requests. Data subjects in Finland may also contact the Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto) directly; data subjects elsewhere in the EEA / UK may contact their local supervisory authority.
12. Personal data breach
If we become aware of a personal data breach affecting Customer Personal Data we will notify you without undue delay and in any event within 72 hours of becoming aware. Our notice will describe the nature of the breach, the categories and approximate volume of data subjects and records concerned, the likely consequences, and the measures taken or proposed. You remain responsible for any notifications you must make to supervisory authorities or data subjects under Articles 33-34 GDPR.
13. Return or deletion on termination
On termination or expiry of the Service, you may export your boards through the canvas export tools for the period described in §5 of the Terms. After that period, and in any event within a reasonable time after final termination, we will delete Customer Personal Data from production systems. Backups containing Customer Personal Data will age out per the retention rules in the Privacy Notice; while they remain we will not actively use them and will continue to apply this DPA to any access to them. If applicable law requires retention of specific records, we will keep only what the law requires.
14. Audits
You may, no more than once per twelve-month period and on at least 30 days’ written notice, request the documentation we maintain to demonstrate compliance with this DPA, including summaries of penetration tests and the security control set under §9. We are not obliged to grant on-site inspections or to disclose information that would compromise the security of other customers, our intellectual property, or our trade secrets. The supervisory authorities’ statutory audit powers are unaffected.
15. Order of precedence
In the event of a conflict between this DPA and the Terms of Service, this DPA prevails for matters of personal data processing. For all other matters the Terms of Service prevail.
16. Liability
Each party’s liability under or in connection with this DPA is subject to the liability cap and exclusions in §19 of the Terms of Service.
17. Governing law and forum
This DPA is governed by the laws of Finland, without regard to conflict-of-laws principles. Disputes arising out of or in connection with this DPA are subject to the exclusive jurisdiction of the Helsinki District Court (Helsingin käräjäoikeus) as the court of first instance, on the same terms as §23 of the Terms of Service. Where applicable EU data-protection law gives a data subject or supervisory authority a different competent forum, that statutory right is unaffected.
18. Effective date and changes
This DPA takes effect on your acceptance of the Terms of Service and remains in force for as long as we process Customer Personal Data on your behalf. We may update this DPA in line with §22 of the Terms; material changes are announced at least 30 days in advance.
Contact
Data-protection questions: [email protected] with the word “privacy” in the subject line.
sampsa.dev oy
Fredikanterassi 7 C 120
00520 Helsinki
Finland