Data Processing Agreement

Last updated: 11 March 2026

This Data Processing Agreement (“DPA”) forms part of the agreement between Kodeo Labs Ab (“Kodeo”, “Processor”, “we”, “us”, “our”) and the customer entity or person using Kodeo Work as a business service (“Customer”, “Controller”, “you”).

This DPA applies where Kodeo processes personal data on behalf of the Customer in connection with the provision of Kodeo Work.

This DPA is made available to Customers through Kodeo Work, the Kodeo website, or by request via support@kodeo.io, and forms part of the agreement governing the use of Kodeo Work where applicable.

1. Parties

Processor: Kodeo Labs Ab, Småholmavägen 3B 1, 22120 Mariehamn, Åland, Finland, support@kodeo.io

Controller: The Customer identified in the applicable Kodeo Work account, order, subscription, or other service agreement.

2. Purpose and scope

This DPA sets out the terms under which Kodeo processes personal data on behalf of the Customer when providing Kodeo Work.

This DPA applies only to processing where the Customer acts as a controller and Kodeo acts as a processor under applicable data protection law.

3. Subject matter and duration

The subject matter of the processing is the provision of Kodeo Work, including related hosting, support, authentication, email delivery, maintenance, and security operations.

The duration of the processing is the period during which Kodeo processes personal data on behalf of the Customer in connection with the provision of Kodeo Work, until deletion or return of the personal data in accordance with this DPA and the parties’ agreement.

4. Nature and purpose of the processing

Kodeo may process personal data as necessary to provide, maintain, secure, and support Kodeo Work.

This may include the collection, storage, organisation, structuring, retrieval, consultation, use, transmission, hosting, backup, and deletion of personal data submitted to or generated through Kodeo Work.

The purpose of the processing is to provide the Kodeo Work service to the Customer and to perform related support, security, and service operations in accordance with the Customer’s documented instructions.

5. Categories of data subjects and personal data

The categories of data subjects may include, depending on how the Customer uses Kodeo Work:

The categories of personal data may include, depending on how the Customer uses Kodeo Work:

The Customer acknowledges that Kodeo Work is not intended for the processing of special categories of personal data unless expressly agreed in writing by Kodeo.

6. Customer instructions

Kodeo will process personal data only on documented instructions from the Customer, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by applicable law.

The parties agree that the Customer’s use of Kodeo Work, configuration of the service, and written instructions provided through the service, support channels, or other agreed means constitute the Customer’s documented instructions.

If Kodeo believes an instruction infringes applicable data protection law, Kodeo may inform the Customer and suspend the affected processing until the issue is resolved.

7. Confidentiality

Kodeo will ensure that persons authorised to process personal data are subject to appropriate confidentiality obligations, whether contractual or statutory.

8. Security

Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risks to individuals, Kodeo will implement appropriate technical and organisational measures designed to protect personal data.

Such measures may include, as appropriate:

9. Subprocessors

The Customer grants Kodeo general written authorisation to engage subprocessors to support the provision of Kodeo Work.

As of the date of this DPA, Kodeo may use subprocessors and service providers such as:

Kodeo will impose data protection obligations on subprocessors that are no less protective than the obligations set out in this DPA, to the extent applicable to the services provided by the subprocessor.

Kodeo remains responsible for the performance of its subprocessors’ data protection obligations to the extent required by applicable law.

Kodeo may update its subprocessors from time to time. Where required by applicable law, Kodeo will provide notice of material subprocessor changes at least 30 days in advance through an updated subprocessor list, notice in the service, email, or another reasonable means.

10. Assistance to the Customer

Taking into account the nature of the processing and the information available to Kodeo, Kodeo will provide reasonable assistance to the Customer in fulfilling the Customer’s obligations under applicable data protection law, including where relevant with respect to:

Such assistance may be subject to reasonable administrative and cost recovery terms where permitted by law and agreed between the parties.

11. Personal data breaches

Kodeo will notify the Customer without undue delay after becoming aware of a personal data breach affecting personal data processed under this DPA.

Kodeo will provide information reasonably available to it to help the Customer meet any obligations to investigate, mitigate, notify, or remediate the breach.

12. Deletion or return of personal data

Upon termination or expiry of the applicable services, Kodeo will, at the Customer’s choice and subject to the functionality of the service and applicable law, delete or return the personal data processed on behalf of the Customer, unless applicable law requires storage of the personal data.

This does not require Kodeo to delete personal data from backup systems immediately, provided that such data remains protected and is deleted in the ordinary course in accordance with Kodeo’s retention and backup practices.

13. Demonstrating compliance and audits

Kodeo will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA.

Where required by applicable law and where the information made available by Kodeo is not sufficient, the Customer may request an audit or inspection of Kodeo’s relevant processing activities under this DPA, subject to reasonable notice, confidentiality obligations, appropriate scope limitations, and measures to avoid disruption to Kodeo’s business and other customers.

Any audit rights under this section must be exercised no more than once per year, unless required by law or triggered by a documented security incident involving the Customer’s personal data.

14. International data transfers

Where Kodeo or its subprocessors transfer personal data outside the EEA, UK, or Switzerland, Kodeo will ensure that such transfers are made in accordance with applicable data protection law, including through adequacy decisions, Standard Contractual Clauses, or other lawful transfer mechanisms where required.

15. Liability

The liability of each party under this DPA will be subject to the limitations and exclusions of liability set out in the applicable agreement between the parties, except to the extent such limitations are not permitted by applicable law.

16. Governing law

This DPA is governed by the laws of Finland, unless another governing law is required by applicable data protection law or agreed in the parties’ main service agreement.

17. Order of precedence

If there is a conflict between this DPA and the parties’ main service agreement with respect to the processing of personal data, this DPA will prevail to the extent of that conflict.

18. Contact

Questions about this DPA may be sent to:

Kodeo Labs Ab, Småholmavägen 3B 1, 22120 Mariehamn, Åland, Finland, support@kodeo.io