Data Processing Addendum
Effective date:
This Data Processing Addendum ("DPA") forms part of the Terms of Service and applies automatically to every paying Customer. It applies whenever Jonot Oy (business ID 3620928-7, "Jonot", "Processor") processes End User personal data on behalf of the Customer ("Controller"). The roles are determined under Article 28 GDPR. No separate signature is required.
1. Roles and scope
The Controller determines the purposes and means of processing. Jonot processes personal data solely as a processor on the Controller's behalf. This DPA applies to the extent the GDPR applies to the processing. Processing carried out by Polar (billing) is performed as its own controller and is not subject to this DPA.
2. Processing instructions
Jonot processes personal data only on the Controller's documented instructions — which include these terms, this DPA, and the Customer's use of the Service — unless required otherwise by law, in which case Jonot informs the Controller of the requirement before processing unless the law prohibits it. Jonot informs the Controller if, in its view, an instruction infringes data-protection law.
3. Subject matter, duration, nature, and purpose
The subject matter and duration, the nature and purpose of processing, and the categories of personal data and data subjects are described in Annex 1. Processing continues for as long as the Customer has an active subscription, plus the retention periods described in the Privacy Policy.
4. Confidentiality
Jonot ensures that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
5. Security
Jonot implements appropriate technical and organisational measures under Article 32 GDPR to ensure a level of security appropriate to the risk. The current measures are described in Annex 2.
6. Sub-processors
The Controller gives a general authorisation for the use of sub-processors. The current sub-processors are listed in Annex 3. Jonot imposes data-protection obligations equivalent to this DPA on each sub-processor and remains responsible for their performance. Jonot notifies the Controller of intended changes to sub-processors and gives the Controller an opportunity to object.
7. Data subject requests
Jonot assists the Controller, by appropriate technical and organisational measures, in responding to data subject requests for access, rectification, erasure, restriction, portability, or objection. If Jonot receives such a request directly, it forwards it to the Controller and does not respond itself unless the Controller instructs otherwise.
8. Assistance and data breaches
Jonot assists the Controller with its obligations under Articles 32–36 GDPR. On becoming aware of a personal-data breach affecting the Controller's data, Jonot notifies the Controller without undue delay and provides the information reasonably available to it.
9. Data transfers
Jonot does not transfer personal data outside the EEA without an adequacy decision or appropriate safeguards such as the EU Standard Contractual Clauses. Edge processing may occur globally through Jonot's infrastructure provider; the safeguards for such transfers are described in Annex 3.
10. Return and deletion
On termination, Jonot deletes or returns personal data as described in the Terms of Service: a 30-day export window, deletion of live records, and backups rolling off within 90 days, unless the law requires retention.
11. Audits
Jonot makes available the information necessary to demonstrate compliance with this DPA and allows for and contributes to audits. Jonot may satisfy this obligation through documentation or third-party reports. On-site audits require reasonable notice and confidentiality and take place no more than once a year unless a breach is suspected.
12. Liability and changes
Liability under this DPA is subject to the limitations of liability in the Terms of Service. Jonot may update this DPA to reflect legal or operational changes; material changes are notified in accordance with the Terms of Service.
Annex 1 — Description of processing
- Subject and purpose: providing virtual queue-management to the Controller.
- Nature: storage, display, and real-time processing of End User queue data.
- Categories of personal data: End User names, phone numbers, queue history, and ticket metadata; Staff User account data.
- Categories of data subjects: End Users who join the Customer's queues, and the Customer's Staff Users.
- Duration: the term of the subscription and the retention periods in the Privacy Policy.
Annex 2 — Security measures
- Encryption in transit (HTTPS at the edge).
- Access control and least-privilege principle.
- Edge rate-limiting and authentication.
- Backups, with older backups rolling out of rotation.
- Access and event logging.
Annex 3 — Sub-processors
- Cloudflare: hosting, database (D1), Durable Objects, and edge network.
- Email provider: transactional email (e.g. confirmations).
- Polar: billing; acts as its own controller (not a sub-processor under this DPA).
Questions: info@jonot.io.