Data Processing Agreement

Last updated June 16, 2026

This DPA (GDPR Article 28) defines how Tuttu processes the personal data of the customer's callers on the customer's behalf. It forms part of the terms of service.

1. Parties and purpose

This data processing agreement (the “DPA”) forms part of and supplements the Tuttu for Business terms of service. It constitutes the agreement required by Article 28(3) of the General Data Protection Regulation (GDPR).

The customer (business customer) is the controller of its callers' and message senders' personal data. Insinööritoimisto Loikkanen Oy (business ID 3600045-9, “Tuttu”) is the processor of that data, processing it on the customer's behalf to provide the service.

Tuttu's own processing as a controller is described in the privacy policy.

2. Subject matter and duration

The subject matter is the personal data provided by the customer's callers and message senders, or generated in the course of using the service. Processing lasts for as long as the customer relationship is active, after which the data is deleted or returned in accordance with section 12.

3. Nature and purpose of processing

Tuttu answers calls and text messages forwarded to the customer's number using AI, answers questions based on the customer's knowledge base, takes messages, records callback requests, and notifies the customer of them. Processing includes receiving, recording, organising, transcribing, storing, and deleting data.

4. Categories of data and data subjects

The data subjects are the customer's callers and message senders. The data processed includes:

  • phone number (when transmitted);
  • the content of calls and text messages as text transcripts;
  • keypad-entered numbers and the messages and callback requests left;
  • any name and other contact details the caller provides;
  • technical call data, such as duration.

The service is not intended for processing special categories of personal data (GDPR Article 9). Call audio is not recorded; only the text transcript is retained, for the period described in section 12.

5. Controller's instructions and obligations

The customer is responsible for having a legal basis for processing its callers' personal data and for having appropriately informed its callers. The settings the customer makes in the service, the knowledge base content, and its instructions constitute the customer's documented processing instructions. Tuttu will inform the customer if, in its view, an instruction infringes data protection law.

6. Processor's obligations

In accordance with Article 28(3) of the GDPR, Tuttu undertakes to:

  • process personal data only on the customer's documented instructions, including for transfers, unless required otherwise by law;
  • ensure that persons authorised to process the data are bound by confidentiality;
  • implement the technical and organisational security measures required by Article 32 (see section 9);
  • comply with the conditions for engaging sub-processors (see section 7);
  • assist the customer in responding to data subject requests (see section 11);
  • assist the customer with security, breach notification, and impact assessments (Articles 32–36);
  • delete or return personal data at the end of processing (see section 12);
  • make available to the customer the information needed to demonstrate compliance, and allow audits (see section 13).

7. Sub-processors

The customer gives Tuttu general authorisation to use sub-processors to provide the service. Tuttu enters into a data processing agreement imposing equivalent data protection obligations with each sub-processor and remains responsible for its sub-processors' acts as for its own. The sub-processors in use:

Sub-processor                   Task                                          Location / transfer basis
Twilio                          Voice call and SMS transport                  United States — DPF / standard contractual clauses
OpenAI                          Real-time speech recognition and response     United States — DPF / standard contractual clauses
OpenRouter (Google, Anthropic)  SMS text processing and website analysis      United States — standard contractual clauses
Voyage AI                       Knowledge base and search embeddings          United States — standard contractual clauses
WorkOS                          Passwordless login                            United States — DPF / standard contractual clauses
Stripe                          Payments and billing                          United States / Ireland — DPF / standard contractual clauses
Resend                          Email notifications                           United States — standard contractual clauses

Tuttu will give advance notice of new or changed sub-processors in the service or by email. The customer may object to a change on reasonable data protection grounds; if no resolution is found, the customer may terminate the subscription.

8. Transfers outside the EU/EEA

The primary place of storage is in Finland (within the EU/EEA). Some sub-processors process data outside the EU/EEA, in particular in the United States. Transfers are based on the safeguards in Articles 44–46 of the GDPR: the EU–US Data Privacy Framework adequacy decision (10 July 2023) for processors certified under it, and otherwise the European Commission's standard contractual clauses (SCCs).

9. Security

Tuttu implements the measures required by Article 32 of the GDPR, such as encryption of traffic in transit, per-customer isolation through database row-level security, access control to production systems, and the principle of processing only the data needed.

10. Personal data breaches

Tuttu will notify the customer without undue delay after becoming aware of a personal data breach affecting the customer's personal data, and will assist the customer in meeting its notification obligations under Articles 33–34 of the GDPR.

11. Data subject requests

If a data subject contacts Tuttu to exercise their rights, Tuttu will direct the request to the customer and will not respond to it itself unless instructed otherwise by the customer. Tuttu will assist the customer with reasonable technical and organisational measures in responding to data subject requests.

12. Deletion or return of data

When the customer relationship ends, the customer may export its data from the service. After account deletion, all of the customer's personal data is permanently deleted within 14 days, unless retention is required by law. Retention periods are described in more detail in the privacy policy.

13. Audits and verification

On the customer's request, Tuttu will make available the information needed to demonstrate compliance with this DPA. Audits are carried out at a reasonable, pre-agreed time and in a way that does not jeopardise the operation of the service or the security of other customers.

14. Precedence

On matters concerning the processing of personal data, this DPA takes precedence over the other terms of service. In all other respects the terms of service apply.

Sources and legislation