Data Processing Agreement

Data Processing Agreement, Vapaus

Updated 25.2.2026

 

1. Introduction and Purpose

This Data Processing Agreement ("DPA") has been drawn up between Vapaus Bikes Finland Oy ("Vapaus") and its customer companies ("Customer"). Vapaus and the Customer are hereinafter referred to jointly as the "Parties" and individually as a "Party". This DPA forms an integral part of the service agreement for the employee benefit bikes concluded between Vapaus and the Customer (VALUE/FLEX agreement, hereinafter the "Service Agreement") and applies to personal data processing activities set out in this Section and in connection with the Service Agreement.

In order to fulfil the Service Agreement, Vapaus may contact the Customer's Employees directly in matters relating to the employee benefit. For this purpose, the Customer may provide Vapaus with the contact details of its Employees. Vapaus processes these details for the following purposes:

    • Employee onboarding: communications relating to the activation and set-up of the employee benefit.
    • Service communications: ordering instructions, user guides, reminders and seasonal campaigns.
    • Fulfilment of data protection obligations: notification to data subjects in accordance with Article 14 of the GDPR, where their personal data has been obtained from the Customer.

2. Parties and Roles

Data Controller

The Customer (as identified in the Service Agreement).

The Customer acts as the data controller within the meaning of Article 4(7) of the GDPR in respect of its Employees' personal data. The Customer determines the purposes and means of processing its Employees' personal data and discloses the relevant data to Vapaus for the purpose of fulfilling the Service Agreement.

Data Processor

Vapaus Bikes Finland Oy, 2879502-8, Lapinlahdenkatu 16, 00180 Helsinki, Finland

Data protection contact: molla@vapaus.io

Vapaus acts as the data processor within the meaning of Article 4(8) of the GDPR in respect of the Employee Data covered by this DPA. Vapaus processes the Customer's Employees' personal data solely on behalf of and on the instructions of the Customer, for the purposes set out in this DPA and the Service Agreement.

Relationship between the Parties

The Customer, as data controller, is responsible for determining the lawful basis for the processing of its Employees' personal data and for ensuring that the disclosure of such data to Vapaus complies with applicable data protection legislation, including the GDPR. Vapaus, as data processor, processes the Employee Data exclusively in accordance with the Customer's documented instructions and shall not process the data for any purpose beyond those set out in this DPA without the prior written authorisation of the Customer.

3. Scope and Relationship to the Service Agreement

This DPA applies to all personal data processing activities connected with the fulfilment of the employee bicycle benefit under the Service Agreement, in which Vapaus processes personal data relating to the Customer's Employees on behalf of the Customer.

This DPA enters into force once both of the following have occurred:

    • the Customer and Vapaus sign the Service Agreement, and
    • the Customer provides Vapaus with the first Employee List.

This DPA remains in force for the duration of the Service Agreement. Upon termination of this DPA, the provisions on data retention and deletion set out in this DPA shall continue to apply.

4. Personal Data Processed

Categories of Data Subjects

The data subjects are the Customer's Employees who are eligible for the employee bike benefit under the Service Agreement.

Categories of Personal Data

Vapaus processes the following categories of personal data on behalf of the Customer:

    • First name and surname
    • Work email address
    • Employer information (name of the Customer)
    • Order-related information (selected bike model, order status)
    • Opt-out status (whether the Employee has opted out of communications)

Sensitive data

This DPA does not cover the processing of special categories of personal data within the meaning of Article 9 of the GDPR. The Customer shall not disclose any such data to Vapaus without a separate written agreement.

5. Obligations of Vapaus (Data Processor)

Processing on Instructions Only

Vapaus shall process the Employee Data solely on the documented instructions of the Customer and shall not process the data for any purpose beyond those set out in this DPA and the Service Agreement. Vapaus shall inform the Customer immediately if it considers that any instruction infringes applicable data protection legislation.

Confidentiality

Vapaus shall ensure that all personnel authorised to process the Employee Data are subject to appropriate confidentiality obligations, whether contractual or statutory.

Technical and Organisational Security Measures

Vapaus shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR. These measures include, as a minimum:

    • Encryption of personal data in transit and at rest
    • Ongoing confidentiality, integrity, availability and resilience of processing systems
    • The ability to restore access to personal data in a timely manner in the event of a physical or technical incident
    • A process for regularly testing, assessing and evaluating the effectiveness of security measures

Data Subject Rights

Data subjects (the Customer's Employees) may exercise their GDPR rights by contacting Vapaus directly at molla@vapaus.io.

Opt-Out Mechanism

Vapaus shall include a clear and functional opt-out link in every communication sent to Employees. Opt-out requests shall be processed without undue delay and in any event within 30 days of receipt.

Notification of Personal Data Breaches

Vapaus shall notify the Customer without undue delay, and in any event within 72 hours of becoming aware, of any personal data breach affecting the Employee Data. The notification shall include, to the extent available at the time:

    • A description of the nature of the breach, including the categories and approximate number of data subjects and records concerned
    • The name and contact details of the data protection contact point
    • A description of the likely consequences of the breach
    • A description of the measures taken or proposed to address the breach

Data Protection Impact Assessments

Vapaus shall carry out data protection impact assessments, insofar as such assessments relate to the processing under this DPA.

Records of Processing Activities

Vapaus shall maintain records of all categories of processing activities carried out on behalf of the Customer in accordance with Article 30(2) of the GDPR and shall make these available to the Customer or the competent supervisory authority upon request.

Cooperation with Supervisory Authorities

Vapaus shall cooperate with the competent supervisory authority and make available all information necessary to demonstrate compliance with the obligations set out in Article 28 of the GDPR.

6. Obligations of the Customer (Data Controller)

Lawful Basis

The Customer is responsible for ensuring that there is a valid lawful basis under Article 6 of the GDPR for disclosing its Employees' personal data to Vapaus. The Customer shall document this lawful basis in its own records of processing activities.

Transparency Towards Employees

The Customer and Vapaus share responsibility for ensuring that Employees are informed of the processing of their personal data in connection with the employee bike benefit.

The Customer is responsible for ensuring that its Employees are informed of the disclosure of their personal data to Vapaus for the purposes of fulfilling the Service Agreement. The Customer shall do so, for example, by including this information in its own privacy notice, employment contract or employee handbook.

Vapaus is responsible for informing Employees directly of how their personal data is processed by Vapaus once their data has been received. Vapaus shall send each Employee a welcome communication upon onboarding, which shall include, in accordance with Article 14 of the GDPR:

  • the identity and contact details of Vapaus as data processor;
  • the purposes and legal basis for the processing;
  • the categories of personal data processed;
  • the retention period applicable to the data;
  • the data subject's rights and how to exercise them; and
  • a link to Vapaus's publicly available Privacy Notice.

Provision of Employee Lists

The Customer shall provide Vapaus with Employee Lists in the format and within the timescales agreed between the parties. The Customer shall ensure that the Employee Lists contain only the personal data specified in this DPA.

Accuracy of Data

The Customer is responsible for ensuring that the personal data included in the Employee Lists is accurate and up to date. The Customer shall notify Vapaus without undue delay if an Employee's employment terminates or if the Employee is no longer eligible for the benefit, so that Vapaus may delete the relevant data.

7. Retention and Deletion of Data

Retention Period

Vapaus shall retain Employee Data only for as long as the Service Agreement is in force and the relevant Employee's benefit is active, unless a longer retention period is required by applicable law.

Deletion upon Termination

Upon termination of the Service Agreement, or upon receipt of a written request from the Customer, Vapaus shall delete or anonymise all Employee Data within 30 days, unless applicable law requires continued storage. Vapaus shall provide the Customer with written confirmation of deletion upon request.

Employee Deletion Requests

Where an individual Employee's data is to be deleted prior to termination of the Service Agreement — for example, because the Employee's employment has ended or the Employee has exercised their right to erasure — Vapaus shall complete the deletion within 30 days of receiving notification from the Customer or the data subject.

8. Sub-processors

Authorisation

The Customer grants Vapaus general written authorisation to engage sub-processors for the purposes of fulfilling its obligations under this DPA and the Service Agreement. Vapaus's current list of sub-processors is set out in Annex 1 to this DPA.

Sub-processor Obligations

Vapaus shall impose data protection obligations on all sub-processors that are no less onerous than those set out in this DPA, in particular as regards the implementation of appropriate technical and organisational security measures.

9. International Data Transfers

Transfers Within the EEA

Vapaus shall, where possible, process Employee Data within the European Economic Area (EEA).

Transfers Outside the EEA

Where Employee Data is transferred to a country outside the EEA, Vapaus shall ensure that such transfers are carried out in compliance with the requirements of the GDPR concerning adequate safeguards for international data transfers.

10. Liability and Indemnification

Each party shall be liable for any damage caused to data subjects or third parties as a result of its own failure to comply with the obligations imposed by this DPA or applicable data protection legislation.

Where Vapaus is held liable by a supervisory authority or a court for damage caused by processing carried out in accordance with the Customer's instructions, the Customer shall indemnify Vapaus to the extent that such liability arises from the Customer's failure to fulfil its obligations as data controller.

11. Term and Termination

This DPA enters into force in accordance with Section 3 and remains in force for the duration of the Service Agreement.

Either party may terminate this DPA with immediate effect by written notice if the other party materially breaches any provision of this DPA and fails to remedy the breach within 30 days of receiving written notice of the breach.

Termination of this DPA does not affect any rights or obligations that have accrued prior to termination. The provisions of Sections 7, 10 and 12 shall survive termination.

12. Governing Law and Disputes

This agreement shall be governed by and construed in accordance with the laws of Finland. Any dispute arising out of or in connection with this agreement shall be finally settled by arbitration in accordance with the Arbitration Rules of the Finnish Central Chamber of Commerce.

13. Amendments

Vapaus reserves the right to amend this DPA to reflect changes in applicable data protection legislation or in its processing activities. The Customer will be notified of any material amendments with at least 30 days' notice before the amendments take effect.

Continued use of the Service following notification of amendments shall constitute acceptance of the amended DPA.

14. Annexes

Annex 1 — List of Sub-processors

| Name | Nature and Purpose of Processing | Categories of personal data | Location of Processing |
| --- | --- | --- | --- |
| HubSpot | Cloud hosting provider, CRM system | Customer Personal Data, received from Employee or Employer | EU (Germany) |

This list will be updated as sub-processors are added or replaced. The current version is always available at www.vapaus.io/en/dpa.