Data Processing Addendum
Last updated 2026-06-29
This Data Processing Addendum ("DPA") forms part of the agreement between the customer ("Customer") and IntentPath Oy ("Processor") for the use of IntentPath AI (the "Service"). It reflects the parties' agreement on the processing of personal data in accordance with the GDPR.
Roles of the parties
For visitor data collected through the Service, the Customer acts as the data controller and IntentPath Oy acts as the data processor, processing personal data only on the Customer's documented instructions. For account and billing data, IntentPath Oy acts as an independent controller.
Scope of processing
The subject matter of processing is the provision of the Service. The nature and purpose are conversion analytics, intent detection, on-site playbooks, and AI assistance. The categories of data subjects are the Customer's website visitors. The categories of personal data are pseudonymous identifiers and behavioral events, excluding raw IP addresses and sensitive form values. Processing continues for the duration of the agreement.
Subprocessors
The Customer authorizes IntentPath Oy to engage the following subprocessors. We remain responsible for their compliance and will give notice of intended changes so the Customer may object.
| Name | Purpose | Region |
|---|---|---|
| Supabase | Database, authentication, storage | EU |
| Resend | Transactional email delivery | EU/US |
| Stripe | Billing and payment processing | EU/US |
| Google (Gemini API) | AI inference and embeddings | US |
| Vercel | Application hosting | Global |
Security measures
IntentPath Oy maintains appropriate technical and organizational measures, including Row-Level Security and tenant isolation, least-privilege access controls, encryption of secrets, audit logging, and consent-aware tracking. Personnel with access to personal data are bound by confidentiality obligations.
International transfers
Where personal data is transferred outside the EEA, such transfers are governed by appropriate safeguards, including the European Commission's Standard Contractual Clauses and supplementary measures where required. Subprocessor regions are listed above.
Data subject requests and assistance
IntentPath Oy will assist the Customer in responding to data subject requests and in meeting its obligations regarding security, breach notification, and data protection impact assessments, taking into account the nature of processing and the information available.
Data protection contact
Our data protection contact can be reached at dpo@yourdomain.com.