Tilit.AI Oy - statement on processing

1 DATA PROCESSOR AND DATA CONTROLLER

Provider / "Data Processor"

Tilit.AI Oy, PO Box 146, 00121 Helsinki (Business ID 3279538-9)

The Provider referred to in this statement is the contractual party committed to delivering the financial management service and related maintenance to the Customer. The product name of the financial management service is Tilit.

The Provider acts as the Data Processor on behalf of the Customer.

Customer / "Data Controller"

The Customer referred to in this statement is the contractual party that has accepted the Provider's terms of use for the Tilit financial management service and related maintenance. At the time of onboarding, it has been agreed who on the Customer's side acts as the main user and records and maintains the Customer's contact and user details in the Tilit financial management service.

The Customer acts as the data controller with respect to its own personal data (the Customer's personal data).

2 CONTACT PERSON FOR MATTERS RELATING TO THE REGISTERS

In matters relating to this personal data register, please contact your company's data protection officer and/or main user.

The Customer informs its own personnel and customers about its data protection practices in accordance with its own procedures.

The contact details of the Provider's data protection officer are available on the official website of Tilit.AI Oy at: https://tilit.ai/tietosuojaseloste

3 PURPOSE OF THE REGISTER AND BASIS FOR PROCESSING PERSONAL DATA

All personal data registers and their contents have been established for the implementation of the delivery agreement between the Provider and the Customer. Personal data includes the personal usernames of individuals using the Tilit system.

The Provider processes the Customer's data only for the purposes agreed in the terms of use, and only to the extent necessary to fulfil the terms of use.

4 DATA STORED IN THE REGISTER

The management of user credentials and the granting of access rights in the Tilit financial management service are carried out by the Customer. The Provider's staff may also create and modify administrative and access rights in accordance with the Customer's instructions.

Special categories of personal data (more confidential data)

In payroll and HR services, personal data requiring a higher level of confidentiality is typically processed. This includes, among other things, personal identity codes, home addresses, personal phone numbers, bank account details, trade union membership, health data, and salary and tax information.

Applications in which such data is processed include:

  • Payroll and HR management applications
  • Processing of travel and expense claims
  • Official filings to the tax authority and other similar official stakeholders

The Provider's support staff does not independently process the Customer's data. If necessary, the data content stored in the application is reviewed based on a support request from the Customer or the maintenance staff of the production environment.

The maintenance staff of the production environment has broader access rights to the Customer's data. However, this group is very limited, and its members have signed special confidentiality agreements.

Regular sources of data

Customer agreements are recorded in the Tilit financial management service. The Customer updates and maintains the registers required for the provision of the service and grants access rights in accordance with its own operations.

The names, email addresses, and access rights of the Provider's employees are updated in the Tilit financial management service by the Provider's main user.

Retention period

Data on customers who have a valid agreement with the Provider is retained in the support service system for at least the duration of the contractual relationship.

The terms of use define the retention period for the Customer's data when the agreement ends.

The retention periods for personal data concerning the Provider's personnel are related to the terms of employment and can be checked in the employment contract and the Provider's personnel instructions.

Disclosure of personal data

Personal data is not further disclosed by the Provider or used for any purpose other than what is stated in the terms of use.

6 GENERAL PRINCIPLES FOR THE USE AND PROTECTION OF PERSONAL DATA

The Customer's personal data is processed only by the Provider's personnel responsible for delivering the service in accordance with the terms of use. The management of the Provider's access rights is based on a role-based user management process in which each employee is granted only the access rights required for their duties and role.

Access to all data concerning the Customer is available only through the personal username and password of an employee authorized to access such data.

7 RIGHTS OF THE DATA SUBJECT

Under applicable data protection legislation, the personal data of the Customer and the Provider forms a personal data register in relation to which data subjects have statutory and legally recorded rights concerning their data.

The data subject has the right to access the data (right of inspection) and to request rectification, erasure, or restriction of processing.

A Customer user or a person registered in the registers of the Tilit financial management service must contact their company's data protection officer or main user if they wish to exercise their legal rights.

The Provider does not respond directly to inquiries or requests received from the Customer's users concerning the rights mentioned in this section, because all personal data stored in the Tilit financial management service is based on data maintained by the Customer's users.

If the Provider's personnel wish to exercise their rights referred to in this section, they must contact the Provider's data protection officer.

The data subject's right to lodge a complaint with a supervisory authority

The data subject has the right to lodge a complaint with the competent supervisory authority if they consider that the Customer or the Provider has not complied with applicable data protection regulation.

8 CONTACT

For any unclear matters relating to the processing of personal data under this statement, the Customer must contact us by email at info@tilit.ai.

The Provider may, if necessary, request the Customer to provide additional information or clarify their request in writing.

Reviewed and updated annually in December.