Data processing agreement.

Applies automatically to all customers and forms part of the service agreement.

Effective: March 15, 2026 · First Mate Solutions Oy · Business ID: 3392354-9

TL;DR

  • Customer is the controller, First Mate is the processor.
  • Processing follows documented customer instructions and applicable law.
  • Authorized personnel are under strict confidentiality obligations and role-based access controls.
  • Sub-processors are contractually bound to equivalent data protection obligations.
  • Breach notifications are provided without undue delay, no later than 72 hours from awareness.

1. Scope

This Data Processing Agreement (DPA) forms part of the service agreement and applies whenever First Mate processes personal data on behalf of the customer.

2. Roles

  • Controller: the customer.
  • Processor: First Mate Solutions Oy.
  • Sub-processor: a third party engaged by First Mate to process personal data on the customer's behalf.

3. Subject matter and nature of processing

Processing is required to deliver the AI employee service, including communications, task execution, tool integrations, logs, and secure operation of the platform.

4. Processor obligations

First Mate commits to:

  • process personal data only on documented instructions, unless law requires otherwise
  • ensure authorized personnel are bound by written confidentiality commitments
  • implement appropriate technical and organizational security measures
  • assist the controller with data subject rights requests
  • assist with breach response, DPIAs, and supervisory authority cooperation
  • delete or return personal data after the agreement ends, as set out in this DPA

5. Confidentiality and NDA commitment

First Mate, its employees, contractors, and sub-processors must not use, disclose, sell, profile, or otherwise exploit customer personal data for independent purposes.

Personal data may be accessed only to deliver and secure the service, prevent abuse, investigate incidents, comply with law, or execute documented customer instructions.

All authorized personnel are bound by written confidentiality obligations that survive termination of employment or engagement. Access is role-based, logged, and auditable.

6. Security measures

  • encryption in transit and at rest
  • customer-level infrastructure isolation
  • access control with least privilege and MFA for admin access
  • logging, monitoring, incident response, and backup controls

7. Sub-processors

The customer grants general authorization for sub-processors necessary to deliver the service. First Mate imposes equivalent data protection and confidentiality obligations by written contract.

Sub-processor        Service                          Location
AWS                  Infrastructure                   EU
Supabase             Database and authentication      EU/UK
Anthropic, OpenAI    AI inference                     US
Stripe               Payments                         EU/US
AgentMail            Email inboxes for AI employees   US
Resend               Transactional email              US
Vercel, Cloudflare   Website delivery and CDN         Global

We provide advance notice of material sub-processor changes. The customer may raise a reasoned objection.

8. International transfers

Where personal data is transferred outside the EU/EEA, appropriate safeguards are used, including SCCs and, where applicable, DPF mechanisms and supplementary technical measures.

9. Personal data breach notifications

First Mate notifies the customer without undue delay and, where feasible, within 72 hours after becoming aware of a personal data breach affecting customer data.

10. Data subject rights and DPIA assistance

First Mate provides reasonable assistance with data subject rights requests, DPIAs, and related supervisory authority interactions.

11. Audits

The customer may verify compliance with this DPA on reasonable prior notice and in a manner that does not unreasonably disrupt operations.

12. Termination and deletion

After termination, First Mate deletes or returns personal data at the customer's choice, unless retention is legally required. Service data is deleted within 30 days.

13. Liability and governing law

Liability is governed by the service agreement and applicable law. This DPA is governed by the laws of Finland.

14. Contact

  • Email: juuso@firstmate.work
  • Company: First Mate Solutions Oy
  • Address: Lapinlahdenkatu 16, 00180 Helsinki, Finland