DATa PROCESSING

DATA PROCESSING AGREEMENT (DPA)

Last updated: [18.3.2026]

This Data Processing Agreement (“DPA”) forms an integral part of the Terms of Use available at https://www.planmetry.com/terms-of-use (the “Terms”).

This DPA applies where Planmetry Oy (“Processor”) processes Personal Data on behalf of a Customer (“Controller”) in connection with the provision of the Service.

1.  Subject Matter and Duration

  • 1.1 This DPA governs the processing of Personal Data included in Customer Data.
  • 1.2 This DPA applies for the duration of the Customer’s use of the Service and for as long as Processor processes Personal Data on behalf of Controller.

2. Nature and Purpose of Processing

Processor processes Personal Data solely for the purpose of:

  • providing and operating the Service,
  • enabling Customer use of the Service,
  • providing customer support,
  • ensuring security and system integrity,
  • complying with legal obligations.

Processing activities may include collection, storage, organization, retrieval, transmission, consultation, restriction, and deletion.

3. Categories of Data Subjects

Personal Data may relate to:

  • Customer employees
  • Customer representatives
  • End users of Customer projects
  • Other individuals whose Personal Data is included in Customer Data

4. Types of Personal Data

Depending on Customer use, Personal Data may include:

  • Names
  • Contact details
  • Professional titles
  • User identifiers
  • IP addresses and usage data
  • Personal Data included in uploaded documents or drawings

Processor does not intentionally collect special categories of Personal Data unless uploaded by Controller.

5. Processor Obligations

Processor shall:

  • 5.1 Process Personal Data only on documented instructions from Controller.
  • 5.2 Ensure confidentiality of authorized personnel.
  • 5.3 Implement appropriate technical and organizational security measures.
  • 5.4 Assist Controller with data subject rights requests where reasonably possible.
  • 5.5 Notify Controller without undue delay of any Personal Data breach.
  • 5.6 Not sell Personal Data.
  • 5.7 Processor shall ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

6. Anonymization and Service Improvement

  • 6.1 Processor may use Customer Data for the purpose of improving, developing, testing and training the Service, including machine learning models, only after such data has been irreversibly anonymized.
  • 6.2 Anonymized data shall not identify, and shall not be capable of identifying, any individual or the Controller.
  • 6.3 Once anonymized, such data shall no longer be considered Personal Data under this DPA.
  • 6.4 Processor shall not use identifiable Personal Data contained in Customer Data for its own independent purposes.

7. Subprocessors

  • 7.1 Controller authorizes Processor to engage subprocessors.
  • 7.2 A current list of subprocessors is available at:https://www.planmetry.com/subprocessors
  • 7.3 Processor shall ensure subprocessors are bound by written agreements imposing data protection obligations equivalent to those set out in this DPA.
  • 7.4 Controller may object to a new subprocessor on reasonable data protection grounds within thirty (30) days of notification.

8. International Transfers

Where Personal Data is transferred outside the EEA, Processor shall ensure appropriate safeguards in accordance with GDPR, including:

  • Adequacy decisions, or
  • Standard Contractual Clauses (SCCs).

9. Security Measures

Processor implements appropriate technical and organizational measures, including:

  • Encryption in transit (TLS)
  • Access control and role-based permissions
  • Logical segregation of customer data
  • Monitoring and logging
  • Secure cloud infrastructure
  • Backup and disaster recovery

Additional security information may be provided upon reasonable request.

10. Audit and Demonstration of Compliance

  • 10.1 Processor shall make available information reasonably necessary to demonstrate compliance.
  • 10.2 Audits may be conducted:
  • no more than once per calendar year,
  • upon at least 30 days’ prior written notice,
  • during normal business hours.
  • 10.3 Audits shall primarily be documentation-based.
  • 10.4 On-site audits shall only be permitted where reasonable grounds exist to suspect material non-compliance.
  • 10.5 Audits shall not include access to source code or other customers’ data.
  • 10.6 Controller bears its own audit costs unless a material breach is identified.

11. Return and Deletion

  • Upon termination of the Service, Processor shall delete or anonymize Personal Data after a reasonable retention period, not exceeding ninety (90) days unless legally required otherwise.

    Controller is responsible for exporting data prior to termination.

12. Liability

  • Liability under this DPA is subject to the limitations set out in the Terms of Use.

    Nothing in this DPA limits liability that cannot be limited under applicable law.

Enterprise Addendum

  • (Applicable to Enterprise Subscription Plans Only)

    This section applies only where the Customer has entered into an Enterprise subscription agreement that explicitly includes Enterprise Data Control features.

13. Enterprise Data Hosting and Control

  • 13.1 Customer-Controlled Storage

    Where agreed under an Enterprise plan, Customer Data may be stored in a Customer-controlled environment, such as the Customer’s own cloud infrastructure (e.g., SharePoint, Azure, AWS, or other designated storage environment).

    In such cases:
  • Planmetry processes Customer Data solely for the purpose of providing the Service.
  • Persistent storage of Customer Data occurs in the Customer-controlled environment.
  • Planmetry does not retain independent copies of Customer Data beyond what is technically necessary for transient processing.
  • 13.2 Temporary Processing and Caching

    To provide functionality of the Service, Customer Data may be temporarily processed, cached, or buffered within Planmetry-managed infrastructure during active sessions or technical operations.

    Such temporary storage:
  • Is limited to what is technically necessary,
  • Is automatically overwritten or deleted after session completion or defined short-term processing windows,
  • Is not used for independent analytics or model training.
  • 13.3 No Training Use (Enterprise Option)

    Unless expressly agreed otherwise in writing, Planmetry shall not use Enterprise Customer Data, including anonymized derivatives, for the purpose of training or improving machine learning models.

    Service improvement for Enterprise plans shall be limited to:
  • Security monitoring,
  • Bug fixing,
  • Performance optimization,
  • Aggregated operational metrics that do not derive from Customer content.
  • 13.4 Data Ownership and Control

    Customer retains full ownership and control over Enterprise Customer Data.
    Planmetry shall not:
  • Commercially exploit Enterprise Customer Data,
  • Use it for independent analytics,
  • Combine it with data from other customers for training or product development.
  • 13.5 Responsibility Allocation

    Where Customer elects Customer-controlled storage:
  • Customer is responsible for the security and access controls of its designated storage environment.
  • Planmetry remains responsible for the security of processing performed within Planmetry-managed infrastructure.

Planmetry Oy
Kampinkuja 2, Sähkötalo
00100 | Helsinki | Finland
VAT: FI33458579

info@planmetry.com
QUICK LINKS
FeaturesPricingContactBlogFAQ
LEGAL
Terms of usePrivacyDPASubprocessors
SOCIAL
FacebookInstagramLinkedin