Data Processing Agreement
This agreement defines how Nordkeys processes the customer’s personal data in order to provide the service.
Important: these terms are drafted to protect Nordkeys and clarify customer responsibilities. They should be used as part of customer acceptance and the final version should be reviewed by a legal professional before broad commercial use.
1. Parties and roles
This data processing agreement applies to personal data that Nordkeys processes on behalf of the customer to provide the Nordkeys service. The customer acts as the controller and Mainostoimisto Loud Oy / Nordkeys acts as the processor unless otherwise separately agreed.
The customer is responsible for having the right to collect, use and transfer personal data to the Nordkeys service and to give Nordkeys instructions for processing it.
2. Subject, duration and purpose of processing
The processing concerns personal data related to the Nordkeys service. Processing continues for as long as the customer has an active service relationship with Nordkeys and for a reasonable period afterwards for returning or deleting data, backups, legal obligations or legal claims.
The purpose of processing is to provide the Nordkeys service, such as the booking system, channel management, direct-booking functions, cleaning management, reports, user management, technical support, maintenance and security.
3. Types of personal data and data subjects
Personal data may include, for example, booker or guest name, email address, phone number, booking details, arrival and departure dates, guest count, payment reference details, extras orders, communication details, internal notes and customer user and cleaner account details.
Data subjects may include the customer’s bookers, guests, employees, cleaners, partners, users and contact persons.
4. Customer instructions
Nordkeys processes personal data only according to the customer’s documented instructions unless mandatory law requires otherwise. Customer instructions include use of the service, settings, user actions, integration settings, support requests and this agreement.
The customer is responsible for ensuring that its instructions are lawful.
5. Sub-processors
Nordkeys may use sub-processors to provide the service, such as hosting, email, analytics, security, support, integration or infrastructure providers.
Currently used or planned providers may include Hostinger, Titan, Google Analytics, Google Ads and reCAPTCHA. If other technical suppliers or channel integrations are used, their use may be necessary for the service to function.
Nordkeys ensures that sub-processors are bound by data protection obligations substantially similar to those of Nordkeys.
6. Security
Nordkeys implements reasonable technical and organizational measures to protect personal data. Measures may include access control, user credential protection, backups, server environment protection, logging, software updates and limiting processing to necessary people.
The customer is responsible for securely managing its own users, passwords, API keys, Stripe keys, channel credentials and access rights.
7. Personal data breaches
If Nordkeys becomes aware of a personal data breach concerning the customer’s personal data, Nordkeys will notify the customer without undue delay after becoming aware of the breach.
As controller, the customer is responsible for possible notifications to the supervisory authority and data subjects unless the law states otherwise.
8. Data subject rights
Nordkeys assists the customer reasonably and within its technical possibilities in handling data subject requests if the request relates to data processed in the Nordkeys service.
The customer is responsible as controller for responding to requests and evaluating their lawfulness.
9. Return and deletion of data
After the service relationship ends, Nordkeys may return or delete personal data in the service upon the customer’s request within a reasonable time, unless retention is necessary for backups, legal obligations, accounting, security or legal claims.
The customer must save the necessary data before the service ends.
10. International transfers
If personal data is transferred outside the EU/EEA, Nordkeys aims to ensure that the transfer has a GDPR-compliant basis, such as European Commission standard contractual clauses or another applicable safeguard.
The data location and transfer mechanisms of third-party services, such as Google or other suppliers, may depend on that provider’s terms and settings.
11. Audits and documentation
Nordkeys provides the customer with reasonably necessary information to demonstrate compliance with the obligations under this agreement, taking into account trade secrets, security and the protection of other customers’ data.
Possible audits must be agreed in advance in writing and must be reasonable, limited and acceptable from a security perspective.
12A. Customer obligations as controller
The customer is responsible as controller for having a lawful basis to collect and process personal data of bookers, guests, employees, cleaners and other data subjects. The customer is also responsible for providing required privacy notices, obtaining consents, data minimization, data accuracy and responding to data subject requests.
12B. Retention after service termination
After the service ends, Nordkeys may retain customer service data for up to 90 days for possible restoration, technical investigation or backups, unless longer retention is required for accounting, legal claims, abuse investigation, security or law. After that, data may be deleted or anonymized.
13. Updates
This data processing agreement may be updated if the Nordkeys service, sub-processors, data protection legislation or processing activities change.
Last updated: 9 June 2026.