DWS IQ 6 Platform — Customer Implementation
This Data Processing Agreement (hereinafter “DPA”) forms an integral part of the contract relating to the provision of DWS IQ 6 Services concluded between DWS IQ Oü and the Customer (hereinafter “the Contract”).
The purpose of this DPA is to define the conditions under which DWS IQ Oü undertakes to carry out, on behalf of the Customer and for the sole purpose of the strict execution of the Contract, Personal Data Processing operations. The Parties undertake henceforth to comply with the Data Protection Regulations.
Service Provider: DWS IQ Oü (Estonian registry)
Parent Company: Lifetime Oy (Y-tunnus: 0772407-9), Espoo, Finland
Table of Contents
- Definitions
- Description of Data Processing
- Obligations of the Data Processor
- Register of Data Processing
- Obligations of the Customer
- Obligations Relating to Employees
- Sub-processors
- Security of Data Processing
- Personal Data Breach
- Rights of Data Subjects
- Communication and Transfer
- Audit
- End of Contract
- Miscellaneous Provisions
- Contact
Article 1. Definitions
In addition to the terms defined in this DPA, the following terms shall have the same meaning as given in the GDPR: Personal Data, Data Processing, Data Controller, Data Processor, International Organization, Data Protection Officer, Supervisory Authority, Data Subject, Personal Data Breach.
Moreover:
- “Data Protection Regulation” means any worldwide legislation relating to data protection and privacy applicable to the processing of Personal Data under the Contract, including the GDPR, the Finnish Data Protection Act (1050/2018), and other applicable privacy laws.
- “GDPR” means the (EU) Regulation 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data.
- “Standard Contractual Clauses” means the model clauses adopted by the European Commission to regulate transfers of Personal Data outside the EU (Implementing Decision (EU) 2021/914).
- “Third Country” means any country outside the EEA and not recognized as guaranteeing an adequate level of protection by the European Commission.
- “Sub-processor” means DWS IQ Oü or any sub-processor engaged by DWS IQ Oü, processing Customer data as part of the Services.
- “Platform” means the DWS IQ 6 climate intelligence and compliance platform, including the Firehorse Suite, AI orchestration, and all related modules.
- “AI Processing” means any automated processing of Personal Data using AI models, ML algorithms, or large language models as part of the Services.
- “EU AI Act” means the Regulation (EU) 2024/1689 laying down harmonised rules on artificial intelligence.
Article 2. Description of Data Processing
2.1 The Data Processing relates only to the types of Personal Data and categories of Data Subjects defined by the Customer under its sole responsibility.
2.2 The Customer is responsible for selecting Services compatible with the data processing it implements, particularly when subject to specific regulations.
2.3 The Customer undertakes to provide documented instructions concerning any Data Processing operated by DWS IQ Oü.
2.4 DWS IQ Oü undertakes to guarantee the confidentiality of Personal Data. The obligation of confidentiality remains in force for five (5) years following the expiration of the Contract.
2.5 Processing Details
- Subject: Customer climate compliance, industrial emissions, and operational data
- Nature and purpose: Climate compliance analysis (Fit for 55, ETS, CBAM, CSRD), industrial emissions processing, AI-powered document analysis, ESG data aggregation, ERP integration, multi-channel communication (Firehorse Omnichannel), content management, automated workflow orchestration
- Categories of data: Employee contact information, industrial facility data, environmental compliance data, ERP identifiers, user authentication logs, communication metadata
- Categories of Data Subjects: Customers, end users, employees of the Customer and its business partners
2.6 AI-Specific Processing
- 2.6.1 DWS IQ Oü shall maintain transparency regarding AI models used, including their purpose and operational logic.
- 2.6.2 Personal Data shall not be used for model training without explicit prior written consent.
- 2.6.3 Automatic logging of all AI system events per EU AI Act Article 12.
- 2.6.4 Reasoning lineage documentation for AI-assisted decisions affecting compliance obligations.
- 2.6.5 The Customer retains full ownership of all outputs generated by AI Processing using Customer data.
Article 3. Obligations of the Data Processor
As a Data Processor, DWS IQ Oü undertakes to:
3.1.1 Process Personal Data exclusively for the purpose of performing the Contract and according to the Customer’s documented instructions.
3.1.2 Inform the Customer if an instruction infringes Data Protection Regulations.
3.1.3 Process only Personal Data strictly necessary for the Contract or legal obligations.
3.1.4 Not process Personal Data for purposes other than Service performance.
3.1.5 Assist the Customer in developing a Data Protection Impact Assessment (DPIA) where applicable.
3.1.6 Cooperate with the Customer regarding requests from competent authorities or Data Subjects.
3.1.7 Not disclose data to Third Country authorities unless compliant with Article 49 GDPR.
3.1.8 Maintain technical and organizational measures to secure Data Processing (see Article 8).
3.1.9 Make available information needed to demonstrate compliance with Data Protection Regulations.
Article 4. Register of Data Processing
4.1 DWS IQ Oü keeps a register of all categories of Data Processing activities on behalf of the Customer, including contact details, processing categories, international transfers, and a description of technical and organizational Security Measures (TOM) per Article 32(1) GDPR.
4.2 A copy of the register will be provided without undue delay at the Customer’s or competent authorities’ request.
Article 5. Obligations of the Customer
5.1 The Customer is solely responsible for Personal Data processed via DWS IQ Oü’s Services.
5.2 The Customer shall ensure that the collection, processing, and dissemination of data comply with Data Protection Regulations.
5.3 The Customer undertakes to: provide information to Data Subjects, provide processing instructions, maintain a register of activities, carry out Impact Analyses, define retention periods, implement security measures outside the scope of Services, and establish internal breach handling procedures.
Article 6. Obligations Relating to Employees
6.1 DWS IQ Oü ensures Employees only access Personal Data strictly necessary for the Contract.
6.2 Only Employees who are capable of guaranteeing compliance and bound by strict confidentiality obligations are authorized to process Personal Data.
6.3 Technical and organizational measures ensure access is limited by authorization level, breaches are identified and reported, and Employees cease processing upon termination.
Article 7. Sub-processors
7.1 The Customer grants DWS IQ Oü a general authorization to use Sub-processors.
7.2 DWS IQ Oü ensures each Sub-processor provides appropriate guarantees. DWS IQ Oü remains fully responsible for Sub-processor compliance.
7.3 The list of authorized Sub-processors is in Annex A below.
7.4 Changes to the Sub-processor list will be notified 30 days in advance. The Customer may object if the change is contrary to Data Protection Regulations.
Article 8. Security of Data Processing
DWS IQ Oü implements appropriate technical and organizational measures including:
- Encryption at rest (AES-256) and in transit (TLS 1.3)
- Measures to guarantee confidentiality, integrity, availability and resilience
- Regular testing and evaluation of security measures
- Physical security at processing locations
- Event logging including AI system logging per EU AI Act Article 12
- JWT-based authentication with role-based access control
- Data minimization and limited retention
- Data protection by design and by default
Detailed TOM are set out in Annex B below.
Article 9. Personal Data Breach
9.1 In the event of a Personal Data Breach, DWS IQ Oü shall:
9.1.1 Inform the Customer within 48 hours of becoming aware, providing information needed for the Customer to notify the Supervisory Authority per Articles 33 and 34 GDPR.
9.1.2 Implement measures to minimize risks and mitigate harmful effects without undue delay.
9.2 If full information is not available immediately, an initial notification will be followed by additional notifications.
9.3 DWS IQ Oü maintains a register of all Personal Data Breaches, their circumstances, consequences, and remedial measures.
Article 10. Rights of Data Subjects
10.1 DWS IQ Oü cooperates with the Customer to handle Data Subject requests within GDPR timeframes.
10.2 Customer rights requests are managed via the DWS IQ 6 Platform administration panel. Other requests can be sent to legal@lifetime.fi.
Article 11. Communication and Transfer of Personal Data
11.1 DWS IQ Oü Services are located within the European Union by default. Primary processing takes place in Finland and Germany.
11.2 DWS IQ Oü shall not transmit Personal Data outside the EU without prior notice, and if transferred, shall apply Standard Contractual Clauses (SCC) and appropriate supplementary measures.
11.4 AI Model Provider Transfers
Where AI Processing requires transmission to model providers:
- Transfers are covered by appropriate safeguards under GDPR Chapter V
- Data minimization, anonymization, or pseudonymization is applied before transmission
- A record of all AI model providers receiving Personal Data is maintained in Annex A
Article 12. Audit
12.1 DWS IQ Oü will provide documentation needed to demonstrate DPA compliance upon request.
12.2 The Customer may audit at its own expense, at most once per year, with 30 days' written notice. The audit may be performed by the Customer or an independent third-party auditor.
12.3 Audit results are confidential and subject to NDA.
Article 13. End of Contract
13.1 Upon Contract termination, DWS IQ Oü ceases all Data Processing and deletes Personal Data and copies, unless retention is required by law.
13.2 The Customer is responsible for data conservation prior to Contract end.
13.3 A data export facility is available for 30 days following termination, after which all Customer data is securely deleted.
Article 14. Miscellaneous Provisions
14.1 This DPA is governed by Finnish law. The courts of Helsinki, Finland have exclusive jurisdiction.
14.2 This Agreement supersedes all prior agreements relating to Personal Data. Amendments must be in writing.
14.3 In case of contradiction between this DPA and the Contract, this DPA takes precedence regarding Personal Data Processing.
Article 15. Contact
- DWS IQ Oü DPO: risto@lifetime.fi
- Privacy Team: legal@lifetime.fi
- Data Breach Notification: security@lifetime.fi
- Privacy Policy: dws10.com/privacy-policy/
Annex A: Authorized Sub-processors
| Sub-processor | Purpose | Data Location | Data Processed |
|---|---|---|---|
| Supabase Inc. | Database hosting, auth, real-time | EU (Finland/Germany) | Platform data, auth data |
| Google Cloud (Google LLC) | Cloud Run, AI APIs (Gemini) | EU (Finland) | Application data, AI inference |
| Cloudflare Inc. | CDN, edge computing, DDoS | EU edge nodes | Traffic metadata, cached content |
| Anthropic PBC | AI language model (Claude API) | USA* | Pseudonymized compliance data |
| Groq Inc. | AI inference acceleration | USA* | Pseudonymized AI processing data |
| Temporal Technologies | Workflow orchestration | EU | Workflow metadata, task IDs |
* For USA-based Sub-processors, Standard Contractual Clauses (SCC) and supplementary measures are in place. Data minimization and pseudonymization are applied before cross-border transfer.
Annex B: Technical and Organizational Measures (TOM)
B.1 Access Control
- Role-based access control (RBAC) with principle of least privilege
- JWT-based authentication with token expiration
- Multi-factor authentication for administrative access
- Supabase Row Level Security (RLS) at database level
B.2 Encryption
- Data at rest: AES-256 (Supabase/PostgreSQL)
- Data in transit: TLS 1.3 for all API communications
- Database connections encrypted via SSL/TLS
- Secrets managed via environment variables, never in source code
B.3 Network Security
- Helmet.js security headers on all Express endpoints
- Cloudflare WAF and DDoS protection
- VPC network isolation for database services
- API rate limiting and input validation
B.4 Data Minimization
- Personal Data pseudonymized before AI model API calls where feasible
- Collection limited to what is strictly necessary
- Automated retention policies with configurable expiry
B.5 Monitoring and Logging
- Comprehensive event logging for all platform operations
- AI system decision logging per EU AI Act Article 12
- Security incident monitoring and alerting
- Audit trail for all data access and modifications
B.6 Business Continuity
- Automated database backups with point-in-time recovery
- Multi-region deployment (Finland/Germany)
- Documented disaster recovery with RTOs and RPOs
B.7 Staff Measures
- Confidentiality agreements for all employees and contractors
- Regular data protection training
- Access revocation upon termination of employment
DWS IQ Oü (Subsidiary of Lifetime Oy, Y-tunnus: 0772407-9)
Laidunmaanraitti 2 A 25, 02330 Espoo, Finland
Document history:
2026-02-05: v1.0 — Initial DPA created
2026-04-02: v1.1 — Entity name corrected (DWS IQ Oü), placeholders filled, published to dws10.com/dpa/
Next review: 2026-07-01 (quarterly)