Last updated: 18 September 2025
Koivu Solutions Oy (“Koivu”, Business ID FI28695705), Tiedepuisto 4, A 251, 28600 Pori, Finland, acts primarily as a processor of personal data on behalf of our customer organizations (the controllers) that use our Sotender and Koivu Cloud services. For a few limited purposes described below (e.g., our website, support tickets, billing contacts), Koivu acts as a controller.
If you are an end user (e.g., a temporary worker or scheduler) using Sotender for a specific hospital, city or company, that organization is your data controller. Their privacy notice governs how your personal data is used. Koivu processes your data only according to the controller’s written instructions and our Data Processing Agreement (DPA).
1. Roles and contact
Controller for tenant data: Your employer/ordering organization using Sotender/Koivu Cloud. Please see their privacy notice (usually linked from inside the app or your employer’s intranet) for purposes, legal bases, retention and rights.
Processor: Koivu Solutions Oy, contact: support@koivusolutions.com.
Controller for Koivu’s own operations: Koivu Solutions Oy for website analytics, sales/CRM contacts, support tickets you send directly to us, and account/admin contact data in contracts and invoicing.
2. Personal data we handle as a processor (on behalf of customer controllers)
The exact data and legal bases are determined by each controller and their privacy notice. Typical categories include:
Identification and contact data (e.g., name, email/phone) to operate the service
Employment-related information relevant to shift management (e.g., qualifications, availability)
Authentication identifiers (email/ID provider subject) and technical logs for security
Use of data for improvements/AI: We do not use customer personal data for Koivu’s own product training or marketing. Aggregated and de‑identified statistics may be used to operate and improve reliability and security. Any broader analytics or AI training using personal data is done only if explicitly instructed by the controller and covered by the DPA.
Retention: We retain personal data only as long as the controller instructs or as required to provide the service (including short‑term backups and logs). Upon contract end or instruction, data is deleted or returned per the DPA and backup cycles.
Sub‑processors: We use audited sub‑processors to provide the service (hosting, email delivery, identity). The current list and locations are maintained here:
Sotender Trust Center page at: https://storage.googleapis.com/koivusolutions/trustcenter.html
International transfers: Production hosting is in the EU. Limited personal data (typically email address and minimal auth metadata) may be transferred to the US for transactional email (SendGrid) and authentication brokering (Google Identity Platform). Transfers rely on DPF adequacy or, if not available, SCCs + TIA as documented in our DPF records.
Security: We are ISO/IEC 27001:2022 certified. Measures include encryption in transit and at rest, access control, logging/monitoring, backups and tested restore, and incident response and customer notification processes.
Your rights: Please contact your organization (controller). Koivu will assist the controller to answer access, correction, deletion, objection and portability requests according to GDPR and our DSAR procedure.
3. Personal data we process as a controller (Koivu’s own operations)
Website & Marketing: visitor analytics and B2B marketing contacts (legitimate interest; opt‑out available)
Support: messages you send to support@koivusolutions.com, contactus@koivusolutions.com or via in‑app forms (contract/legitimate interest)
Account & Billing Contacts: names, emails, phone numbers of customer admins for service management and invoicing (contract/legal obligation)
Recruitment: applicants’ data for hiring (consent/legitimate interest)
Retention: Per purpose—e.g., support tickets 36 months, marketing contacts until opt‑out or inactivity, contracts and billing records retained per statutory requirements.
Your rights with Koivu as controller: Email support@koivusolutions.com. We will verify identity and respond per GDPR.
4. Data recipients and transfers
Hosting: Google Cloud Platform (EU regions)
Email delivery: Twilio SendGrid (US) – DPF/SCCs
Authentication: Google Identity Platform (US) – DPF/SCCs
Additional processors may be used for monitoring, error tracking, and support tooling as listed in our Sub‑processor Registry.
5. Security measures (high level)
Encryption at rest and in transit; MFA and role‑based access
Vulnerability management, logging/monitoring, backups and tested restoration
Incident management with customer notifications where we are processor; breach handling and registers maintained
6. How to make a request or complaint
If your data relates to a Sotender/Koivu Cloud tenant, contact your organization’s privacy contact (controller). Koivu will assist the controller.
If your request concerns Koivu’s own operations (website, support, invoices), contact support@koivusolutions.com.
You may lodge a complaint with the Finnish Data Protection Ombudsman.
7. Links to detailed records and policies
See more at the Sotender Trust Center: https://storage.googleapis.com/koivusolutions/trustcenter.html
Appendix A – Short Privacy Notice Template for Controllers (for customers to link)
[Organization Name] – Privacy Notice for Sotender/Koivu Cloud
Controller: [Organization legal name, address, contact]
Processor: Koivu Solutions Oy, Tiedepuisto 4, A 251, 28600 Pori, Finland; support@koivusolutions.com
See more at the Sotender Trust Center: https://storage.googleapis.com/koivusolutions/trustcenter.html
Purposes & Legal Bases: We process personal data to manage shifts and staffing, communicate with workers, ensure compliance, secure access, and produce operational reporting. Legal bases: performance of contract (GDPR Art. 6(1)(b)), legal obligation (e.g., employment/payroll), and legitimate interests (service administration and security). Special categories (if any) processed only where necessary and lawfully (e.g., occupational health restrictions) with appropriate safeguards.
Categories of data: identification and contact details; employment and qualification details; shift preferences/availability; technical identifiers and logs for security.
Recipients: Koivu Solutions Oy (processor) and its sub‑processors for hosting, email and identity. See Koivu’s Sub‑processor Registry. Other recipients only where legally required or necessary for the above purposes (e.g., payroll/HR systems under contract).
Transfers outside EU/EEA: Limited transfers to the US for transactional email and identity brokering. Protected by the EU–US DPF (or SCCs + TIA if DPF not applicable). See Koivu’s DPF records.
Retention: We retain data no longer than necessary for staffing and legal requirements. Typical operational data is retained for [X] months after the last activity; logs [Y] days; backups per Koivu’s backup cycles. Local retention details: [link to your policy].
Your rights: GDPR rights of access, rectification, erasure, restriction, objection, portability. Contact: [controller contact/email].
Complaints: Finnish Data Protection Ombudsman (or your local authority).
Last updated: [date]