Data Processing Agreement

Effective 3 June 2026 · Version 2026.06.01

This DPA forms part of the Terms of Service between iso-compliant Inc. (the Processor) and the Customer (the Controller) and sets out the parties' respective obligations under GDPR Article 28, the UK Data Protection Act 2018, the Swiss nFADP, and analogous applicable data-protection law in the customer's jurisdiction.

This page summarises the structure of the DPA. The countersigned PDF, including Annex I (data flow), Annex II (technical and organisational measures), and Annex III (sub-processor list with regions), is executed alongside the order form on the paid and enterprise tiers. Request a copy at legal@iso-compliant.com.

Roles and scope

For the data processed in the course of providing the Service, the Customer is the Controller and iso-compliant is the Processor. iso-compliant processes Customer Personal Data only on the documented instructions of the Customer (the Terms of Service plus the request payload itself constitute those instructions).

Categories of data

  • Authentication data — Customer end-user credentials, API key prefixes and hashes.
  • Payment-instruction metadata — names, addresses, IBAN, BIC, mandate IDs, end-to-end IDs, amounts, currencies.
  • Audit attestation data — SHA-256 hashes of canonical request/response bodies; no plaintext payment content.

Sub-processors

The sub-processor inventory is the live, append-only table at public.vendor_inventory in the platform database; summarised below. iso-compliant gives the Customer at least 30 days' advance notice of any new or replacement sub-processor through the dashboard and via email to the Customer's account administrator. The Customer may object on reasonable data-protection grounds; if iso-compliant cannot accommodate the objection, the Customer may terminate the affected portion of the Service.

  • Supabase Inc. — Postgres host, auth. Region: customer-elected per the order form; default EU-Frankfurt (eu-central-1), additional regions available on request.
  • Cloudflare, Inc. — Workers runtime, R2 ephemeral cache, KV rate-limit, DNS, WAF, edge TLS. Global anycast PoPs; data-localisation enforced through Data Localization Suite for customers whose order form pins a specific region.
  • Stripe Inc. — Subscription billing, invoice generation, payment-method storage. Region: Ireland for EU/UK customers; United States for customers elsewhere, per Stripe's standard tenancy.
  • SMTP relay — Customer-elected transactional email sender. The Customer provides credentials; iso-compliant relays outgoing email through that endpoint and does not retain message bodies after dispatch.

International transfers

For Customer Personal Data that leaves the EU/EEA in the course of normal Service operation, iso-compliant relies on the Standard Contractual Clauses (SCC) Module Two (Controller → Processor) as the transfer mechanism. Equivalent mechanisms apply for transfers subject to UK GDPR (the UK International Data Transfer Addendum) and the Swiss nFADP (the Swiss Addendum) where the Customer's residency profile triggers them. Sub-processor DPAs incorporate the SCC by reference.

Data-subject requests

The Customer is responsible for receiving and assessing data-subject requests under GDPR Articles 15–22 and nFADP Articles 25–28. iso-compliant assists the Customer by providing the necessary technical interfaces (dashboard data export and erasure endpoints).

Personal data breach notification

iso-compliant notifies the Customer without undue delay, and in any event within 48 hours, of becoming aware of a personal-data breach affecting Customer Personal Data. The notification includes the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed.

Audit cooperation

On the enterprise tier, the Customer may request a third-party audit of iso-compliant's data-protection controls once per calendar year, at the Customer's expense, on at least 60 days' written notice. iso-compliant provides the SOC 2 Type 2 report (when available) and the latest external penetration-test executive summary as supplementary evidence under NDA.

Return and deletion

On termination, iso-compliant retains Customer audit-attestation hashes and idempotency records for seven (7) years (regulatory retention) and erases all other Customer Personal Data within 90 days unless the Customer instructs otherwise in writing.

Contact

Data protection: privacy@iso-compliant.com
Legal: legal@iso-compliant.com