Data Processing Agreement

Effective Date: 13 February 2026
Last Updated: 13 February 2026
Version: 1.0

This Data Processing Agreement (“DPA”) forms part of the agreement between the customer (“Controller”) and ISO Mate (“Processor”) for the provision of the ISO Mate platform. This DPA sets out the terms under which the Processor processes personal data on behalf of the Controller in connection with the services.

1. Definitions

  • Controller: The customer who determines the purposes and means of processing personal data by using the ISO Mate platform.
  • Processor: ISO Mate, which processes personal data on behalf of the Controller to provide the platform services.
  • Data Subject: An identified or identifiable natural person whose personal data is processed through the platform.
  • Personal Data: Any information relating to a Data Subject that is processed through the platform on behalf of the Controller.
  • Sub-processor: A third party engaged by the Processor to assist in processing personal data on behalf of the Controller.

2. Scope and Purpose

The Processor processes personal data solely for the purpose of providing the ISO Mate platform services to the Controller. This includes hosting, storing, and managing data that the Controller and its authorised users create, upload, or otherwise submit to the platform. The Processor does not process personal data for any purpose other than delivering the agreed services, unless required by applicable law.

3. Categories of Personal Data

The following categories of personal data may be processed through the platform, depending on how the Controller and its users use the services:

  • User profile data: Name, email address, phone number, timezone, and locale preferences.
  • Account and organisation data: Organisation name, account settings, role assignments, and user group memberships.
  • Content created within the platform: Issues, tasks, test cases, notes, diagrams, chat messages, emails, calendar events, custom object entries, user stories, sprints, releases, compliance records, and any other data entered by users.
  • File uploads: Documents, images, and other files uploaded to the platform by users.
  • Activity logs: Login attempts, audit trail records, consent records, and other system-generated activity data.
  • Billing data: Stripe customer identifiers, subscription status, and payment-related metadata. Full payment card details are processed and stored exclusively by Stripe and are never stored on ISO Mate’s infrastructure.
  • OAuth tokens: Authentication and refresh tokens for third-party integrations including Google (Gmail, Google Calendar, Google Meet) and Xero.

4. Obligations of the Processor

The Processor shall:

  • Process personal data only on documented instructions from the Controller, unless required to do so by applicable law.
  • Ensure that persons authorised to process personal data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of processing.
  • Assist the Controller in responding to requests from Data Subjects exercising their rights under applicable data protection law.
  • Assist the Controller in ensuring compliance with obligations relating to security of processing, data breach notification, data protection impact assessments, and prior consultation with supervisory authorities, where applicable.
  • At the Controller’s choice, delete or return all personal data to the Controller after the end of the provision of services, and delete existing copies unless applicable law requires storage.
  • Make available to the Controller all information necessary to demonstrate compliance with the obligations set out in this DPA.

5. Sub-processors

The Processor uses the following sub-processors to deliver the platform services. The Controller authorises the use of these sub-processors:

  • Amazon Web Services (AWS): Infrastructure hosting, compute, database, storage, and content delivery services. Primary region: ap-southeast-2 (Sydney, Australia).
  • Stripe: Payment processing and subscription management. Stripe processes billing data including payment card details on its own infrastructure.
  • Google: OAuth authentication (Sign in with Google), Gmail integration, Google Calendar synchronisation, and Google Meet integration.
  • Xero: Accounting integration to record Stripe subscriptions.
  • Mailgun: Transactional email delivery for system notifications, password resets, and other platform-generated emails.

The Processor will inform the Controller of any intended changes to sub-processors, giving the Controller the opportunity to object to such changes.

6. Technical and Organisational Measures

The Processor implements the following measures to protect personal data:

Encryption at Rest

All databases (Aurora Serverless v2, DocumentDB) and all storage services (Amazon S3, Amazon EFS) are encrypted at rest using AWS-managed encryption keys.

Encryption in Transit

All data transmitted between users and the platform, and between internal services, is encrypted using SSL/TLS. SSL/TLS is enforced on all S3 buckets and service endpoints.

Access Controls

The platform enforces role-based access control (RBAC) with granular permissions. Authentication is managed through Laravel Sanctum token-based authentication. Two-factor authentication (TOTP with recovery codes) is available for all user accounts.

Audit Logging

User actions, login attempts, and consent changes are recorded in audit logs. These logs support accountability and enable the Controller to monitor access to their data.

Secrets Management

All credentials, API keys, and sensitive configuration values are stored in AWS Secrets Manager. No secrets are stored in application code or configuration files.

7. Data Transfers

The primary infrastructure for the platform is hosted in the AWS ap-southeast-2 (Sydney, Australia) region. Personal data is stored and processed in this region unless a sub-processor operates in a different jurisdiction. The following sub-processors may process data outside the primary region:

  • Stripe: Processes payment data in accordance with Stripe’s data processing terms and may transfer data internationally.
  • Google: Processes authentication and integration data in accordance with Google’s data processing terms.
  • Xero: Processes accounting integration data in accordance with Xero’s data processing terms.
  • Mailgun: Processes transactional email data in accordance with Mailgun’s data processing terms.

Where personal data is transferred outside the primary hosting region, the Processor ensures that appropriate safeguards are in place in accordance with applicable data protection law.

8. Data Retention

The Processor retains personal data in accordance with the following retention practices:

  • Application Load Balancer (ALB) access logs: Retained for 30 days, then automatically deleted.
  • CI/CD pipeline artifacts: Retained for 30 days, then automatically deleted.
  • EFS file storage: Files not accessed for 30 days are transitioned to infrequent access storage via lifecycle policy.
  • S3 file uploads: Versioning is enabled to protect against accidental deletion or overwriting. Previous versions are retained in accordance with the platform’s versioning configuration.
  • Audit logs: Retained indefinitely for compliance and accountability purposes.
  • Consent records: Retained indefinitely to demonstrate compliance with data protection obligations.
  • User-created content: Retained for the duration of the Controller’s subscription and deleted upon request or account termination, subject to any applicable legal retention requirements.

9. Data Subject Rights

The Processor shall assist the Controller in fulfilling its obligations to respond to Data Subject requests, including:

  • Right of access: Data Subjects may request a copy of their personal data held on the platform.
  • Right to rectification: Data Subjects may request correction of inaccurate or incomplete personal data.
  • Right to erasure: Data Subjects may request deletion of their personal data, subject to any legal obligations requiring retention.
  • Right to data portability: Data Subjects may request their personal data in a structured, commonly used, and machine-readable format.
  • Right to restriction of processing: Data Subjects may request that processing of their personal data be restricted in certain circumstances.

The Controller is responsible for verifying the identity of Data Subjects and determining the validity of requests. The Processor will provide reasonable assistance to the Controller in responding to such requests.

10. Data Breach Notification

In the event of a personal data breach, the Processor shall notify the Controller without undue delay after becoming aware of the breach. The notification shall include:

  • A description of the nature of the breach, including the categories and approximate number of Data Subjects and personal data records affected.
  • The name and contact details of the Processor’s point of contact for further information.
  • A description of the likely consequences of the breach.
  • A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects.

The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.

11. Audit Rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations set out in this DPA. The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to reasonable notice and confidentiality obligations.

12. Term and Termination

This DPA shall remain in effect for the duration of the Controller’s use of the ISO Mate platform. Upon termination of the services, the Processor shall, at the Controller’s choice, delete or return all personal data processed on behalf of the Controller, unless applicable law requires continued storage. The Processor shall confirm deletion in writing upon request.

13. Contact

For questions or requests relating to this Data Processing Agreement, please contact us at: privacy@isomate.io