Data Processing Addendum

This Data Processing Addendum (“DPA”) forms part of, and is incorporated by reference into, both the Isovel Trial & Website Terms and the Isovel Subscription Agreement (each, the “Agreement”) between Isovel, Inc. (“Isovel,” “we,” “us”) and the customer that accepts the Agreement (“Customer,” “you”). It applies whenever Isovel processes Personal Data on your behalf, including from the first day of a free trial. If the Agreement and this DPA conflict on the subject of data processing, this DPA controls.

Plain-English summary. Your Business Central data is yours. When that data contains personal information about real people (like the names or emails inside vendor or customer records), you’re the controller and we’re your processor — we only handle it to run the service for you, we keep it secure, we use the short sub-processor list in our privacy policy, and we delete it when you leave. Isovel is offered in the US and Canada; we don’t process EEA/UK/Swiss personal data.

1. Definitions

• Personal Data — information relating to an identified or identifiable individual that Isovel processes on your behalf under the Agreement. In practice this is limited to identifiers inside the Business Central data you authorize us to access (for example, contact names, emails, and similar fields in vendor and customer records). Most data Isovel processes — items, locations, inventory, sales history, purchase orders — is business data, not Personal Data.
• Processing, Controller, Processor, and Data Subject have the meanings given under applicable data protection law.
• Sub-processor — a third party Isovel engages to process Personal Data in connection with the service.
• Applicable Data Protection Law — the privacy and data protection laws of the United States (including the CCPA where it applies) and Canada (including PIPEDA), as applicable to the parties.

2. Roles of the parties

You are the Controller of the Personal Data. Isovel is your Processor (a “service provider” under the CCPA), acting only on your documented instructions. The company that operates the Business Central tenant — not Microsoft — is the Controller of the data in that tenant; Microsoft and Isovel each act as service providers under your authorization.

3. Scope and purpose of processing

• Subject matter: provision of the Isovel supply chain planning service for Microsoft Dynamics 365 Business Central.
• Duration: for the term of the Agreement, plus the deletion windows in Section 9.
• Nature and purpose: reading authorized Business Central data into Isovel’s analytics environment to forecast demand and generate replenishment, inventory, and exception recommendations, and (for paid customers) writing approved changes back to Business Central under your control.
• Types of Personal Data: contact identifiers within vendor and customer records (names, business emails, and similar fields); authentication identifiers of your authorized users.
• Categories of Data Subjects: your authorized users, and the business contacts within your Business Central records.
• No sensitive data: Isovel is not designed to process special-category or sensitive Personal Data (health, biometrics, government IDs), and you agree not to load it into the service.

4. Your instructions

Isovel will process Personal Data only on your documented instructions, including those set out in the Agreement and this DPA, unless required to act otherwise by law (in which case we’ll tell you, unless the law prohibits it). Your configuration of the service and your authorization of the Business Central connection constitute documented instructions. Isovel will tell you if, in our opinion, an instruction violates Applicable Data Protection Law.

5. Service provider commitments (CCPA)

Isovel will not: (a) sell or share Personal Data; (b) retain, use, or disclose Personal Data for any purpose other than performing the service, or as otherwise permitted by the CCPA; (c) retain, use, or disclose Personal Data outside the direct business relationship with you; or (d) combine Personal Data with data from other sources except as permitted by the CCPA. Isovel certifies that it understands and will comply with these restrictions.

6. Confidentiality

Isovel ensures that personnel authorized to process Personal Data are bound by confidentiality obligations and access Personal Data only on a need-to-know basis to provide the service.

7. Security

Isovel maintains technical and organizational measures appropriate to the risk, as described on the security page, including encryption in transit (TLS) and at rest, least-privilege OAuth scopes for Business Central, audit logging, and a 24-hour rollback window on every write-back. Isovel is pursuing SOC 2 Type 1 for GA. You’re responsible for the security of your own systems, credentials, and Business Central configuration.

8. Sub-processors

You authorize Isovel to engage the Sub-processors listed in our privacy policy, which we keep current. Isovel imposes data protection obligations on each Sub-processor that are substantially as protective as those in this DPA, and remains responsible for their performance. For paid customers under the Subscription Agreement, Isovel will give advance notice of material new or replacement Sub-processors; if you reasonably object on data protection grounds, you may terminate the affected service as your exclusive remedy.

9. Return and deletion

On expiry or termination of the Agreement, Isovel will delete Personal Data on the timelines in our privacy policy: trial data within 30 days of trial end, and paid customer data within 30 days of termination, after which residual copies in encrypted backups are purged on our normal backup cycle (within 90 days). You may export your data during the term. Isovel may retain Personal Data where required by law (for example, tax or security records), under continued protection.

10. Assistance to you

Taking into account the nature of processing, Isovel will provide reasonable assistance to help you: (a) respond to Data Subject requests (access, correction, deletion, and similar) — if a Data Subject contacts Isovel directly, we’ll refer them to you; (b) meet your security, breach-notification, and impact-assessment obligations. Because you control the data in Business Central and within the service, you can fulfill most requests directly.

11. Personal Data breach

Isovel will notify you without undue delay, and in any case within 72 hours, after becoming aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of Personal Data processed under this DPA, and will provide information reasonably available to help you meet your notification obligations. Notice of a breach is not an acknowledgment of fault or liability.

12. Data location and international transfers

Isovel processes and stores Personal Data in the United States (Google Cloud us-central1), with backups in US regions. The service is offered to customers in the United States and Canada and is not directed to the EEA, the UK, or Switzerland; Isovel does not knowingly process Personal Data subject to the GDPR or UK GDPR. If your use would require EU/UK data residency or transfer mechanisms such as Standard Contractual Clauses, do not use the service until Isovel offers those features.

13. Audit

On reasonable written request (no more than once per year, except as required by a regulator or following a breach), Isovel will make available information reasonably necessary to demonstrate compliance with this DPA, which may take the form of Isovel’s then-current third-party audit reports or security documentation (for example, SOC 2 when available) under confidentiality.

14. Term, order of precedence, and liability

This DPA is effective for as long as Isovel processes Personal Data under the Agreement. Each party’s liability under this DPA is subject to the limitations of liability in the Agreement. For paid customers, the Data Processing terms in this DPA govern over any conflicting data-processing language in the Trial & Website Terms.

15. Contact

Data protection questions and requests: support@getisovel.com.