Bracketed placeholders ([[ … ]]) must be completed, and this policy reviewed by qualified counsel against GDPR (EU 2016/679), UK GDPR and the applicable GCC Personal Data Protection Law(s), before it is relied upon.

ISOXPERT Compliance360 ("ISOXPERT", "we", "us") is a governance, risk and compliance (GRC) SaaS platform operated by [[LEGAL ENTITY NAME]], registered at [[REGISTERED ADDRESS]], [[COUNTRY]].
Controller vs. processor. For data about your own account and our direct customers we act as a controller. For personal data that a customer organization uploads about its employees, suppliers and customers, ISOXPERT acts as a processor on that organization's behalf under a Data Processing Agreement (Section 11).
We process the following categories of personal data:

| Category | Examples | Source |
|---|---|---|
| Account & identity | Name, work email, role, organization, sign-in identifiers | You / your administrator; Google OAuth |
| Employee & competency records | Names, employee IDs, department, manager, training, certifications | Customer administrators; ERP integration |
| Compliance records | Audits, non-conformances, CAPAs, incidents (incl. reporter/witness/investigator identities), management-review attendees & e-signatures | Customer users |
| Business contacts | Supplier and customer contact names, emails, phone numbers, addresses, countries | Customer users |
| Billing | Organization, plan, subscription status, affiliate code (card data handled by Stripe, not stored by us) | Stripe |
| Usage & audit logs | User ID/email, action, timestamp, field-level change history; AI usage metering | Generated automatically |
| Technical | Authentication tokens and session identifiers; IP address and connection metadata held by our hosting and authentication providers | Automatic |
We do not intentionally collect special-category data (GDPR Art. 9). Customers must not upload health, biometric or other sensitive personal data, including into free-text fields such as incident descriptions, unless a lawful basis has been established and the relevant DPA terms are in place.
We process personal data for the following purposes and on the following lawful bases:

| Purpose | Lawful basis |
|---|---|
| Provide the platform and its features | Contract (Art. 6(1)(b)) |
| Maintain audit trails and accountability records | Legal obligation / legitimate interest (Art. 6(1)(c)/(f)) |
| AI-assisted drafting and analysis (Google Gemini) | Contract and legitimate interest (Art. 6(1)(b)/(f)); see Section 6 |
| Billing and subscription management (Stripe) | Contract (Art. 6(1)(b)) |
| Security, fraud prevention, service improvement | Legitimate interest (Art. 6(1)(f)) |
| Marketing communications (if any) | Consent (Art. 6(1)(a)) — withdrawable at any time |
We share personal data only with the sub-processors listed on our sub-processor page (or on request), each under a data-processing agreement: Supabase (database, auth, hosting), Google (Gemini API) (AI features), Stripe (billing), Vercel (hosting), and optional customer-enabled ERP integrations (SAP / Oracle / Odoo). We do not sell personal data.
Our sub-processors may process data outside your country, including in the United States. Where personal data leaves the EEA or the UK, or a GCC jurisdiction that restricts international transfers, the transfer is covered by the EU Standard Contractual Clauses (with the UK Addendum where UK GDPR applies) and/or an adequacy decision or certification that the provider relies on.
Certain features send the relevant compliance content (e.g., audit details, findings, incident descriptions) to the Google Gemini API to generate drafts and analysis. Under Google's Gemini API terms, content sent to the paid Gemini API is not used to train Google's models. We send only the data needed for the requested feature and minimize and pseudonymize direct identifiers where practical.
You have the right to access, rectify, erase, restrict and port your personal data, to object to its processing, and to lodge a complaint with a supervisory authority. To exercise these rights, email [[privacy@your-domain.com]]; we respond within one month (GDPR Art. 12(3), extendable by up to two further months for complex or numerous requests) or within the period required by the applicable PDPL. Where ISOXPERT acts as a processor, requests from a customer's employees are routed to that customer (the controller), whom we assist.
We retain personal data only as long as necessary for the purposes above and to meet legal and audit obligations. Compliance and audit records may be retained for the statutory period even after an account closes; where possible we pseudonymize rather than delete records that must be kept for audit integrity.
Data is encrypted in transit (TLS). Access is controlled by authentication, role-based access control, and database row-level security that isolates each organization's data. Administrative secrets are held server-side only. We maintain an immutable change-audit log.
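The row-level security mentioned above is the control that keeps one organization's records from being readable or writable by another organization's users. The following is an added illustrative example of how that isolation is typically expressed in PostgreSQL on Supabase; it is not ISOXPERT's actual schema or code. The table and column names (organization_members, incidents, organization_id), the use of Supabase's auth.uid() helper and the authenticated role, and the sample UUID in the smoke test are all assumptions made for the illustration.

```sql
-- Added illustrative example (not ISOXPERT's schema): tenant isolation with
-- PostgreSQL row-level security as used on Supabase. Names are assumptions.

-- Which users belong to which organization. This table is itself protected by
-- RLS, because policies on other tables query it as the calling user.
create table organization_members (
  user_id         uuid not null,
  organization_id uuid not null,
  role            text not null check (role in ('admin', 'member')),
  primary key (user_id, organization_id)
);

alter table organization_members enable row level security;
alter table organization_members force row level security;

-- A user may see only their own memberships.
create policy members_select_own on organization_members
  for select to authenticated
  using (user_id = auth.uid());

-- A tenant-scoped compliance record (incident reports, in this example).
create table incidents (
  id              uuid primary key default gen_random_uuid(),
  organization_id uuid not null,
  description     text not null,
  created_by      uuid not null default auth.uid(),
  created_at      timestamptz not null default now()
);

-- Enable RLS; FORCE so even the table owner is subject to the policies.
alter table incidents enable row level security;
alter table incidents force row level security;

-- Reads: a row is visible only to authenticated members of its organization.
create policy incidents_select on incidents
  for select to authenticated
  using (
    organization_id in (
      select organization_id from organization_members
      where user_id = auth.uid()
    )
  );

-- Writes: WITH CHECK is what stops a user from inserting rows into another
-- tenant's organization_id. A SELECT-only policy would leave writes open.
create policy incidents_insert on incidents
  for insert to authenticated
  with check (
    organization_id in (
      select organization_id from organization_members
      where user_id = auth.uid()
    )
  );

-- Smoke test inside a transaction: impersonate a constructed user. Supabase's
-- auth.uid() reads the JWT subject from the request.jwt.claims setting.
begin;
set local role authenticated;
select set_config(
  'request.jwt.claims',
  '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}',
  true
);
-- Returns only rows from organizations this user belongs to (0 for a user
-- with no memberships), regardless of how many incidents exist overall.
select count(*) from incidents;
rollback;
```

Two caveats a reviewer would check for: every table holding tenant data needs both a USING clause (reads) and a WITH CHECK clause (writes), and the Supabase service-role key bypasses RLS entirely, which is why, as the policy states, administrative secrets must stay server-side and never reach the browser.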
ISOXPERT uses only strictly necessary storage (cookies and browser storage) for authentication sessions and local application state. We do not use advertising or cross-site tracking cookies.
Where ISOXPERT processes personal data on a customer's behalf, our DPA terms apply, including sub-processor terms, security measures, breach notification, and assistance with data subject requests and DPIAs. Contact [[privacy@your-domain.com]].
We will post material changes here and notify account administrators. Questions: [[privacy@your-domain.com]].