Data Processing Agreement
Last updated: February 2026
1. Definitions
In this Data Processing Agreement ("DPA"):
- "Controller" means the Customer who determines the purposes and means of processing personal data.
- "Processor" means Isurdan, which processes personal data on behalf of the Controller.
- "Personal Data" means any information relating to an identified or identifiable natural person as defined in the GDPR.
- "Processing" means any operation performed on personal data, as defined in Article 4(2) of the GDPR.
- "Sub-processor" means any third party engaged by the Processor to process personal data on behalf of the Controller.
2. Scope and Purpose
This DPA applies to all processing of personal data by Isurdan on behalf of the Customer in connection with the Isurdan platform services. The purpose of processing is to provide the SaaS platform services as described in the service agreement, including people management, goal tracking, compliance management, and related analytics.
3. Processing Details
Categories of data subjects: Customer's employees, contractors, candidates, and other individuals whose data is entered into the platform.
Types of personal data: Name, email, job title, department, compensation, employment history, time-off records, performance data, equipment assignments, expense records, and other data entered by the Customer.
Duration: For the term of the service agreement, plus a data deletion period of 90 days after termination.
4. Obligations of the Processor
Isurdan shall:
- Process personal data only on documented instructions from the Controller, unless required by applicable law.
- Ensure that persons authorised to process personal data have committed to confidentiality obligations.
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including encryption at rest (AES-256) and in transit (TLS 1.3).
- Not engage another processor without prior written authorisation of the Controller. The Controller provides general authorisation for sub-processors listed in our sub-processor registry.
- Assist the Controller in responding to data subject requests within statutory deadlines.
- Delete or return all personal data to the Controller within 90 days after the end of the service agreement, unless retention is required by law.
- Make available to the Controller all information necessary to demonstrate compliance with GDPR obligations.
5. Sub-processors
Isurdan uses the following categories of sub-processors:
- Cloud infrastructure: Google Cloud Platform (europe-west2 region) for hosting, database, and storage services.
- Content delivery: Cloudflare for DDoS protection and content delivery.
- AI processing: Anthropic for AI-powered analytics features (data processed in-session only, not used for training).
The Controller will be notified at least 30 days in advance of any new sub-processor engagement and may object to the change.
6. Security Measures
Isurdan implements the following technical and organisational measures:
- AES-256 encryption at rest for all stored personal data.
- TLS 1.3 encryption for all data in transit.
- Role-based access control (RBAC) following the principle of least privilege.
- Automated database backups with point-in-time recovery.
- Immutable audit logging with cryptographic hash chain.
- DDoS protection via Cloudflare.
- Container-based deployments with automated security scanning.
7. Data Subject Rights
Isurdan shall assist the Controller in fulfilling its obligations to respond to data subject requests under GDPR Articles 15-22, including access, rectification, erasure, restriction, portability, and objection requests. The platform provides built-in tools for processing these requests.
8. Breach Notification
In the event of a personal data breach, Isurdan shall notify the Controller without undue delay and in any event within 48 hours of becoming aware of the breach. The notification shall include the nature of the breach, categories of data affected, likely consequences, and measures taken or proposed to address the breach.
9. International Transfers
All personal data is stored within the European Economic Area (Google Cloud Platform europe-west2 region). In the event that any processing requires transfer of personal data outside the EEA, Isurdan shall ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission.
10. Audit Rights
The Controller has the right to conduct audits, including inspections, to verify Isurdan's compliance with this DPA. Isurdan shall cooperate with such audits and provide access to relevant documentation, systems, and facilities. Audits shall be conducted with reasonable notice and during normal business hours.
11. Term and Termination
This DPA shall remain in effect for the duration of the service agreement. Upon termination, Isurdan shall delete all personal data within 90 days, unless retention is required by applicable law. The Controller may request a copy of its data in a machine-readable format before deletion.
12. Contact
For questions about this DPA or to request a signed copy, contact us at: