ISO Assistant Data Processing Addendum
This Data Processing Addendum forms part of the ISO Assistant Terms and Conditions between Mercator Projects Pty Ltd and the business customer using ISO Assistant.
It applies when Mercator Projects processes personal information contained in customer content on behalf of the customer. It is intended to satisfy the written operator-contract requirements of section 21 of POPIA and, where applicable, Article 28 of the GDPR.
1. Roles and scope
The customer is the responsible party or controller for customer content and Mercator Projects is the operator or processor. If the customer is itself a processor, Mercator Projects acts as its subprocessor.
Mercator Projects remains a responsible party or controller for its own account, billing, security, support, and service-administration information as described in the Privacy Policy.
2. Customer instructions and responsibilities
Mercator Projects will process customer content only to provide, secure, maintain, support, and improve ISO Assistant; comply with documented customer instructions; and comply with applicable law.
The customer is responsible for lawful collection, notices, authorisations, data accuracy, access decisions, and ensuring that instructions comply with applicable data-protection law.
3. Confidentiality
Persons authorised by Mercator Projects to process customer content must be subject to appropriate confidentiality obligations and may access it only as needed for their duties.
4. Security measures
- Tenant-scoped membership, role, permission, and server-side access checks.
- Password hashing, secure production session cookies, session revocation, login abuse protection, and re-authentication for workspace deletion.
- Encrypted transport, provider-managed encryption at rest, private attachment storage, authenticated file delivery, and file-size and type restrictions.
- Security headers, activity records for selected sensitive actions, provider access controls, resilience, backups, and incident investigation procedures.
- Regular review and improvement of safeguards having regard to available technology, implementation cost, processing context, and risk.
5. Security incidents
Mercator Projects will investigate confirmed or reasonably suspected unauthorised access, acquisition, loss, alteration, or disclosure affecting customer content and will notify the customer without undue delay when notification is required by applicable law or this Addendum.
The customer remains responsible for notifications it must make as responsible party or controller. Mercator Projects will provide reasonably available information needed for that assessment.
6. Subprocessors
The customer gives general written authorisation for the subprocessors listed on the ISO Assistant Subprocessors page. Mercator Projects will require subprocessors to protect personal information through written terms appropriate to their role.
Mercator Projects will publish material changes to that list in advance where reasonably practicable. A customer with a reasonable data-protection objection should contact info@isoassistant.com promptly so the parties can seek a practical solution.
7. International transfers
Processing may occur outside South Africa or the country in which the customer or data subject is located. Mercator Projects will use contractual or other safeguards intended to meet POPIA section 72 and, where applicable, GDPR Chapter V, including provider data-processing terms and Standard Contractual Clauses where relevant.
8. Data-subject requests
Taking into account the nature of the processing, Mercator Projects will provide reasonable assistance for requests to access, correct, delete, restrict, object to, or port customer-controlled personal information. The customer remains responsible for deciding and communicating the response.
9. Risk assessments and regulatory assistance
Mercator Projects will provide reasonably available information to assist with required security assessments, data-protection impact assessments, prior consultations, and regulator enquiries relating to its processing of customer content.
10. Return and deletion
Customers should export records they are legally required to retain before requesting deletion. A workspace owner may request permanent workspace deletion through Billing. The request has a 30-day grace period, is disclosed to all active administrators, and may be cancelled before processing begins.
After the grace period, ISO Assistant removes the workspace’s active database records and stored files. Residual encrypted copies may remain temporarily in restricted provider backups until normal backup rotation, unless retention is required by law. Such residual copies are not available through the application or used for ordinary business purposes.
11. Compliance information and audits
On reasonable request and subject to confidentiality, Mercator Projects will provide available information reasonably necessary to demonstrate compliance with this Addendum. Independent provider audit reports or certifications may be used to satisfy infrastructure audit requests.
If that information is insufficient and applicable law requires a further audit, the parties will agree a proportionate scope, timing, confidentiality arrangement, and allocation of exceptional costs.
12. Processing details
- Subject matter: hosting and operating ISO Assistant and processing customer content.
- Duration: the customer relationship plus the deletion and protected-backup rotation period, subject to lawful retention.
- Data subjects: customer users, employees, contractors, suppliers, clients, visitors, auditors, complainants, incident participants, and other persons recorded by the customer.
- Data types: identity, contact, employment, training, supplier, audit, incident, safety, health, evidence, document, communication, technical, and related customer-entered information.
- Sensitive information: customer content may include health, employment, allegations, photographs, safety incidents, or other special personal information where the customer lawfully chooses to record it.
- Operations: collection, recording, organisation, storage, retrieval, display, transmission, support, security monitoring, backup, export, and deletion.
13. Priority and termination
If this Addendum conflicts with the Terms on the protection of customer content, this Addendum prevails to the extent of that conflict. It remains effective until customer content has been deleted or de-identified, subject to lawful retention and protected backup rotation.