Data Processing Agreement (DPA)
Last updated: March 2026
1. Parties
This Data Processing Agreement ("DPA") is entered into between:
- Controller: The customer ("you") who has accepted the iSale.deals Terms of Service.
- Processor: iSale Deals Ltd., Dubai, UAE, represented by Managing Director Konstantinos Diassinos ("we", "iSale.deals").
Contact: privacy@isale.deals
2. Subject Matter of Processing
The Processor processes personal data on behalf of the Controller in connection with providing the iSale.deals SaaS platform, including CRM, AI-powered sales coaching, call analysis, email automation, and related services as described in the Terms of Service.
3. Nature & Purpose of Processing
Processing activities include: collection, storage, organisation, retrieval, AI-based analysis of sales calls, automated email sending, contact management, deal tracking, invoicing, and reporting. The purpose is to provide AI-driven sales coaching and CRM functionality to the Controller.
4. Types of Personal Data
- Contact data (name, email, phone, company, address)
- Sales call recordings and AI-generated transcripts
- Deal and pipeline data (values, stages, notes)
- Communication data (emails, chat messages)
- Usage data (login times, feature usage, IP addresses)
- Payment data (processed by Stripe; we do not store card numbers)
5. Categories of Data Subjects
- The Controller's employees and sales representatives
- The Controller's leads, prospects, and customers
- Call participants whose recordings are uploaded
6. Processor Obligations
- Process personal data only on documented instructions from the Controller.
- Ensure all persons authorised to process data are bound by confidentiality.
- Implement appropriate technical and organisational measures (see Section 8).
- Assist the Controller in responding to data subject requests (see Section 9).
- Delete or return all personal data upon termination of the agreement, at the Controller's choice.
- Make available all information necessary to demonstrate compliance with GDPR Art. 28.
- Allow and contribute to audits and inspections conducted by the Controller or an authorised auditor.
7. Approved Sub-Processors
The Controller hereby grants general authorisation for the use of the following sub-processors. The Processor shall inform the Controller of any intended changes to this list at least 14 days in advance.
| Sub-Processor | Purpose | Location |
|---|---|---|
| Supabase (AWS) | Database & Authentication | EU (Frankfurt) |
| Vercel | Hosting & CDN | Global (Edge) |
| OpenAI | AI Call Analysis & Coaching | USA |
| Twilio | Telephony / Voice | USA |
| Stripe | Payment Processing | USA / EU |
| Resend | Transactional Email | USA |
| Vapi | AI Voice Agent | USA |
For US-based sub-processors, data transfers rely on Standard Contractual Clauses (SCCs) and/or the EU-US Data Privacy Framework where applicable.
8. Technical & Organisational Measures (TOMs)
The Processor maintains the following measures pursuant to GDPR Art. 32:
- Encryption in transit: TLS 1.3 for all connections.
- Encryption at rest: AES-256 for database and file storage.
- Access control: Role-based access control (RBAC), row-level security in Supabase, MFA available.
- Data isolation: Multi-tenant architecture with strict tenant-level isolation via Supabase RLS policies.
- Hosting: Primary database in EU (Frankfurt, AWS eu-central-1). Application hosted on Vercel Edge.
- Backups: Automated daily database backups with point-in-time recovery.
- Monitoring: Continuous uptime monitoring, error tracking, and anomaly detection.
- Employee training: All personnel with access to personal data receive data protection training.
9. Data Subject Rights
The Processor shall assist the Controller in fulfilling data subject requests under GDPR Articles 15-22, including the right to access, rectification, erasure, restriction of processing, data portability, and the right to object. Requests should be directed to privacy@isale.deals and will be addressed within 30 days.
10. Data Breach Notification
The Processor shall notify the Controller without undue delay (and in any event within 48 hours) after becoming aware of a personal data breach. The notification shall include:
- The nature of the breach, including categories and approximate number of data subjects affected.
- The name and contact details of the data protection point of contact.
- The likely consequences of the breach.
- Measures taken or proposed to address the breach and mitigate its effects.
11. Governing Law & Jurisdiction
This DPA shall be governed by and construed in accordance with the laws of the United Arab Emirates, without prejudice to mandatory provisions of the GDPR applicable to the processing of personal data of individuals in the EU/EEA. Any disputes arising from this DPA shall be subject to the exclusive jurisdiction of the courts of Dubai, UAE.