Legal

Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the agreement between AisleCore and you ("Customer") for the provision of the AisleCore platform.

Effective date: March 27, 2026

1. Definitions

"Data Controller": The Customer, who determines the purposes and means of processing Personal Data through the AisleCore platform.
"Data Processor": AisleCore, Inc., which processes Personal Data on behalf of the Controller in connection with providing the platform services.
"Personal Data": Any information relating to an identified or identifiable natural person, including names, email addresses, IP addresses, and any other data classified as personal data under applicable data protection laws.
"Processing": Any operation performed on Personal Data, including collection, recording, storage, retrieval, use, disclosure, combination, restriction, erasure, or destruction.
"Subprocessor": A third-party entity engaged by AisleCore to process Personal Data on behalf of the Controller in connection with the platform services.
"Data Breach": A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored, or otherwise processed.

2. Scope and Purpose of Processing

AisleCore processes Personal Data solely for the purpose of providing the platform services as described in the Terms of Service, including:

Account management and user authentication (names, email addresses, roles)
Processing and reconciling trade spend, deduction, and promotional data
Generating analytics, reports, and weekly performance digests
Sending transactional communications (magic links, notifications, alerts)
Processing subscription payments through Stripe
Monitoring platform health, debugging errors, and improving service reliability

The categories of data subjects include Customer employees, representatives, and authorized users of the platform. The types of Personal Data processed include names, business email addresses, IP addresses, session data, and any personal data contained within business data uploaded by the Customer.

3. Processor Obligations

3.1 Security Measures

Encryption of all data in transit using TLS 1.3 and at rest using AES-256
Multi-tenant data isolation ensuring strict separation of each Customer's data
Role-based access controls with least-privilege principles
Comprehensive audit logging on all sensitive operations
HTTPOnly, SameSite session cookies to prevent session hijacking
Regular security assessments and vulnerability monitoring

3.2 Confidentiality

AisleCore ensures that all personnel authorized to process Personal Data are bound by confidentiality obligations. Personal Data will only be accessed by personnel who require access to perform the platform services, and only to the extent necessary.

3.3 Sub-Processing

AisleCore will not engage a new Subprocessor without providing the Controller with prior written notice and an opportunity to object. All Subprocessors are bound by data processing agreements that impose obligations no less protective than those in this DPA. AisleCore remains liable for its Subprocessors' compliance with data protection obligations.

3.4 Data Breach Notification

In the event of a Data Breach, AisleCore will notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach. Notification will include: the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to mitigate the breach. AisleCore will cooperate fully with the Controller in investigating and remediating the breach.

4. Controller Rights

4.1 Right to Audit

The Controller may audit AisleCore's compliance with this DPA up to once per year, with at least 30 days' prior written notice. Audits will be conducted during normal business hours and will not unreasonably interfere with AisleCore's operations. AisleCore will make available all information necessary to demonstrate compliance.

4.2 Instructions

AisleCore will process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law. If AisleCore believes an instruction infringes applicable data protection law, it will promptly inform the Controller.

4.3 Data Subject Requests

AisleCore will assist the Controller in responding to data subject requests (access, rectification, erasure, portability, restriction, and objection) by providing appropriate technical and organizational measures.

4.4 Deletion and Return

Upon written request, AisleCore will delete or return all Personal Data to the Controller, and delete existing copies, unless applicable law requires retention. The Controller may export data at any time via CSV export through the platform.

5. Subprocessors

The following Subprocessors are currently authorized to process Personal Data in connection with the AisleCore platform:

Subprocessor	Purpose	Location	DPA Status
Stripe	Payment processing	United States	Executed
Resend	Transactional email delivery	United States	Executed
Vercel	Application hosting and edge delivery	United States / EU	Executed
Neon	PostgreSQL database hosting	United States	Executed
Sentry	Error tracking and monitoring	United States	Executed

AisleCore will notify Customers at least 30 days before authorizing any new Subprocessor. Customers may object to a new Subprocessor by contacting dpa@aislecore.com within that notice period.

6. International Transfers

Personal Data may be transferred to and processed in countries outside the European Economic Area (EEA), United Kingdom, or Switzerland. Where such transfers occur, AisleCore ensures appropriate safeguards are in place, including:

Standard Contractual Clauses (SCCs): AisleCore incorporates the European Commission's Standard Contractual Clauses (Module Two: Controller-to-Processor) for transfers of Personal Data to countries not recognized as providing adequate data protection.
UK International Data Transfer Addendum: For transfers from the UK, AisleCore supplements the SCCs with the UK IDTA as required.
Supplementary measures: AisleCore implements technical and organizational supplementary measures including encryption, pseudonymization, and access controls to ensure transferred data receives a level of protection essentially equivalent to that guaranteed within the EEA.

AisleCore will inform the Controller of any changes to the data transfer mechanisms used and will cooperate in implementing alternative safeguards if required.

7. Data Retention and Deletion

AisleCore retains Personal Data only for as long as necessary to provide the platform services and fulfill the purposes outlined in this DPA:

Active accounts: Personal Data is retained for the duration of the subscription.
Cancelled accounts: Data is retained for 1 year post-cancellation to allow for reactivation or data export, then permanently deleted unless the Customer requests otherwise.
Audit logs: Retained for 2 years for security and compliance purposes.
Billing records: Retained as required by applicable tax and financial regulations.
Error and performance logs: Anonymized after 90 days; identifiable data purged within 30 days.

Upon termination of the agreement or written request, all Personal Data will be securely deleted or returned within 30 days, except where retention is required by law.

8. Liability and Indemnification

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the underlying agreement (Terms of Service).

AisleCore will indemnify the Controller against any losses, damages, or costs arising from AisleCore's breach of this DPA or applicable data protection laws, provided the Controller has complied with its obligations under this DPA and applicable law.

Neither party excludes or limits liability for fraud, gross negligence, or willful misconduct, or for any liability that cannot be excluded or limited under applicable law.

9. Term and Termination

This DPA takes effect on the date the Customer first accesses the AisleCore platform and remains in effect for the duration of the underlying agreement.

Upon termination of the underlying agreement, AisleCore will continue to comply with the obligations in this DPA with respect to any Personal Data still in its possession, until such data is deleted or returned in accordance with Section 7.

Sections 1 (Definitions), 7 (Data Retention and Deletion), 8 (Liability and Indemnification), and this Section 9 survive termination of this DPA.

10. Contact

For questions, requests, or concerns regarding this Data Processing Agreement, please contact:

AisleCore Data Protection

Email: dpa@aislecore.com

Back to home