Data Processing Agreement (DPA)

Last Updated: March 2026

Language note: This English version is the binding legal document. A Hebrew translation is available at biz-planner.com/he/dpa for convenience only. In case of any conflict, this English version shall prevail.

Introduction and Scope
Definitions
Roles of the Parties
Subject Matter and Details of Processing
Processor Obligations
Confidentiality
Security Measures
Sub-Processors
Assistance with Data Subject Rights
Data Breach Notification
Data Deletion and Return on Termination
Audit Rights
International Data Transfers
Liability and Indemnification
Term and Termination
Governing Law
Contact

1. Introduction and Scope

This Data Processing Agreement ("DPA") forms part of the legal relationship between BizPlanner (the "Processor", defined below) and any user, business, or organization (the "Controller") that uses BizPlanner's services to process personal data on behalf of or relating to third parties.

1.1 When This DPA Applies

This DPA applies when you use BizPlanner in a context where GDPR Article 28 or Israeli Privacy Protection Law Amendment 13 imposes a contractual obligation on us as your data processor. This includes, but is not limited to:

Using BizPlanner's Model Context Protocol (MCP) integration with AI assistants (Claude, ChatGPT, and others), where personal data relating to your end users or clients flows through our MCP server
Using BizPlanner as a business tool on behalf of clients or employees whose personal data you enter into the platform
Any API or programmatic access to BizPlanner services

1.2 Acceptance

By accessing or using the BizPlanner Services as described above, you agree to the terms of this DPA. If you are acting on behalf of a company or organization, you confirm that you have authority to bind that entity to these terms.

For enterprise customers who require a countersigned DPA, please contact us at support@biz-planner.com.

1.3 Relationship to Other Agreements

This DPA supplements BizPlanner's Terms of Service and Privacy Policy. In the event of a conflict between this DPA and those documents regarding the processing of personal data in a Controller–Processor context, this DPA shall prevail.

2. Definitions

In this DPA, the following terms have the meanings set out below. Terms used but not defined here have the meanings given in the GDPR or the Israeli Privacy Protection Law (as applicable).

"BizPlanner" means Shay Asoulin, Sole Proprietorship, License No. 307874974, Kaf Tet BeNovember 8, Ashkelon, Israel, operating the platform at biz-planner.com.
"Controller" means the natural person, company, or organization that determines the purposes and means of processing personal data — in this context, you, the BizPlanner user or customer.
"Processor" means the entity that processes personal data on behalf of the Controller — in this context, BizPlanner.
"Sub-Processor" means any third party engaged by BizPlanner to assist in processing personal data under this DPA. A list of current Sub-Processors is set out in Section 8.
"Personal Data" means any information relating to an identified or identifiable natural person ("data subject"). This includes names, email addresses, financial data, business projections, and any other information the Controller uploads or generates through the Services.
"Processing" means any operation performed on personal data, including collection, storage, retrieval, use, transmission, disclosure, or deletion.
"Services" means the BizPlanner platform, including the web application at biz-planner.com, mobile applications, the MCP server (biz-planner.com/api/mcp), and any related APIs or integrations.
"GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation).
"Israeli Privacy Law" means the Israeli Privacy Protection Law, 1981 (חוק הגנת הפרטיות, תשמ"א-1981) and its regulations, including Amendment 13.
"SCCs" means the Standard Contractual Clauses adopted by the European Commission for the transfer of personal data to third countries (Decision 2021/914/EU).
"Data Breach" means a security incident that results in accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

3. Roles of the Parties

3.1 BizPlanner as Controller (Standard Use)

For the majority of BizPlanner users — individuals using the platform to plan their own business — BizPlanner acts as a Controller with respect to that user's personal data. Those relationships are governed by the Privacy Policy, not this DPA.

3.2 BizPlanner as Processor (This DPA)

This DPA applies when BizPlanner acts as a Processor on your behalf. This occurs when:

You are a consultant, accountant, or advisor who uses BizPlanner to process financial data belonging to your clients
You connect BizPlanner to an AI assistant via MCP, and that assistant processes data relating to your users or clients through our server
You use BizPlanner's API or programmatic tools to automate data processing on behalf of others

In these cases, you are the Controller and BizPlanner is the Processor. BizPlanner will process personal data only as instructed by you, in accordance with this DPA.

3.3 Joint Controller Scenarios

In cases where both parties independently determine purposes or means of processing (e.g., BizPlanner using aggregated, anonymized platform analytics), each party acts as an independent Controller for its own purposes and is separately responsible for compliance with applicable law.

4. Subject Matter and Details of Processing

4.1 Subject Matter

BizPlanner processes personal data on behalf of the Controller for the purpose of providing the Services described in the Terms of Service.

4.2 Duration of Processing

BizPlanner will process personal data for the duration of the Controller's active use of the Services, and for such additional period as required by applicable law or as specified in Section 11 (Data Deletion and Return on Termination).

4.3 Nature and Purpose of Processing

BizPlanner processes personal data for the following purposes:

Purpose	Description
Account and authentication management	Creating and managing user accounts, authenticating users via email, Google, or Apple OAuth
Business simulation and financial modelling	Storing, retrieving, and computing financial projections entered by or on behalf of the Controller
AI-powered business analysis	Transmitting financial data (business type, revenue, costs, projections) to the AI provider to generate business insights, chat responses, and reports
MCP tool execution	Processing requests from AI assistants via the MCP server, including reading project data, running what-if scenarios, and creating or updating simulations
Report generation	Generating PDF reports (bank reports, investor reports) from simulation data
Collaboration	Enabling project sharing between users invited by the Controller
Customer support	Processing support tickets and correspondence related to the Services
Security and fraud prevention	Logging access events and detecting abuse via rate limiting and audit logs
Payment processing	Processing transaction records (not payment card data, which is handled by the payment provider directly)

4.4 Types of Personal Data Processed

Depending on how you use the Services, BizPlanner may process the following categories of personal data:

Account data:

Email address, full name, profile photo
Authentication credentials (managed by Supabase Auth; BizPlanner does not store raw passwords)
Language and theme preferences

Business and financial data:

Business name, type, and stage
Financial assumptions: revenue, costs, pricing, employee headcount, salaries, investment amounts
Financial projections: monthly profit/loss, cash flow, break-even analysis
What-if scenario adjustments and version history
AI chat messages and AI-generated responses (per project)

MCP-specific data:

Project names and simulation parameters
Financial simulation results and analysis data
MCP audit log entries (tool name, timestamp, user ID)

Payment and transaction data:

Purchase records, transaction IDs, product types purchased
Invoices and tax documentation (retained for 7 years per Israeli Tax Ordinance)

Technical data:

IP address (used for security and rate limiting)
Device type, browser, operating system
Usage logs and error reports

Note on sensitive data: Under Israeli Privacy Law Amendment 13, financial data (business plans, revenue forecasts, cost structures) is classified as sensitive information. BizPlanner obtains explicit consent from data subjects before processing this data through AI features, in accordance with Amendment 13 requirements.

4.5 Categories of Data Subjects

End users: Individuals who register for and use BizPlanner accounts
Clients of consultants: Individuals or businesses whose data is entered into BizPlanner by a consultant or advisor using the platform on their behalf
Invited collaborators: Individuals invited to view or edit a shared project
Support contacts: Individuals who contact BizPlanner via the support system

5. Processor Obligations

BizPlanner, acting as Processor under this DPA, agrees to the following obligations:

5.1 Process Only on Instructions

BizPlanner will process personal data only on documented instructions from the Controller — as set out in this DPA, the Terms of Service, and any additional written instructions provided by the Controller.

If BizPlanner is required by applicable law (Israeli law, EU law, or the law of a Member State) to process personal data in a manner that conflicts with the Controller's instructions, BizPlanner will inform the Controller of that legal requirement before processing, unless such notification is prohibited by law.

5.2 Limitations on Processing

BizPlanner will not:

Process personal data for any purpose other than providing the Services
Sell, rent, or share personal data with third parties for their independent commercial purposes
Use personal data to train AI models (see also Section 8 regarding Anthropic's commercial API terms)
Transfer personal data to any country or organization outside the scope of the transfer mechanisms described in Section 13

5.3 Cooperation

BizPlanner will cooperate with the Controller and, where relevant, with supervisory authorities in fulfilling obligations under applicable data protection law. This includes:

Providing the Controller with information reasonably necessary to demonstrate compliance with this DPA
Notifying the Controller promptly if BizPlanner believes an instruction from the Controller would violate applicable data protection law
Assisting the Controller with data protection impact assessments (DPIAs) and prior consultations with supervisory authorities, where applicable

6. Confidentiality

6.1 Staff Confidentiality

BizPlanner ensures that:

Only authorized personnel who need access to personal data to perform their duties have such access
All personnel with access to personal data are subject to appropriate confidentiality obligations (whether by contract, employment terms, or statutory duty)
Personnel are trained on applicable data protection requirements

6.2 Processor Confidentiality

BizPlanner treats all personal data processed under this DPA as confidential and will not disclose it to third parties except:

To Sub-Processors listed in Section 8 for the purposes of providing the Services
As required by applicable law, court order, or governmental authority (with notice to the Controller where permitted)
With the Controller's prior written consent

7. Security Measures

7.1 Technical and Organizational Measures

BizPlanner implements technical and organizational security measures appropriate to the risk of processing, including:

Encryption:

All data transmitted between users and BizPlanner servers is encrypted in transit using TLS 1.2 or higher (HTTPS)
Data stored in the database (Supabase) is encrypted at rest using AES-256 or equivalent
All data transmitted to sub-processors is encrypted in transit

Access controls:

Role-Based Access Control (RBAC): users can only access their own data
Role-based access controls enforced at the database level
OAuth 2.0 with scoped tokens for MCP integrations, limiting access to only the data the Controller explicitly authorizes
Multi-factor authentication support for administrative access

Monitoring and logging:

Automated security monitoring and alerts for suspicious activity
MCP audit log recording all tool invocations with timestamp, user ID, and token identity
Rate limiting on all API endpoints, including MCP tools, to prevent abuse

Availability and resilience:

Regular automated database backups for disaster recovery
Infrastructure hosted on enterprise-grade cloud providers (Supabase, Vercel) with high availability SLAs

Vulnerability management:

Periodic security reviews of the platform
Dependency updates and patch management
Responsible disclosure process for security researchers

7.2 Security for Sensitive Financial Data

Given the classification of financial data as sensitive under Israeli Privacy Law Amendment 13, BizPlanner applies enhanced controls to this category:

Explicit consent obtained before transmitting financial data to the AI provider
AI data transmission limited to the minimum data necessary (no personal identifiers sent to AI provider — only financial parameters)
Input validation and sanitization on all user-submitted data

7.3 No Absolute Guarantee

No security system is impenetrable. BizPlanner does not guarantee that unauthorized third parties will never be able to defeat its security measures. However, BizPlanner will notify the Controller in the event of a data breach, as described in Section 10.

8. Sub-Processors

8.1 Authorization

The Controller authorizes BizPlanner to engage the Sub-Processors listed in Section 8.2 to assist in providing the Services. BizPlanner will ensure that each Sub-Processor is bound by data protection obligations at least as protective as those in this DPA, by written contract.

8.2 Current Sub-Processors

The following Sub-Processors are currently engaged by BizPlanner to process personal data under this DPA:

Sub-Processor	Country	Role	Data Processed	Transfer Mechanism
Supabase Inc.	USA (data stored in EU — Frankfurt, Germany)	Database, authentication, real-time sync	All account data, project data, financial simulations, audit logs	EU SCCs + Supabase DPA
Vercel Inc.	USA (Global CDN)	Web hosting, edge functions, serverless API	Request logs, edge cache (no personal data stored at edge beyond transient request processing)	EU SCCs + Vercel DPA
Anthropic PBC	USA	AI language model processing (Claude API)	Financial parameters only: business type, revenue/cost assumptions, projections, chat messages (no personal identifiers)	EU SCCs + Anthropic usage policies
Upstash Inc.	USA (EU instance — Frankfurt)	Rate limiting, Redis cache	IP addresses, request counts, rate limit counters (no business data)	EU SCCs
Resend Inc.	USA	Transactional email delivery	Email addresses, email content for system notifications (invitations, receipts, security alerts)	EU SCCs
PostHog Inc.	USA (EU instance)	Product analytics	Anonymized usage events (page views, feature usage). Routed via EU proxy (p.biz-planner.com). Session replay disabled. Requires user consent before activation.	EU SCCs + EU proxy
Google LLC (Google Analytics 4)	USA	Web traffic analytics	Anonymized traffic data (page views, referral sources, device type). No personally identifiable information. Requires user consent before activation.	EU SCCs
Functional Software Inc. (Sentry)	USA	Error monitoring	Technical error logs, stack traces (no personal business data). Session replay disabled.	EU SCCs
PAID IL Ltd. (PayMe)	Israel	Payment processing	Billing name, email, transaction records. Payment card data handled directly by PayMe and not accessible to BizPlanner.	Israeli Privacy Law (adequate protection)

8.3 Notification of Sub-Processor Changes

BizPlanner will provide the Controller with at least 30 days' advance notice before adding a new Sub-Processor or replacing an existing one, where such change involves the processing of personal data. This notice will be given by:

Updating the Sub-Processor list on this page (with a new "Last Updated" date)
Sending an email notification to active registered users

8.4 Right to Object

Upon receiving notice of a proposed Sub-Processor change, the Controller may object to the change by contacting BizPlanner at support@biz-planner.com within 30 days of the notice. If the Controller objects and BizPlanner cannot accommodate the objection (for example, where the Sub-Processor is necessary for the Services), the Controller may terminate the relevant Services without penalty.

9. Assistance with Data Subject Rights

9.1 BizPlanner's Obligation to Assist

Where personal data processed under this DPA is subject to a data subject request — including rights to access, rectification, erasure, restriction, portability, or objection — BizPlanner will assist the Controller in fulfilling that request, to the extent technically feasible and appropriate given BizPlanner's role.

9.2 Handling Data Subject Requests

Data subjects may exercise their rights directly with BizPlanner at support@biz-planner.com. BizPlanner will:

Acknowledge receipt within 7 business days
Fulfill or forward the request to the Controller within 30 days (extendable to 60 days for complex requests, with notice)
Not fulfill a request that the Controller has specifically instructed BizPlanner not to fulfill, unless required by law

9.3 Built-In Self-Service Mechanisms

BizPlanner provides the following built-in tools for data subjects to exercise their rights:

Account deletion: Users can request account deletion directly from their account settings. A 7-day grace period applies before permanent deletion.
Data export (portability): Pro users can export their project data in JSON, CSV, and PDF formats via the AI Export feature.
Profile correction: Users can update their name, email, and preferences in Settings.
AI consent withdrawal: Users can disable AI features per project to stop financial data transfers to the AI provider.
Marketing opt-out: Every marketing email includes an unsubscribe link.

9.4 Requests the Controller Must Handle

Where a data subject's request relates to data that the Controller — not BizPlanner — is primarily responsible for (for example, a client whose data was entered into BizPlanner by a consultant), the Controller is responsible for deciding whether and how to fulfill that request. BizPlanner will assist by providing the relevant data upon written request from the Controller.

10. Data Breach Notification

10.1 Detection and Notification

In the event that BizPlanner becomes aware of a Data Breach affecting personal data processed under this DPA, BizPlanner will:

Notify the Controller without undue delay, and in any event within 72 hours of becoming aware of the breach (or as soon as reasonably practicable if full details are not yet available)
Provide the Controller with the following information, to the extent known at the time:
- Nature of the breach and, where possible, the categories and approximate number of data subjects affected
- Categories and approximate volume of personal data records affected
- Name and contact details of BizPlanner's point of contact for further information
- Likely consequences of the breach
- Measures taken or proposed to address the breach and to mitigate its effects

10.2 Controller's Obligations

The Controller is responsible for any notification obligations to supervisory authorities or data subjects that arise from a Data Breach under applicable law (e.g., under GDPR Article 33 and 34, or Israeli Privacy Law). BizPlanner will cooperate with and assist the Controller in making any required notifications.

10.3 Notification Method

Breach notifications will be sent to the email address associated with the Controller's BizPlanner account. The Controller is responsible for ensuring this email address is current.

11. Data Deletion and Return on Termination

11.1 On Account Deletion

When a Controller deletes their BizPlanner account (or when an account is terminated for cause):

Immediate effect: The account is marked for deletion and access is suspended
Grace period (7 days): The account remains recoverable for 7 days in case the deletion was accidental
Permanent deletion (after 7 days): All project data, financial simulations, AI chat history, and personal data are permanently deleted from active databases
Email removal: The email address is removed from all marketing and transactional mailing lists
Pseudonymization: Personal identifiers in audit logs are pseudonymized for security and fraud prevention purposes

Exceptions (retained by law):

Payment records and tax invoices are retained for 7 years from the transaction date, as required by the Israeli Tax Ordinance
Aggregated, anonymized analytics data (no personal identifiers) may be retained indefinitely
Data subject to an active legal hold (e.g., if involved in a fraud investigation) will be retained until the hold is lifted

11.2 Expedited Deletion

The Controller may request immediate deletion without the 7-day grace period by contacting support@biz-planner.com and explicitly waiving the recovery period. BizPlanner will complete the deletion within 30 days of receipt of such request.

11.3 Deletion Confirmation

Upon request, BizPlanner will provide written confirmation that deletion has been completed, to the extent technically verifiable.

11.4 MCP Connection Termination

If the Controller disconnects or revokes an MCP integration (via their AI assistant's settings), BizPlanner will:

Immediately revoke the associated OAuth token, preventing further access through that integration
Retain no data specifically associated with the MCP session beyond what is already stored in the user's BizPlanner account (per the retention periods above)
Delete any temporary cached MCP session data within 30 days of revocation

12. Audit Rights

12.1 Right to Audit

The Controller has the right to verify BizPlanner's compliance with this DPA. Given BizPlanner's current scale as a sole proprietorship, audit rights are exercised through the following means:

Documentation review: The Controller may request, and BizPlanner will provide:

This DPA and any updates to it
A summary of relevant security certifications or assessments held by BizPlanner's Sub-Processors (Supabase, Vercel, etc.)
Information about BizPlanner's security measures, Sub-Processor agreements, and data processing practices
MCP audit log exports for the Controller's own account (upon request)

Third-party assessments: Where a Sub-Processor holds a relevant security certification (such as SOC 2 Type II, ISO 27001, or similar), BizPlanner will make available summaries of such reports upon request to the extent permitted by the Sub-Processor's confidentiality terms.

12.2 Audit Requests

Audit requests must be submitted in writing to support@biz-planner.com with at least 30 days' advance notice. BizPlanner will respond to reasonable audit requests within 30 days.

12.3 Cost of Audit

Documentation reviews are provided at no cost for one request per calendar year. For additional requests or requests requiring significant administrative effort, BizPlanner reserves the right to charge a reasonable fee for the time incurred.

12.4 Limitations

On-site physical audits are not available at BizPlanner's current scale. Audit rights are limited to documentation-based review as described above. BizPlanner's Sub-Processors are subject to their own audit frameworks, which are governed by their respective DPAs with BizPlanner.

13. International Data Transfers

13.1 Transfers Within Israel and the EU

Israel holds an adequacy decision from the European Commission, meaning the transfer of personal data from the EU to Israel is permitted without additional safeguards. BizPlanner's primary operations are based in Israel.

13.2 Transfers to the United States

Several of BizPlanner's Sub-Processors are located in the United States, which does not hold a general EU adequacy decision. For all such transfers, BizPlanner relies on one or more of the following mechanisms:

Standard Contractual Clauses (SCCs): BizPlanner incorporates the EU Commission's Standard Contractual Clauses (Controller-to-Processor SCCs, Decision 2021/914/EU) into its agreements with US-based Sub-Processors. A copy of the relevant SCCs can be requested at support@biz-planner.com.
EU Data Residency: Where technically feasible, BizPlanner configures Sub-Processors to store personal data within the EU:
- Supabase database: hosted in EU-Central-1 (Frankfurt, Germany)
- PostHog: EU instance, accessed via EU-based proxy (p.biz-planner.com)
- Upstash: EU instance (Frankfurt)
Data Minimization for AI Processing: Financial data transmitted to Anthropic (US) is limited to business parameters only (no personal identifiers, no contact information). This minimizes the privacy risk of cross-border AI processing.
Explicit Consent for Sensitive Data: For the transfer of financial data (classified as sensitive under Israeli Privacy Law Amendment 13) to the AI provider, BizPlanner obtains explicit prior consent from data subjects before any transfer occurs.

13.3 Israeli Privacy Law Compliance

All international data transfers comply with the requirements of the Israeli Privacy Protection Regulations (Transfer of Data Outside of Israel), including the requirement for adequate protection or explicit consent for sensitive data.

13.4 Requests for SCC Copies

The Controller may request a copy of the Standard Contractual Clauses applicable to any specific Sub-Processor transfer by contacting support@biz-planner.com. BizPlanner will provide these within 30 days, subject to the Sub-Processor's confidentiality terms.

14. Liability and Indemnification

14.1 BizPlanner's Liability

BizPlanner's liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service. Nothing in this DPA creates liability beyond what is expressly stated in the Terms of Service.

14.2 Controller's Liability

The Controller is responsible for ensuring that:

The personal data it provides to BizPlanner was collected lawfully and with appropriate legal basis
Data subjects whose data is processed through BizPlanner have been informed of such processing in accordance with applicable law
Any instructions given to BizPlanner for processing comply with applicable data protection law

14.3 Processor Fines

If a supervisory authority imposes a fine on BizPlanner arising directly from BizPlanner's breach of this DPA or applicable data protection law (and not from the Controller's instructions), BizPlanner bears responsibility for that fine. If the fine arises from the Controller's unlawful instructions or conduct, the Controller bears responsibility.

15. Term and Termination

15.1 Term

This DPA is effective for the duration of the Controller's use of the Services and remains in force as long as BizPlanner processes personal data on the Controller's behalf.

15.2 Termination

This DPA automatically terminates upon:

Termination or expiry of the Controller's account with BizPlanner
Deletion of all personal data processed under this DPA in accordance with Section 11
Written agreement between both parties to terminate

15.3 Survival

Sections 6 (Confidentiality), 10 (Data Breach Notification), 11 (Data Deletion and Return), 12 (Audit Rights), and 14 (Liability) survive termination of this DPA.

16. Governing Law

16.1 Governing Law

This DPA is governed by the laws of the State of Israel, including the Israeli Privacy Protection Law, 1981, and its regulations.

Where the Controller or data subjects are located in the European Union or European Economic Area, this DPA is interpreted to comply with GDPR requirements. In the event of any inconsistency between Israeli law and GDPR that would affect the rights of EU data subjects, BizPlanner will apply the higher standard of protection.

16.3 Jurisdiction

Any dispute arising from this DPA will be submitted to the competent courts of Israel. For EU-based Controllers, nothing in this clause limits the right of EU data subjects to bring claims before their local courts or supervisory authorities.

17. Contact

For any questions relating to this DPA, requests to exercise data subject rights, audit requests, Sub-Processor inquiries, or to obtain copies of Standard Contractual Clauses:

BizPlanner — Data Processing Inquiries Shay Asoulin Kaf Tet BeNovember 8, Ashkelon, Israel License No. 307874974

Email: support@biz-planner.com Website: https://biz-planner.com

For enterprise customers requiring a countersigned DPA or additional contractual terms, please contact us at support@biz-planner.com with "Enterprise DPA Request" in the subject line.

Related Documents:

This DPA is effective as of March 2026. BizPlanner will notify active users of any material changes at least 30 days before they take effect.