Data Processing Agreement
The terms under which Guardivion processes personal data on behalf of Customer organisations.
1. Roles & scope
The Customer is the Controller and Guardivion is the Processor for personal data processed to deliver authentication services. Guardivion processes such data only on documented instructions from the Customer, including those expressed through the Service configuration.
2. Subject matter of processing
| Subject matter | Provision of device-based authentication and MFA. |
|---|---|
| Duration | For the term of the underlying agreement plus permitted retention. |
| Nature & purpose | Identity verification, MFA, fraud prevention, audit logging. |
| Data subjects | Customer administrators and end users. |
| Categories of data | Organisation and administrator identifiers; administrator password hashes and TOTP secrets; device public keys, enrolment records and push tokens; authentication and audit event logs. No special-category data; no biometric templates; no end-user private keys. |
3. Processor obligations
- Process personal data only on the Controller's documented instructions.
- Ensure personnel are bound by confidentiality.
- Implement the technical and organisational measures in Section 6 (Art. 32).
- Assist the Controller with data-subject requests and with DPIAs and prior consultations.
- Make available information needed to demonstrate compliance and allow audits (Section 7).
4. Sub-processors
The Controller authorises Guardivion to engage sub-processors for hosting, infrastructure, push-notification delivery, and email. A current sub-processor list [TO BE CONFIRMED] will be maintained. Guardivion imposes data-protection obligations on each sub-processor no less protective than this DPA and gives at least 30 days' notice of changes, allowing the Controller to object on reasonable grounds.
5. International transfers
Where personal data is transferred outside the EEA/UK, the parties intend to incorporate the EU Standard Contractual Clauses (Module 2, Controller-to-Processor) and the UK International Data Transfer Addendum, with supplementary technical measures including encryption in transit ([TO BE CONFIRMED] — confirm hosting regions and transfer mechanism).
6. Security measures (Art. 32)
- Encryption in transit over HTTPS/TLS.
- Passwords stored only as Argon2id hashes; session tokens, activation tokens and API keys stored only as SHA-256 hashes.
- End-user private keys are generated in and never leave the device hardware keystore; Guardivion holds only public keys.
- Administrator access requires password plus TOTP MFA; key-management actions are restricted to owner-role accounts.
- Append-only audit logging of administrative and key operations.
- Database-level encryption at rest, backup, and continuity procedures: [TO BE CONFIRMED] (confirm per deployment).
These measures support Guardivion's programme working toward SOC 2 and ISO/IEC 27001 — see the Security Overview for current certification status.
7. Audit & assistance
Guardivion will make available the security documentation it holds to help the Controller assess compliance. Formal SOC 2 and ISO 27001 reports are not yet available (certification in progress). Additional audits may be conducted on reasonable notice, no more than annually, subject to confidentiality, unless required more frequently by a supervisory authority.
8. Personal data breach
Guardivion will notify the Controller without undue delay, and aims to do so within 72 hours, after becoming aware of a personal data breach affecting the Controller's data, providing the information the Controller reasonably needs to meet its own notification obligations. [TO BE CONFIRMED] — confirm the notification timeline you can operationally commit to.
9. Return & deletion
On termination, Guardivion deletes or returns personal data at the Controller's choice and deletes existing copies within 90 days, except where retention is required by law. Backup copies are purged on the standard rolling cycle.
10. Contact
Data protection matters: [TO BE CONFIRMED] (data-protection contact email). This DPA prevails over conflicting terms in the main agreement with respect to the processing of personal data.
