SecurePoint USA

Data Processing Agreement

Data processing terms template - Last Updated: June 10, 2026

Legal Disclaimer

This Data Processing Agreement (DPA) is provided as a template for enterprise clients. Organizations must implement their own compliance policies and may require legal review based on their specific regulatory requirements and jurisdiction.

Definitions

Key Terms

Controller: Your organization that determines the purposes and means of processing personal data
Processor: SecurePoint USA - processes personal data on behalf of the Controller
Personal Data: Visitor information including names, emails, photos, and screening results
Processing: Any operation performed on personal data (collection, storage, screening, analysis)
Data Subject: Individual visitors whose personal data is processed

Scope and Purpose

Processing Activities

SecurePoint USA processes personal data solely for the purpose of providing visitor management and compliance screening services, including:

  • Visitor check-in and check-out management
  • Real-time sanctions and watchlist screening
  • Compliance reporting and audit trails
  • Photo capture and storage (with explicit consent)
  • Host notification and visitor communication
  • Data export and portability requests

Legal Basis

US Clients

Contractual necessity for ITAR/EAR compliance and security screening

EU Clients

Legitimate interest (security) and explicit consent where required

Data Processing Details

Categories of Personal Data

  • Identity data (name, company)
  • Contact data (email, phone)
  • Biometric data (photos, with consent)
  • Screening results and risk scores
  • Visit timestamps and duration
  • Host information and purpose

Data Retention

  • Visitor and screening records: retained according to customer configuration and signed terms
  • Audit and evidence records: designed for long-term compliance support where enabled
  • ID images and photos: governed by customer settings, plan entitlements, and legal hold requirements
  • Operational logs: retained for limited operational and security needs
  • Deletion and erasure requests: handled subject to controller instructions, legal obligations, and audit preservation requirements

Data Minimization

We collect only the minimum data necessary for the enabled visitor management, screening, audit, and support workflows. Marketing and optional integrations are handled separately under the applicable customer configuration and consent basis.

Security Measures

Technical Safeguards

  • AES-256 encryption at rest
  • TLS 1.3 encryption in transit
  • Multi-factor authentication (MFA)
  • Role-based access controls (RBAC)
  • Immutable audit logging
  • Security assessments and remediation tracking

Organizational Measures

  • Data protection training
  • Confidentiality agreements
  • Access logging and monitoring
  • Incident response procedures
  • Compliance program reviews
  • Vendor security assessments

  • SOC 2 Readiness: Controls Mapping in Progress
  • NIST 800-171: Security Framework
  • ISO 27001: Readiness in Progress

These cards describe SecurePoint USA control alignment and readiness work. They do not represent a SecurePoint USA SOC 2, ISO 27001, FedRAMP, or CMMC certification. Provider security evidence is reviewed separately during vendor and contract review.

Subprocessors

SecurePoint USA may engage service providers to operate the services, including hosting, database and storage, billing, communications, observability, support, and optional AI-assisted workflows. The actual subprocessors used for a customer may depend on product configuration, enabled integrations, and signed order terms.

Subprocessor Categories

  • Application hosting and deployment infrastructure
  • Database, authentication, and private file storage
  • Billing and payment processing where enabled
  • Email, SMS, and support communications where enabled
  • Monitoring, logging, and reliability tooling
  • Optional AI-assisted services where enabled and reviewed
  • Screening data sources and compliance-data providers

A current named subprocessor list can be provided during procurement or contract review. Vendor certifications, regions, and data-transfer terms are validated as part of that review rather than asserted on this template page.

Subprocessor Changes

Subprocessor notice, objection windows, and approval rights are governed by the signed agreement for the customer.

Where required by contract or law, SecurePoint USA provides notice of material subprocessor changes and works with the customer on reasonable objections.

Data Subject Rights

SecurePoint USA assists Controllers in fulfilling data subject rights under GDPR and other applicable laws.

Supported Rights

  • Access: Export visitor data in CSV format
  • Rectification: Update visitor information
  • Erasure: Delete visitor records (GDPR)
  • Portability: Data export in machine-readable format
  • Restriction: Limit processing of specific data
  • Objection: Opt out of non-essential processing

Response Timeline

  • Standard Requests: 30 days
  • Complex Requests: 60 days
  • Erasure Requests: 72 hours

Controller Responsibilities

Controllers must verify data subject identity and provide written authorization for any data processing requests. SecurePoint USA will not process requests directly from data subjects without controller approval.

Data Breach Notification

Notification Timeline

  • Immediate (0-24 hours): Initial breach detection and containment
  • Within 72 hours: Controller notification with preliminary assessment
  • Within 30 days: Detailed breach analysis and remediation report

Breach Information

  • Nature of the personal data breach
  • Categories and approximate number of data subjects
  • Categories and approximate number of records affected
  • Likely consequences of the breach
  • Measures taken to address the breach
  • Recommended measures for data subjects

Contact Information

Data breach notifications will be sent to: support@securepointusa.com
Additional contact: security@securepointusa.com

Agreement Termination

Termination Procedures

  • 30 days written notice required
  • Data return or secure deletion within 90 days
  • Certification of data destruction provided
  • Audit logs retained for compliance purposes
  • Confidentiality obligations continue post-termination

Data Return Options

  • Export Format: CSV, JSON, or machine-readable format
  • Secure Transfer: Encrypted file transfer or secure cloud storage
  • Physical Media: Encrypted USB drive or secure courier

Contact Information

Data Protection Officer

Email: privacy@securepointusa.com

Phone: +1 (888) 301-5181

Address: SecurePoint USA, Inc.

Legal Department

Email: legal@securepointusa.com

DPA Requests: dpa@securepointusa.com

Response Time: Within 5 business days
