Data Processing Agreement

GDPR Article 28 Compliant • Last Updated: October 12, 2025

Legal Disclaimer

This Data Processing Agreement (DPA) is provided as a template for enterprise clients. Organizations must implement their own compliance policies and may require legal review based on their specific regulatory requirements and jurisdiction.

Definitions

Key Terms

Controller:
Your organization that determines the purposes and means of processing personal data
Processor:
SecurePoint USA - processes personal data on behalf of the Controller
Personal Data:
Visitor information including names, emails, photos, and screening results
Processing:
Any operation performed on personal data (collection, storage, screening, analysis)
Data Subject:
Individual visitors whose personal data is processed

Scope and Purpose

Processing Activities

SecurePoint USA processes personal data solely for the purpose of providing visitor management and compliance screening services, including:

  • Visitor check-in and check-out management
  • Real-time sanctions and watchlist screening
  • Compliance reporting and audit trails
  • Photo capture and storage (with explicit consent)
  • Host notification and visitor communication
  • Data export and portability requests

Legal Basis

US Clients

Contractual necessity for ITAR/EAR compliance and security screening

EU Clients

Legitimate interest (security) and explicit consent where required

Data Processing Details

Categories of Personal Data

  • Identity data (name, company)
  • Contact data (email, phone)
  • Biometric data (photos, with consent)
  • Screening results and risk scores
  • Visit timestamps and duration
  • Host information and purpose

Data Retention Periods

  • Visitor data: 10 years (default platform retention)
  • Audit logs: 10 years (immutable)
  • Screening results: 10 years
  • Photos: Until consent withdrawal
  • GDPR erasure: Upon valid request

Data Minimization

We collect only the minimum data necessary for compliance screening and visitor management. No personal data is processed for marketing or unrelated business purposes.

Security Measures

Technical Safeguards

  • AES-256 encryption at rest
  • TLS 1.3 encryption in transit
  • Multi-factor authentication (MFA)
  • Role-based access controls (RBAC)
  • Immutable audit logging
  • Regular security assessments

Organizational Measures

  • Data protection training
  • Confidentiality agreements
  • Access logging and monitoring
  • Incident response procedures
  • Regular compliance audits
  • Vendor security assessments

  • SOC 2 Type II: Controls Monitoring
  • NIST 800-171: Security Framework
  • ISO 27001: Information Security

Subprocessors

SecurePoint USA may engage subprocessors to provide our services. All subprocessors are bound by equivalent data protection obligations through contractual agreements.

Current Subprocessors

  • Supabase: Database, Authentication & Storage (SOC 2 Type II)
  • Vercel: Application Hosting (SOC 2 Type II)
  • Cloudflare: CDN & Security (SOC 2 Type II)
  • Stripe: Payment Processing (PCI DSS Level 1)
  • Resend: Transactional Emails (GDPR Compliant)
  • Twilio: SMS Notifications (SOC 2 Type II)
  • Intercom: Customer Support (SOC 2 Type II)
  • Azure OpenAI: AI Risk Summaries (GDPR DPA)
  • Groq: AI Fast Inference (GDPR DPA)

Subprocessor Changes

We will notify you of any new subprocessors or changes to existing ones with 30 days' notice.

You may object to changes within 14 days. Continued use of services constitutes acceptance.

Data Subject Rights

SecurePoint USA assists Controllers in fulfilling data subject rights under GDPR and other applicable laws.

Supported Rights

  • Access: Export visitor data in CSV format
  • Rectification: Update visitor information
  • Erasure: Delete visitor records (GDPR)
  • Portability: Data export in machine-readable format
  • Restriction: Limit processing of specific data
  • Objection: Opt-out of non-essential processing

Response Timeline

  • Standard Requests: 30 days
  • Complex Requests: 60 days
  • Erasure Requests: 72 hours

Controller Responsibilities

Controllers must verify data subject identity and provide written authorization for any data processing requests. SecurePoint USA will not process requests directly from data subjects without controller approval.

Data Breach Notification

Notification Timeline

Immediate (0-24 hours)
Initial breach detection and containment
Within 72 hours
Controller notification with preliminary assessment
Within 30 days
Detailed breach analysis and remediation report

Breach Information

  • Nature of the personal data breach
  • Categories and approximate number of data subjects
  • Categories and approximate number of records affected
  • Likely consequences of the breach
  • Measures taken to address the breach
  • Recommended measures for data subjects

Contact Information

Data breach notifications will be sent to: support@securepointusa.com
Additional contact: security@securepointusa.com

Agreement Termination

Termination Procedures

  • 30 days written notice required
  • Data return or secure deletion within 90 days
  • Certification of data destruction provided
  • Audit logs retained for compliance purposes
  • Confidentiality obligations continue post-termination

Data Return Options

Export Format
CSV, JSON, or machine-readable format
Secure Transfer
Encrypted file transfer or secure cloud storage
Physical Media
Encrypted USB drive or secure courier

Contact Information

Data Protection Officer

Email: privacy@securepointusa.com

Phone: +1 (888) 301-5181

Address: SecurePoint USA, Inc.

Legal Department

Email: legal@securepointusa.com

DPA Requests: dpa@securepointusa.com

Response Time: Within 5 business days