Privacy Policy · SecurePoint USA

1. Introduction

SecurePointUSA.com ("SecurePoint USA," "we," "us," or "our") provides an enterprise-grade Visitor Management System (VMS) with integrated trade compliance screening for ITAR, EAR, and international sanctions regulations.

Our Role:

We act as a data processor on behalf of our clients (the "data controllers"), handling personal data collected during visitor check-ins and compliance screening activities. Your organization remains the primary controller responsible for determining how visitor data is collected and used.

Compliance Commitment: We comply with:

U.S. federal regulations (ITAR, EAR, OFAC sanctions)
General Data Protection Regulation (GDPR) for EU residents
California Consumer Privacy Act (CCPA) and other applicable state privacy laws
Industry standards (SOC 2, ISO 27001 alignment)

For EU Residents: This policy outlines your rights under GDPR and how we process your personal data as a processor on behalf of our client organizations.

2. Data We Collect and Process

2.1 Visitor Information

When you check in at a facility using our VMS, we process:

Personal identifiers: Name, email address, phone number, company affiliation
Photographic data: Photo ID scans, visitor photos (when enabled)
Visit details: Date/time, host name, purpose of visit, site location
Identity documents: Passport/ID numbers (for compliance screening only)

2.2 Screening and Compliance Data

Risk assessment results: Risk scores (0-100 scale), match status, screening timestamps
Sanctions database results: Potential matches against 21,851+ sanctions entities (OFAC, UN, EU, DFAT, SECO)
Audit trails: Immutable logs of all screening activities and system access

2.3 Data Minimization

We collect only the minimum data necessary for visitor management, trade compliance screening, audit trail maintenance, and system security. We do not collect unnecessary personal data, and we do not sell visitor information to third parties.

3. Legal Basis for Processing & Consent

3.1 U.S. Clients

Processing is based on:

Contractual necessity: Required to fulfill our VMS and compliance screening services
Legitimate interests: Facility security, regulatory compliance, fraud prevention
Legal obligations: ITAR/EAR compliance, OFAC sanctions enforcement

3.2 EU/GDPR Clients

Processing is based on:

Consent: Obtained by the controller (your organization) during visitor check-in
Legitimate interests: Security screening, export control compliance
Legal obligations: Sanctions screening, audit trail maintenance

Opt-Out Rights: EU visitors may object to processing via the VMS dashboard or by contacting the facility directly. Note: Objecting to screening may result in denied facility access per organizational security policies.

4. Security Measures

4.1 Encryption & Data Protection

In Transit: TLS 1.3 encryption for all data transmission
At Rest: AES-256 encryption for all stored data
Database Security: Row-level security (RLS) policies ensuring organizational data isolation
Infrastructure: Hosted on enterprise-grade platforms (Vercel, Supabase) with SOC 2 Type II compliance

4.2 Access Controls

Multi-factor authentication (MFA) for all administrative access
Role-based access control (RBAC): Super Admin, Admin, Manager, User, Viewer roles
Zero-trust architecture with continuous authentication validation
Audit logging: Immutable logs of all data access and modifications

4.3 Data Breach Notification

In the event of a data breach:

Controllers notified within 72 hours (GDPR Article 33)
Affected individuals notified when required by law
Regulatory authorities notified per applicable regulations
Remediation measures implemented immediately

5. User Rights

Access & Rectification

✓ Request copies of your personal data
✓ Correct inaccurate data
✓ Response within 30 days (GDPR compliant)

Erasure & Restriction

✓ Request deletion of personal data
✓ Restrict processing
✓ Subject to legal retention requirements

Data Portability

✓ Export your data (CSV, JSON formats)
✓ Transfer to third parties upon request
✓ Machine-readable format

Objection Rights

✓ Object to processing based on legitimate interests
✓ Human review of all screening results
✓ No automated access decisions

Data Retention:

• Standard retention: 5-7 years for audit and compliance purposes (ITAR/EAR requirements)
• Client-requested deletion: Earlier deletion upon written request from the controller organization
• Automatic purging: Data auto-deleted after 7 years unless extended retention is legally required

6. International Data Transfers

6.1 Data Hosting

Primary Hosting: United States (Vercel/Supabase infrastructure)
Geographic Redundancy: Multi-region backups for disaster recovery
Data Residency: Client data stored in compliance with contractual requirements

6.2 EU Data Protection

For EU personal data transfers:

Standard Contractual Clauses (SCCs): EU Commission-approved SCCs (2021 version)
GDPR Article 28 Compliance: All processing governed by Data Processing Addendum (DPA)
Adequacy Mechanisms: We monitor and comply with evolving EU data transfer requirements

7. Data Processing Addendum (DPA) for Controllers

GDPR Article 28 Compliance

As a data processor, we enter into GDPR-compliant Data Processing Addendums with all controller organizations.

Our DPA includes:

Processing instructions from the controller
Assistance with data subject rights requests
Detailed technical and organizational measures (TOMs)
Full subprocessor disclosure
Audit rights for controllers

7.2 Subprocessors

We engage the following subprocessors:

Supabase, Inc.: Database hosting and management (U.S.-based, SOC 2 compliant)
Cloudflare, Inc.: Content delivery and DDoS protection (Global, SOC 2 compliant)
Vercel, Inc.: Application hosting and edge infrastructure (U.S.-based)

We notify controllers 30 days before adding new subprocessors. Controllers may object to new subprocessors.

Request a DPA

Email: privacy@securepointusa.com
Subject: "DPA Request - [Your Organization Name]"
Response Time: DPA provided within 14 business days

9. Cookies & Tracking Technologies

9.1 Essential Cookies

We use strictly necessary cookies for:

Authentication: Maintaining secure user sessions
Security: CSRF protection, session management
Functionality: Language preferences, dashboard settings

9.2 Analytics

We use anonymized system usage data for performance optimization. We do not use Google Analytics, Facebook Pixel, or similar third-party tracking tools.

10. California Consumer Privacy Act (CCPA)

California Resident Rights

You have the right to:

Know: What personal information we collect and how it's used
Delete: Request deletion of your personal information
Opt-Out: Opt out of "sales" (note: we do not sell personal information)
Non-Discrimination: Exercise rights without discriminatory treatment

Submit CCPA requests: privacy@securepointusa.com(subject: "CCPA Request")

11. Changes to This Privacy Policy

We may update this policy to reflect changes in legal or regulatory requirements, new features, or industry best practices.

Material Changes: Controllers notified 30 days before changes take effect
Notification Methods: Email to registered administrators, in-app notifications
Effective Date: Always displayed at the top of this policy

12. Contact Information

Privacy Inquiries

For privacy questions, data subject requests, or DPA requests:

Privacy Email: privacy@securepointusa.com
Support Email: support@securepointusa.com
Response Time: 5 business days (general), 30 days (GDPR requests)

Controller Contact

Important: SecurePoint USA acts as a data processor. For questions about how your data is used, contact the organization that invited you to the facility (the data controller).

Enterprise-Grade Commitment

21,851+

Sanctions Entities

33.3ms

Average Response Time

99.9%+

Uptime SLA

SOC 2

Compliance Ready

Trusted by Fortune 500 Companies • Defense Contractors • Global Enterprises

Legal Disclaimer

This Privacy Policy is provided for informational purposes and does not constitute legal advice. Organizations using SecurePoint USAmust implement their own privacy policies and obtain necessary consents from visitors. SecurePoint USA provides policy-neutral risk assessments—final access and compliance decisions remain the responsibility of the controlling organization.

For specific legal guidance on ITAR, EAR, OFAC, GDPR, or CCPA compliance, consult qualified legal counsel.

SecurePoint USA Privacy Policy

Quick Navigation

1. Introduction

2. Data We Collect and Process

2.1 Visitor Information

2.2 Screening and Compliance Data

2.3 Data Minimization

3. Legal Basis for Processing & Consent

3.1 U.S. Clients

3.2 EU/GDPR Clients

4. Security Measures

4.1 Encryption & Data Protection

4.2 Access Controls

4.3 Data Breach Notification

5. User Rights

Access & Rectification

Erasure & Restriction

Data Portability

Objection Rights

6. International Data Transfers

6.1 Data Hosting

6.2 EU Data Protection

7. Data Processing Addendum (DPA) for Controllers

GDPR Article 28 Compliance

7.2 Subprocessors

Request a DPA

9. Cookies & Tracking Technologies

9.1 Essential Cookies

9.2 Analytics

10. California Consumer Privacy Act (CCPA)

California Resident Rights

11. Changes to This Privacy Policy

12. Contact Information

Privacy Inquiries

Controller Contact

Enterprise-Grade Commitment

Legal Disclaimer

SecurePoint USA Privacy Policy

Quick Navigation

1. Introduction

2. Data We Collect and Process

2.1 Visitor Information

2.2 Screening and Compliance Data

2.3 Data Minimization

3. Legal Basis for Processing & Consent

3.1 U.S. Clients

3.2 EU/GDPR Clients

4. Security Measures

4.1 Encryption & Data Protection

4.2 Access Controls

4.3 Data Breach Notification

5. User Rights

Access & Rectification

Erasure & Restriction

Data Portability

Objection Rights

6. International Data Transfers

6.1 Data Hosting

6.2 EU Data Protection

7. Data Processing Addendum (DPA) for Controllers

GDPR Article 28 Compliance

7.2 Subprocessors

Request a DPA

8. Third-Party Integrations & Data Sharing

Sanctions Screening

9. Cookies & Tracking Technologies

9.1 Essential Cookies

9.2 Analytics

10. California Consumer Privacy Act (CCPA)

California Resident Rights

11. Changes to This Privacy Policy

12. Contact Information

Privacy Inquiries

Controller Contact

Enterprise-Grade Commitment

Legal Disclaimer