GuardivionGuardivion← Back to app

Data Processing Agreement

Effective 26 June 2026 · Last updated 26 June 2026

The terms under which Guardivion processes personal data on behalf of Customer organisations.

Draft — pending legal review. Guardivion is a pre-incorporation venture; a UK entity will be registered ahead of any formal commercial agreement. Items marked [TO BE CONFIRMED] are placeholders to be completed before publication. Guardivion is working toward formal SOC 2 and ISO/IEC 27001 certification and is not yet certified.
This Data Processing Agreement ("DPA") forms part of the agreement between the Customer ("Controller") and Guardivion [TO BE CONFIRMED — legal entity name once incorporated] ("Processor") and applies where Guardivion processes personal data on the Customer's behalf under the GDPR, UK GDPR, and similar laws.

1. Roles & scope

The Customer is the Controller and Guardivion is the Processor for personal data processed to deliver authentication services. Guardivion processes such data only on documented instructions from the Customer, including those expressed through the Service configuration.

2. Subject matter of processing

Subject matterProvision of device-based authentication and MFA.
DurationFor the term of the underlying agreement plus permitted retention.
Nature & purposeIdentity verification, MFA, fraud prevention, audit logging.
Data subjectsCustomer administrators and end users.
Categories of dataOrganisation and administrator identifiers; administrator password hashes and TOTP secrets; device public keys, enrolment records and push tokens; authentication and audit event logs. No special-category data; no biometric templates; no end-user private keys.

3. Processor obligations

4. Sub-processors

The Controller authorises Guardivion to engage sub-processors for hosting, infrastructure, push-notification delivery, and email. A current sub-processor list [TO BE CONFIRMED] will be maintained. Guardivion imposes data-protection obligations on each sub-processor no less protective than this DPA and gives at least 30 days' notice of changes, allowing the Controller to object on reasonable grounds.

5. International transfers

Where personal data is transferred outside the EEA/UK, the parties intend to incorporate the EU Standard Contractual Clauses (Module 2, Controller-to-Processor) and the UK International Data Transfer Addendum, with supplementary technical measures including encryption in transit ([TO BE CONFIRMED] — confirm hosting regions and transfer mechanism).

6. Security measures (Art. 32)

These measures support Guardivion's programme working toward SOC 2 and ISO/IEC 27001 — see the Security Overview for current certification status.

7. Audit & assistance

Guardivion will make available the security documentation it holds to help the Controller assess compliance. Formal SOC 2 and ISO 27001 reports are not yet available (certification in progress). Additional audits may be conducted on reasonable notice, no more than annually, subject to confidentiality, unless required more frequently by a supervisory authority.

8. Personal data breach

Guardivion will notify the Controller without undue delay, and aims to do so within 72 hours, after becoming aware of a personal data breach affecting the Controller's data, providing the information the Controller reasonably needs to meet its own notification obligations. [TO BE CONFIRMED] — confirm the notification timeline you can operationally commit to.

9. Return & deletion

On termination, Guardivion deletes or returns personal data at the Controller's choice and deletes existing copies within 90 days, except where retention is required by law. Backup copies are purged on the standard rolling cycle.

10. Contact

Data protection matters: [TO BE CONFIRMED] (data-protection contact email). This DPA prevails over conflicting terms in the main agreement with respect to the processing of personal data.