Standard contractual framework for EU/EEA customers as required under Article 28 of the GDPR.
This Data Processing Agreement ("DPA") is incorporated into and forms part of the GuardArra Terms of Service. It applies where GuardArra processes personal data on behalf of EU/EEA customers acting as data controllers.
"Controller" means the GuardArra customer. "Processor" means GuardArra, LLC. "Personal Data," "Processing," "Data Subject," and related terms have the meanings given in the GDPR.
GuardArra processes personal data submitted by the Controller for the purpose of providing the GuardArra workforce management platform. The subject matter, nature, purpose, and duration of processing is as described in the Sub-Processor List and EU Privacy Notice.
GuardArra shall:
GuardArra maintains a list of approved sub-processors at sub-processors.html. GuardArra will notify Controllers of intended sub-processor changes with at least 30 days notice, providing opportunity to object.
Transfers of personal data from the EEA to the US are governed by the EU Standard Contractual Clauses (Module 2: Controller to Processor) adopted by Commission Decision 2021/914. By accepting these terms, the Controller executes the SCCs with GuardArra, LLC as the data importer.
GuardArra implements: AES-256-GCM encryption at rest; TLS 1.3 in transit; role-based access control; TOTP 2FA; full audit logging; regular security assessments; and daily encrypted backups to redundant destinations.
Customers requiring a wet-signature DPA for procurement or compliance purposes should contact legal@guardarra.com. We will issue a signed copy within 5 business days.