Data Processing Agreement
- Version
- 2.0
- Effective
- 2026-05-20
DATA PROCESSING AGREEMENT
Between OnGuard Technologies, Inc. and [Client Legal Name]
1. PURPOSE AND INCORPORATION
This Data Processing Agreement ("DPA") forms part of the Master Services Agreement ("MSA") between OnGuard Technologies, Inc. ("OnGuard" or "Processor") and [Client Legal Name] ("Client" or "Controller") and governs OnGuard's processing of Personal Data on Client's behalf in connection with the Platform.
In the event of conflict between this DPA and the MSA regarding the protection of Personal Data, this DPA controls.
2. DEFINITIONS
Capitalized terms used and not defined here have the meanings given in the MSA. In addition:
2.1 "Applicable Data Protection Law" means any applicable law relating to the processing of Personal Data, including the CCPA/CPRA, the GDPR (and UK GDPR), and U.S. state comprehensive privacy laws.
2.2 "Personal Data" means information that identifies, relates to, or could reasonably be linked with an identifiable individual, as defined in Applicable Data Protection Law.
2.3 "Processing" means any operation performed on Personal Data, whether or not by automated means.
2.4 "Security Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data processed under this DPA.
2.5 "Subprocessor" means a third party engaged by OnGuard to process Personal Data on OnGuard's behalf.
3. ROLES OF THE PARTIES
3.1 Client is the Controller of Personal Data submitted to OnGuard for processing in connection with the Platform.
3.2 OnGuard is a Processor when processing Personal Data on Client's behalf for purposes described in the MSA and this DPA.
3.3 OnGuard may act as an independent Controller for Platform account data, usage analytics, security logs, and product-improvement data, in which case OnGuard's Privacy Policy and applicable law govern that processing.
3.4 Vendor as Controller of Guard Employment Data. The parties acknowledge that, with respect to Personal Data of Guards relating to their employment, payroll, and HR matters, the Vendor that employs the Guard is the Controller, not Client or OnGuard. OnGuard processes such data only as a Processor on the Vendor's behalf in connection with Platform features the Vendor enables.
4. SCOPE OF PROCESSING
OnGuard processes Personal Data only to provide the Platform and related services described in the MSA, including matching, scheduling visibility, communications, credential verification tooling, payment routing, and reporting.
5. CATEGORIES OF DATA AND DATA SUBJECTS
5.1 Categories of Data. As applicable: contact information, professional credentials, assignment data, schedule data, communications, location data (where enabled by Vendor), payment data, device and usage data, and limited background-check status data.
5.2 Categories of Data Subjects. Client personnel, Vendor personnel, Guards, and other Platform users.
6. CLIENT INSTRUCTIONS
OnGuard processes Personal Data only on Client's documented instructions, as set out in the MSA, this DPA, and Client's configuration of the Platform. Client represents and warrants that its instructions comply with Applicable Data Protection Law. If OnGuard believes an instruction would violate law, OnGuard will notify Client promptly and, where required, cease processing until Client provides lawful instructions.
7. CONFIDENTIALITY OF PERSONNEL
OnGuard shall ensure that personnel authorized to process Personal Data are subject to confidentiality obligations and that access is limited to those with a business need to know.
8. SECURITY MEASURES
OnGuard shall implement and maintain appropriate technical and organizational measures, including:
- encryption of Personal Data in transit (TLS) and at rest for sensitive categories;
- role-based access controls and least-privilege access;
- multi-factor authentication for administrative access;
- logging and monitoring of access to systems processing Personal Data;
- regular vulnerability scanning and penetration testing;
- backup and disaster recovery procedures;
- a documented incident response plan; and
- secure software development practices.
OnGuard updates its security measures in light of technological developments and emerging threats.
9. SUBPROCESSORS
9.1 Client provides general authorization for OnGuard's use of Subprocessors to perform services described in the MSA (including payment processors, background-check providers, cloud infrastructure, communications, and analytics).
9.2 OnGuard maintains a current Subprocessor list at https://onguardsolutions.io/legal/subprocessors and provides notice of additions or replacements at least thirty (30) days in advance where reasonably feasible.
9.3 Client may object to a new Subprocessor in writing within thirty (30) days of notice on reasonable data protection grounds. The parties shall work in good faith to resolve the objection; if unresolved, Client may terminate the affected services without penalty.
9.4 OnGuard requires each Subprocessor to provide protections no less protective than this DPA and remains responsible for the Subprocessor's acts and omissions.
10. DATA SUBJECT RIGHTS
OnGuard shall, taking into account the nature of the processing, reasonably assist Client by appropriate technical and organizational measures to fulfill Client's obligations to respond to data subject requests (access, correction, deletion, restriction, portability, objection). Client remains responsible for its Controller obligations to respond to data subjects.
11. DATA RETENTION AND DELETION
11.1 OnGuard retains Personal Data only as long as necessary to provide the Platform and as required by law or the MSA.
11.2 Upon termination or at Client's written request, OnGuard shall, at Client's option, return the Personal Data in a commonly used machine-readable format or securely delete the Personal Data from OnGuard's systems within a commercially reasonable timeframe, except where retention is required by law or for security, fraud prevention, or dispute resolution.
11.3 OnGuard shall confirm in writing when deletion is complete.
12. SECURITY INCIDENT NOTIFICATION
12.1 OnGuard shall notify Client without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Security Incident affecting Client Personal Data.
12.2 The notification shall include, to the extent known: the nature of the Security Incident; the categories and approximate number of data subjects and records affected; likely consequences; measures taken or proposed to mitigate harm; and a contact point.
12.3 OnGuard shall provide reasonable cooperation to assist Client in meeting regulatory breach-notification obligations (including state mandates with notification windows shorter than 72 hours where applicable).
13. INTERNATIONAL DATA TRANSFERS
13.1 Personal Data may be processed in the United States and other countries where OnGuard or its Subprocessors operate.
13.2 For transfers from jurisdictions with adequacy requirements, OnGuard implements appropriate safeguards (e.g., Standard Contractual Clauses, UK International Data Transfer Addendum, or equivalent mechanisms).
14. COMPLIANCE WITH LAWS
Each party shall comply with Applicable Data Protection Law in its performance under this DPA. Client is responsible for the lawful collection of Personal Data and for providing notices and obtaining consents required by law.
15. AUDIT RIGHTS
15.1 Client may, no more than once per 12-month period and upon at least sixty (60) days' prior written notice, audit OnGuard's compliance with this DPA relating to Client Personal Data, subject to reasonable confidentiality obligations.
15.2 OnGuard may, in its discretion, provide audit evidence, independent assurance reports (e.g., SOC 2), or other documentation in lieu of an on-site audit.
15.3 Client bears audit costs unless the audit reveals material non-compliance by OnGuard, in which case OnGuard bears reasonable audit costs.
15.4 Audits shall be conducted during normal business hours and shall not unreasonably interfere with OnGuard's operations.
16. LIMITATION OF LIABILITY
Liability arising under this DPA is subject to the limitations and exclusions in the MSA, except that nothing in this DPA limits liability for a party's willful misconduct, gross negligence, or fraud.
17. TERM
This DPA remains in effect for the duration of the MSA and survives termination as necessary to give effect to the parties' data protection obligations.
18. GOVERNING LAW
This DPA is governed by the laws of the State of Delaware, without regard to conflict-of-laws principles. Where Client is a California entity or transactions occur in California, mandatory provisions of California law apply.
19. ORDER OF PRECEDENCE
In the event of conflict, the order of precedence is: (1) Order Form, (2) this DPA, (3) the MSA body.
SIGNATURES
OnGuard Technologies, Inc.
By: ______________________________ Name: Kelly Christenson Title: Chief Executive Officer Date: ______________________________
[Client Legal Name]
By: ______________________________ Name: ______________________________ Title: ______________________________ Date: ______________________________
End of Data Processing Agreement.