Data Processing Agreement

Last updated: March 24, 2026 · Version 1.1

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Noorros, LLC dba GuardWell Compliance (“Processor,” “we,” “us,” or “our”) and the customer (“Controller,” “you,” or “your”) who has agreed to the GuardWell Compliance Terms of Service. This DPA sets out the terms under which we process personal data on your behalf when providing the GuardWell Compliance platform (“Service”).

1. Definitions

  • “Personal Data” means any information relating to an identified or identifiable natural person, including but not limited to names, email addresses, IP addresses, and any other data defined as “personal data,” “personal information,” or equivalent term under applicable data protection laws.
  • “Processing” means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
  • “Controller” means the natural or legal person that determines the purposes and means of the Processing of Personal Data. For purposes of this DPA, the Controller is the customer who has agreed to the GuardWell Compliance Terms of Service.
  • “Processor” means the natural or legal person that processes Personal Data on behalf of the Controller. For purposes of this DPA, the Processor is Noorros, LLC dba GuardWell Compliance.
  • “Sub-processor” means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • “Data Subject” means an identified or identifiable natural person whose Personal Data is processed.
  • “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
  • “Applicable Data Protection Laws” means all laws and regulations applicable to the processing of Personal Data under this DPA, including the California Consumer Privacy Act (CCPA), state privacy laws, and, to the extent applicable, the General Data Protection Regulation (GDPR).

2. Scope of Processing

2a. Categories of Data Subjects

  • Account holders (practice administrators and owners)
  • Team members (staff invited to the platform by account holders)
  • Individuals referenced in compliance documentation (where applicable and under a BAA)

2b. Categories of Personal Data

  • Contact information (name, email address, job title, phone number)
  • Practice information (practice name, NPI, specialty, state, address)
  • Account credentials (email, hashed password via Firebase Authentication)
  • Usage data (pages visited, features used, timestamps)
  • Device and browser information (IP address, browser type, operating system)
  • Compliance documentation data (checklists, training records, incident reports, risk assessments, policy acknowledgments)
  • Uploaded files and documents
  • Payment information (processed by Stripe; we do not store full card numbers)

2c. Purposes of Processing

We process Personal Data solely for the following purposes:

  • Providing, operating, and maintaining the Service
  • User authentication and account management
  • Processing subscriptions and payments
  • Generating AI-powered compliance content (training courses, policy suggestions)
  • Sending transactional communications (account notices, compliance reminders, billing receipts)
  • Providing customer support
  • Improving the Service through aggregated, anonymized usage analytics
  • Complying with legal obligations

2d. Duration of Processing

Processing will continue for the duration of the Service agreement between Controller and Processor, plus any retention period specified in our Privacy Policy or required by law.

3. Data Processing Instructions

The Processor shall process Personal Data only on documented instructions from the Controller, including with respect to transfers of Personal Data, unless required to do so by applicable law. The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes applicable data protection laws.

The Controller's instructions for processing are defined by: (a) the GuardWell Compliance Terms of Service; (b) this DPA; (c) the Controller's use and configuration of the Service; and (d) any additional documented instructions agreed upon by the parties.

The Processor shall not process Personal Data for any purpose other than those set forth in this DPA and the Terms of Service. The Processor shall not sell, rent, or share Personal Data with third parties for their own purposes.

4. Sub-processors

The Controller hereby provides general authorization for the Processor to engage Sub-processors to process Personal Data, subject to the following conditions:

  • The Processor shall enter into a written agreement with each Sub-processor imposing data protection obligations no less protective than those set forth in this DPA.
  • The Processor shall remain fully liable to the Controller for the performance of each Sub-processor's obligations.
  • The Processor shall notify the Controller at least 30 days in advance of any intended addition or replacement of a Sub-processor, providing the Controller an opportunity to object.
  • If the Controller objects to a new Sub-processor on reasonable grounds related to data protection, the parties shall discuss the concerns in good faith. If the objection cannot be resolved, the Controller may terminate the affected Service.

Current Sub-processors

Sub-processor                          | Purpose                                      | Location
Firebase Authentication (Google Cloud) | User authentication and identity management  | United States
Stripe                                 | Payment processing and subscription billing  | United States
Google Cloud SQL (PostgreSQL)          | Primary database hosting                     | United States
Anthropic (Claude AI)                  | AI-powered content generation                | United States
Google Cloud Run                       | Application hosting and serverless compute   | United States
Google Cloud Storage                   | Secure file and document storage             | United States
Resend                                 | Transactional email delivery                 | United States

5. Security Measures

The Processor shall implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures include:

Technical Measures

  • Encryption of data in transit using TLS 1.2 or higher (HTTPS)
  • Encryption of data at rest using AES-256
  • Multi-factor authentication support for all user accounts
  • Role-based access controls with the principle of least privilege
  • Comprehensive audit logging of data access (user, timestamp, action, data accessed)
  • Automated backup with defined recovery time and recovery point objectives
  • Regular vulnerability scanning (quarterly) and penetration testing (annually)
  • Automatic session timeout after periods of inactivity
  • Network segmentation and firewall controls

Organizational Measures

  • Data protection and security training for all personnel with access to Personal Data
  • Confidentiality obligations for all employees and contractors
  • Documented security policies and procedures
  • Documented incident response plan, tested at least annually
  • Annual security risk assessments
  • Infrastructure hosted on Google Cloud Platform with SOC 2 Type II certified data centers
  • Business continuity and disaster recovery plan, tested at least annually

6. Data Subject Rights

The Processor shall assist the Controller in fulfilling its obligations to respond to Data Subject requests to exercise their rights under applicable data protection laws, including the right to:

  • Access their Personal Data
  • Rectify inaccurate Personal Data
  • Erase their Personal Data (“right to be forgotten”)
  • Restrict processing of their Personal Data
  • Data portability (receive Personal Data in a structured, machine-readable format)
  • Object to processing of their Personal Data

The Processor shall promptly notify the Controller if it receives a request from a Data Subject regarding their Personal Data and shall not respond to such request directly unless authorized to do so by the Controller. The Processor shall provide reasonable technical and organizational assistance to enable the Controller to respond to Data Subject requests within the timeframes required by applicable law.

7. Data Breach Response

In the event of a Data Breach involving Personal Data processed under this DPA, the Processor shall:

  • Notify the Controller without undue delay and in no case later than 72 hours after becoming aware of the Data Breach.
  • Provide the Controller with sufficient information to enable the Controller to meet any obligations to notify Data Subjects and/or regulatory authorities, including:
    • A description of the nature of the Data Breach, including categories and approximate number of Data Subjects and records affected
    • The likely consequences of the Data Breach
    • A description of the measures taken or proposed to address the Data Breach and mitigate its effects
    • The name and contact details of the Processor's point of contact for further information
  • Cooperate with the Controller in investigating and remediating the Data Breach.
  • Take immediate steps to contain the Data Breach and minimize its impact.
  • Document all Data Breaches, including the facts, effects, and remedial actions taken.

8. Data Transfers

All Personal Data processed under this DPA is stored and processed within the United States on Google Cloud infrastructure. The Processor does not transfer Personal Data to any country outside of the United States.

If a transfer of Personal Data outside of the United States becomes necessary in the future, the Processor shall: (a) notify the Controller in advance; (b) ensure that appropriate safeguards are in place in accordance with applicable data protection laws (such as Standard Contractual Clauses); and (c) obtain the Controller's prior written consent before making any such transfer.

9. Data Retention and Deletion

The Processor shall retain Personal Data only for as long as necessary to fulfill the purposes of processing as described in this DPA and the Terms of Service, or as required by applicable law.

  • During active subscription: Personal Data is retained for the duration of the Controller's subscription.
  • After cancellation: Personal Data is retained for 30 days to allow for reactivation or data export, then permanently deleted.
  • Upon termination or deletion request: The Processor shall delete or return all Personal Data within 30 days of the request, and shall certify in writing that all Personal Data has been deleted, except where retention is required by applicable law.
  • Sub-processor data: The Processor shall ensure that Sub-processors delete Personal Data in accordance with the same retention and deletion requirements.

Deletion includes the permanent removal of Personal Data from all active systems, backups (within the normal backup rotation cycle, not to exceed 90 days), and Sub-processor systems.

10. Audit Rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations set forth in this DPA and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.

  • The Controller shall provide at least 30 days' written notice of any audit request.
  • Audits shall be conducted during normal business hours and shall not unreasonably disrupt the Processor's operations.
  • The Controller may conduct no more than one audit per 12-month period, unless a Data Breach has occurred or a regulatory authority requires an audit.
  • In lieu of an on-site audit, the Processor may provide: (a) a current SOC 2 Type II audit report; (b) results of its most recent security risk assessment; or (c) other certifications or audit reports reasonably acceptable to the Controller.
  • Each party shall bear its own costs of the audit unless the audit reveals a material non-compliance by the Processor.
  • The Controller and its auditors shall maintain the confidentiality of all information obtained during the audit.

11. Term and Termination

This DPA shall be effective for the duration of the Controller's use of the Service under the Terms of Service. This DPA shall automatically terminate upon termination or expiration of the Terms of Service.

Upon termination of this DPA, the Processor shall comply with the data deletion obligations set forth in Section 9. The obligations of the Processor under Sections 5 (Security Measures), 7 (Data Breach Response), 9 (Data Retention and Deletion), and 10 (Audit Rights) shall survive termination of this DPA for as long as the Processor retains any Personal Data.

12. Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability set forth in the Terms of Service between the Controller and the Processor, except that such limitations shall not apply to either party's obligations under applicable data protection laws that cannot be limited by contract.

The Processor shall be liable for damage caused by processing that does not comply with this DPA or applicable data protection laws. The Processor shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.

13. Governing Law

This DPA shall be governed by and construed in accordance with the laws of the State of Delaware, without regard to its conflict of law provisions, consistent with the governing law provisions of the Terms of Service.

14. Contact

Questions about this Data Processing Agreement should be directed to:

Noorros, LLC dba GuardWell Compliance

Email: privacy@gwcomp.com
