This Data Processing Addendum ("DPA") supplements the HarborGuard Terms of Service when our processing of your data falls within the scope of GDPR, UK GDPR, or comparable data-protection legislation. By using the Service you accept this DPA; signed counterpart copies are available on request to legal@harborguard.co.
1. Roles
For data you submit through the Service, you are the controller and HarborGuard is the processor. We process personal data only on documented instructions from you, including the configuration of the Service via the dashboard, the API, or written communication.
2. Sub-processors
The current list of sub-processors and the data each receives:
- Fly.io — application compute and PostgreSQL hosting (US region iad).
- Stripe — billing and payment processing.
- SendGrid (Twilio) — transactional email delivery.
- Intercom — customer support chat.
- Slack — outbound notification delivery (only when you connect a Slack workspace).
- PagerDuty — outbound notification delivery (only when configured).
We notify customers at least 30 days before adding or replacing a sub-processor. You may object via privacy@harborguard.co.
3. International transfers
For transfers from the EEA, UK, or Switzerland to the United States, we rely on the EU-US Data Privacy Framework where applicable, and on Standard Contractual Clauses (Module 2 — Controller to Processor) for transfers outside the framework. The SCCs are incorporated into this DPA by reference.
4. Security measures
We implement the technical and organizational measures described on our security page: encryption in transit (TLS 1.3) and at rest (AES-256-GCM for credentials), tenant isolation enforced at the query layer, role-based access, MFA for admins, and structured audit logging.
5. Sub-processor oversight
We require each sub-processor to enter a written data-protection agreement with confidentiality and security obligations no less protective than those in this DPA, and we monitor compliance via vendor reviews at least annually.
6. Data subject requests
We assist you in fulfilling requests from data subjects exercising their rights (access, rectification, erasure, portability) within 7 business days of your written request to privacy@harborguard.co.
7. Breach notification
We notify you in writing within 72 hours of confirming a personal data breach affecting your data, including the nature of the breach, the data categories impacted, and the remedial actions taken.
8. Deletion at termination
Within 30 days of contract termination, we delete or return all personal data in our possession unless we are required to retain it under applicable law. Backups are purged on the 30-day rotation cycle.
9. Audits
We make our most recent SOC 2 Type II report available under NDA. For Enterprise customers, we accommodate annual on-site or remote audits with reasonable notice.