Guspora^™

This Data Processing Agreement ("DPA") forms part of the agreement between Ferguson Fire Protection, LLC doing business as Guspora ("Processor," "we," "us") and the entity agreeing to these terms ("Controller," "you," "Customer") for the provision of the Guspora platform services.

This DPA applies when we process personal data on your behalf as a data processor in connection with the Guspora platform.

1. Definitions

• "Personal Data" means any information relating to an identified or identifiable natural person processed by the Processor on behalf of the Controller through the Platform.
• "Processing" means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, or erasure.
• "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
• "Subprocessor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
• "Security Incident" means any unauthorized access, acquisition, use, or disclosure of Personal Data.

2. Scope of Processing

We process Personal Data solely to provide the Guspora platform services as described in the Terms of Service and as instructed by you. Categories of data processed include:

• Account and registration data (names, emails, phone numbers, company information)
• Inspection data (reports, photos, videos, audio, equipment records)
• Credential and license verification data
• Location data (GPS coordinates during active inspections)
• Billing and payment data (processed by Stripe)
• Communications data (SMS via Twilio, support interactions)

Categories of Data Subjects include service provider employees (technicians, inspectors), property owners and managers, and AHJ officials.

3. Controller Obligations

You are responsible for ensuring that you have a lawful basis for providing Personal Data to us, that Data Subjects have been informed about the processing, and that your use of the Platform complies with applicable data protection laws.

4. Processor Obligations

We will:

• Process Personal Data only on your documented instructions and as necessary to provide the Platform services
• Ensure that persons authorized to process Personal Data are subject to confidentiality obligations
• Implement appropriate technical and organizational security measures
• Not engage a Subprocessor without prior notice (see Section 7)
• Assist you in responding to Data Subject requests
• Assist you in ensuring compliance with security, breach notification, and data protection impact assessment obligations
• Delete or return Personal Data upon termination, subject to retention requirements described in the Privacy Policy
• Make available information necessary to demonstrate compliance with this DPA

5. Security Measures

We implement the following technical and organizational measures to protect Personal Data:

6. Security Incident Notification

The notification will include:

• The nature of the incident
• Categories and approximate number of Data Subjects affected
• Likely consequences
• Measures taken or proposed to address the incident

We will cooperate with you in investigating and mitigating the incident and will provide reasonable assistance in fulfilling your own breach notification obligations.

7. Subprocessors

A current list of Subprocessors is maintained at /legal/subprocessors.

We will notify you at least 30 days before engaging a new Subprocessor. If you object to a new Subprocessor, you may terminate the affected services by providing written notice within 30 days of our notification.

All Subprocessors are bound by written agreements that impose data protection obligations no less protective than those in this DPA.

8. Data Subject Requests

We will assist you in responding to requests from Data Subjects exercising their rights under applicable data protection law (access, rectification, erasure, portability, restriction, objection). If we receive a request directly from a Data Subject, we will promptly redirect the request to you unless legally prohibited from doing so.

9. International Transfers

Personal Data is stored and processed in the United States (AWS US-East-1). For transfers of Personal Data from the EEA, UK, or Switzerland, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission. Copies of executed SCCs are available upon request.

10. Data Retention and Deletion

Personal Data is retained in accordance with the retention schedule in our Privacy Policy.

• Upon termination, you may export your data for 30 days
• After 45 days, active data is deleted
• Certain data may be retained beyond termination as required by law (e.g., 7-year retention for deficiency records and tax compliance) or for audit trail permanence

11. Audits

Upon reasonable request and subject to reasonable confidentiality obligations, we will make available information necessary to demonstrate compliance with this DPA. You may conduct an audit (or engage a qualified third-party auditor) no more than once per year with at least 30 days advance written notice. Audits shall be conducted during normal business hours and shall not unreasonably interfere with our operations.

12. Limitation of Liability

Each party's liability under this DPA is subject to the limitations of liability set forth in the Terms of Service.

13. Term and Termination

This DPA remains in effect for the duration of our processing of Personal Data on your behalf. It automatically terminates when we no longer process Personal Data for you. Obligations regarding data deletion, security incident notification, and confidentiality survive termination.

14. Governing Law

This DPA is governed by the laws of the Commonwealth of Kentucky, except that where EU/UK data protection law applies to the processing, those provisions are governed by the applicable EU/UK law.

15. Execution

This DPA is incorporated into and forms part of the Terms of Service. By using the Guspora platform, you agree to the terms of this DPA. For customers who require a separately executed DPA, please contact support@guspora.com.