Roles of the parties
For personal data that a firm’s clients place into GuardKin, the firm (and, where applicable, the client) is the data controller and GuardKin is the data processor. GuardKin processes that data only on documented instructions from the controller and only to provide the service.
Scope & nature of processing
GuardKin processes account, financial-readiness, estate-designation, and document data so that families can assemble their estate operational record and the right people can access it at incapacity or death. Sensitive content is encrypted client-side with keys GuardKin’s servers never receive — so for that content GuardKin is a processor of ciphertext it cannot read. See the security architecture.
Security measures
GuardKin maintains the technical and organizational measures described on the Security page and committed to in the Trust Center: zero-knowledge encryption of sensitive content, encryption in transit and at rest, a hash-linked immutable audit chain, least-privilege access, MFA enforcement, and an independent cryptography review. GuardKin is actively preparing for its SOC 2 Type II audit, targeted for completion in the next 4–6 months (Q4 2026); we are pre-certification and status is published honestly on /status.
Subprocessors
GuardKin engages a limited set of subprocessors, each listed with its purpose and location at /security/subprocessors. The DPA commits GuardKin to flow-down obligations and to advance notice of new subprocessors, giving controllers the opportunity to object.
International transfers
Data is US-resident by default. Where personal data of EU/UK data subjects is processed, transfers rely on the Standard Contractual Clauses incorporated into the DPA. EU/UK data residency is available at Stage 3+ by firm contract.
Data-subject rights & assistance
GuardKin assists controllers in responding to data-subject requests (access, correction, deletion, portability), taking into account the nature of the processing. Individuals’ rights and how to exercise them are described in the Privacy Policy.
Breach notification
GuardKin notifies controllers without undue delay after becoming aware of a personal-data breach affecting their data, with the information needed for the controller to meet its own notification obligations.
Return & deletion
On termination, GuardKin returns or deletes personal data at the controller’s election, subject to retention required by law. Export is free and available in standard formats at any time, regardless of subscription status.