Data Processing Statement
How GuardRail handles customer and personal information when providing the Services.
Effective date: November 1, 2025
Purpose
This Data Processing Statement explains GuardRail’s role in handling customer and personal information through the Services.
Roles
In most cases:
- the organisation using GuardRail determines what information is collected, uploaded, and shared through the Services,
- GuardRail processes that information on behalf of the organisation in order to provide the Services.
For some information, GuardRail may also act as an independent controller/business where we process data for our own legitimate business purposes, such as billing, security, fraud prevention, legal compliance, and service analytics.
Processing Activities
GuardRail processes data to:
- host vendor registers and related records,
- manage account access and authentication,
- transmit invitations, reminders, and notifications,
- store uploaded records and supporting documents,
- generate reports,
- secure, monitor, and improve the Services,
- perform backup, disaster recovery, and support functions.
Types of Data
Depending on customer use, GuardRail may process:
- account and identity data,
- organisation and contact data,
- vendor declarations,
- contract and review metadata,
- uploaded files and supporting documents,
- usage logs and technical metadata.
Customer Responsibilities
Customers are responsible for:
- determining whether use of GuardRail is lawful for their purposes,
- ensuring they have a lawful basis to collect, upload, and disclose personal information to GuardRail,
- configuring user access appropriately,
- reviewing vendor information before relying on it,
- responding to data subject requests where they are the controller/business,
- ensuring notices and policies to their own users or vendors are appropriate.
GuardRail Responsibilities
GuardRail will:
- process customer data only as necessary to provide the Services and support related operations,
- implement reasonable security safeguards,
- use sub-processors and infrastructure providers to support the Services,
- assist customers with reasonable requests concerning customer data where appropriate,
- notify customers of data breaches where required by law or contract.
Sub-processors
GuardRail may use third-party sub-processors or service providers for hosting, infrastructure, email delivery, analytics, monitoring, storage, customer support, and payment processing. A current sub-processor list may be made available on request or via our website.
International Processing
Customer data may be processed in countries where GuardRail or its sub-processors operate. GuardRail takes reasonable steps to select providers and arrangements appropriate for the Services.
Security Measures
GuardRail applies reasonable technical and organisational measures appropriate to the nature of the Services, including access controls, encryption in transit, secure hosting, logging, and role-based restrictions.
Deletion and Return
Subject to legal and operational requirements, GuardRail will provide customers with reasonable means to export their data and will delete or de-identify customer data after termination in accordance with our retention processes and service settings.
Assistance
Where appropriate and proportionate, GuardRail may assist customers with access, correction, deletion, or incident-related requests relating to customer data.
Priority of Agreements
If GuardRail enters into a separate Data Processing Addendum or enterprise agreement with a customer, that agreement will prevail for that customer to the extent of any inconsistency.