Data Processing Agreement
Effective Date: [DATE]
This Data Processing Agreement ("DPA") supplements the AlignSure Terms of Service and governs how Newf Technology, Inc. processes data on behalf of customers.
1. Definitions
- "Controller": The customer organization that determines the purposes and means of processing personal data.
- "Processor": Newf Technology, Inc., operating as AlignSure, which processes personal data on behalf of the Controller.
- "Personal Data": Any information relating to an identified or identifiable natural person.
- "Processing": Any operation performed on personal data.
- "Sub-processor": A third party engaged by the Processor to process personal data on behalf of the Controller.
2. Scope and Purpose
This DPA applies to all personal data processed by AlignSure on behalf of the customer in connection with the AlignSure platform and services. Processing activities include storage, analysis, review coordination, evidence generation, and compliance workflow execution as described in the Terms of Service.
3. Processor Obligations
The Processor shall:
- Process personal data only on documented instructions from the Controller
- Ensure persons authorized to process personal data have committed to confidentiality
- Implement appropriate technical and organizational security measures as described in our Security Practices
- Assist the Controller in responding to data subject requests
- Assist the Controller in ensuring compliance with security, breach notification, and impact assessment obligations
- Delete or return all personal data upon termination of services
- Make available all information necessary to demonstrate compliance and allow for audits
4. Sub-processors
AlignSure uses the following categories of sub-processors:
- Cloud infrastructure providers (hosting, storage, compute)
- Authentication and identity providers
- Email delivery services
A current list of sub-processors is available upon request. The Processor will notify the Controller of any intended changes to sub-processors with reasonable advance notice.
5. Data Transfers
All customer data processed by AlignSure is stored and processed within the United States. AlignSure does not transfer personal data outside the United States without prior written consent of the Controller.
6. Security Measures
The Processor implements and maintains technical and organizational security measures appropriate to the risk, including:
- Encryption of personal data at rest (AES-256) and in transit (TLS 1.2+)
- Tenant isolation ensuring customer data is never commingled
- Identity-bound access controls through Microsoft Entra ID
- Audit logging of all data access and processing activities
- Regular security assessments and vulnerability management
Detailed security practices are described at alignsure.com/security.
7. Data Breach Notification
In the event of a personal data breach, the Processor will notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach. Notification will include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.
8. Data Retention and Deletion
Personal data is retained for the duration of the service agreement plus 30 days. Upon termination or expiration of services, the Processor will delete all personal data within 30 days unless retention is required by applicable law. The Controller may request data export at any time during the service term.
9. Relationship to BAA
For customers whose use of AlignSure involves protected health information (PHI) as defined under HIPAA, the Business Associate Agreement between the parties governs PHI-specific obligations and supersedes this DPA with respect to PHI processing. This DPA governs processing of all other personal data.
10. Term and Amendments
This DPA is effective for the duration of the service agreement. Newf Technology, Inc. may update this DPA to reflect changes in data processing practices or applicable law, with reasonable notice to the Controller.
For DPA inquiries: legal@alignsure.com