Data Processing Agreement
This Data Processing Agreement governs the processing of personal data by Newf Technology, Inc. on behalf of customers using the AlignSure platform.
Note: This DPA supplements the Master Services Agreement. For customers whose use of AlignSure involves Protected Health Information as defined under HIPAA, the Business Associate Agreement governs PHI-specific obligations and supersedes this DPA with respect to PHI processing.
Scope of Processing
AlignSure processes personal data as necessary to provide compliance management, document review, regulatory calendar, and workforce management services as described in the Master Services Agreement.
Data Categories
Personal data processed may include: employee names and contact information, job titles and department assignments, professional certifications and credentials, compliance training records, and workforce safety records.
PHI processing is governed by the Business Associate Agreement, not this DPA.
Processing Locations
All personal data is processed and stored within the United States. AlignSure does not transfer personal data outside the United States without prior written consent.
Security Measures
AlignSure implements technical and organizational security measures including: encryption at rest (AES-256) and in transit (TLS 1.2+), tenant isolation at application, database, and storage layers, identity-bound access controls through Microsoft Entra ID, audit logging of all data access and processing activities, and regular security assessments and vulnerability management.
Detailed security practices are described at alignsure.com/security.
Sub-processors
A current list of sub-processors is maintained at alignsure.com/legal/subprocessors. Newf Technology will notify customers of any intended changes to sub-processors with at least 30 days advance notice.
Data Breach Notification
In the event of a personal data breach, Newf Technology will notify the customer without undue delay and no later than 72 hours after becoming aware of the breach. Notification will include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken to address the breach.
Data Retention and Deletion
Personal data is retained for the duration of the service agreement plus 30 days. Upon termination, Newf Technology will delete all personal data within 30 days unless retention is required by applicable law. Customers may request data export at any time during the service term.
Contact
For DPA inquiries: [email protected]
Effective Date: February 18, 2026
This document is structured for attorney review. Section headings and structure should be preserved during legal review.