1. Introduction

The Government Contracting Authority (GCA) is committed to protecting the privacy and security of personal and sensitive information. This Data Protection Policy outlines our practices for collecting, processing, storing, and protecting data in accordance with applicable laws and regulations, including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable privacy frameworks.

Effective Date: March 2026

2. Scope

This policy applies to all personal and sensitive information processed by GCA, including information relating to:

This policy covers all processing activities regardless of whether data is collected directly or obtained from third parties.

3. Data Collection

GCA collects personal and business information through various channels as part of delivering our government contracting services. We adhere to the principle of data minimization, collecting only the information necessary to fulfill our contractual obligations and provide effective services.

Types of Data Collected

GCA collects only information necessary to provide our services and fulfill legal obligations:

Collection Methods

Data is collected through:

4. Legal Basis for Processing

GCA processes personal data based on the following legal grounds:

For EU residents, processing is conducted in compliance with GDPR Article 6 (lawfulness of processing).

5. Use of Data

GCA uses collected data for the following purposes:

Data will not be used for purposes other than those disclosed without obtaining additional consent.

6. Data Storage and Security

GCA stores all data in secure, access-controlled environments and employs industry-leading security measures to protect personal information from unauthorized access, alteration, disclosure, or destruction. Our security posture is designed to meet the stringent requirements of federal government contracting.

Security Measures

GCA implements comprehensive security controls to protect personal and sensitive information:

Data Retention

GCA retains personal data only as long as necessary to provide services or fulfill legal obligations. Retention periods vary based on data type and purpose:

Secure Destruction

When data is no longer needed, GCA securely destroys it through:

7. Data Sharing and Disclosure

GCA is committed to limiting the sharing of personal data to only those circumstances where it is necessary to deliver our services, comply with legal obligations, or fulfill contractual requirements. We maintain strict controls over who receives personal data and under what conditions.

No Sale or Rental

GCA does not sell, rent, or trade personal information to third parties for marketing purposes.

Permitted Sharing

GCA may share personal data with:

Third-Party Obligations

All recipients of personal data must maintain confidentiality and comply with applicable data protection laws. GCA requires Data Processing Agreements (DPAs) with all service providers.

8. International Data Transfers

GCA may transfer personal data internationally to fulfill service obligations and comply with government contracting requirements. International transfers are protected through:

GCA ensures equivalent protections for data transferred outside the data subject's home jurisdiction.

9. Data Subject Rights

Individuals have the following rights regarding their personal data:

Response Timeline: GCA will respond to all requests within 30 days (extendable to 60 days for complex requests). You may submit requests to privacy@gcagov.com or via certified mail to our principal address.

10. Children's Privacy

GCA services are not directed to individuals under 16 years of age. We do not knowingly collect personal information from children. If we become aware that a child has provided personal data, we will delete such information immediately.

Parents or guardians who believe a child has provided information to GCA should contact privacy@gcagov.com immediately.

11. Data Breach Notification

GCA maintains a comprehensive incident response plan to address data breaches promptly and effectively. In the event of a breach, our priority is to contain the incident, protect affected individuals, and meet all legal notification requirements.

Breach Definition

A data breach is any unauthorized access, disclosure, or loss of personal data that compromises security or privacy.

Response Procedures

Upon discovery or report of a breach, GCA will:

  1. Immediately investigate and assess scope and impact
  2. Contain the breach and prevent further unauthorized access
  3. Document breach details, timeline, and remedial actions
  4. Notify supervisory authorities and affected individuals as required
GDPR: Notify supervisory authority within 72 hours of discovery (unless breach poses minimal risk). CCPA: Notify residents without undue delay. State Laws: Comply with applicable state breach notification requirements.

Individual Notification

Affected individuals will be notified without undue delay (within 30 days for non-GDPR breaches, immediately for high-risk GDPR breaches) via email or certified mail with:

12. Cloud Infrastructure and Compliance

GCA leverages enterprise-grade cloud infrastructure specifically designed for government workloads to ensure the highest levels of data protection, availability, and regulatory compliance.

Platform

GCA utilizes Microsoft Azure Government (GCC High) and Microsoft 365 GCC High for all data storage and processing.

Certifications and Attestations

Our infrastructure maintains the following compliance certifications:

Security Posture

GCA maintains a comprehensive body of evidence documenting compliance with all federal security requirements. Evidence is available upon request to authorized government representatives and security auditors.

13. Employee Training

GCA requires all employees and contractors with access to personal data to complete annual data protection and security training. Training covers:

Compliance with training requirements is mandatory and documented for audit purposes.

14. Government Contracting Requirements

As a government contractor, GCA must adhere to specialized requirements:

Federal Acquisition Regulation (FAR)

GCA complies with all applicable FAR clauses, including:

Defense Contractor Requirements

For Department of Defense contracts:

Agency Supplements

Compliance with additional requirements from specific agencies (GSA, State Department, etc.) as applicable to individual contracts.

15. Policy Review and Updates

This Data Protection Policy is reviewed and updated annually or when significant changes occur, such as:

GCA will notify stakeholders of material changes via email or website update.

16. Contact Information

For questions, requests, or concerns regarding this policy or GCA's data practices:

Email: privacy@gcagov.com

Phone: 202-990-6030

Address: 1309 Coffeen Ave, Suite 11198, Sheridan, WY 82801, USA

You also have the right to lodge a complaint with your local data protection authority (e.g., your country's data protection agency or regulator).

Government Contracting Authority is committed to maintaining trust through transparent, responsible data practices.


Last Updated: March 2026 · © Government Contracting Authority