GCA's comprehensive data protection framework and practices.
The Government Contracting Authority (GCA) is committed to protecting the privacy and security of personal and sensitive information. This Data Protection Policy outlines our practices for collecting, processing, storing, and protecting data in accordance with applicable laws and regulations, including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable privacy frameworks.
Effective Date: March 2026
This policy applies to all personal and sensitive information processed by GCA, including information relating to:
This policy covers all processing activities regardless of whether data is collected directly or obtained from third parties.
GCA collects personal and business information through various channels as part of delivering our government contracting services. We adhere to the principle of data minimization, collecting only the information necessary to fulfill our contractual obligations and provide effective services.
GCA collects only information necessary to provide our services and fulfill legal obligations:
Data is collected through:
GCA processes personal data based on the following legal grounds:
For EU residents, processing is conducted in compliance with GDPR Article 6 (lawfulness of processing).
GCA uses collected data for the following purposes:
Data will not be used for purposes other than those disclosed without obtaining additional consent.
GCA stores all data in secure, access-controlled environments and employs industry-leading security measures to protect personal information from unauthorized access, alteration, disclosure, or destruction. Our security posture is designed to meet the stringent requirements of federal government contracting.
GCA implements comprehensive security controls to protect personal and sensitive information:
GCA retains personal data only as long as necessary to provide services or fulfill legal obligations. Retention periods vary based on data type and purpose:
When data is no longer needed, GCA securely destroys it through:
GCA is committed to limiting the sharing of personal data to only those circumstances where it is necessary to deliver our services, comply with legal obligations, or fulfill contractual requirements. We maintain strict controls over who receives personal data and under what conditions.
GCA does not sell, rent, or trade personal information to third parties for marketing purposes.
GCA may share personal data with:
All recipients of personal data must maintain confidentiality and comply with applicable data protection laws. GCA requires Data Processing Agreements (DPAs) with all service providers.
GCA may transfer personal data internationally to fulfill service obligations and comply with government contracting requirements. International transfers are protected through:
GCA ensures equivalent protections for data transferred outside the data subject's home jurisdiction.
Individuals have the following rights regarding their personal data:
Response Timeline: GCA will respond to all requests within 30 days (extendable to 60 days for complex requests). You may submit requests to privacy@gcagov.com or via certified mail to our principal address.
Parents or guardians who believe a child has provided information to GCA should contact privacy@gcagov.com immediately.
GCA maintains a comprehensive incident response plan to address data breaches promptly and effectively. In the event of a breach, our priority is to contain the incident, protect affected individuals, and meet all legal notification requirements.
A data breach is any unauthorized access, disclosure, or loss of personal data that compromises security or privacy.
Upon discovery or report of a breach, GCA will:
Affected individuals will be notified without undue delay (within 30 days for non-GDPR breaches, immediately for high-risk GDPR breaches) via email or certified mail with:
GCA leverages enterprise-grade cloud infrastructure specifically designed for government workloads to ensure the highest levels of data protection, availability, and regulatory compliance.
GCA utilizes Microsoft Azure Government (GCC High) and Microsoft 365 GCC High for all data storage and processing.
Our infrastructure maintains the following compliance certifications:
GCA maintains a comprehensive body of evidence documenting compliance with all federal security requirements. Evidence is available upon request to authorized government representatives and security auditors.
GCA requires all employees and contractors with access to personal data to complete annual data protection and security training. Training covers:
Compliance with training requirements is mandatory and documented for audit purposes.
As a government contractor, GCA must adhere to specialized requirements:
GCA complies with all applicable FAR clauses, including:
For Department of Defense contracts:
Compliance with additional requirements from specific agencies (GSA, State Department, etc.) as applicable to individual contracts.
This Data Protection Policy is reviewed and updated annually or when significant changes occur, such as:
GCA will notify stakeholders of material changes via email or website update.
For questions, requests, or concerns regarding this policy or GCA's data practices:
Email: privacy@gcagov.com
Phone: 202-990-6030
Address: 1309 Coffeen Ave, Suite 11198, Sheridan, WY 82801, USA
You also have the right to lodge a complaint with your local data protection authority (e.g., your country's data protection agency or regulator).
Government Contracting Authority is committed to maintaining trust through transparent, responsible data practices.