Legal Stack v1.0
Signing Flow — what becomes binding at each step
Effective: May 25, 2026. TinyGuard's contract with a facility is not one click-through. It's a sequenced chain of discrete signing steps; each step binds a specific document code (TG-MSA-001, TG-DPA-001, etc.), each prior step locks before the next begins, and the resulting state is an enforceable chain — not aspirational marketing language. This page is the customer-facing map of that chain. The mechanics live in the Center admin dashboard.
⚠️ Honest operational status (May 25, 2026)
The signing flow described below is the contract-of-record shape — what each document binds and in what order, today, in the MSA + DPA/BAA + state addenda we sign with facilities. The software-collection mechanism for the per-step signatures (step-status dashboard, parent-portal signature capture, staff-portal acknowledgment, attestation expiry reminders, append-only audit log) is on the engineering roadmap and is the same multi-sprint chain that builds the auto-suspend gate referenced on /legal/covenants. Until that chain ships, the controlling enforcement mechanism is the operator's signed paper-process attestation at intake and the contractual covenants themselves. Any complaint of a covenant lapse should be filed to legal@tinyguard.co for 24-hour investigation. This page will be updated in lockstep when the code-level flow ships.
Why a flow, not a single click-through
A binding contract chain is sequenced. The MSA frames the relationship; the DPA or BAA assigns controller/processor roles inside that frame; the state addendum carries state-specific obligations; the Center attestation closes the loop with operational responsibility. Out-of-order signing would mean a Center is bound to an obligation (e.g. state-addendum signage) before the framework that makes the obligation enforceable exists.
Each step locks the prior step. Once Step 2 (vertical agreement) is signed, Step 1 (MSA) cannot be unilaterally edited by either party — only re-signed as a numbered amendment. The same lock propagates down the chain. This is how the doc-code references in MSA §3 (no-biometrics covenant), the DPA's COPPA framing, and the state addendum's wiretap reaffirmation stay coherent over time.
Each step has a status: pending, in review, signed, locked. Today these statuses are tracked in the audit log against signed paper-process attestations; the Center-admin and TinyGuard-side step-status dashboards ship in the June 2026 rollout (see the operational note above). The 4 covenants are contractually gated on the corresponding step being signed-and-locked — software-enforced per-room broadcast / audio gating on those signatures ships with the same rollout.
1
Master Service Agreement
TG-MSA-001 (childcare) · TG-MSA-E-001 (elder care)
Signed by: Center owner or authorized agent.
Counterparty: TinyGuard LLC.
Delivery: redline-friendly Word draft from
legal@tinyguard.co; signed via DocuSign or counterpart PDF.
🔒 Binds at this step
All four covenants in
/legal/covenants — particularly MSA §3 (the no-biometrics covenant, carved out of the liability cap). Pricing tier, support terms, term length, payment terms. Termination + cure provisions.
⏭️ Unlocks next step
Step 2 (vertical data agreement) cannot be sent until MSA is countersigned. Operationally: Center cannot create users or enable cameras until MSA is locked.
2
Vertical Data Agreement — DPA or BAA
TG-DPA-001 (childcare) · TG-BAA-E-001 (elder care)
Signed by: Same authorized signer as the MSA. Vertical-routing: childcare facilities sign the DPA (data processing under COPPA + state child-privacy law); elder facilities sign the BAA (HIPAA Business Associate path). The two stacks remain separate at the data layer — a Center signs one, not both.
🔒 Binds at this step
Controller/processor split (Center = data controller, TinyGuard = processor). 24-hour breach notification window. Sub-processor obligations (see
Subprocessor List). 30-day data-return-or-destroy on termination. Elder-specific: HIPAA-aligned MAR + EVV + resident-dignity statute compliance.
⏭️ Unlocks next step
Step 3 state addendum cannot be sent until the appropriate DPA or BAA is locked. Operationally: state-specific obligations (e.g. IL BIPA reaffirmation, NYC LL3, OR audio carve-out) only attach to a Center once their state addendum is signed in Step 3.
3
State Addendum
Childcare: TG-STA-001..012 (TX, CA, IL, MN, NY, FL, CT, MD, MA, PA, WA, OR drafted) · Elder: TG-STA-E-001..006 (TX, IL, WA, MN, OK, UT drafted)
Signed by: Same signer.
Selection: determined by the facility's licensed state(s); multi-state operators sign one per operating state.
Drafting on signing: states without a drafted addendum get one authored by Luther on request — email
legal@tinyguard.co with your state.
🔒 Binds at this step
State-specific obligations beyond the federal baseline: biometric-statute reaffirmation (IL BIPA, WA RCW 19.375, NYC LL3), wiretap-statute all-party-consent posture (11+1 states), child-care subsidy reporting (CCDF where applicable), elder resident-dignity statutes, breach-notification timelines per state. The MSA §3 no-biometrics covenant is restated here per state.
⏭️ Unlocks next step
Step 4 attestation cannot be filed until the state addendum is locked. Operationally: state-specific dashboard gates (e.g. CA single-party-consent audio prompts vs. IL BIPA biometric block) cannot configure until the addendum identifies the operating state.
4
Center / Facility Admin Attestation
TG-ATT-001 (childcare) · TG-ATT-E-001 (elder care)
Signed by: Center admin (may be a different person than the MSA signer — the operational owner). Periodic: annual re-attestation; expiry reminders ship in the June 2026 dashboard rollout — until then, the Center owns the renewal calendar and TinyGuard sends manual prompts. Counterparty: TinyGuard (TinyGuard preserves the attestation in the audit log; no countersignature required).
🔒 Binds at this step
Operational compliance posture: confirms the Center has collected parent (TG-PAR-001) or resident/representative (TG-RES-001) consent at enrollment, posted required signage, trained staff on the covenant boundaries, and is prepared for state-licensing inspection. Bind is on the Center, not TinyGuard — the signed attestation is the controlling enforcement mechanism today. Complaints of a covenant lapse →
compliance@tinyguard.co.
⏭️ Unlocks next step
Step 5 enrollment + Step 6 audio (if needed) can begin. Software-enforced per-room broadcast auto-suspend on the four gate conditions (consent coverage, signage check, attestation expiry, device placement re-check) ships June 2026 — heartbeat re-evaluator and signage/placement write endpoints are already live in the backend; the customer-facing dashboard surface ships with the rollout.
5
Enrollment-time consent (per parent / per resident)
Childcare: TG-PAR-001 disclosure + (optional) TG-PAR-002 audio addendum, TG-PAR-003 AUP, TG-PAR-004 incident-review release · Elder: TG-RES-001..004 parallels
Signed by: Each enrolling parent (childcare) or resident/authorized representative (elder care).
Collected by: the Center as data controller — TinyGuard does not centrally store the signed forms, but the Center attestation in Step 4 obliges them to retain on request.
Template: printable form at
tinyguard.co/legal/coppa-parental-consent-template (childcare) — print, sign, attach to the enrollment packet.
🔒 Binds at this step
Per-individual consent that the broadcast feature applies to that specific child or resident (covenant 03: enrollment-gated broadcast). Each missing signature = one missing coverage point. Today the Center owns coverage tracking under the Step 4 attestation; software-enforced per-room broadcast auto-suspend on sub-100% coverage ships June 2026 (see
/legal/covenants).
⏭️ Unlocks next step
Audio activation in Step 6 requires Step 5 audio addendum coverage at 100% per room. Camera live-broadcast in any room requires Step 5 disclosure coverage at 100% per child/resident in that room.
6
Audio addendum (optional, off-by-default)
TG-PAR-002 (parent audio addendum) · TG-RES-002 (resident audio addendum) · TG-EMP-001 (staff workforce notice & consent)
Signed by: Every enrolling parent or resident/authorized representative covered by the audio rooms, PLUS every staff member who works in those rooms. State scope: required for any room in an 11+1 all-party-consent state (CA, CT, DE, FL, IL, MA, MD, MT, NH, PA, WA — and OR for some contexts under the 2026 update). Default state: audio is OFF. Audio cannot be enabled per-room until coverage is 100%.
🔒 Binds at this step
Audio recording consent per the wiretap-statute requirement. Each signature is per-individual, per-room. Audio is off by default in code across every installation; turning it on requires the operator-attested addendum + 100% staff + family coverage. Software-enforced per-room signature-coverage gating on audio activation ships June 2026 as part of the broadcast-gate rollout.
⏭️ Final state
Once Steps 1-5 are locked and Step 6 (if pursued) is at 100% room coverage, the contract chain is fully binding and the platform is fully enabled per the four covenants. Re-attestation (Step 4 annual) + per-enrollment Step 5 are the ongoing operational rhythm.
Step state machine — pending / in-review / signed / locked
Each step exposes one of four states in the Center admin dashboard:
pending — TinyGuard has sent the document; the Center has not started review. Visible to Center, not yet binding.in_review — Center counsel has the document; redlines may be in flight. Either party may withdraw or revise.signed — Both signatures collected. The document is binding on its parties but the step is not yet immutable.locked — The next step has begun, which locks all prior steps as immutable. To amend a locked step, both parties sign a numbered amendment that references the original by its document code.
The lock-on-next-step model is what makes the chain enforceable. Without it, the MSA could be silently revised after the DPA was signed, and the DPA's references to the MSA would become incoherent. The compliance audit-log records every state transition with timestamp + signer identity + counterparty + document hash; that log is the audit-defensible record.
Re-signing and amendments
The signing flow is not a one-time event. Three classes of re-signing exist:
- Annual re-attestation — Step 4 (TG-ATT-001) expires 12 months after signing. Until the June 2026 dashboard rollout adds 30 / 14 / 7-day reminders, the Center owns the renewal calendar (TinyGuard sends manual reminders); if the attestation lapses, the underlying covenants stay in force, but operational coverage is no longer confirmed and the software gate (post-rollout) will suspend per-room broadcast.
- Per-enrollment consent — Step 5 happens every time a new parent enrolls or a new resident is admitted. The Center handles this routinely under the Step 4 attestation. Software-enforced per-room consent-coverage gating ships June 2026; until then, coverage is operator-attested and audit-logged.
- Material amendments — to change a locked step (e.g., add a new state addendum, modify a covenant by separately negotiated amendment per the no-biometrics-covenant rules), both parties sign a numbered amendment that references the original by document code. The amendment doesn't replace the original — it stacks on top, audit-logged as a chain.
Contact
Signing-flow questions, document requests, or counsel review: legal@tinyguard.co
Sales / commercial questions: del@tinyguard.co
Phone: (510) 686-3357
TinyGuard LLC, 7428 SW Ashford St, Tigard, OR 97224
