Legal
Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the agreement between the customer ("Controller", "you") and Rofterm ("Processor", "Rofterm") and governs the processing of personal data that Rofterm carries out on your behalf when providing the Service.
1. Parties & roles
For personal data contained in Customer Data, you act as the controller (or processor on behalf of your own customers) and Rofterm, the operator of the Service, acts as the processor (or subprocessor). Each party will comply with applicable data protection laws, including the UK GDPR, EU GDPR and other laws that apply to its processing.
2. Scope & processing instructions
Rofterm will process personal data only on your documented instructions, including those set out in this DPA, the main agreement, and your use of the Service's features and configuration. Rofterm will inform you if, in its opinion, an instruction infringes applicable data protection law. Details of the processing are set out in Annex A.
3. Processor obligations
- Process personal data only as instructed and for the purpose of providing the Service.
- Ensure personnel authorized to process personal data are bound by confidentiality.
- Implement appropriate technical and organizational security measures (see Annex B).
- Not sell personal data or use it for our own marketing or profiling.
- Assist you, as set out below, in meeting your data protection obligations.
4. Subprocessors
You authorize Rofterm to engage subprocessors to provide the Service (for example, cloud hosting, database, authentication and email providers). Rofterm will impose data protection obligations on each subprocessor no less protective than this DPA and remains responsible for their performance. A current list of subprocessors is available on request. We will give reasonable notice of intended changes and allow you to object on reasonable data protection grounds.
5. Security measures
Rofterm maintains technical and organizational measures appropriate to the risk, as described in Annex B, and will not materially decrease their overall protection during the term.
6. Personal data breach notification
Rofterm will notify you without undue delay after becoming aware of a personal data breach affecting your personal data, and will provide information reasonably available to help you meet your notification obligations to authorities and data subjects.
7. Assistance & data subject rights
Taking into account the nature of the processing, Rofterm will provide reasonable assistance with: responding to data subject requests (access, correction, deletion, portability, objection); data protection impact assessments; and consultations with supervisory authorities. Where a data subject contacts Rofterm directly, we will refer them to you.
8. International transfers
Where processing involves transferring personal data outside the UK or EEA, the parties will rely on an approved transfer mechanism such as the UK International Data Transfer Agreement (or Addendum) and/or the EU Standard Contractual Clauses, which are incorporated by reference and completed using the details in Annex A.
9. Return & deletion
On termination of the Service, Rofterm will, at your choice, return or delete personal data, and delete existing copies, unless retention is required by law. The Service provides export functionality for a limited period after termination, after which data is deleted in line with our retention schedule.
10. Audits
Rofterm will make available information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by you or an auditor you mandate, subject to reasonable notice, confidentiality, and frequency limits. Where available, third-party certifications or reports may be provided to satisfy audit requests.
11. Liability
Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the main agreement.
Annex A — Details of processing
| Item | Detail |
|---|---|
| Subject matter | Provision of the Rofterm enterprise risk, controls and compliance platform. |
| Duration | The term of the subscription, plus any retention period required by law. |
| Nature & purpose | Hosting, storage, processing and transmission of Customer Data to deliver and support the Service. |
| Types of data | Business contact details (names, work emails, roles) of users and the risk, control, incident, evidence and report records entered by the Controller. |
| Data subjects | The Controller's employees, contractors, risk and control owners, and other personnel named in Customer Data. |
| Special categories | Not intended; the Service is not designed for special-category data and should not be used to store it. |
| Frequency | Continuous, for the duration of the subscription. |
Annex B — Technical & organizational measures
- Encryption — personal data encrypted in transit (TLS) and at rest.
- Access control — role-based permissions, least-privilege access, and per-tenant isolation.
- Authentication — secure authentication and support for single sign-on.
- Network & application security — hardened infrastructure, input validation, rate limiting and dependency management.
- Logging & monitoring — activity logging and monitoring for anomalous or unauthorized activity.
- Resilience — backups and recovery processes appropriate to the Service.
- Organizational — confidentiality obligations, security awareness, and incident response procedures.
Contact
For DPA requests, the current subprocessor list, or a signed copy, contact hey@rofterm.com.