Data Processing Addendum
This DPA forms part of, and is incorporated into, the Roooster Terms of Service between Roooster and the Customer, and applies whenever Roooster processes personal data on the Customer's behalf. A counter-signed copy is available on request. Email privacy@roooster.ai with your legal entity name and signing contact and we'll return a signed PDF within 5 business days.
1. Parties and roles
This Data Processing Addendum ("DPA") supplements the Roooster Terms of Service between Roooster ("Processor") and the Customer ("Controller") where Roooster processes personal data on the Customer's behalf. For end-customer data Customers enter into the platform (homeowners, tenants, contacts), the Customer is the Controller and Roooster is the Processor.
2. Scope and subject matter
Roooster processes personal data only as instructed by the Customer and only to provide the Roooster service: storing customer records, generating quotes, dispatching jobs, sending service-related communications, and processing payments through Stripe.
3. Categories of data and data subjects
- Operators & staff: name, email, hashed password, phone, role, login + audit metadata.
- End customers entered by operators: name, service address, phone, email, job history, photos uploaded for AI quoting, access notes.
- Payment metadata: Stripe customer + charge identifiers. Full card data is never stored by Roooster; Stripe holds it under PCI DSS.
4. Sub-processors
A current list of sub-processors is maintained at roooster.ai/legal/subprocessors. Roooster will notify Customers via that page at least 30 days before adding a new sub-processor.
5. Security measures
Roooster maintains the technical and organizational measures described on roooster.ai/security, including TLS in transit, encryption at rest, Argon2id password hashing, Postgres row-level tenant isolation, signed + DB-backed session cookies, webhook signature verification, and audit-logged privileged actions.
6. Personal data breach notification
Roooster will notify the Customer without undue delay, and in any case within 72 hours of becoming aware, of a personal data breach affecting the Customer's data. Notifications are sent to the Customer's primary admin email and include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and remediation steps taken.
7. International transfers
Where personal data is transferred outside the EEA / UK to a jurisdiction not recognised as adequate, Roooster relies on the EU Standard Contractual Clauses (Module Two, Controller to Processor) and equivalent UK addenda, available on request.
8. Assistance with data-subject rights
Roooster assists Controllers in fulfilling access, rectification, and erasure requests. Today these requests are handled by emailing privacy@roooster.ai; Roooster will respond within 30 days. Self-service export and deletion tools are on the roadmap.
9. Return or deletion of data
On termination of the Roooster service, Roooster will, at the Customer's choice, return or delete all personal data processed on the Customer's behalf within 90 days, unless applicable law requires retention.
10. Contact
Questions about this DPA, requests for a counter-signed copy, or data-protection inquiries: privacy@roooster.ai.