Data Processing Addendum

Last updated: June 17, 2026 · Version 1.0

This Data Processing Addendum ("DPA") forms part of the Rooots Terms of Service between Rooots LLC ("Processor," "Rooots") and the customer ("Controller," "Customer"). This DPA applies when Customer is subject to data protection laws including but not limited to the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and similar regulations.

This DPA is automatically applicable when Customer's use of the Service involves processing personal data of EU/EEA/UK residents or California residents.


1. Definitions

Terms used in this DPA have the meanings given in the GDPR or CCPA where applicable, including but not limited to:

  • "Personal Data"
  • "Data Subject"
  • "Processing"
  • "Sub-Processor"
  • "Data Protection Laws"

2. Roles of the Parties

  • Customer is the Controller of Personal Data processed in connection with the Service
  • Rooots is the Processor acting on behalf of the Customer
  • Rooots' Sub-Processors are listed in Schedule 1

3. Processing of Personal Data

3.1 Purpose and Scope

Rooots processes Personal Data only:

  • To provide the Service as described in the Terms of Service
  • In accordance with Customer's documented instructions
  • As required by applicable law

3.2 Categories of Personal Data

Personal Data processed may include:

  • Customer's account information (employees, owners)
  • Customer's business contacts (vendors, customers)
  • Customer's employee records
  • Customer's customer records
  • Document contents containing personal data

3.3 Categories of Data Subjects

Data Subjects may include:

  • Customer's owners and operators
  • Customer's employees
  • Customer's vendors and suppliers
  • Customer's customers and clients
  • Other individuals named in Customer's business records

3.4 Duration

Processing continues for the duration of the Service agreement, plus the data retention periods specified in the Privacy Policy.


4. Rooots' Obligations

Rooots shall:

4.1 Process Per Instructions

Process Personal Data only on documented instructions from Customer, including transfers to third countries, unless required by law.

4.2 Confidentiality

Ensure persons authorized to process Personal Data are bound by confidentiality obligations.

4.3 Security Measures

Implement appropriate technical and organizational measures including:

  • Encryption in transit (TLS 1.3) and at rest (AES-256)
  • Access controls and authentication
  • Regular security testing
  • Incident response procedures
  • Staff training on data protection

4.4 Sub-Processors

  • Engage Sub-Processors only with general written authorization
  • Maintain a current list of Sub-Processors (Schedule 1)
  • Notify Customer of changes to Sub-Processors with reasonable opportunity to object
  • Impose data protection obligations on Sub-Processors equivalent to those in this DPA
  • Remain liable for Sub-Processor actions

4.5 Assistance with Data Subject Rights

Assist Customer in responding to Data Subject requests (access, rectification, erasure, portability, restriction, objection) within applicable legal timeframes.

4.6 Assistance with Security and Notifications

Assist Customer with:

  • Data Protection Impact Assessments (DPIAs) where required
  • Prior consultations with supervisory authorities
  • Notifications of Personal Data breaches (see Section 5)

4.7 Audit Rights

Make available all information necessary to demonstrate compliance with this DPA. Allow audits, including inspections, conducted by Customer or its mandated auditor, subject to:

  • Reasonable advance notice (30 days minimum)
  • Confidentiality obligations
  • Audits no more frequent than annually unless required following a security incident
  • Customer bears all audit costs unless material non-compliance is found

4.8 Return or Deletion

Upon termination of the Service, return all Personal Data or delete it within 90 days unless legally required to retain. Provide written certification of deletion upon request.


5. Personal Data Breach

In the event of a Personal Data breach affecting Customer's data, Rooots shall:

  • Notify Customer without undue delay (within 72 hours of becoming aware)
  • Provide information including:
    • Nature and scope of the breach
    • Categories and approximate number of Data Subjects affected
    • Categories and approximate number of Personal Data records affected
    • Likely consequences
    • Measures taken or proposed to address the breach
  • Assist Customer with notifications to supervisory authorities and Data Subjects as required by law

6. International Transfers

If Rooots transfers Personal Data outside the European Economic Area, the United Kingdom, or Switzerland, transfers shall be subject to:

  • Standard Contractual Clauses (SCCs) as approved by the European Commission
  • Additional safeguards as required by applicable law
  • The UK International Data Transfer Addendum where applicable

Specifically:

  • Anthropic processes data in the United States
  • OpenAI processes data in the United States
  • Stripe processes data in the United States
  • All Sub-Processors are bound by appropriate transfer mechanisms

7. CCPA-Specific Provisions

For California Personal Information:

  • Rooots is a "Service Provider" as defined by CCPA
  • Rooots will not sell or share Customer's Personal Information
  • Rooots will not retain, use, or disclose Personal Information outside the direct business relationship
  • Rooots will not combine Customer's Personal Information with other personal information collected from other sources, except as permitted by CCPA
  • Rooots certifies it understands these restrictions

8. Liability

Liability under this DPA is subject to the limitation of liability provisions in the Terms of Service. The Parties acknowledge that the limitations in the Terms of Service constitute reasonable allocation of risk.


9. Term and Termination

This DPA remains in effect for the duration of the Service agreement and survives termination to the extent necessary to fulfill obligations relating to Personal Data.


10. Order of Precedence

In case of conflict between this DPA and the Terms of Service, this DPA prevails with respect to data protection matters.


Schedule 1: Sub-Processors

The following Sub-Processors are authorized to process Personal Data on behalf of Rooots:

Sub-Processor          Purpose                            Location
Supabase Inc.          Database hosting                   United States
Vercel Inc.            Application hosting                United States
Stripe Inc.            Payment processing                 United States
Resend (Bayes Inc.)    Email delivery                     United States
Anthropic PBC          AI text/document analysis          United States
OpenAI LLC             Voice transcription                United States
Google LLC             Workspace email, Maps, Analytics   United States

Updates to this list will be made available at rooots.net/subprocessors with at least 30 days advance notice.


Schedule 2: Technical and Organizational Measures

Rooots implements the following safeguards:

Technical Measures

  • End-to-end TLS 1.3 encryption for all data in transit
  • AES-256 encryption for data at rest
  • Encrypted storage of access tokens and credentials
  • Multi-factor authentication available for all user accounts
  • Regular security patching and updates
  • Automated backup systems with 30-day retention
  • Network-level firewalls and intrusion detection

Organizational Measures

  • Background checks for personnel with access to production systems
  • Confidentiality obligations for all personnel
  • Principle of least privilege for system access
  • Regular security training
  • Incident response procedures
  • Vendor risk assessments
  • Annual security review

Acknowledgment

By using the Service after the date above, Customer acknowledges and agrees to this DPA. This DPA is binding on both parties without requiring a separate signature.

For questions about this DPA, contact support@rooots.net with subject "DPA Inquiry."

Rooots LLC, Coeur d'Alene, Idaho