Data Processing Addendum

Effective: January 1, 2026 · Last updated: January 1, 2026

This DPA forms part of, and is incorporated into, the Roostr Terms of Service between Roostr and the Customer, and applies whenever Roostr processes personal data on the Customer's behalf. A counter-signed copy is available on request. Email privacy@roostr.app with your legal entity name and signing contact and we'll return a signed PDF within 5 business days.

1. Parties and roles

This Data Processing Addendum ("DPA") supplements the Roostr Terms of Service between Roostr ("Processor") and the Customer ("Controller") where Roostr processes personal data on the Customer's behalf. For end-customer data Customers enter into the platform (homeowners, tenants, contacts), the Customer is the Controller and Roostr is the Processor.

2. Scope and subject matter

Roostr processes personal data only as instructed by the Customer and only to provide the Roostr service: storing customer records, generating quotes, dispatching jobs, sending service-related communications, and processing payments through Stripe.

3. Categories of data and data subjects

  • Operators & staff: name, email, hashed password, phone, role, login + audit metadata.
  • End customers entered by operators: name, service address, phone, email, job history, photos uploaded for AI quoting, access notes.
  • Payment metadata: Stripe customer + charge identifiers. Full card data is never stored by Roostr; Stripe holds it under PCI DSS.

4. Sub-processors

A current list of sub-processors is maintained at roostr.app/legal/subprocessors. Roostr will notify Customers via that page at least 30 days before adding a new sub-processor.

5. Security measures

Roostr maintains the technical and organizational measures described on roostr.app/security, including TLS in transit, encryption at rest, Argon2id password hashing, Postgres row-level tenant isolation, signed + DB-backed session cookies, webhook signature verification, and audit-logged privileged actions.

6. Personal data breach notification

Roostr will notify the Customer without undue delay, and in any case within 72 hours of becoming aware, of a personal data breach affecting the Customer's data. Notifications are sent to the Customer's primary admin email and include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and remediation steps taken.

7. International transfers

Where personal data is transferred outside the EEA / UK to a jurisdiction not recognised as adequate, Roostr relies on the EU Standard Contractual Clauses (Module Two, Controller to Processor) and equivalent UK addenda, available on request.

8. Assistance with data-subject rights

Roostr assists Controllers in fulfilling access, rectification, and erasure requests. Today these requests are handled by emailing privacy@roostr.app; Roostr will respond within 30 days. Self-service export and deletion tools are on the roadmap.

9. Return or deletion of data

On termination of the Roostr service, Roostr will, at the Customer's choice, return or delete all personal data processed on the Customer's behalf within 90 days, unless applicable law requires retention.

10. Contact

Questions about this DPA, requests for a counter-signed copy, or data-protection inquiries: privacy@roostr.app.