
Data Processing Agreement


Last Updated: September 1, 2025

This Data Processing Agreement (“DPA”) is attached to and incorporated in the Software-as-a-Service Master Subscription Agreement (“Agreement”) between Provider (also referred to as “Processor” herein) and Client (also referred to as “Controller” herein). This DPA forms part of the Agreement and sets out the terms that apply when Personal Data is processed by Provider under the Agreement.  This DPA shall become effective upon the earlier to occur of (i) the execution of an applicable Order Form or (ii) the exchange of Personal Data (as defined herein) between the parties.

The purpose of the DPA is to ensure that the Processing of Personal Data pursuant to the applicable Services under the Agreement is conducted by the parties hereto in accordance with the requirements of applicable Data Protection Laws, as follows:

1.    Definitions

“CCPA” means California Civil Code Sec. 1798.100 et seq. (also known as the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 or “CPRA”).

“Consumer”, “Business”, “Sell”, “Service Provider”, and “Share” will have the meanings given to them in the CCPA.

“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.  For the purposes of the DPA, the Client is the Controller.

“Data Privacy Framework” means the EU-U.S. Data Privacy Framework, the Swiss-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Framework self-certification programs (as applicable) operated by the U.S. Department of Commerce; as may be amended, superseded or replaced.

“Data Protection Laws” means all laws and regulations applicable to Provider’s processing of Personal Data in question under the Agreement, including without limitation Regulation 2016/679 of the European Parliament and the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”), in respect of the UK, the GDPR as saved into United Kingdom law by virtue of section 3 of the UK EU (Withdrawal) Act 2019 and the Data Protection Act 2018 (“UK GDPR”), the Swiss Federal Data Protection Act and its implementing regulations (“Swiss DPA”), Australian Privacy Principles and the Australian Privacy Act (1988), CCPA & CPRA and other applicable U.S. federal and state consumer data protection laws, in each case, as may be amended, superseded or replaced.

“Data Subject” means the individual to whom Personal Data relates.

“Instructions” means the written, documented instructions issued by a Controller to a Processor, and directing the same to perform a specific or general action with regard to Personal Data (including, but not limited to, depersonalizing, blocking, deletion, making available).

“Personal Data” means any information relating to an identified or identifiable individual where (i) such information is contained within Client Data; and (ii) is protected similarly as personal data, personal information, or personally identifiable information under applicable Data Protection Laws.

“Personal Data Breach” means an actual breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to, Personal Data transmitted, stored, or otherwise Processed by us and/or our Sub-Processors in connection with the provision of the Subscription Services. “Personal Data Breach” does not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

“Processing” means any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, or erasure of Personal Data. The terms “Process”, “Processes” and “Processed” will be construed accordingly.

“Processor” means a natural or legal person, public authority, agency, or other body which Processes Personal Data on behalf of the Controller. For the purposes of the DPA, the Provider is the Processor.

“Restricted Transfer” means (i) where the GDPR applies, a transfer of Personal Data from the European Economic Area (“EEA”) to a country outside of the EEA which is not subject to an adequacy determination by the European Commission; (ii) where the UK GDPR applies, a transfer of Personal Data from the UK to any other country which is not based on adequacy regulations pursuant to Section 17A of the Data Protection Act 2018; and (iii) where the Swiss DPA applies, a transfer of Personal Data to a country outside of Switzerland which is not included on the list of adequate jurisdictions published by the Swiss Federal Data Protection and Information Commissioner.

“Standard Contractual Clauses” means the standard contractual clauses annexed to the European Commission’s Decision (EU) 2021/914 of 4 June 2021 currently found at https://eur-lex.europa.eu/eli/dec_impl/2021/914/, as may be amended, superseded or replaced.

“Sub-Processor” means any Processor engaged by us or our Affiliates to assist in fulfilling our obligations with respect to the provision of the Subscription Services under the Agreement and which processes Personal Data. Sub-Processors may include third parties or our Affiliates but will exclude any ROC-P employee.

“UK Addendum” means the International Data Transfer Addendum issued by the UK Information Commissioner under section 119A(1) of the Data Protection Act 2018 currently found at https://ico.org.uk/media/fororganisations/documents/4019539/international-data-transfer-addendum.pdf, as may be amended, superseded, or replaced.

2.    Client Responsibilities

  1. Compliance with Laws. Within the scope of the Agreement Client is responsible for complying with all requirements that apply to it as a Controller under applicable Data Protection Laws and the Instructions it issues to the Provider as a Processor. Without prejudice to the generality of the foregoing, Client is solely responsible for: (i) the accuracy, quality, and legality of Client Data and the means by which Client acquired Personal Data; (ii) complying with all necessary transparency and lawfulness requirements under applicable Data Protection Laws for the collection, use and/or transfer of the Personal Data, including obtaining any necessary consents and authorizations related to the same; (iii) ensuring that Client’s Instructions regarding the Processing of Personal Data comply with applicable Data Protection Laws; and (iv) complying with all laws (including Data Protection Laws) applicable to Client’s use of the Subscription Services.  Client agrees to inform the Processor without undue delay if it discovers its Instructions are not in compliance with applicable Data Protection Laws.
  2. Controller Instructions. The parties agree that the Agreement (including this DPA), together with Client’s use of the Subscription Service in accordance with the Agreement, constitute the complete Client Instructions in relation to the Processing of Personal Data.  Client may provide additional Instructions during the Subscription Term from time-to-time provided they are consistent with the Agreement and the nature and lawful use of the Subscription Services.
  3. Security. Client is responsible for independently determining whether the data security measures provided for in the Subscription Service adequately meet Client’s obligations under applicable Data Protection Laws. Client is solely responsible for the secure use of the Subscription Service, including with respect to the security of the Client, Authorized User, and/or ACI login credentials to the Subscription Services and protecting the security of Personal Data in transit to and from the Subscription Service (including to securely backup or encrypt any such Personal Data on Client’s systems or storage repositories).

3.    ROC-P Obligations

  1. Compliance with Instructions. Provider will only Process Personal Data for the purposes of performing its obligations in the Agreement and in this DPA or as otherwise agreed within the scope of Client’s lawful Instructions, except where and to the extent otherwise required by applicable law. Provider shall not be responsible for compliance with any Data Protection Laws applicable to Controller or Controller’s industry that are not generally applicable to Provider’s processing of Personal Data under the Agreement.
    1. Conflict of Laws. If Provider becomes aware of a Client Instruction that is not compliant with applicable Data Protection Laws, Provider will (i) promptly notify Client; and (ii) where necessary, cease all Processing (other than merely storing and maintaining the security of the affected Personal Data) until such time as Client issues legally compliant Instructions. Provider shall not be liable for any failure to perform the applicable Subscription Services due to Client’s unlawful Instructions related to the Processing of Personal Data.
  2. Security. Provider shall implement and maintain appropriate technical and organizational measures to protect the confidentiality, security and integrity of Personal Data, as described more fully under Annex 2 to this DPA (“Security Measures”). Notwithstanding any provision to the contrary, Provider may modify or update the Security Measures at our discretion provided that such modification or update does not result in a material degradation in the protections offered by the Security Measures as of the Effective Date of the Agreement.
  3. Confidentiality. Provider shall ensure that any personnel whom it authorizes to Process Personal Data on its behalf is subject to appropriate confidentiality obligations (whether a contractual or statutory duty) with respect to that Personal Data.
  4. Personal Data Breaches. Provider shall notify Client without undue delay, but in no event more than seventy-two (72) hours, upon becoming aware of any Personal Data Breach and will provide timely information relating to the Personal Data Breach as it becomes known or is reasonably requested by Client. At Client’s request, Provider will promptly provide such reasonable assistance as necessary to enable Client to notify relevant Personal Data Breaches to competent supervisory authorities and/or affected Data Subjects pursuant to its obligations as a Controller under Data Protection Laws.
  5. Deletion or Return of Personal Data. Provider will delete or return all Client Data, including Personal Data (including copies thereof) Processed pursuant to this DPA, on termination or expiration of the Subscription Service and/or Agreement with the exception of Client Data that Provider is required to retain pursuant to applicable law or due to archived Client Data on back-up systems, which data shall be securely isolated and protected from any further Processing and deleted in accordance with Provider’s standard retention and deletion schedule practices. Client may request the deletion of its ROC-P account after expiration or termination of the Subscription Service and/or Agreement by sending a request using the privacy request form. Clients may self-serve the export of Client Data at any time. Provider shall provide reasonable assistance, at the Client’s sole cost and expense, to retrieve and/or export Client Data during the Subscription Term.

4.    Data Subject Requests

The Subscription Service provides several self-serve controls that can be used to retrieve, correct, delete, or restrict Personal Data, to assist Client in connection with its obligations relating to responding to requests from Data Subjects to exercise their rights under applicable Data Protection Laws (“Data Subject Requests”).

If Client is unable to independently address a Data Subject Request through the Subscription Service, then upon written request, Provider will provide reasonable assistance to respond to any Data Subject Requests or requests from data protection authorities relating to the Processing of Personal Data under the Agreement. Client agrees to reimburse Provider for the commercially reasonable costs arising from such assistance.

Provider will promptly inform Client in writing and will advise the Data Subject to submit their request to Client directly in the event Provider receives a Data Subject Request directly. Controller is solely responsible for responding substantively to any such Data Subject Requests or communications involving Personal Data.

5. Sub-Processors

Where Provider engages Sub-Processors, they shall be under legally binding duties of confidentiality, and shall have in place data protection terms commensurate with the Sub-Processor’s scope and/or level of Processing of Personal Data. Provider remains responsible for each Sub-Processor’s compliance with the obligations of this DPA and for any acts or omissions of such Sub-Processor hereunder.

Client provides its general authorization for Provider to engage Sub-Processors to Process Personal Data pursuant to the terms of the Agreement and this DPA. Currently appointed Sub-Processors include those third parties and ROC-P Partners listed (“Sub-Processor List”). Client may subscribe to receive notifications by email related to the addition or replacement of any Sub-Processors by completing the form available at: ROC-P Subprocessor Notifications.

Provided Client has opted-in for notifications by completing the form linked above, Provider will provide at least 30 days prior notice of any such change or modification to the Sub-Processor List. The parties agree to cooperate in good faith to resolve Client’s reasonable concerns with a view to achieving a commercially reasonable resolution.

6. Data Transfers

Client acknowledges and agrees that Provider may access and Process Personal Data on a global basis as necessary to provide the Subscription Service in accordance with the Agreement, and that Personal Data may be transferred to and Processed by ROC-P LLC in the United States and to other jurisdictions where Sub-Processors have operations as outlined in the Sub-Processor Annex 3 hereto. Wherever Personal Data is transferred outside its country of origin, each party will ensure such transfers are made in compliance with the requirements of Data Protection Laws.

The parties agree that when the transfer of personal data from Client (as “data exporter”) to Provider (as “data importer”) is a Restricted Transfer, Data Protection Laws require that appropriate safeguards are put in place. For the purposes of such Restricted Transfers from Client to Provider, the parties rely on Provider’s certification under the EU-U.S. Data Privacy Framework, the Swiss-U.S. Data Privacy Framework and the UK-U.S. Data Privacy Framework (together, the “DPF”) operated by the U.S. Department of Commerce. To the extent that the DPF is invalidated or ceases to be an appropriate safeguard under Article 46 GDPR for transfers to the United States, then such transfer shall be subject to the appropriate Standard Contractual Clauses, which shall be deemed incorporated into and form part of this DPA, as follows:

  a. In relation to transfers of Client Personal Data that is protected by the GDPR, the EU SCCs shall apply, completed as follows:
    • the Module Two terms apply to the extent the Client is a Controller of European Data and the Module Three terms apply to the extent the Client is a Processor of European Data;
    • in Clause 7, the optional docking clause applies;
    • in Clause 9, Option 2 applies and changes to Sub-Processors will be notified in accordance with the ‘Sub-Processors’ section of this DPA;
    • in Clause 11, the optional language is deleted;
    • in Clauses 17 and 18, the parties agree that the governing law and forum for disputes for the Standard Contractual Clauses will be determined in accordance with the ‘Contracting Entity; Applicable Law; Notice’ section of the Jurisdiction Specific Terms or, if such section does not specify an EU Member State, the Republic of Ireland (without reference to conflicts of law principles);
    • the Annexes of the Standard Contractual Clauses will be deemed completed with the information set out in the Annexes of this DPA;
    • the supervisory authority that will act as competent supervisory authority will be determined in accordance with GDPR; and if and to the extent the Standard Contractual Clauses conflict with any provision of this DPA the Standard Contractual Clauses will prevail to the extent of such conflict.
  b. In relation to European Data that is subject to the UK GDPR, the Standard Contractual Clauses will apply in accordance with sub-section (a) and the following modifications:
    1. the Standard Contractual Clauses will be modified and interpreted in accordance with the UK Addendum, which will be incorporated by reference and form an integral part of the Agreement;
    2. Tables 1, 2 and 3 of the UK Addendum will be deemed completed with the information set out in the Annexes of this DPA and Table 4 will be deemed completed by selecting “neither party”; and
    3. any conflict between the terms of the Standard Contractual Clauses and the UK Addendum will be resolved in accordance with Section 10 and Section 11 of the UK Addendum.
  c. In relation to European Data that is subject to the Swiss DPA, the Standard Contractual Clauses will apply in accordance with sub-section (a) and the following modifications:
    • references to “Regulation (EU) 2016/679” will be interpreted as references to the Swiss DPA;
    • references to “EU”, “Union” and “Member State law” will be interpreted as references to Swiss law; and
    • references to the “competent supervisory authority” and “competent courts” will be replaced with the “Swiss Federal Data Protection and Information Commissioner” and the “relevant courts in Switzerland”.
  d. Alternative Transfer Mechanism. In the event that ROC-P is required to adopt an alternative transfer mechanism for European Data, in addition to or other than the mechanisms described above, such alternative transfer mechanism will apply automatically instead of the mechanisms described in this DPA (but only to the extent such alternative transfer mechanism complies with European Data Protection Laws), and you agree to execute such other documents or take such action as may be reasonably necessary to give legal effect to such alternative transfer mechanism.

7. Audit Rights

Client acknowledges that the Subscription Service is hosted by Provider’s hosting Sub-Processors, who maintain independently validated security programs (including SOC 2 and ISO 27001) and that such Sub-Processor systems are architected as part of SOC 2 compliance and tested by independent third-party penetration testing firms. Provider will make all information reasonably necessary to demonstrate compliance with this DPA available to Client and allow for and contribute to audits, including inspections conducted by Client or an independent auditor engaged by Client to assess compliance with this DPA, where required by applicable law.

As an alternative to the audit rights included above, upon Client’s written request, Provider will provide written responses (on a confidential basis) to all reasonable requests for information made by Client necessary to confirm Provider’s compliance with this DPA, provided Client will not exercise the rights included in this Section 7 more than once per calendar year or upon less than thirty (30) days’ advance notice with respect to an audit under the first paragraph unless Client has reasonable grounds to suspect Provider’s non-compliance with the DPA.

8. Cooperation

To the extent that the required information is reasonably available to Provider, and Client does not otherwise have access to the required information, Provider will provide reasonable assistance to Client with data protection impact assessments or consultations with supervisory authorities or other competent data privacy authorities to the extent required by Data Protection Laws.

9. No Sale or Sharing

To the extent that the processing of Client Personal Data is subject to the CCPA, the parties acknowledge and agree that Client is a Business, and Provider is a Service Provider for the purposes of the CCPA and that further Provider is prohibited from: (a) selling Client Personal Data or otherwise making Client Personal Data available to any third party for monetary or other valuable consideration; (b) sharing Client Personal Data with any third party for cross-behavioral advertising; (c) retaining, using, or disclosing Client Personal Data for any purpose other than for the business purposes specified in this DPA or as otherwise permitted by the CCPA; (d) retaining, using or disclosing Client Personal Data outside of the direct business relationship between the parties; and (e) except as otherwise permitted by the CCPA, combining Client Personal Data with personal data that Provider receives from or on behalf of another person or persons, or collects from its own interaction with the data subject. Provider will notify Client promptly if it makes the determination that it can no longer meet its obligations under the CCPA.

10. General Provisions

  1. Amendments. Notwithstanding anything else to the contrary in the Agreement and without prejudice to the ‘Compliance with Instructions’ or ‘Security’ sections of this DPA, we reserve the right to make any updates and changes to this DPA to comply with Data Protection Laws or to maintain industry standard security measures provided such updates and/or changes will not materially degrade the functionality or security of the Services.
  2. Severability. If any individual provisions of this DPA are determined to be invalid or unenforceable, the validity and enforceability of the other provisions of this DPA will not be affected.
  3. Governing Law. This DPA will be governed by and construed in accordance with the governing law and jurisdiction agreed to in the Agreement.

Annex 1: Details of Processing

A.   List of Parties

Data exporter:

Name: The Client, as defined in the Agreement

Address: The Client’s address, as set out in the Order Form

Contact person’s name, position, and contact details: The Client’s contact details, as set out in the Order Form and/or as set out in the Client’s ROC-P Account

Activities relevant to the data transferred under these Clauses: Processing of Personal Data in connection with Client’s subscription to the ROC-P Services under the Agreement

Role (controller/processor): Controller

Data Importer:

Name: ROC-P LLC.

Address: 215 Second Ave. SE, Suite 300, Cedar Rapids, IA 52401 USA

Contact person’s name, position and contact details: Kyle Kew, Chief Technology Officer, kyle.kew@roc-p.com, ROC-P LLC., 215 Second Ave. SE, Suite 300, Cedar Rapids, IA 52401 USA

Activities relevant to the data transferred under these Clauses: Processing of Personal Data in connection with Client’s use of the ROC-P Subscription Services under the ROC-P Agreement

Role (controller/processor): Processor

B. Description of Transfer

Categories of Data Subjects whose Personal Data is Transferred

Client submits Personal Data in the course of using the Subscription Service, the extent of which is determined and controlled in Client’s sole discretion, and which may include, but is not limited to, Client’s Authorized Users and ACIs (as defined in the Agreement).

Categories of Personal Data Transferred

Client submits Personal Data to the Subscription Services, the extent of which is determined and controlled in Client’s sole discretion, and which includes those categories identified by Client in the R5 onboarding document.

Sensitive Data transferred and applied restrictions or safeguards

Sensitive data is not permitted to be submitted or uploaded to the Services and Client is strongly recommended not to introduce sensitive and/or special categories of personal data, as defined under Data Protection Laws, to the Services.

Frequency of the Transfer

Continuous.

Nature and Purpose of the Processing

The nature and purpose of the processing of Personal Data is in accordance with the Agreement (including this DPA), as necessary for Provider to provide the Services to Client.

Retention Period

Subject to the ‘Deletion or Return of Personal Data’ section of this DPA, Personal Data shall be retained for the duration of any Subscription Term under an Order Form(s), or as otherwise required by applicable law.

Annex 2 – Security Measures

Provider maintains the Security Measures described in this Annex. All capitalized terms not otherwise defined herein will have the meanings as set forth in the Agreement.

A. Preventing Unauthorized Access

  • Outsourced processing: We host our Service with outsourced cloud infrastructure providers. Additionally, we maintain contractual relationships with vendors to provide the Service in accordance with our DPA. We rely on contractual agreements, privacy policies, and vendor compliance programs to protect data processed or stored by these vendors.
  • Physical and environmental security: We host our product infrastructure with multi-tenant, outsourced infrastructure providers. We do not own or maintain hardware located at the outsourced infrastructure providers’ data centers. Production servers and client-facing applications are logically and physically secured from our internal corporate information systems. The physical and environmental security controls are audited for SOC 2 Type II and ISO 27001 compliance, among other certifications.
  • Authentication: We implement a uniform password policy for our customer products and services. Clients who interact with the product or services via the user interface must authenticate before accessing non-public Client Data.
  • Authorization: Client Data is stored in multi-tenant storage systems accessible to Clients via only application user interfaces and application programming interfaces. Clients are not allowed direct access to the underlying application infrastructure. The authorization model in each of our products is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed through validating the user’s permissions against the attributes associated with each data set.
  • Application Programming Interface (API) access: Public product APIs may be accessed using an API key.

B.    Preventing Unauthorized Use

We implement industry standard access controls and detection capabilities for the internal networks that support our products.

  • Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure. The technical measures implemented differ between infrastructure providers and include Virtual Private Cloud (VPC) implementations, security group assignment, and traditional firewall rules.
  • Intrusion detection and prevention: We implement a Web Application Firewall (WAF) solution to protect hosted customer websites and other internet-accessible applications. The WAF is designed to identify and prevent attacks against publicly available network services.
  • Static code analysis: Code stored in our source code repositories is checked for best practices and identifiable software flaws using automated tooling.
  • Penetration testing: We maintain relationships with industry-recognized penetration testing service providers for penetration testing of both the ROC-P web application and internal corporate network infrastructure on a scheduled basis. The intent of these penetration tests is to identify security vulnerabilities and mitigate the risk and business impact they pose to the in-scope systems.

C.   Limitations of Privilege & Authorization Requirements

  • Product access: A subset of our employees have access to the products and to Client Data via controlled interfaces. The intent of providing access to a subset of employees is to provide effective customer support, product development and research, to troubleshoot potential problems, to detect and respond to security incidents and implement data security. Access permissions are reviewed at least once every six months.
  • Background checks: Where permitted by applicable law, ROC-P employees undergo a third-party background or reference check. In the United States, employment offers are contingent upon the results of a third-party background check. All ROC-P employees are required to conduct themselves in a manner consistent with company guidelines, non-disclosure requirements, and ethical standards.
  • ROC-P employee training: We conduct annual training to ensure that anyone with access to personal data is aware of information security risks and complies with ROC-P policies and standards related to data protection.

D. Transmission Control

  • In-transit: We require HTTPS encryption (also referred to as SSL or TLS) on all login interfaces. Our HTTPS implementation uses industry standard algorithms and certificates.
  • At-rest: We store user passwords following policies that follow industry standard practices for security. We have implemented technologies to ensure that stored data is encrypted at rest.

E. Input Control

  • Detection: We designed our infrastructure to log extensive information about the system behavior, traffic received, system authentication, and other application requests. Internal systems aggregate log data and alert appropriate employees of malicious, unintended, or anomalous activities. Our personnel, including security, operations, and support personnel, are responsive to known incidents.
  • Response and tracking: We maintain a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, or support personnel; and appropriate resolution steps are identified and documented. For any confirmed incidents, we will take appropriate steps to minimize product and Client damage or unauthorized disclosure. Notification to you will be in accordance with the terms of the Agreement and DPA.

F. Availability Control

  • Infrastructure availability: The infrastructure providers use commercially reasonable efforts to ensure a minimum uptime as specified in the Service Level Agreement. The providers maintain a minimum of N+1 redundancy to power, network, and heating, ventilation, and air conditioning (HVAC) services.
  • Fault tolerance: Backup and replication strategies are designed to ensure redundancy and fail-over protections during a significant processing failure. Client Data is backed up to multiple durable data stores and replicated across multiple availability zones.
  • Online replicas and backups: Where feasible, production databases are designed to replicate data between no less than 1 primary and 1 secondary database. All databases are backed up and maintained using at least industry standard methods.
  • Disaster Recovery Plans: We maintain and regularly test disaster recovery plans to help ensure availability of information following interruption to, or failure of, critical business processes.
  • Failover: Our products are designed to ensure redundancy and seamless failover. The server instances that support the products are also architected with a goal to prevent single points of failure. This design assists our operations in maintaining and updating the product applications and backend while limiting downtime.