Skip to content
Rofterm Rofterm
Platform Compliance Reporting Industries Security FAQ
Sign in Book a demo
Platform Compliance Reporting Industries Security FAQ Book a demo

Legal

Data Processing Agreement

Last updated: 28 June 2026 Effective: 28 June 2026

On this page

1. Parties & roles 2. Scope & instructions 3. Processor obligations 4. Subprocessors 5. Security measures 6. Breach notification 7. Assistance & rights 8. International transfers 9. Return & deletion 10. Audits 11. Liability Annex A — Details of processing Annex B — Security measures Contact

This Data Processing Agreement ("DPA") forms part of the agreement between the customer ("Controller", "you") and Rofterm ("Processor", "Rofterm") and governs the processing of personal data that Rofterm carries out on your behalf when providing the Service.

Template notice: This is a good-faith starting point, not legal advice. Rofterm is not yet incorporated as a registered company, so this DPA references no legal entity or registered address; update it once Rofterm is registered. For most enterprise deals a DPA is signed as part of the contract rather than accepted from a web page. Have qualified counsel review and finalize it, and attach the applicable Standard Contractual Clauses where required.

1. Parties & roles

For personal data contained in Customer Data, you act as the controller (or processor on behalf of your own customers) and Rofterm, the operator of the Service, acts as the processor (or subprocessor). Each party will comply with applicable data protection laws, including the UK GDPR, EU GDPR and other laws that apply to its processing.

2. Scope & processing instructions

Rofterm will process personal data only on your documented instructions, including those set out in this DPA, the main agreement, and your use of the Service's features and configuration. Rofterm will inform you if, in its opinion, an instruction infringes applicable data protection law. Details of the processing are set out in Annex A.

3. Processor obligations

  • Process personal data only as instructed and for the purpose of providing the Service.
  • Ensure personnel authorized to process personal data are bound by confidentiality.
  • Implement appropriate technical and organizational security measures (see Annex B).
  • Not sell personal data or use it for our own marketing or profiling.
  • Assist you, as set out below, in meeting your data protection obligations.

4. Subprocessors

You authorize Rofterm to engage subprocessors to provide the Service (for example, cloud hosting, database, authentication and email providers). Rofterm will impose data protection obligations on each subprocessor no less protective than this DPA and remains responsible for their performance. A current list of subprocessors is available on request. We will give reasonable notice of intended changes and allow you to object on reasonable data protection grounds.

5. Security measures

Rofterm maintains technical and organizational measures appropriate to the risk, as described in Annex B, and will not materially decrease their overall protection during the term.

6. Personal data breach notification

Rofterm will notify you without undue delay after becoming aware of a personal data breach affecting your personal data, and will provide information reasonably available to help you meet your notification obligations to authorities and data subjects.

7. Assistance & data subject rights

Taking into account the nature of the processing, Rofterm will provide reasonable assistance with: responding to data subject requests (access, correction, deletion, portability, objection); data protection impact assessments; and consultations with supervisory authorities. Where a data subject contacts Rofterm directly, we will refer them to you.

8. International transfers

Where processing involves transferring personal data outside the UK or EEA, the parties will rely on an approved transfer mechanism such as the UK International Data Transfer Agreement (or Addendum) and/or the EU Standard Contractual Clauses, which are incorporated by reference and completed using the details in Annex A.

9. Return & deletion

On termination of the Service, Rofterm will, at your choice, return or delete personal data, and delete existing copies, unless retention is required by law. The Service provides export functionality for a limited period after termination, after which data is deleted in line with our retention schedule.

10. Audits

Rofterm will make available information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by you or an auditor you mandate, subject to reasonable notice, confidentiality, and frequency limits. Where available, third-party certifications or reports may be provided to satisfy audit requests.

11. Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the main agreement.

Annex A — Details of processing

ItemDetail
Subject matterProvision of the Rofterm enterprise risk, controls and compliance platform.
DurationThe term of the subscription, plus any retention period required by law.
Nature & purposeHosting, storage, processing and transmission of Customer Data to deliver and support the Service.
Types of dataBusiness contact details (names, work emails, roles) of users and the risk, control, incident, evidence and report records entered by the Controller.
Data subjectsThe Controller's employees, contractors, risk and control owners, and other personnel named in Customer Data.
Special categoriesNot intended; the Service is not designed for special-category data and should not be used to store it.
FrequencyContinuous, for the duration of the subscription.

Annex B — Technical & organizational measures

  • Encryption — personal data encrypted in transit (TLS) and at rest.
  • Access control — role-based permissions, least-privilege access, and per-tenant isolation.
  • Authentication — secure authentication and support for single sign-on.
  • Network & application security — hardened infrastructure, input validation, rate limiting and dependency management.
  • Logging & monitoring — activity logging and monitoring for anomalous or unauthorized activity.
  • Resilience — backups and recovery processes appropriate to the Service.
  • Organizational — confidentiality obligations, security awareness, and incident response procedures.
Replace this annex with the specific measures your deployment actually implements before relying on it contractually.

Contact

For DPA requests, the current subprocessor list, or a signed copy, contact hey@rofterm.com.

Rofterm

Board-ready enterprise risk & compliance, built for modern Chief Risk Officers.

Product

PlatformComplianceReportingSecurity

Legal

PrivacyTermsDPA
© 2026 Rofterm. All rights reserved. Built for Chief Risk Officers who'd rather walk into the boardroom ready.