Data Processing Agreement (DPA)

Last updated: March 13, 2026

This Data Processing Agreement ("DPA") forms part of the agreement between Rootforce ("Processor", "we", "us") and the organization using RF Time Tracker ("Controller", "you", "your") pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR").

1. Definitions

2. Scope and Purpose of Processing

The Processor processes Personal Data solely to provide the Service to the Controller. The categories of data processed are:

CategoryData ElementsPurpose
Account DataName, email address, hashed passwordUser authentication and identification
Time Tracking DataTime entries, descriptions, start/end times, break durations, project/tag assignmentsCore service functionality
Organization DataTenant membership, user roles, payroll information (if configured)Access control and reporting

Data subjects: Employees and authorized users of the Controller's organization.

3. Obligations of the Processor

  1. Process Personal Data only on documented instructions from the Controller, unless required by EU or Member State law.
  2. Ensure that persons authorized to process Personal Data have committed to confidentiality.
  3. Implement appropriate technical and organizational security measures (see Section 5).
  4. Not engage another processor without prior written authorization of the Controller (see Section 6).
  5. Assist the Controller in responding to data subject requests (access, rectification, erasure, portability).
  6. Assist the Controller in ensuring compliance with Articles 32–36 GDPR (security, breach notification, DPIA).
  7. At the Controller's choice, delete or return all Personal Data after the end of the service, unless storage is required by law.
  8. Make available all information necessary to demonstrate compliance and allow for audits.

4. Obligations of the Controller

  1. Ensure that there is a lawful basis for processing Personal Data through the Service.
  2. Inform data subjects about the processing in accordance with Articles 13–14 GDPR.
  3. Ensure that instructions given to the Processor comply with applicable data protection law.

5. Technical and Organizational Measures

The Processor implements the following measures to protect Personal Data:

MeasureImplementation
Encryption in transitAll communication uses HTTPS/TLS
Encryption at restGoogle Cloud Platform managed encryption (AES-256)
Password securityBcrypt hashing (cost factor 12), never stored in plaintext
AuthenticationShort-lived JWT tokens (1-hour expiry), secure token storage (iOS Keychain / Android Keystore)
Access controlTenant isolation — users can only access data within their organization
Rate limitingBrute-force protection on all authentication endpoints
Audit loggingAdministrative actions recorded with PII redacted
Error monitoringSentry configured to strip personal data before transmission
InfrastructureGoogle Cloud Run with non-root containers, multi-stage Docker builds
Vulnerability scanningTrivy container scanning in CI/CD pipeline

6. Sub-Processors

The Controller authorizes the use of the following sub-processors:

Sub-ProcessorPurposeLocation
Google Cloud Platform (Firestore)Data storageEurope (europe-west1)
Google Cloud RunApplication hostingEurope (europe-west1)
Sentry (Functional Software Inc.)Error monitoring (PII stripped)EU

The Processor will inform the Controller of any intended changes to the list of sub-processors, giving the Controller the opportunity to object.

7. Data Transfers

All Personal Data is stored and processed within the European Union (Google Cloud europe-west1 region). No transfers to third countries outside the EU/EEA take place.

8. Data Breach Notification

The Processor will notify the Controller without undue delay (and in any event within 48 hours) after becoming aware of a personal data breach. The notification will include:

9. Data Retention and Deletion

10. Audit Rights

The Controller has the right to conduct audits (or appoint an independent auditor) to verify the Processor's compliance with this DPA. The Processor will cooperate with reasonable audit requests and provide access to relevant documentation and systems.

11. Term and Termination

This DPA is effective for the duration of the Controller's use of the Service. Upon termination, the Processor will delete or return all Personal Data within 30 days, unless retention is required by applicable law.

12. Contact

For questions about this DPA or to exercise audit rights:

Rootforce
Email: privacy@rootforce.com