Last updated: March 13, 2026
This Data Processing Agreement ("DPA") forms part of the agreement between Rootforce ("Processor", "we", "us") and the organization using RF Time Tracker ("Controller", "you", "your") pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR").
The Processor processes Personal Data solely to provide the Service to the Controller. The categories of data processed are:
| Category | Data Elements | Purpose |
|---|---|---|
| Account Data | Name, email address, hashed password | User authentication and identification |
| Time Tracking Data | Time entries, descriptions, start/end times, break durations, project/tag assignments | Core service functionality |
| Organization Data | Tenant membership, user roles, payroll information (if configured) | Access control and reporting |
Data subjects: Employees and authorized users of the Controller's organization.
The Processor implements the following measures to protect Personal Data:
| Measure | Implementation |
|---|---|
| Encryption in transit | All communication uses HTTPS/TLS |
| Encryption at rest | Google Cloud Platform managed encryption (AES-256) |
| Password security | Bcrypt hashing (cost factor 12), never stored in plaintext |
| Authentication | Short-lived JWT tokens (1-hour expiry), secure token storage (iOS Keychain / Android Keystore) |
| Access control | Tenant isolation — users can only access data within their organization |
| Rate limiting | Brute-force protection on all authentication endpoints |
| Audit logging | Administrative actions recorded with PII redacted |
| Error monitoring | Sentry configured to strip personal data before transmission |
| Infrastructure | Google Cloud Run with non-root containers, multi-stage Docker builds |
| Vulnerability scanning | Trivy container scanning in CI/CD pipeline |
The Controller authorizes the use of the following sub-processors:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Google Cloud Platform (Firestore) | Data storage | Europe (europe-west1) |
| Google Cloud Run | Application hosting | Europe (europe-west1) |
| Sentry (Functional Software Inc.) | Error monitoring (PII stripped) | EU |
The Processor will inform the Controller of any intended changes to the list of sub-processors, giving the Controller the opportunity to object.
All Personal Data is stored and processed within the European Union (Google Cloud europe-west1 region). No transfers to third countries outside the EU/EEA take place.
The Processor will notify the Controller without undue delay (and in any event within 48 hours) after becoming aware of a personal data breach. The notification will include:
The Controller has the right to conduct audits (or appoint an independent auditor) to verify the Processor's compliance with this DPA. The Processor will cooperate with reasonable audit requests and provide access to relevant documentation and systems.
This DPA is effective for the duration of the Controller's use of the Service. Upon termination, the Processor will delete or return all Personal Data within 30 days, unless retention is required by applicable law.
For questions about this DPA or to exercise audit rights:
Rootforce
Email: privacy@rootforce.com