Data Processing Addendum (template)

Working draft · Last updated 6 July 2026

Working draft template. Not executed until counsel review completes and both parties sign. A signable copy is available on request: hello@rootcase.io.

This Data Processing Addendum ("DPA") forms part of the agreement between ⟦COMPANY LEGAL NAME⟧ ("Processor", "we") and the customer identified in the signature block ("Controller", "Customer") covering the Customer's use of the service (the "Agreement").

1. Roles and scope

  1. The Customer is the controller of Customer Personal Data; we are the processor. Each party complies with the data protection laws applicable to it (including, where applicable, GDPR, UK GDPR, and CCPA/CPRA).
  2. We process Customer Personal Data only on the Customer's documented instructions — the Agreement, this DPA, and the Customer's configuration of the Service — unless required by law (in which case we inform the Customer unless prohibited).

2. Processing details (Annex 1)

Subject matter Detection and explanation of Salesforce errors; creation of tickets in Customer-elected tools
Duration Term of the Agreement + the 30-day deletion window
Nature and purpose Reading Salesforce configuration metadata (read-only; the sole write is the opt-in Case destination in the Customer's own org); processing error text and UI step labels; transient handling of client-side-masked screenshots (≤ 24 h); delivery of ticket content to Customer-elected destinations
Data subjects Customer's users of Salesforce (employees/contractors); Customer's admins
Personal data User email, name, role; UI action labels and templated paths; error message text as displayed by Salesforce (may incidentally echo entered values); masked screenshots in transit; audit records of admin actions
Special categories None intended or solicited; the Service is not designed to process them

3. Confidentiality and personnel

Persons authorized to process Customer Personal Data are bound by confidentiality obligations and access is limited to what their role requires.

4. Security

We implement and maintain the technical and organizational measures described in the Security Overview (incorporated by reference), including: per-tenant row-level security enforced in the database; encryption of OAuth tokens at rest and TLS 1.2+ in transit; client-side screenshot masking; audit logging of administrative actions; and automated release-blocking privacy tests. We will not materially decrease the overall security of the Service during the term.

5. Subprocessors

  1. The Customer authorizes the subprocessors listed at /legal/subprocessors, including the distinction between infrastructure subprocessors and Customer-elected destinations (engaged only upon the Customer connecting them).
  2. We give at least 14 days' notice before adding or replacing a subprocessor; the Customer may object on reasonable data-protection grounds, and if we cannot resolve the objection the Customer may terminate the affected service with a pro-rata refund of prepaid fees.
  3. We flow down data-protection obligations no less protective than this DPA to every subprocessor and remain liable for their performance.

6. International transfers

Where processing involves a transfer of EU/EEA or UK personal data to a country without an adequacy decision, the parties rely on the EU Standard Contractual Clauses (Module 2: controller → processor) and the UK Addendum. ⟦SCCs — to be completed and attached by counsel: module selection, Annexes, supervisory authority⟧

7. Assistance, breach notification, DPIAs

  1. We assist the Customer with data subject requests (access, rectification, erasure, export) — most are self-service in the product; the rest via hello@rootcase.io within 30 days.
  2. We notify the Customer's admins without undue delay and within 72 hours of becoming aware of a personal data breach affecting Customer Personal Data, with the information reasonably required for the Customer's own notification obligations, and keep the Customer informed as facts develop.
  3. We provide reasonable assistance with DPIAs and prior consultations to the extent they concern the Service.

8. Deletion and return

On termination, we delete Customer Personal Data from production systems within 30 days (backups expire on their normal cycle, at most ⟦backup window⟧ days later), and before deletion provide an export in a machine-readable format on request. Customer admins can also delete synced Salesforce data at any time from within the product.

9. Audit

Once per 12 months and on reasonable notice, we make available the information reasonably necessary to demonstrate compliance with this DPA (documentation, security overview, completed questionnaires, and — when available — third-party audit reports), and permit audits required of the Customer by law or a supervisory authority under confidentiality.

10. Order of precedence; term

This DPA prevails over the Agreement in case of conflict about data protection. It remains in force as long as we process Customer Personal Data.