Capitalized terms not defined here have the meanings given in the MSA. "Customer Personal Data" means Personal Data that Customer (or its end users) submits to the Services. "Applicable Data Protection Law" means GDPR, UK GDPR, CCPA/CPRA, and any other data protection law applicable to the processing.
For Customer Personal Data, Customer is the Controller and ROAM is the Processor. ROAM will only process Customer Personal Data on documented instructions from Customer, including with regard to international transfers.
Customer authorizes ROAM to engage the subprocessors listed at /legal/dpa (currently: Replit (hosting), Stripe (billing), OpenAI (AI inference), Postmark and Google Workspace (email delivery), and WorkOS (SSO)). ROAM will give Customer at least thirty (30) days' notice before adding or replacing a subprocessor and will impose data-protection obligations on each subprocessor that are no less protective than those in this DPA.
ROAM will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure. These include encryption in transit, role-based access control, audit logging, secret rotation, and a documented incident response procedure.
ROAM will assist Customer, taking into account the nature of the processing, in responding to requests from data subjects to exercise their rights under Applicable Data Protection Law.
Where Customer Personal Data is transferred outside the EEA, UK, or Switzerland to a country not benefiting from an adequacy decision, the EU Standard Contractual Clauses (Module 2: Controller to Processor) and, where applicable, the UK International Data Transfer Addendum, are incorporated by reference.
Customer may, no more than once per year and on at least thirty (30) days' notice, request reasonable evidence of ROAM's compliance with this DPA. Customer may also rely on third-party certifications and reports that ROAM provides.
ROAM will notify Customer without undue delay (and in any event within seventy-two (72) hours) after becoming aware of a Personal Data Breach affecting Customer Personal Data, and will provide reasonable assistance to Customer's breach response.
On termination of the Services, ROAM will, at Customer's choice, return or delete Customer Personal Data within ninety (90) days, except where retention is required by applicable law.
The MSA's limitation of liability applies to claims under this DPA, except as required by Applicable Data Protection Law.
This DPA is incorporated by reference into the Master Services Agreement.