Data Processing Agreement

Terms governing how RobotRock processes personal data on your behalf.

Last updated: June 26, 2025

1. Introduction

This Data Processing Agreement (“DPA”) forms part of the agreement between your organization (“Customer”) and RobotRock (“Processor”) for use of the RobotRock human-in-the-loop approval platform (the “Services”).

This DPA applies when RobotRock processes personal data on behalf of Customer in connection with the Services. Contact legal@robotrock.io for a countersigned copy or enterprise amendments.

2. Roles and scope

Customer is the data controller for Customer Content (task context, approval decisions, comments, and related workflow data) submitted to the Services. RobotRock processes that data as a processor solely to provide, secure, and improve the Services as instructed through Customer's use of the dashboard, API, and SDK.

RobotRock may act as an independent controller for account administration, billing, security logging, and product communications related to the Services.

3. Processor obligations

RobotRock will:

  • Process personal data only on documented instructions from Customer, unless required by law
  • Ensure personnel with access are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures
  • Assist Customer with data subject requests where applicable, using available product features and reasonable support
  • Notify Customer without undue delay after becoming aware of a personal data breach affecting Customer Content
  • Delete or return Customer Content upon termination, subject to backup cycles and legal retention requirements

4. Subprocessors

Customer authorizes RobotRock to engage subprocessors listed on our Trust Center. RobotRock will impose data protection obligations on subprocessors substantially similar to this DPA and remain responsible for their performance.

RobotRock will provide notice of material subprocessor changes by updating the Trust Center. Customer may object on reasonable grounds by contacting privacy@robotrock.io within 30 days.

5. International transfers

Where personal data is transferred outside the European Economic Area, United Kingdom, or Switzerland, RobotRock will implement appropriate safeguards, including Standard Contractual Clauses where required by applicable law.

6. Audits and compliance

RobotRock will make available information reasonably necessary to demonstrate compliance with this DPA, including security documentation and, when available, third-party audit reports (such as SOC 2), subject to confidentiality restrictions.

7. Term

This DPA remains in effect for the duration of Customer's use of the Services and survives termination until Customer Content is deleted from active systems, subject to applicable retention periods.

8. Related documents