Data Protection Agreement

Last updated: April 19, 2026

This Data Protection Agreement (“DPA”) forms part of the contract for services (“Principal Agreement”) between the Customer (“Data Controller”) and RosterBird, operated by Balerion Software LLP, located at 13B Ganga Street, Anakaputhur, Chennai 600070, India (“Data Processor”). This DPA applies to the processing of Personal Data by the Processor on behalf of the Controller in connection with the RosterBird service.

1. Definitions

Data Controller — The entity that determines the purposes and means of the processing of Personal Data.

Data Processor — The entity that processes Personal Data on behalf of the Data Controller.

Personal Data — Any information relating to an identified or identifiable natural person, as defined by Article 4(1) of the GDPR.

Sub-Processor — A third party engaged by the Processor to assist in processing Personal Data on behalf of the Controller.

Data Breach — A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.

GDPR — Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation).

2. Purpose and Scope

The Processor shall process Personal Data on behalf of the Controller solely for the purpose of providing the RosterBird service as described in the Principal Agreement.

Categories of Data Subjects: Employees and team members of the Controller’s organisation who are managed via the RosterBird service.
Types of Personal Data: Names, usernames, email addresses, Slack user IDs, and profile picture URLs obtained from the Controller’s Slack workspace.
Purpose of Processing: To provide employee/team scheduling, shift rotation management, notifications, and related operational services.
Duration of Processing: For the duration of the Principal Agreement, unless otherwise requested by the Controller in writing.

3. Processor Obligations

The Processor agrees to:

  1. Process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law, in which case the Processor shall inform the Controller of that legal requirement before processing (unless prohibited by law).
  2. Ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  3. Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in Section 5.
  4. Assist the Controller, taking into account the nature of processing, in responding to requests for exercising data subject rights as described in Section 4.
  5. Assist the Controller in ensuring compliance with obligations relating to security of processing, notification of Data Breaches, data protection impact assessments, and prior consultations with supervisory authorities.
  6. At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of services, and delete existing copies unless applicable law requires storage of the Personal Data.
  7. Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA, and allow for and contribute to audits and inspections as described in Section 9.

4. Data Subject Rights

The Processor shall, taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising data subject rights under Chapter III of the GDPR, including:

  1. Right of access (Article 15)
  2. Right to rectification (Article 16)
  3. Right to erasure (Article 17)
  4. Right to restriction of processing (Article 18)
  5. Right to data portability (Article 20)
  6. Right to object (Article 21)

If a data subject contacts the Processor directly regarding their rights, the Processor shall promptly forward the request to the Controller and shall not respond to the data subject directly unless instructed to do so by the Controller.

5. Security Measures

The Processor shall implement and maintain the following technical and organisational security measures:

  1. Encryption of Personal Data in transit (TLS 1.2 or higher) and at rest.
  2. Access controls ensuring only authorised personnel can access Personal Data, enforced through role-based permissions.
  3. Regular monitoring and testing of systems, networks, and processes for vulnerabilities.
  4. Secure hosting within the European Union (data centre located in Germany).
  5. Regular backups with encryption and access controls equivalent to production systems.

The Processor shall regularly review and update these measures to ensure ongoing effectiveness and appropriateness relative to the risks involved.

6. Sub-Processors

The Controller provides general authorisation for the Processor to engage sub-processors, subject to the conditions in this section.

The Processor currently engages the following sub-processors:

Sub-Processor | Purpose | Location
Hetzner Online GmbH | Cloud infrastructure and hosting | EU (Germany)
Mailgun Technologies (Sinch) | Transactional email delivery | USA (with Standard Contractual Clauses)
Paddle.com Market Ltd | Payment processing and subscription billing | UK (with Standard Contractual Clauses)
Google Analytics (Google LLC) | Web analytics | USA (with Standard Contractual Clauses)

The Processor shall notify the Controller in writing at least 30 days before engaging any new sub-processor. The Controller may object to the new sub-processor within 14 days of notification. If the Controller objects on reasonable grounds, the parties shall discuss the matter in good faith.

The Processor shall ensure that each sub-processor is bound by data protection obligations no less protective than those set out in this DPA.

7. International Transfers

The Processor shall not transfer Personal Data outside the European Economic Area (EEA) unless appropriate safeguards are in place as required by Chapter V of the GDPR, including but not limited to:

  1. An adequacy decision by the European Commission (Article 45 GDPR).
  2. Standard Contractual Clauses approved by the European Commission (Article 46(2)(c) GDPR).
  3. Binding Corporate Rules (Article 47 GDPR).

The Processor’s primary data processing infrastructure is located within the EU (Germany). Where sub-processors are located outside the EEA, the Processor shall ensure that the appropriate transfer mechanisms listed above are in place.

8. Data Breach Notification

In the event of a Data Breach involving Personal Data processed under this DPA, the Processor shall:

  1. Notify the Controller without undue delay, and in any event within 72 hours of becoming aware of the breach, via email to the Controller’s designated contact.
  2. Provide the following information (to the extent available at the time of notification, with further details provided as they become available):
    1. The nature of the breach, including the categories and approximate number of data subjects and records concerned.
    2. The likely consequences of the breach.
    3. The measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects.
    4. The name and contact details of the Processor’s point of contact for further information.
  3. Cooperate with and assist the Controller in investigating, mitigating, and remediating the breach.

9. Audit Rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations set out in this DPA and Article 28 of the GDPR.

The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to the following conditions:

  1. The Controller shall provide at least 30 days’ written notice of any audit request.
  2. Audits shall be conducted during normal business hours and shall not unreasonably disrupt the Processor’s operations.
  3. The Controller shall bear its own costs associated with the audit.
  4. Audit findings and any information obtained shall be treated as confidential by the Controller.

As an alternative to on-site audits, the Processor may provide the Controller with a summary of relevant security certifications, audit reports (such as SOC 2), or other evidence of compliance, where available.

10. Data Retention and Deletion

Upon termination or expiry of the Principal Agreement, the Processor shall, at the Controller’s written election:

  1. Return all Personal Data to the Controller in a commonly used, machine-readable format; or
  2. Delete all Personal Data, including all existing copies, unless applicable law requires continued storage.

If the Controller does not provide instructions within 30 days of termination, the Processor shall delete all Personal Data and certify such deletion in writing to the Controller.

11. Governing Law and GDPR Compliance

This DPA shall be governed by and construed in accordance with the laws of India.

Notwithstanding the governing law, the data protection obligations set out in this DPA shall at all times comply with Regulation (EU) 2016/679 (GDPR) and, where applicable, any supplementary data protection legislation of EU Member States. In the event of any conflict between this DPA and the GDPR, the provisions of the GDPR shall prevail.

12. Term and Amendments

This DPA shall remain in effect for the duration of the Principal Agreement and for as long as the Processor processes Personal Data on behalf of the Controller.

This DPA may be amended only by written agreement signed by both parties. The Processor reserves the right to update the list of sub-processors and security measures, subject to the notification requirements set out in this DPA.
Questions about this DPA? Contact us at support@rosterbird.com