Data Processing Agreement
The DPA is intended to be executed with the customer Master Services Agreement. Fusion Frameworks LLC generally acts as processor for customer workforce data; the customer acts as controller.
Processing scope
RostrOps processes workforce and operational data to provide the platform: site presence, authority verification, access-control support, attendance and absence workflows, labor-hour support, reporting, billing, notifications, audit, and support.
Security measures
- Tenant-scoped authorization and role-based access controls.
- Hashed passwords, peppered PIN hashing, short-lived access tokens, and rotating refresh tokens.
- Production TLS and database SSL verification.
- Secrets stored outside source control through Azure Key Vault.
- Append-only audit logging, with selected audit records hash-chained for tamper evidence.
- Worker photos stored outside public static paths and served through authenticated tenant-scoped endpoints.
Authorized subprocessors
Current subprocessors and service providers include Microsoft Azure, Resend, Expo, Anthropic for optional customer-enabled AI features, and limited site-location/weather services. The final DPA should confirm the exact list and notice process for changes.
Counsel items before signature
- Confirm breach notice timing and customer/regulator notice responsibility.
- Confirm audit rights, frequency, and whether security questionnaire responses substitute for audits.
- Confirm deletion, return, and manual export commitments.
- Confirm retention exceptions for audit logs and finalized billing records.
- Confirm Azure region, backups, encryption-at-rest, and subprocessor geography.