Rostrps
Legal Request DPA
Legal center Data processing

Data Processing Agreement

Status: customer agreement draft for counsel review. Last reviewed: July 8, 2026.

The DPA is intended to be executed with the customer Master Services Agreement. Fusion Frameworks LLC generally acts as processor for customer workforce data; the customer acts as controller.

Processing scope

RostrOps processes workforce and operational data to provide the platform: site presence, authority verification, access-control support, attendance and absence workflows, labor-hour support, reporting, billing, notifications, audit, and support.

Security measures

  • Tenant-scoped authorization and role-based access controls.
  • Hashed passwords, peppered PIN hashing, short-lived access tokens, and rotating refresh tokens.
  • Production TLS and database SSL verification.
  • Secrets stored outside source control through Azure Key Vault.
  • Append-only audit logging, with selected audit records hash-chained for tamper evidence.
  • Worker photos stored outside public static paths and served through authenticated tenant-scoped endpoints.

Authorized subprocessors

Current subprocessors and service providers include Microsoft Azure, Resend, Expo, Anthropic for optional customer-enabled AI features, and limited site-location/weather services. The final DPA should confirm the exact list and notice process for changes.

Counsel items before signature

  • Confirm breach notice timing and customer/regulator notice responsibility.
  • Confirm audit rights, frequency, and whether security questionnaire responses substitute for audits.
  • Confirm deletion, return, and manual export commitments.
  • Confirm retention exceptions for audit logs and finalized billing records.
  • Confirm Azure region, backups, encryption-at-rest, and subprocessor geography.