Data Processing Agreement

Last updated February 15, 2026

This Data Processing Agreement (“DPA”) forms part of the agreement between RollSuite, Inc. (“RollSuite”, “Processor”, “we”, “us”, or “our”) and the entity or individual agreeing to these terms (“Customer”, “Controller”, or “you”) for the provision of the RollSuite services (the “Services”) as described in the Terms of Use.

This DPA applies where and only to the extent that RollSuite processes Personal Data on behalf of the Customer in the course of providing the Services, and such Personal Data is subject to applicable Data Protection Laws.

1. Definitions

In this DPA, the following terms have the meanings set out below. Capitalized terms not defined in this DPA have the meanings given to them in the Terms of Use.

  • “Data Protection Laws” means all applicable laws and regulations relating to the processing of Personal Data, including (where applicable) the GDPR, CCPA, HIPAA, UAE Health Data Law, and any other applicable data privacy legislation.
  • “Personal Data” means any information relating to an identified or identifiable individual that is processed by RollSuite on behalf of the Customer in connection with the Services.
  • “Processing” means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.
  • “Sub-processor” means any third party engaged by RollSuite to process Personal Data on behalf of the Customer.
  • “Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data processed by RollSuite.

2. Scope and Purpose of Processing

RollSuite processes Personal Data solely for the purpose of providing the Services to the Customer, which includes syncing, analyzing, and visualizing operational and practice management data, generating reports, and providing related analytics capabilities. The categories of data processed may include:

  • Customer account information (name, email, role, organization);
  • Business operational data uploaded to or synced with the Services;
  • Patient or client records (where applicable, such as for healthcare verticals), including protected health information (PHI) subject to HIPAA;
  • Financial, billing, and transactional data;
  • Usage data and system logs generated through use of the Services.

3. Obligations of the Customer (Controller)

The Customer warrants and agrees that:

  • It has obtained all necessary consents, authorizations, and legal bases required under applicable Data Protection Laws before providing Personal Data to RollSuite;
  • It will comply with all applicable Data Protection Laws in its use of the Services and its instructions to RollSuite regarding the processing of Personal Data;
  • It is responsible for the accuracy, quality, and legality of the Personal Data provided to RollSuite;
  • It will notify RollSuite promptly of any data subject requests or regulatory inquiries relating to the processing of Personal Data.

4. Obligations of RollSuite (Processor)

RollSuite agrees to:

  • Process Personal Data only on documented instructions from the Customer, unless required to do so by applicable law;
  • Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  • Implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage;
  • Assist the Customer in responding to requests from data subjects exercising their rights under applicable Data Protection Laws;
  • Assist the Customer in ensuring compliance with its obligations regarding Security Incidents, data protection impact assessments, and consultations with supervisory authorities;
  • At the Customer’s choice, delete or return all Personal Data after the end of the provision of Services, unless applicable law requires further storage;
  • Make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in this DPA.

5. Security Measures

RollSuite implements and maintains appropriate technical and organizational security measures designed to protect Personal Data, including but not limited to:

  • AES-256 encryption for data at rest;
  • TLS 1.3 encryption for data in transit;
  • Logical tenant isolation of customer data;
  • Role-based access control (RBAC) enforced across all systems;
  • Multi-factor authentication required for all employees;
  • Regular vulnerability scanning and annual third-party penetration testing;
  • Automated data backup with point-in-time recovery;
  • 24/7 monitoring and alerting for critical infrastructure;
  • HIPAA-compliant data handling for healthcare vertical customers, including encryption, access controls, and audit logging for protected health information.

For a complete overview of our security posture, please visit our Trust Center.

6. Sub-processors

The Customer provides general authorization for RollSuite to engage Sub-processors to process Personal Data on behalf of the Customer. A current list of Sub-processors is available on our Trust Center.

RollSuite will notify the Customer of any intended changes to Sub-processors by updating the list on the Trust Center at least thirty (30) days prior to any new Sub-processor processing Personal Data. If the Customer objects to a new Sub-processor, the Customer may terminate the affected Services by providing written notice within thirty (30) days of being notified.

RollSuite will impose contractual obligations on each Sub-processor that are no less protective than those set out in this DPA, and RollSuite remains liable for the acts and omissions of its Sub-processors.

7. Data Subject Rights

RollSuite will, taking into account the nature of the processing, assist the Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Customer’s obligation to respond to requests for exercising data subject rights under applicable Data Protection Laws, including the right to access, rectification, erasure, restriction of processing, data portability, and the right to object.

If RollSuite receives a request from a data subject directly, RollSuite will promptly redirect the data subject to the Customer and will not respond to the request without the Customer’s authorization, unless legally required to do so.

8. Security Incident Notification

RollSuite will notify the Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Security Incident affecting Personal Data. Such notification will include:

  • A description of the nature of the Security Incident;
  • The categories and approximate number of data subjects and Personal Data records affected;
  • The likely consequences of the Security Incident;
  • The measures taken or proposed to be taken to address the Security Incident, including measures to mitigate its possible adverse effects.

RollSuite will cooperate with the Customer and take reasonable steps to assist in the investigation, mitigation, and remediation of any Security Incident.

9. International Data Transfers

RollSuite may transfer Personal Data to countries outside the Customer’s jurisdiction, including to the United States, where our primary infrastructure and Sub-processors are located. Where such transfers are subject to Data Protection Laws requiring appropriate safeguards (such as GDPR), RollSuite will ensure that adequate transfer mechanisms are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission;
  • Other lawful transfer mechanisms recognized under applicable Data Protection Laws;
  • Supplementary measures as may be required to ensure an essentially equivalent level of data protection.

10. Data Retention and Deletion

RollSuite will retain Personal Data only for as long as necessary to provide the Services and fulfil the purposes described in this DPA. Upon termination of the Services or upon the Customer’s written request:

  • RollSuite will delete or return all Personal Data within ninety (90) days, unless retention is required by applicable law;
  • RollSuite will certify in writing that it has deleted or returned the Personal Data upon the Customer’s request;
  • Backup copies will be deleted in accordance with our standard backup rotation schedule, and in no event later than one hundred eighty (180) days after termination.

11. Audit Rights

RollSuite will make available to the Customer, upon reasonable request, all information necessary to demonstrate compliance with this DPA. The Customer may, no more than once per twelve (12) month period and with at least thirty (30) days’ prior written notice:

  • Conduct an audit, or appoint a qualified, independent third-party auditor (subject to reasonable confidentiality obligations) to conduct an audit of RollSuite’s processing activities and security measures;
  • Request and review copies of relevant certifications, audit reports (including SOC 2 self-evaluations), and security documentation.

RollSuite will cooperate with any such audit and provide reasonable assistance. Audits will be conducted during normal business hours and will not unreasonably interfere with RollSuite’s operations.

12. HIPAA Business Associate Addendum

Where the Customer is a Covered Entity or Business Associate under HIPAA, this DPA incorporates by reference a Business Associate Agreement (BAA) as required under HIPAA. In such cases, RollSuite agrees to:

  • Use and disclose Protected Health Information (PHI) only as permitted or required by the BAA, this DPA, or as required by law;
  • Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic PHI;
  • Report to the Customer any use or disclosure of PHI not provided for by the BAA or any Security Incident of which RollSuite becomes aware;
  • Ensure that any Sub-processors that create, receive, maintain, or transmit PHI on behalf of RollSuite agree to the same restrictions and conditions that apply to RollSuite under the BAA.

To execute a BAA with RollSuite, please contact us at support@rollsuite.com.

13. Liability

Each party’s liability arising out of or related to this DPA is subject to the limitations of liability set forth in the Terms of Use.

14. Term and Termination

This DPA will remain in effect for the duration of the Customer’s use of the Services and will automatically terminate upon the termination or expiry of the Customer’s agreement with RollSuite. Provisions of this DPA that by their nature should survive termination (including sections on data deletion, audit rights, liability, and confidentiality) will continue to apply after termination.

15. Governing Law

This DPA is governed by and construed in accordance with the governing law provisions set forth in the Terms of Use, unless otherwise required by applicable Data Protection Laws.

16. Contact

For questions or concerns about this DPA, or to exercise any rights under this agreement, please contact us at support@rollsuite.com.