Skip to main content

Trust Center · Legal

Data Processing Addendum

Revision

This Addendum forms part of the agreement between TailRoster (the “Processor”) and the operator using TailRoster (the “Controller”) and governs the processing of personal data carried out by TailRoster on the Controller's behalf. It applies where the Controller is subject to the GDPR, UK GDPR, or the CCPA / CPRA.

Ready to sign?

Read the clauses below first. To execute the DPA, email security@tailroster.com with your business name and legal contact. We pre-fill your operator details, counter-sign, and return signed copies to both parties within one business day. (A one-click in-app signing flow with per-account storage is in development; until it ships we run signature over email so nothing here implies an automation we don't yet have.)

1. Roles of the parties

The Controller determines the purposes and means of processing pet-parent and end-customer personal data. TailRoster processes that data only on the Controller's documented instructions, including those set out in the underlying agreement and this Addendum.

Where TailRoster determines the purposes and means for its own operator-account data (e.g. billing, account administration), it acts as an independent controller for that limited data.

2. Subject matter, nature & purpose

TailRoster processes personal data as necessary to provide the daycare, boarding, grooming, reservation, payment, and communication features of the service, for the duration of the agreement.

Categories of data subjects: facility staff, pet parents, and their contacts. Categories of personal data: contact details, pet records, reservation and service history, and payment metadata (card data is tokenized by Stripe and not stored by TailRoster).

3. Processing on instructions

TailRoster processes personal data only on the Controller's documented instructions, unless required by law — in which case TailRoster will notify the Controller first, where legally permitted.

TailRoster will inform the Controller if it believes an instruction infringes applicable data-protection law.

4. Security measures

TailRoster maintains technical and organizational measures appropriate to the risk, including: AES-256 encryption at rest and TLS 1.3 in transit; multi-tenant isolation enforced by row-level security; role-based access control with per-user permission auditing; an append-only audit log of privileged actions; and continuous service-health monitoring with alerting.

TailRoster's current security posture is published and kept current at the Trust Center, including a downloadable security overview.

5. Sub-processors

The Controller authorizes TailRoster to engage the sub-processors listed in the Trust Center subprocessor table to deliver the service. TailRoster imposes data-protection obligations on each sub-processor no less protective than those in this Addendum.

TailRoster will update the published subprocessor list and notify the Controller in advance of adding or replacing a sub-processor, giving the Controller the opportunity to object on reasonable data-protection grounds.

6. International transfers

Customer data is hosted in the United States (us-east-1). Where personal data of EU, UK, or Swiss data subjects is transferred outside its region, the transfer is governed by the European Commission's Standard Contractual Clauses (and the UK Addendum where applicable), incorporated into this Addendum by reference.

EU (Frankfurt) data residency is a planned enterprise-tier option and is not yet available.

7. Data-subject rights & assistance

TailRoster will, taking into account the nature of the processing, assist the Controller by appropriate technical and organizational measures in responding to data-subject requests (access, correction, deletion, portability) and in meeting the Controller's obligations on security, breach notification, and impact assessments.

TailRoster responds to verified data-subject and Controller assistance requests within 30 days.

8. Personal-data breach notification

TailRoster will notify the Controller without undue delay after becoming aware of a personal-data breach affecting the Controller's data, with the information reasonably available to assist the Controller's own notification obligations.

9. Return & deletion

On termination of the agreement, TailRoster will, at the Controller's choice, delete or return the personal data it processes on the Controller's behalf, and delete existing copies unless retention is required by law. Routine backup copies expire on the standard 35-day backup retention cycle.

10. Audits & information

TailRoster will make available to the Controller the information reasonably necessary to demonstrate compliance with this Addendum, including the security overview and, once available, the SOC 2 report under NDA.

Security overview (printable)Trust Center

This document is provided for review and is not legal advice. Have your counsel review it before execution; the executed version controls.