Skip to content

Legal

Data Processing Agreement

Last updated May 17, 2026. This DPA forms part of the Terms of Service whenever Root Herald processes personal data on your behalf. If you need a wet signature copy on your paper, email dpa@rootherald.io.

1. Roles

Who's processing what

When you (the customer) use Root Herald to verify the devices of your end-users, you are the data controller with respect to any personal data those end-users send through us. Root Herald, Inc. is your data processor. We process personal data only on your documented instructions, which are encoded in the public API contract and this DPA.

Root Herald is the controller of your tenant-admin account data (login, billing, support). That data is covered by our Privacy Policy, not this DPA.

2. Subject matter

Categories of data and people

  • Device attestation evidence — TPM quotes, Secure Enclave assertions, App Attest tokens. Not personal data on its own. Becomes personal data only when you join it to a user identity on your side.
  • Anonymous device handles — cryptographic identifiers derived from the attestation key. We treat these as pseudonymous personal data under GDPR Art. 4(5).
  • Request metadata — IP address, user-agent, timestamp. Retained 30 days for security and abuse detection.
  • People involved — your end-users whose devices attest, and the authorized members of your team who administer your tenant.

3. Our obligations

What we promise

We process personal data only on your instructions and in accordance with applicable law. We'll tell you immediately if we believe an instruction violates law. We keep personal data confidential (everyone with access has signed binding confidentiality agreements). We assist you with data subject requests, data protection impact assessments, and security breach notifications.

We maintain technical and organizational measures appropriate to the risk — encryption at rest (AES-256-GCM) and in transit (TLS 1.3), tenant isolation, audit logging, MFA required for production access, annual third-party penetration testing. The full security overview lives at /security.

4. Sub-processors

Who else gets to see the data

We use sub-processors to provide the service. The current list lives at /legal/sub-processors. We notify you 30 days before adding a new sub-processor (subscribe to the RSS feed on that page). You may object in writing; if we can't agree on a solution we'll let you terminate the affected service with a pro-rata refund of prepaid fees.

5. International transfers

Cross-border data flow

Our production environment is in the United States (AWS us-west-2). For data subjects in the European Economic Area, the United Kingdom, or Switzerland, transfers are covered by the EU Standard Contractual Clauses (Modules 2 and 3, 2021 version). The UK Addendum and the Swiss Addendum are incorporated by reference where applicable.

6. Breach notification

If something goes wrong

If we discover a personal data breach affecting your data we'll notify your tenant admin email without undue delay and at the latest within 48 hours, with a description of what happened, what data was affected, what we've done about it, and what you should do. We'll keep notifying you until the matter is closed.

7. Return and deletion

When the contract ends

Upon termination of the service, at your choice, we either return personal data to you or delete it. Default is deletion, completed within 30 days. Exception: data we're required to keep by law (e.g., tax records). Anonymous statistical signals derived from your data may remain in aggregate form because they no longer relate to identifiable people.

8. Audit

Your right to verify

Once per year (or more if we've had a breach), you can audit our compliance with this DPA. We'll share our current security and compliance documentation — including our SOC 2 status and any audit reports once available — and respond to a reasonable written questionnaire. If you want an on-site audit, we'll work out scheduling and a neutral auditor; you cover the cost unless we find a material breach.