This Data Protection Addendum (“Addendum”) is entered into by and between CreatorMonet Technologies Private Limited (“Rootflo”) and the Customer (as defined in the Agreement). It forms part of the Rootflo Terms of Service located at https://www.rootflo.ai/terms-of-service or any other applicable written or electronic agreement incorporating this Addendum, each governing the Customer’s access to and use of Rootflo’s services (the “Agreement”).
This Addendum was last updated in May 2025.
Customer enters into this Addendum on behalf of itself and any of its Affiliates authorized to use the Services under the Agreement and who have not entered into a separate contractual arrangement with Rootflo. For the purposes of this Addendum, and unless otherwise specified, references to “Customer” shall include both the Customer and such Affiliates. The parties agree that the terms and conditions set out below shall be added as an Addendum to the Agreement.
For the purposes of this Addendum: "Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with a party.
The terms “Business,” “Business Purpose,” “Commercial Purpose,” “Contractor,” “Controller,” “Data Subject,” “Personal Data,” “Personal Data Breach,” “Process,” “Processor,” “Sell,” “Service Provider,” “Share,” “Subprocessor,” “Supervisory Authority,” and “Third Party” have the meanings given to them in applicable Data Protection Laws. Cognate terms will be interpreted in line with these definitions.
Capitalized terms not otherwise defined in this Addendum shall have the meanings assigned to them in the Agreement.
This Addendum applies to Rootflo’s Processing of Customer Personal Data under the Agreement, to the extent that such Processing is subject to applicable Data Protection Laws. This Addendum shall be governed by the governing law outlined in the Agreement, unless otherwise required by relevant Data Protection Laws.
The Parties acknowledge and agree that, with regard to the Processing of Customer Personal Data—and as further described in Annex 1—the Customer acts as a Controller (or “Business” under applicable U.S. privacy laws), and Rootflo acts as a Processor (or “Service Provider”). This Addendum applies solely to Rootflo’s Processing of Customer Personal Data in the role of a Processor, Subprocessor, or Third Party, as described in Annex 1.
The Parties further agree that it is the sole responsibility of the Customer to ensure that appropriate communications are made to its Affiliates or any other relevant Controller(s) who utilize Rootflo’s Services, where such communications are required or advisable under applicable Data Protection Laws, to support their compliance obligations.
The Customer is also solely responsible for complying with any notification or reporting obligations regarding Security Incidents, including obligations to notify regulators, affected individuals, or any other parties, as may be required under applicable laws.
The subject matter, purpose, and scope of the Processing of Customer Personal Data by Rootflo are set forth in Annex 1 to this Addendum. The Parties may mutually agree in writing to modify Annex 1 from time to time, to reflect changes in the Services, applicable legal requirements, or to clarify the understanding of the Processing activities under this Addendum.
The Processing activities conducted under this Addendum are undertaken for the sole purpose of delivering the Services as specified in the Agreement and any related Order Forms.
The Customer shall comply with all applicable Data Protection Laws in connection with the performance of this Addendum and the Processing of Customer Personal Data. In connection with its access to and use of the Services, the Customer shall Process Customer Personal Data within such Services and provide Rootflo with instructions in accordance with applicable Data Protection Laws. As between the Parties, the Customer shall be solely responsible for compliance with applicable Data Protection Laws regarding the collection of and transfer to Rootflo of Customer Personal Data. The Customer agrees not to provide Rootflo with any data concerning a natural person's health, religion, or any special categories of data as defined in Article 9 of the GDPR.
Rootflo shall comply with all applicable Data Protection Laws in the Processing of Customer Personal Data and shall:
Processing Instructions: Process the Customer Personal Data for the purposes of the Agreement and for the specific purposes in each case as set out in Annex 1 to this Addendum and otherwise solely on the documented instructions of the Customer, for the purposes of providing the Services and as otherwise necessary to perform its obligations under the Agreement. The Agreement, this Addendum, and the Customer’s use of the Services’ features and functionality are the Customer’s written instructions to Rootflo in relation to Processing Customer Personal Data, including as follows:
Rootflo shall use, retain, disclose, or otherwise Process Customer Personal Data only on behalf of the Customer and for the specific business purpose of providing the Services and in accordance with the Customer’s instructions, including as described in the Agreement. Rootflo shall not Sell or Share Customer Personal Data, nor use, retain, disclose, or otherwise Process Customer Personal Data outside of its business relationship with the Customer or for any other purpose (including Rootflo’s commercial purpose) except as required or permitted by law. Rootflo shall immediately inform the Customer (a) if Rootflo determines that it is no longer able to meet its obligations under Data Protection Laws or (b) if, in Rootflo's opinion, an instruction infringes applicable Data Protection Laws. The Customer reserves the right to take reasonable and appropriate steps to ensure Rootflo's Processing of Customer Personal Data is consistent with the Customer’s obligations under Data Protection Law and discontinue and remediate unauthorized use of Customer Personal Data;
Rootflo shall have rights to process Customer Personal Data solely (i) to the extent necessary to (a) perform the Business Purposes and its obligations under the Agreement; (b) operate, manage, test, maintain, and enhance the Services, including as part of its business operations; (c) disclose aggregate statistics about the Services in a manner that prevents individual identification or re-identification of Customer Personal Data, including without limitation any individual device or individual person; and/or (d) protect the Services from a threat to the Services or Customer Personal Data; (ii) if required by order of a court or authorized governmental agency, provided that prior notice is first given to the Customer; or (iii) as otherwise expressly authorized by the Customer;
Rootflo will not combine Customer Personal Data which Rootflo Processes on the Customer's behalf with Personal Data which it receives from or on behalf of another person or persons, or collects from its own interaction with individuals, provided that Rootflo may combine Personal Data to perform any Business Purpose permitted or required under the Agreement to perform the Services;
Confidentiality: Implement and maintain measures designed to ensure that Rootflo personnel authorized to process the Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality unless disclosure is required by law or professional regulations;
Security Measures: Implement and maintain the technical and organizational measures set out in the Agreement, and, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, implement and maintain any further commercially reasonable and appropriate administrative, technical, and organizational measures designed to ensure a level of security appropriate to the risk of the Processing of Customer Personal Data in accordance with Article 32 of the GDPR, and specifically:
Pseudonymization and encryption of Customer Personal Data;
Ensuring ongoing confidentiality, integrity, availability, and resilience of Rootflo’s processing systems and services that process Customer Personal Data;
Restoring availability and access to Customer Personal Data in a timely manner in the event of a physical or technical incident;
Regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing of the Customer Personal Data.
Sub-Processors: The Customer hereby agrees that Rootflo is generally authorized to engage and appoint Sub-processors, and specifically the Sub-processors listed in Annex 2 hereto, subject to Rootflo's:
Notifying the Customer at least thirty (30) calendar days in advance of any intended changes or additions to its Sub-processors listed in Annex 2 by emailing notice of the intended change to the Customer;
Including data protection obligations in its contract with each Sub-processor that are materially the same as those set out in this Addendum;
Remaining liable to the Customer for any failure by each Sub-processor to fulfill its obligations in relation to the Processing of the Customer Personal Data.
In relation to any notice received under section 5.2(d)(1), the Customer shall have a period of thirty (30) days from the date of the notice to inform Rootflo in writing of any reasonable objection on data protection grounds to the use of that Sub-processor. The parties will then, for a period of no more than thirty (30) days from the date of the Customer's objection, work together in good faith to attempt to find a commercially reasonable solution for the Customer which avoids the use of the objected-to Sub-processor. Where no such solution can be found, either Party may (notwithstanding anything to the contrary in the Agreement) terminate the relevant Services immediately on written notice to the other Party, without damages, penalty, or indemnification whatsoever (but without prejudice to any fees incurred by the Customer prior to termination);
Legal Requests: To the extent legally permissible, promptly notify the Customer of any legally binding request (i.e., a disclosure required by law, court order, or subpoena) for disclosure of Customer Personal Data held by Rootflo. Where a request is not legally binding, Rootflo will not disclose Customer Personal Data and will notify the Customer that the request was rejected. Rootflo shall maintain a record of all legally binding disclosure requests relating to Customer Personal Data;
Data Subject Requests: To the extent legally permissible, promptly notify the Customer of any communication from a Data Subject regarding the Processing of Customer Personal Data, or any other communication (including from a Supervisory Authority) relating to any obligation under the applicable Data Protection Laws in respect of the Customer Personal Data. Rootflo will not respond to any such request or complaint unless expressly authorized to do so by the Customer or is otherwise required to respond under applicable Data Protection Laws. Taking into account the nature of the Processing, Rootflo will reasonably assist the Customer (or the relevant Controller) by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Customer's, Customer's Affiliates', or the relevant Controller(s)' obligation to respond to requests for exercising the data subject's rights laid down in Chapter III GDPR. The Customer agrees to pay Rootflo for time and for out-of-pocket expenses incurred by Rootflo in connection with the performance of its obligations under this Section 5.2(f);
Personal Data Breach Notification: Notify the Customer without undue delay after becoming aware of a Personal Data Breach involving Customer Personal Data, such notice to include, to the extent reasonably available to Rootflo, all information reasonably required by the Customer (or the relevant Controller) to comply with its data breach reporting obligations under the applicable Data Protection Laws. Rootflo shall further take all such measures and actions as are necessary to remedy or mitigate the effects of such Security Incident and shall keep the Customer reasonably informed of developments concerning Customer Personal Data. The Customer acknowledges that Rootflo's notification of a Security Incident is not an acknowledgment by Rootflo of its fault or liability. Security Incidents do not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, such as unsuccessful login attempts, pings, port scans, denial-of-service attacks, or other network attacks on firewalls or networked systems;
Assistance with Data Protection Impact Assessments: To the extent required by the applicable Data Protection Laws, provide reasonable assistance to the Customer, the Customer's Affiliates, or the relevant Controller(s) with their obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of the Processing and the information available to Rootflo; the Customer agrees to pay Rootflo for time and for out-of-pocket expenses incurred by Rootflo in connection with any assistance provided in connection with Articles 35 and 36 of the GDPR;
Data Return or Deletion: Cease Processing the Customer Personal Data upon the termination or expiry of the Agreement, and at the option of the Customer, Customer's Affiliates, or the relevant Controller(s) either return or delete (including by ensuring such data is in non-readable format) all copies of the Customer Personal Data Processed by Rootflo, unless (and solely to the extent and for such period as) applicable law requires Rootflo to retain some or all of the Customer Personal Data. Any such Customer Personal Data retained shall remain subject to the obligations of confidentiality set forth in the Agreement;
Record Keeping: Maintain the necessary records in support of demonstrating compliance with its obligations (as specified in the applicable contract) for the processing of Customer Personal Data carried out on behalf of the Customer;
Audit Rights: Make available to the Customer all information reasonably necessary to demonstrate compliance with this Addendum and allow for and contribute to audits, including inspections, by the Customer, or an independent third-party auditor mandated by the Customer, provided that the Customer gives Rootflo reasonable prior notice of its intention to audit, conducts its audit during Rootflo’s normal business hours, and takes all reasonable measures to prevent unnecessary disruption to Rootflo’s operations. For the purposes of demonstrating compliance with this Addendum under this Section 5.2(k), the Parties agree that in the first instance, once per year during the term of the Agreement (except if and when required by instruction of a competent Supervisory Authority or where the Customer believes a further audit is necessary due to a Personal Data Breach concerning Customer Personal Data suffered by Rootflo
6.1 Each Party represents and warrants that, throughout the term of this Addendum, it will ensure that its employees, agents, and subcontractors fully comply with all applicable Data Protection Laws in the performance of their obligations.
7.1 When Customer Personal Data is transferred from the Customer or its Affiliates (as data exporter) to Rootflo (as data importer) and such transfer qualifies as a Restricted Transfer under applicable EU laws, the Parties agree that the transfer shall be governed by the Controller-to-Processor Standard Contractual Clauses (SCCs), which are hereby incorporated into and form part of this Addendum as follows:
For Personal Data subject to the EU GDPR: Where Rootflo processes EU GDPR–protected Customer Personal Data on behalf of the Customer:
Module Two (controller-to-processor) of the EU SCCs will apply;
Clause 7: the optional docking clause shall apply;
Clause 9: Option 2 (general authorization) shall apply, with the notice period for changes to Sub-processors as specified in Section 5.2(d) of this Addendum;
Clause 11: the optional language shall not apply;
Clause 17: Option 1 shall apply, designating Irish law as the governing law;
Clause 18(b): disputes shall be resolved in the courts of the Republic of Ireland;
Annex I of the EU SCCs shall be deemed completed with the details in Annex 1 of this Addendum;
Annex II of the EU SCCs shall be deemed completed with the security measures set out in Section 4 of Annex 1.
For Personal Data subject to the Swiss DPA: The EU SCCs shall also apply, with the following modifications to align with Swiss requirements:
References to “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss DPA;
References to “EU”, “Union”, “Member State”, and “Member State law” shall be interpreted to mean “Switzerland” and “Swiss law”;
References to the “competent supervisory authority” and “competent courts” shall be interpreted as references to the relevant Swiss data protection authority and courts;
The SCCs shall be governed by Swiss law, and disputes shall be resolved before the competent courts in Switzerland.
For Personal Data subject to the UK GDPR: The EU SCCs shall apply, modified and interpreted in line with the UK Addendum (Part 2: Mandatory Clauses), which is incorporated into and forms part of this Addendum. In the event of any conflict between the UK Addendum and the SCCs, the provisions of the UK Addendum shall prevail as per its Sections 10 and 11.
Tables 1 to 3 of the UK Addendum shall be completed with the information in Annex 1 of this Addendum.
Table 4 shall be deemed completed by selecting both “Importer” and “Exporter”.
AI Processing Location and Limitation: Rootflo shall process Customer Personal Data using AI and machine learning technologies exclusively within the Frankfurt region, Germany. Such processing will adhere to the terms of this Addendum and applicable Data Protection Laws, including the GDPR. The use of AI will be strictly limited to fulfilling the services provided by Rootflo and shall only be conducted to the extent necessary to achieve those specified purposes.
Rootflo shall not engage in any additional Restricted Transfers of Customer Personal Data—whether as an importer or exporter—unless such transfers fully comply with applicable Data Protection Laws and are governed by valid Standard Contractual Clauses (or other appropriate Transfer Mechanism) executed between the relevant parties involved in the transfer.
The Customer is responsible for regularly evaluating all international transfers of Personal Data on a case-by-case basis. This includes monitoring evolving risks arising from changes in local laws, regulations, and data processing practices. The Customer should implement appropriate supplementary safeguards, such as encryption or pseudonymization, where necessary to ensure continued compliance with Data Protection Laws.
Where one Party is located outside the European Economic Area (EEA) or a jurisdiction deemed adequate, and receives Personal Data:
that Party will act as the data importer,
the other Party will act as the data exporter, and
the applicable Transfer Mechanism will govern the transfer.
"Transfer Mechanism" refers to any lawful method of transferring Personal Data from the EEA or an adequate country to a third country in compliance with applicable Data Protection Laws. This may include, but is not limited to:
The Standard Contractual Clauses (SCCs) approved by the European Commission (Decision of 4 June 2021, as updated);
The International Data Transfer Agreement issued by the UK Information Commissioner’s Office (ICO) under Section 119A of the UK Data Protection Act 2018 (effective 21 March 2022);
The International Data Transfer Addendum issued by the ICO (also under Section 119A, effective 21 March 2022).
If a Transfer Mechanism alone is deemed insufficient to ensure adequate protection of the transferred Personal Data, the data importer agrees to promptly implement additional safeguards necessary to ensure compliance with Data Protection Laws and to maintain the equivalent level of protection.
If the data importer receives a legally binding request from a public authority for access to Personal Data, and to the extent permitted by law, it shall:
challenge the request where appropriate,
notify the data exporter without undue delay, and
disclose only the minimum amount of Personal Data required, keeping detailed records of such disclosures.
This Addendum supplements the terms of the Agreement. In the event of any conflict or inconsistency between the provisions of the Agreement and this Addendum, the following order of precedence shall apply:
First, any applicable Standard Contractual Clauses or other agreed-upon Cross-Border Transfer Mechanisms;
Second, the terms of this Addendum;
Third, the underlying Agreement.
Where any provision of this Addendum or the Agreement conflicts—directly or indirectly—with the Controller to Processor Standard Contractual Clauses, the terms of the Standard Contractual Clauses shall prevail.
To the extent permitted by applicable law, the Customer agrees to:
defend Rootflo and its Affiliates (collectively, the “Indemnified Parties”) against any third-party claim, demand, action, or proceeding (each, a “Claim”) arising out of or in connection with the Customer’s breach of this Addendum or its non-compliance with applicable Data Protection Laws; and
indemnify and hold harmless the Indemnified Parties from any resulting losses, damages, liabilities, penalties (including administrative fines), settlements, and reasonable costs and expenses (including legal, investigative, and consultancy fees).
Rootflo reserves the right to participate in the defense or settlement of any such Claim with counsel of its choice, at its own expense.
This Addendum incorporates the following principles and obligations:
Privacy by Design and by Default: Rootflo shall implement appropriate technical and organizational measures to ensure data protection is integrated into the processing activities.
Security of Processing: Rootflo shall maintain adequate security measures to protect Customer Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
Breach Notifications:
In the event of a Personal Data Breach involving Customer Personal Data, Rootflo shall notify the Customer without undue delay after becoming aware of the breach.
Rootflo shall provide the Customer with the information reasonably required for the Customer to meet its own notification obligations to the relevant Supervisory Authority and affected Data Subjects under applicable Data Protection Law, the Customer remaining responsible for those notifications as set out above.
Data Protection Impact Assessments: Where required by applicable Data Protection Law, Rootflo shall assist the Customer in conducting data protection impact assessments and, where necessary, in carrying out prior consultations with the relevant Supervisory Authorities.
Regulatory Compliance: Rootflo shall comply with all applicable statutory and regulatory requirements, including the EU General Data Protection Regulation (GDPR), and shall maintain its information security and privacy management systems in line with ISO/IEC 27001:2022 and ISO/IEC 27701:2019.
Data Subject Rights: If a Data Subject wishes to exercise rights under applicable Data Protection Law—such as access, correction, or erasure of Personal Data processed by Rootflo—they may do so by contacting the Data Protection Officer (DPO) as follows:
Contact Details of DPO:
Name: Vishnu Satis
Email: vishnu@rootflo.ai
The DPO may also be contacted to raise concerns or complaints related to the processing of Customer Personal Data.
Temporary Files: Rootflo confirms that no temporary files are generated during the processing of Customer Personal Data.
This Annex includes certain details of the Processing of Customer Personal Data by Rootflo in connection with the Services.
1. List of Parties
Data Exporter
Name:
Customer (as defined in the Agreement)
Address:
As set forth in the relevant Order Form.
Contact person’s name, position and contact details:
As set forth in the relevant Order Form.
Activities relevant to the data transferred under these Clauses:
Recipient of the Services provided by Rootflo in accordance with the Agreement.
Signature and date:
Signature and date are set out in the Agreement.
Role (controller/processor):
Controller
Data Importer
Name:
CreatorMonet Technologies Private Limited
Address:
5th Floor, #1664, 7th Cross, 27th Main Road, HSR Layout, Bangalore - India
Contact person’s name, position and contact details:
Vishnu Satis, vishnu@rootflo.ai
Activities relevant to the data transferred under these Clauses:
Provision of the Services to the Customer in accordance with the Agreement.
Signature and date:
Signature and date are set out in the Agreement.
Role (controller/processor):
Processor
2. Competent Supervisory Authority
Name:
Determined in accordance with Clause 13 of the EU SCCs by reference to the data exporter's establishment (for transfers subject to the UK GDPR, the Information Commissioner's Office).
3. Processing Information
Categories of data subjects whose personal data is transferred
Customer’s authorized users of the Services
Categories of personal data transferred
Processed automatically by the Services:
· Names
· email addresses
Processed where and to the extent provided by Customer or its authorized users in connection with audit services provided by Rootflo:
· address
· date of birth
· past employment details
Sensitive personal data transferred
None
Frequency of the transfer
Continuous
Nature of the processing
The nature of the processing is more fully described in the Agreement and accompanying order forms but will include the following basic processing activities: the provision of Services to Customer. In order to provide people data, Rootflo receives identifying Customer Personal Data to permit Rootflo to query, cleanse, standardize, and enrich it, (when required) send it to additional data feed providers, and store the query information.
Purpose of the data transfer and further processing
The purpose of the transfer is to facilitate the performance of the Services more fully described in the Agreement and accompanying order forms.
For processing involving California consumers, please select the Business Purpose(s) for Processing Personal Data
☐ N/A
☐ Auditing related to counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards
☐ Helping to ensure security and integrity to the extent the use of the consumer’s personal information is reasonably necessary and proportionate for these purposes
☐ Debugging to identify and repair errors that impair existing intended functionality.
☐ Short-term, transient use, including, but not limited to, non-personalized advertising shown as part of a consumer’s current interaction with the business, provided that the consumer’s personal information is not disclosed to another third party and is not used to build a profile about the consumer or otherwise alter the consumer’s experience outside the current interaction with the business
☐ Performing services on behalf of the business, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on behalf of the business.
☐ Providing advertising and marketing services, except for cross-context behavioral advertising, to the consumer provided that, for the purpose of advertising and marketing, a service provider or contractor shall not combine the personal information of opted-out consumers that the service provider or contractor receives from, or on behalf of, the business with personal information that the service provider or contractor receives from, or on behalf of, another person or persons or collects from its own interaction with consumers.
☐ Undertaking internal research for technological development and demonstration.
☐ Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for or controlled by the business.
☐ To retain and employ another service provider or contractor as a subcontractor where the subcontractor meets the requirements for a service provider or contractor under CCPA.
☐ To build or improve the quality of the services it is providing to the business even if this Business Purpose is not specified in the written contract required by CCPA provided that Service Provider does not use the Customer Personal Data to perform Services on behalf of another person.
☐ To prevent, detect, or investigate data security incidents or protect against malicious, deceptive, fraudulent, or illegal activity, even if this Business Purpose is not specified in the written contract.
Period for which the personal data will be retained or criteria used to determine that period
The period for which the Customer Personal Data will be retained is more fully described in the Agreement, Addendum, and accompanying order forms.
Subprocessor transfers – subject matter, nature, and duration of processing
The subject matter, nature, and duration of the Processing are more fully described in the Agreement, Addendum, and accompanying order forms.
4. Technical and Organisational Security Measures
This section outlines the technical and organisational measures implemented by Rootflo, in its role as a data processor/data importer, to ensure a level of security appropriate to the nature, scope, context, and purpose of data processing. These measures are designed to safeguard personal data and mitigate risks to the rights and freedoms of individuals, in accordance with applicable data protection laws.
• Security
• Security Management System
Organization: Rootflo appoints dedicated and qualified security personnel responsible for the development, implementation, and continuous oversight of its Information Security Program.
Policies: Rootflo maintains a comprehensive set of security policies aimed at ensuring the confidentiality, integrity, availability, and resilience of Customer Personal Data. These policies are reviewed and updated at least once annually to remain aligned with evolving standards and risks.
Assessments: To validate the effectiveness of its security controls, Rootflo engages independent third-party experts to conduct annual risk assessments across all systems handling Customer Personal Data.
Risk Treatment: Rootflo operates a formal risk treatment framework that includes regular penetration testing, vulnerability scanning, and timely patch management to proactively identify and mitigate security threats.
Vendor Management: Rootflo enforces a structured vendor management program to assess and monitor third-party service providers that process or have access to Customer Personal Data, ensuring they meet required security standards.
Incident Management: Rootflo follows a defined incident response process, conducting regular reviews of security incidents, performing root cause analysis, and implementing corrective actions to prevent recurrence.
Standards: Rootflo’s Information Security Management System adheres to internationally recognized standards, including compliance with ISO/IEC 27001:2022.
• Personnel Security
Rootflo ensures that all personnel conduct themselves in accordance with the company’s standards for confidentiality, ethical behavior, appropriate system usage, and professional conduct. Before granting access to Customer Personal Data, Rootflo performs background checks on relevant employees—covering employment history and criminal records—where legally permissible and in line with local labor laws, industry norms, and statutory requirements.
All personnel must sign written confidentiality agreements at the time of joining and are expected to maintain the confidentiality of Customer Personal Data at all times. They are required to formally acknowledge and comply with Rootflo’s privacy, confidentiality, and security policies. Rootflo provides regular training on data protection and security practices to all employees, with additional specialized training or certifications mandated for roles involving direct handling of Customer Personal Data. No personnel are permitted to access or process Customer Personal Data without proper authorization.
• Access Controls
Access Management: Rootflo maintains a structured access management process that governs the request, review, approval, and provisioning of personnel access to Customer Personal Data. Access is granted strictly on a need-to-know basis and limited to individuals with proper authorization. Regular access reviews are conducted to ensure only those with a continuing business need retain access to such data and associated systems.
Infrastructure Security Personnel: Rootflo enforces a security policy applicable to all personnel and integrates security training into the employee onboarding and ongoing development programs. Dedicated infrastructure security staff continuously monitor Rootflo’s systems, manage service security reviews, and respond to any incidents in real time.
Access Control and Privilege Management: All administrators and end users must authenticate through Multi-Factor Authentication (MFA) or a secure Single Sign-On (SSO) system before accessing Rootflo’s services. Role-based access controls are in place to restrict access based on job function and operational requirements.
Internal Data Access Policies: Rootflo’s internal processes are designed to protect Customer Personal Data from unauthorized access, use, alteration, or disclosure. Systems are built to enforce the principles of “least privilege” and “need to know.” Access is controlled through unique user IDs, strong password requirements, two-factor authentication, and rigorously maintained access control lists. Access rights are granted or modified based on job responsibilities, task relevance, and operational necessity. All changes are managed through automated workflows with full audit trails to ensure accountability. System access is logged to support audits and investigations. Password policies adhere to industry standards, including complexity requirements, periodic expiry, lockout protocols, prevention of password reuse, and re-authentication after periods of inactivity.
• Data Center and Network Security
• Data Centers
Infrastructure: Rootflo utilizes Amazon Web Services (AWS) as its primary cloud infrastructure provider.
Infrastructure Resilience: To ensure high availability and fault tolerance, Rootflo leverages AWS's Multi-Availability Zone architecture. Regular backup restoration tests are conducted to validate the integrity and recoverability of data, ensuring operational continuity.
Server Configuration and Hardening: Rootflo’s server environments are tailored for application-specific needs and undergo rigorous hardening procedures to safeguard against vulnerabilities. A formal code review process is in place to strengthen the security posture of all deployed software and infrastructure.
Disaster Recovery: Data is redundantly replicated across multiple systems to guard against loss or accidental destruction. Rootflo has a comprehensive disaster recovery plan in place, which is routinely tested and updated to maintain readiness.
Security Logging and Monitoring: All systems at Rootflo are configured with centralized logging to support security audits and detect unauthorized access attempts. Continuous monitoring enables real-time detection of anomalies and threats across the network.
Vulnerability Management: Rootflo conducts regular vulnerability scans across its production and development environments. Identified risks are prioritized and remediated in accordance with their severity—Critical, High, and Medium threats are addressed with security patches as quickly as commercially feasible.
• Networks and Transmission
Data Transmission: All data transmitted within Rootflo’s production environment utilizes secure, industry-standard Internet protocols to ensure confidentiality and integrity during transit.
External Attack Surface Protection: Rootflo implements AWS Security Groups—functioning as virtual firewalls—to tightly control inbound and outbound traffic to its production environment, minimizing exposure to external threats.
Incident Response: Rootflo has established robust incident management policies and escalation procedures. A dedicated security team monitors multiple communication channels to detect and respond to security incidents. In the event of a confirmed or suspected breach, the team acts swiftly to contain and mitigate the impact, investigate the root cause, and document the event and remediation steps.
Encryption Technologies: To protect customer data, Rootflo enforces HTTPS (TLS/SSL) encryption for all data in transit and applies strong encryption standards for data at rest. These measures are designed to uphold the security, privacy, and integrity of Customer Personal Data throughout its lifecycle.
Data Storage, Isolation, Authentication, and Destruction: Rootflo stores customer data in a secure multi-tenant environment hosted on AWS. Data, including databases and file systems, is replicated across multiple AWS availability zones to ensure high availability and resilience. Each customer’s data is logically isolated to prevent unauthorized access or cross-tenant exposure. Rootflo employs a centralized authentication system across all services to enforce consistent and robust access controls. To ensure the secure and irreversible disposal of customer data, Rootflo follows industry-standard data destruction practices, including secure deletion protocols and automated data lifecycle management processes.
Rootflo’s list of sub-processors.