Skip to main content

Data Processing Agreement

Last updated on April 18, 2026.

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you (the "Customer") and Jon Simpson, trading as Duty Room (the "Service Provider"). It applies where Duty Room processes personal information on your behalf in the course of providing the Services.

Definitions

"Applicable Privacy Law" means any US federal or state law governing the processing of personal information that applies to the Services, including but not limited to the California Consumer Privacy Act ("CCPA") as amended by the CPRA. "Personal Information" has the broadest meaning given to that term (or "personal data") under Applicable Privacy Law.

Where the CCPA applies, Duty Room acts as a "Service Provider" (as defined in the CCPA) and not as a "third party." We do not sell or share your Personal Information.

Scope of Processing

We process Personal Information only as necessary to provide the Services. Specifically:

  • Subject matter: Provision of a compliance operations platform.
  • Duration: For as long as you have an active account, plus the post-cancellation retention period described in the Terms.
  • Nature and purpose: Storage, retrieval, organization, and display of operational records you create in the Services.
  • Types of Personal Information: Names, email addresses, job titles, and other contact information of your staff. Operational records may contain personal information at your discretion. You should not store sensitive personal information (such as health data, Social Security numbers, or financial account numbers) in the Services.
  • Individuals: Your employees, contractors, and other individuals whose information you choose to store in the Services.

Service Provider Obligations

Duty Room will:

  1. Process Personal Information only on your documented instructions and solely for the purpose of providing the Services, unless required by law.
  2. Ensure that persons authorized to process Personal Information are subject to appropriate confidentiality obligations.
  3. Implement appropriate technical and organizational measures to protect Personal Information, including encryption in transit and at rest.
  4. Not engage another service provider or sub-processor without first notifying you and giving you the opportunity to object, as described in the Sub-processors section below.
  5. Assist you, taking into account the nature of the processing, in responding to individuals exercising their rights under Applicable Privacy Law.
  6. Assist you in meeting your obligations regarding security and breach notification under Applicable Privacy Law.
  7. At your choice, delete or return all Personal Information after the end of the provision of Services, and delete existing copies unless required by law to retain them. The timelines for deletion are set out in the Terms.
  8. Make available to you information necessary to demonstrate compliance with these obligations.
  9. Not sell, share, or use Personal Information for any purpose other than providing the Services, including not using it for cross-context behavioral advertising.

Breach Notification

If we become aware of a breach of security affecting your data, we will notify you without undue delay and in any event within 72 hours of becoming aware. The notification will include the nature of the breach, the categories and approximate number of records affected, and the measures taken or proposed to address it.

Sub-processors

The following sub-processors are engaged as of the date of this DPA:

Sub-processor Purpose Location
Amazon Web Services (AWS) Infrastructure and hosting United States
Postmark (AC PM LLC) Transactional email delivery United States
Sentry (Functional Software, Inc.) Application error monitoring United States

We will notify you by email at least 30 days before adding or replacing a sub-processor. If you object, you may terminate your account in accordance with the Terms.

Contact

For questions about this DPA, contact us at privacy@dutyroom.com.