Data Processing Addendum

Operators processing EU personal data should request a signed DPA from Roomfora before launch. This page summarizes the arrangement in plain English. To request the signed instrument, email legal@roomfora.com.

1. Introduction

A Data Processing Addendum (“DPA”) is an agreement that sets out the legal responsibilities of a service provider that processes personal data on behalf of a customer. If you are an operator based in the European Economic Area, the United Kingdom, or Switzerland, or if you process personal data about individuals in those regions, you typically need a DPA with Roomfora to use our Service in compliance with the GDPR (and equivalent laws).

This page describes Roomfora's standard DPA terms. Large customers and customers with specific legal requirements can request a countersigned DPA from us; see Section 9.

2. Roles

For the purposes of data protection law, the operator using Roomfora is the controller of personal data about its bookers and its own staff, and Roomfora is a processor acting on the operator's documented instructions. Roomfora is a controller only for data processed for our own purposes, such as operator account information and platform-level billing.

3. Subject matter and duration

Subject matter: Roomfora's processing of personal data on behalf of the operator as part of providing the Service.

Duration: the term during which the operator has an active Roomfora account, plus any retention period required by law.

4. Nature and purpose of processing

Roomfora processes personal data to:

  • Authenticate operator staff and bookers;
  • Display bookable resources and accept bookings;
  • Process payments and payouts through Stripe Connect;
  • Send transactional email (confirmations, receipts, reminders);
  • Provide an audit trail of booking and payment activity;
  • Diagnose errors and improve the Service.

Categories of data subjects include the operator's staff and the operator's bookers. Categories of personal data include contact details, account credentials, booking metadata, and billing metadata. Roomfora does not intentionally process special categories of data.

5. Sub-processors

Roomfora uses the following sub-processors to deliver the Service. This list is the same one published in our Privacy Policy and is updated there when a new vendor is added.

Vendor | Purpose | Data category
Clerk | Authentication & identity | Email address, name, login metadata
Stripe (incl. Stripe Connect) | Payments, payouts, KYC for connected operator accounts | Name, email, business details, payout bank details, card data (tokenized; never touches our servers)
Neon | PostgreSQL database hosting | All application data, encrypted at rest
Vercel | Application & edge hosting | Request logs, IP addresses, deployment metadata
Resend | Transactional email delivery | Recipient email, subject, body
Sentry | Error monitoring & performance tracing | Stack traces, request paths, user ID (no passwords, no payment data)
PostHog | Product analytics & session replay | Page views, clicks, session recordings (sensitive fields masked)

We will give operators reasonable notice of new sub-processors (for example, by updating this page and the Privacy Policy) and will consider objections in good faith.

6. Security measures

Roomfora implements the technical and organizational measures summarized in Section 9 (Security) of the Privacy Policy. In summary: TLS in transit, encryption at rest via Neon, password handling by Clerk, least-privilege access controls, logging and error monitoring through Sentry, and regular review of vendor risk.

7. Data subject requests

If a booker or staff member exercises their rights under data protection law (access, deletion, portability, objection), the operator is primarily responsible for responding. Roomfora provides account-level tools to help operators fulfill those requests and, on request, will reasonably assist. Forward requests to privacy@roomfora.com if you need help.

8. International transfers

Roomfora is based in the United States and uses US-hosted infrastructure. Where Roomfora transfers personal data out of the European Economic Area, the United Kingdom, or Switzerland, we rely on the European Commission's Standard Contractual Clauses (“SCCs”), together with the UK International Data Transfer Addendum where applicable, as the legal basis for transfer. A signed DPA from Roomfora incorporates the SCCs by reference.

9. How to request a signed DPA

Email legal@roomfora.com with your operator account name, the entity name that should appear on the DPA, and the region(s) you operate in. We will send back a countersigned DPA, typically within five business days.

Last updated: