Data Processing Addendum

Rocket Alumni Solutions – Data Processing Addendum (DPA)
URL: https://www.rocketalumnisolutions.com/dpa

Effective Date: The earlier of (a) the Effective Date of the Agreement incorporating this DPA, or (b) the date on which Customer first uses the Service referencing this DPA.

This Data Processing Addendum (“DPA”) forms part of the applicable master agreement, order form, or online terms between Rocket Alumni Solutions, Inc. (“Rocket”) and the applicable end‑customer entity (“Customer”) that governs Customer’s use of Rocket’s hosted software and related services (the “Service”) (together, the “Agreement”).

1. Roles; Scope; Instructions
1.1 Roles. For Customer Personal Data processed in the Service, Customer is the controller (or “business”), and Rocket is the processor (or “service provider”/“contractor”).
1.2 Purpose/Scope. Rocket will Process Customer Personal Data solely to provide, secure, and support the Service and program materials under the Agreement and this DPA, and in accordance with Customer’s documented instructions.
1.3 Instructions. Customer instructs Rocket to Process Customer Personal Data (a) to provide and improve the Service (including security, quality, support, and availability), (b) as documented in the Agreement, this DPA and any Order, and (c) as required by law. If an instruction violates Data Protection Laws, Rocket will notify Customer.
1.4 Student/PHI boundaries. The Service does not require PHI; Rocket is not a HIPAA Business Associate. Customer will not submit PHI. For K‑12 data, the EDU Addendum (Schedule EDU) governs.

2. Definitions
“Customer Personal Data” means Personal Data Processed by Rocket on behalf of Customer under the Agreement. “Data Protection Laws” include, as applicable, GDPR, UK GDPR, Swiss FADP, and U.S. State Privacy Laws (e.g., CPRA, ColoPA, VCDPA, etc.). “SCCs” means the EU Commission’s 2021 Standard Contractual Clauses (Controller‑to‑Processor, Module 2). Capitalized terms not defined here have the meanings in the Agreement or applicable law. “Process/Processing,” “Personal Data,” “Controller,” “Processor,” etc., have the meanings under GDPR.

3. Confidentiality; Personnel
Rocket will ensure that personnel authorized to Process Customer Personal Data are subject to confidentiality obligations and receive appropriate privacy/security training.

4. Security
4.1 Measures. Rocket maintains appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, including the controls summarized in Schedule D (Security Overview) to the Agreement and restated in Annex II (e.g., TLS in transit; AES‑256 at rest; RBAC; SSO/MFA for admins; logging/monitoring; backups; vulnerability management; DR/BCP; secure SDLC).
4.2 Compliance. Rocket will regularly assess these measures and may update them, provided updates do not materially decrease overall protection.

5. Sub‑processors
5.1 Authorization. Customer authorizes Rocket to engage Sub‑processors to support the Service. Current Sub‑processors are listed at: https://www.rocketalumnisolutions.com/subprocessors (the “Sub‑processor Page”).
5.2 Onboarding. Rocket will (a) impose data‑protection terms on Sub‑processors no less protective than this DPA, and (b) remain liable for their performance.
5.3 Changes & Objection. Rocket will post updates to the Sub‑processor Page and, where materially new processing is introduced, provide notice (email or dashboard). Customer may object on reasonable data‑protection grounds within 10 days; the parties will discuss in good faith. If unresolved, Customer may terminate the affected Service (not the entire Agreement) with a pro‑rata refund for prepaid, unused fees.

6. Data Subject Requests; Assistance
Taking into account the nature of the Processing, Rocket will assist Customer by appropriate technical and organizational measures, insofar as possible, to respond to requests to exercise rights of Data Subjects (access, correction, deletion, portability, restriction, objection) under Data Protection Laws. Where requests are made directly to Rocket, Rocket will, where permitted, promptly forward them to Customer.

7. Breach Notification
Rocket will notify Customer without undue delay and in any event within 72 hours after confirming a Personal Data Breach involving Customer Personal Data. The notice will include details known at the time (nature of the incident, categories and approximate number of Data Subjects and records concerned, likely consequences, and measures taken or proposed). Rocket will keep Customer reasonably informed and cooperate with Customer’s reasonable remediation efforts.

8. Audits; Information
8.1 Reports. Upon request (no more than annually and subject to confidentiality), Rocket will provide available third‑party reports or summaries regarding its controls (e.g., SOC 2, penetration‑test executive summaries) and complete reasonable security questionnaires.
8.2 On‑site review. If such documentation is insufficient, Customer may perform a targeted audit of Rocket’s relevant facilities and systems, no more than once per 12 months, with 30 days’ notice, during business hours, under a written audit plan that avoids disruption and protects Rocket’s and other customers’ confidentiality. Audits are at Customer’s cost unless a material violation is found.

9. Return & Deletion
At termination or expiry of the Service, Rocket will make self‑service export tools available for 30 days (unless agreed otherwise). After that window, Rocket will delete Customer Personal Data from active systems and schedule deletion from backups per retention cycles, unless law requires longer retention. On request, Rocket will certify deletion.

10. International Transfers
10.1 SCCs. Where Customer Personal Data is transferred from the EEA to a country without an adequacy decision, the parties agree the SCCs (Module 2, 2021/914), including the Docking Clause, are incorporated by reference and completed per Annex I–III.
10.2 UK Transfers. For transfers subject to UK GDPR, the UK International Data Transfer Addendum (IDTA Addendum to the EU SCCs, version B.1.0, in force 21 March 2022) is incorporated, completed as in Schedule UK.
10.3 Swiss Transfers. For transfers subject to Swiss FADP, the SCCs apply with the modifications in Schedule CH (e.g., references to GDPR read as references to FADP; FDPIC as the competent authority; Swiss courts/jurisdiction as applicable).
10.4 Supplementary Measures. Rocket implements supplementary measures described in Annex II (e.g., encryption in transit/at rest, access controls, and internal policies) and will challenge government access requests where legally permissible.

11. Compliance; DPIAs; Cooperation
Rocket will provide Customer with information necessary to demonstrate compliance and to support data protection impact assessments and consultations with supervisory authorities, considering the nature of Processing and available information.

12. CCPA/CPRA and U.S. State Privacy Laws
To the extent Customer Personal Data is subject to U.S. State Privacy Laws (e.g., CPRA), Rocket acts as Service Provider/Contractor:
(a) Processes Customer Personal Data only to perform the Service and as permitted by law;
(b) No selling or sharing of Personal Information; no cross‑context behavioral advertising;
(c) No combining Customer Personal Data with other data except as permitted (e.g., to detect security incidents, maintain/improve the Service, or as directed by Customer);
(d) Assists with consumer requests and provides reasonable cooperation for assessments; and
(e) Certifies it understands and will comply with these restrictions.

13. De‑identified/Aggregated Data; Telemetry
Rocket may Process de‑identified or aggregated data derived from Customer’s use for Service operations, security, and improvement. Rocket will not attempt to re‑identify de‑identified data and will maintain safeguards consistent with CPRA §1798.140(m).

14. Order of Precedence; Conflicts
If there is a conflict between this DPA and the Agreement, this DPA controls to the extent of the conflict with respect to Processing of Customer Personal Data. If there is a conflict between this DPA and the SCCs, the SCCs control for EEA/UK/Swiss transfers.

15. Liability
Liability under this DPA is as set out in the Agreement. Nothing in the SCCs reduces the rights of Data Subjects or the powers of supervisory authorities.

16. Miscellaneous
Electronic acceptance logs or countersignature may evidence agreement to this DPA. The DPA may be updated to reflect regulatory changes, with notice where required.

Schedule EDU – K‑12 Student Data Addendum (FERPA/COPPA/SOPIPA‑style)
Scope. Applies when Customer is a K‑12 school, district, or state/local education agency (or a contractor acting for one) and uploads Student Data to the Service.
School Official; Educational Purpose. Rocket acts as a “school official” with a “legitimate educational interest” under FERPA, Processing Student Data only for educational purposes, under Customer’s control.
No Targeted Advertising; No Selling. Rocket will not (a) use Student Data to engage in targeted advertising, (b) build profiles other than in furtherance of the Service, or (c) sell Student Data.
Parental Rights. Customer is responsible for parental consents (including under COPPA for children under 13). Rocket will support Customer’s access/correction/deletion requests.
Data Minimization; PII in Tickets. Customer and partners will avoid including student PII in support tickets, logs, or screenshots.
Security & Breach Notice. Security and breach terms in this DPA apply. Rocket will provide prompt breach notifications to Customer; Customer handles notices to guardians and regulators unless law requires otherwise.
SOPIPA and Similar Laws. Rocket will comply with SOPIPA‑style restrictions applicable to Student Data.
Deletion on Request/Exit. Upon request or termination, Rocket will delete Student Data consistent with Section 9, except where retention is legally required.
Sub‑resellers/Partners. Customer‑authorized resellers must meet equivalent Student Data obligations; repeated violations are grounds for termination of their access.

Annex I – Description of Transfer and Processing (SCCs – Module 2)
A. List of Parties
Data Exporter (Controller): Customer (entity identified in the Agreement and Order).
Address/Contact: As stated in the Order.
Contact for privacy: As stated in the Order.
Activities: Use of the Service to operate Customer’s alumni/recognition/engagement programs and related administration.

Data Importer (Processor): Rocket Alumni Solutions, Inc.
Address: [Rocket HQ Address]
Contact for privacy/security: legal@rocketalumnisolutions.com
Activities: Provision, hosting, support, and security of the Service.

B. Description of Transfer
Categories of Data Subjects: Students; parents/guardians; alumni; donors; staff/faculty/administrators; volunteers; community members; Partner personnel (limited to business contacts).
Categories of Personal Data: Identifiers (name, email, phone, postal address), education/affiliation metadata (graduation year, school/club/team, roles), images and media submitted by Customer, usage logs, device/browser metadata, support communications.
Special Categories: Not required and should not be submitted. Any such data is incidental and at Customer’s sole discretion/instruction.
Frequency of transfer: Continuous and ad hoc as initiated by Customer during the term.
Nature and purpose: Hosting, display, search, analytics, support, security, backup, disaster recovery, and service improvement.
Retention period: As per Section 9 (return/deletion); backups per retention cycles.
Subject to onward transfers: Yes, to authorized Sub‑processors listed on the Sub‑processor Page.

C. Competent Supervisory Authority (EEA):
The authority for the EEA Member State of the Customer’s main establishment, or if none, where Data Subjects are located (per Clause 13 of the SCCs).

D. Sensitive data protections (if any submitted contrary to guidance): Access restrictions, encryption, and logging as in Annex II; no profiling for unrelated purposes.

Annex II – Technical and Organisational Measures (Article 32 GDPR)
Rocket implements, at minimum, the following measures (aligned to Schedule D of the Agreement):
Governance & Access Control: RBAC; least privilege; SSO/MFA for admin access; quarterly access reviews; background checks where lawful.
Encryption: TLS 1.2+ in transit; AES‑256 at rest; key management with strict access controls.
Network & Segmentation: Private subnets; security groups; Multi‑AZ deployments; restricted administrative endpoints; hardened bastions.
Logging & Monitoring: Centralized logs; immutable log retention windows; anomaly detection; alerting; audit trails for privileged actions.
Vulnerability & Patch Management: Automated dependency scanning (e.g., Snyk); regular OS and image patching; SLAs: Critical ≤7 days; High ≤14 days.
Secure SDLC: IaC (CDK/Terraform); code review; CI/CD with automated tests (including accessibility); secret management separate from source.
Business Continuity & Backups: MongoDB replica sets across AZs; multi‑region backup replication; backup schedule (6‑hourly/daily/weekly/monthly) with periodic restore tests; documented RPO/RTO targets.
Data Minimization & Pseudonymization: De‑identified/aggregated analytics; privacy‑by‑design review for new features.
Physical Security: AWS data centers with SOC 2/ISO 27001 certifications; no customer access.
Supplier/SaaS Management: Security reviews for Sub‑processors; contractual DPAs; continuous monitoring where available.
Incident Response: 24×7 monitoring; incident runbooks; breach notification procedures aligned to Section 7.
Training & Awareness: Onboarding and annual security/privacy training; targeted training for engineers and support.
Data Subject Request Tooling: Administrative and support workflows to export, correct, or delete records on Customer instruction.

Annex III – Sub‑processors
Current list (maintained and kept current at): https://www.rocketalumnisolutions.com/subprocessors
(Indicative categories include: AWS (IaaS/hosting), Auth0/Okta (identity/SSO), Datadog (monitoring/logs).)

Schedule UK – UK Addendum to the EU SCCs (B.1.0, 21 March 2022)
The International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner (the “UK Addendum”) is incorporated by reference. The parties agree:
Table 1 (Parties): Completed by reference to Annex I (Exporter = Customer; Importer = Rocket).
Table 2 (Selected SCCs): EU SCCs, Module 2 (Controller‑to‑Processor), including the Docking Clause; clauses and appendices per Annex I–III.
Table 3 (Appendices): As set out in Annex I–III of this DPA.
Table 4 (Ending this Addendum): Neither party may unilaterally terminate the UK Addendum except as permitted by the UK Addendum.
Governing law & courts: England and Wales for the UK Addendum.

Schedule CH – Swiss Addendum (FADP)
For transfers subject to the Swiss FADP:
References to “GDPR” in the SCCs are read to include the FADP;
The FDPIC is the competent supervisory authority;
References to “Member State” are read as “Switzerland”;
The governing law and place of jurisdiction are Switzerland where required;
Where both GDPR and FADP apply, protections are cumulative and interpreted to provide the higher level of protection.

Data Location; Contacts
Primary Hosting Location: United States (AWS U.S. regions).
Privacy Contact: legal@rocketalumnisolutions.com
Security Contact: security@rocketalumnisolutions.com (or via support portal)

Signatures
This DPA is incorporated by reference into the Agreement. Where a signature is required by law, it may be executed electronically or by online acceptance.

Customer (Controller)
Name: ____________________________ Title: _______________ Date: __________

Rocket Alumni Solutions, Inc. (Processor)
Name: ____________________________ Title: _______________ Date: __________