Data Processing Agreement

Last updated: March 1, 2026 · For B2B customers processing personal data of their end-users

Data Processor: Hostao LLC, 30 N Gould St, Ste 4000, Sheridan, Wyoming 82801, USA
DPA Contact: dpa@roadmapr.in
Note: This DPA is incorporated into and governed by the Roadmapr Terms of Service.

1. Definitions

Data Controller ("Customer"): The Roadmapr customer who determines the purpose and means of processing personal data.
Data Processor ("Hostao"): Hostao LLC, which processes personal data on behalf of the Customer via Roadmapr.
Data Subjects: End-users of the Customer's product who interact with the Customer's Roadmapr public roadmap.
Processing: Any operation on personal data including collection, storage, retrieval, and deletion.

2. Subject Matter & Duration

This DPA governs the processing of personal data of the Customer's end-users by Hostao LLC in connection with providing the Roadmapr Service. The duration of this DPA corresponds to the Customer's subscription term, plus 90 days following termination (for data retention and deletion obligations).

3. Nature & Purpose of Processing

Hostao processes the following data on behalf of the Customer:

Email addresses and names of end-users who vote on features or submit feedback
OAuth tokens (Google) if end-users choose Google sign-in
Vote history and feature submissions per user
IP addresses (anonymized within 30 days) for fraud prevention

Processing is performed for the purpose of: enabling feature voting; preventing duplicate votes; notifying users of feature status changes (with their consent); and providing the Customer with engagement analytics.

4. Hostao's Obligations

Hostao agrees to:

Process personal data only on documented instructions from the Customer
Ensure staff with access to personal data are bound by confidentiality obligations
Implement and maintain appropriate technical and organizational security measures (Article 32 GDPR)
Not engage new sub-processors without the Customer's prior written consent
Assist the Customer in fulfilling data subject requests (access, deletion, portability)
Notify the Customer within 72 hours of becoming aware of a personal data breach
Delete or return all personal data at the end of the processing relationship
Provide all information necessary to demonstrate compliance with this DPA

5. Sub-Processors

Hostao uses the following approved sub-processors:

Vercel Inc.USA/EUHosting & CDN

SupabaseEU (Frankfurt)Database & Authentication

Cloudflare Inc.USA/EUDDoS protection, CDN

ResendUSATransactional Email

RazorpayIndiaPayment Processing (INR)

StripeUSA/EUPayment Processing (USD)

6. International Transfers

Where personal data is transferred from the EU/EEA to the USA, Hostao relies on Standard Contractual Clauses (SCCs, 2021 version) as the legal transfer mechanism. A copy of our SCCs is available upon request at dpa@roadmapr.in.

7. Security Measures

Hostao implements the following technical and organizational measures: TLS 1.3 encryption in transit; AES-256 encryption at rest; role-based access controls; multi-factor authentication for staff; regular security audits; automated vulnerability scanning; and an incident response procedure.

8. Requesting a Signed DPA

Enterprise customers (Business plan) may request a countersigned DPA. Email dpa@roadmapr.in with your company name and the account email. We will respond within 5 business days with a signed DPA PDF.

9. Governing Law

This DPA is governed by the laws of the State of Wyoming, USA, and is subject to the dispute resolution provisions in the Roadmapr Terms of Service.