Data Processing Addendum

Last updated: June 24, 2026

This Data Processing Addendum is part of the TvRMM Terms of Service when TvRMM processes Customer Data for a customer. It is written for the normal hosted SaaS model: the customer decides what endpoints, users, scripts, logs, policies, and operational workflows to use; TvRMM processes that data to provide the service.

TvRMM does not process Customer Data with AI systems by default. Future AI-based features must be explicit opt-in and are intended to use customer-controlled provider keys, so the customer controls whether AI is enabled and which provider account handles the data.

1. Roles

For Customer Data, the customer is usually the controller or processor, and vanRoojen LLC is usually the processor or subprocessor. For TvRMM account administration, billing, security, abuse prevention, product analytics, tax, and legal records, vanRoojen LLC may act as an independent controller.

2. Customer instructions

TvRMM will process Customer Data according to:

the Terms of Service;
this DPA;
customer configuration in the portal;
documented product behavior;
lawful written instructions from authorized customer personnel.

TvRMM may decline instructions that are unlawful, unsafe, technically unsupported, outside the service, or inconsistent with the Agreement.

3. Subject matter and duration

The subject matter is hosted RMM service operation. Processing lasts for the term of the customer account and any wind-down, retention, backup, legal, billing, security, or deletion period described in the Agreement.

4. Categories of data

Customer Data may include:

tenant, organization, user, role, and preference records;
endpoint identifiers, agent identifiers, hostnames, operating system facts, hardware, software, storage, network, package, and service metadata;
patch, reboot, script, terminal, command, update, cleanup, and policy records;
logs, performance samples, audit snapshots, and event records;
homelab host and guest inventory;
support records, feature requests, exports, deletion requests, and billing metadata.

Customers should avoid submitting secrets, health data, payment card data, government identifiers, children's data, or regulated special-category data unless the use case is expressly supported and legally approved.

5. Processing purposes

TvRMM processes Customer Data to provide, secure, support, bill, monitor, troubleshoot, improve, and document the service; enforce customer roles; execute customer instructions; produce exports; support cancellation wind-down; investigate abuse; and comply with law.

6. Confidentiality

TvRMM personnel and contractors with access to Customer Data must be subject to confidentiality obligations. Access should be limited to people with a business need and appropriate authorization.

7. Security measures

TvRMM maintains administrative, technical, and organizational controls appropriate for the service, including:

session authentication and role-scoped authorization;
outbound agent communications using certificate-based identity where supported;
certificate revocation and deleted-endpoint rejection paths;
tenant and organization scoping;
logged support access and operational activity where technically available;
encrypted transport for portal and agent traffic;
access control for production systems;
backup, monitoring, and incident response practices.

Security measures may evolve as the service changes.

8. Subprocessors

TvRMM may use subprocessors listed in the Subprocessor List. TvRMM remains responsible for subprocessor performance under this DPA. TvRMM will maintain a public list and use reasonable notice for material new subprocessors where practical.

9. Data subject requests

If TvRMM receives a privacy request about Customer Data where the customer is the controller, TvRMM may direct the requester to the customer or assist the customer where the portal, export, deletion workflow, or support process allows.

10. Deletion and return

Tenant owners may export Customer Data and request deletion through customer-facing workflows where available. TvRMM will delete or return Customer Data according to the Agreement and Data Retention and Deletion Policy, unless retention is required for billing, legal, tax, security, abuse-prevention, backup, or audit reasons.

11. Security incidents

TvRMM will notify affected customers without undue delay after confirming a security incident involving Customer Data, unless law enforcement or legal obligations require delay. Notices should include known facts, affected data types, mitigation steps, and customer actions where available.

12. Audit and information

TvRMM will provide reasonable information about security, subprocessors, and processing practices through public policies, documentation, support responses, or security review materials. Customer audit requests must be reasonable, non-disruptive, scoped to the service, and subject to confidentiality.

13. International transfers

Customer Data may be processed in the United States and other locations where subprocessors operate. Where required by applicable law, TvRMM will use appropriate transfer mechanisms, such as standard contractual clauses or equivalent safeguards made available by relevant providers.

14. Conflict

If this DPA conflicts with the Terms of Service, this DPA controls only for the processing of Customer Data as processor or subprocessor.

1. Roles​

2. Customer instructions​

3. Subject matter and duration​

4. Categories of data​

5. Processing purposes​

6. Confidentiality​

7. Security measures​

8. Subprocessors​

9. Data subject requests​

10. Deletion and return​

11. Security incidents​

12. Audit and information​

13. International transfers​

14. Conflict​