Data Processing Agreement
1. Purpose and Scope
This Data Processing Agreement ("DPA") forms part of the Master Services Agreement between RollCall Safety Solutions Pty Ltd ("Processor") and the subscribing educational institution ("Controller"). It sets out the terms under which RollCall processes personal data on behalf of the Controller in connection with the provision of school bus management services.
This DPA applies to all personal data processed by RollCall on behalf of the Controller, including student data, parent/guardian data, and staff data necessary for the delivery of services.
2. Definitions
In this DPA, the following terms have the meanings set out below:
- "Personal Data" means any information relating to an identified or identifiable natural person
- "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion
- "Data Breach" means a breach of security leading to accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of Personal Data
- "Sub-processor" means any third party engaged by RollCall to process Personal Data on behalf of the Controller
3. Obligations of the Processor
RollCall shall:
- Process Personal Data only on documented instructions from the Controller
- Ensure that persons authorised to process Personal Data are subject to confidentiality obligations
- Implement appropriate technical and organisational security measures
- Assist the Controller in responding to data subject requests
- Notify the Controller without undue delay upon becoming aware of a Data Breach
- Delete or return all Personal Data upon termination of services, at the Controller's election
- Make available all information necessary to demonstrate compliance with this DPA
4. Security Measures
RollCall implements and maintains the following technical and organisational measures to protect Personal Data:
- ISO 27001 certified Information Security Management System (ISMS)
- Encryption of data in transit using TLS 1.2 or higher
- Encryption of data at rest using AES-256
- Role-based access controls with principle of least privilege
- Multi-factor authentication for all administrative access
- Regular vulnerability assessments and annual penetration testing
- Business continuity and disaster recovery procedures
- Employee security awareness training
5. Sub-processors
The Controller provides general authorisation for RollCall to engage sub-processors. RollCall maintains a current list of sub-processors and will notify the Controller of any intended additions or replacements at least 30 days in advance, giving the Controller the opportunity to object.
Current sub-processors include:
- Amazon Web Services (AWS) — Cloud infrastructure and data hosting
- Resend — Transactional email delivery
- Vercel — Web application hosting and content delivery
6. Data Breach Notification
In the event of a Data Breach, RollCall shall notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach. The notification shall include:
- A description of the nature of the breach, including categories and approximate number of affected data subjects
- The name and contact details of RollCall's data protection contact
- A description of the likely consequences of the breach
- A description of measures taken or proposed to address the breach and mitigate its effects
7. Data Subject Rights
RollCall shall assist the Controller in fulfilling its obligations to respond to data subject access requests and other rights requests. RollCall provides administrative tools within the platform that enable Controllers to access, rectify, and delete personal data.
8. International Transfers
RollCall stores data in the region appropriate to each customer. Where transfers of Personal Data outside the Controller's jurisdiction are necessary, RollCall shall ensure appropriate safeguards are in place, including Standard Contractual Clauses where applicable.
9. Audit Rights
RollCall shall make available to the Controller all information necessary to demonstrate compliance with this DPA. The Controller may conduct audits, including inspections, no more than once per year with at least 30 days' prior written notice. RollCall's ISO 27001 certification and associated audit reports may be relied upon as evidence of compliance with security obligations.
10. Term and Termination
This DPA shall remain in effect for the duration of the Master Services Agreement. Upon termination, RollCall shall, at the Controller's election, return or securely delete all Personal Data within 90 days, and provide written confirmation of deletion upon request.
