Customer Data Protection Policy

1. Purpose

This Data Protection Policy defines NewRocket’s commitments and controls relating to the protection of Personal Data in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”). The policy isdesigned to clearly articulate NewRocket’s role as a Sub‑Processor and to document the responsibilities retained by the Customer as Data Controller.

2. Scope

This policy applies to all services provided by NewRocket where Customer environments, systems, or applications may contain Personal Data subject to GDPR.

This policy applies regardless of whether Personal Data is accessed directly, indirectly, or incidentally during the performance of services.

3. Role Under GDPR

3.1 Newrocket Role – Sub‑Processor

NewRocket acts solely as a Sub‑Processor on behalf of the Customer and:

  • Does not determine the purposes or means of processing Personal Data
  • Acts only on documented instructions from the Customer
  • Has no independent rights to Personal Data

3.2 Customer Role – Data Controller

The Customer is the Data Controller and retains full responsibility for:

  • Determining the lawful basis for processing
  • Identifying and naming Data Subjects
  • Defining processing purposes
  • Managing and governing Master Data
  • Ensuring compliance with GDPR obligations toward Data Subjects

3.3 Specific Exclusions

The following items are specifically out of scope as defined in this document by NewRocket

1.    Data Processing of Customer Data

2.    Data Storage of Customer Data

3.    Data Backup and Recovery of Customer Data

4.    Platform Availability of any Customer Systems including customer cloud hosted SaaS environment(s) or other Customer contracted systems and any Recovery Time Objective (RTO) and Recovery Point Objectives (RPO) of any customer systems.

5.    Security, availability, utility and warranty of any customer systems

4. Data Handling Principles

NewRocket’s services are structured so that NewRocket does not:

  • Store Personal Data
  • Host Personal Data
  • Control Personal Data
  • Manage Personal Data
  • Process Personal Data as a business function

Any potential access to Personal Data is:

  • Incidental
  • Temporary
  • Limited to what is strictly necessary to perform contracted services
  • Managed, governed and authorized by the Customer to authorized NewRocket staff.

No Personal Data is copied, retained, or extracted outside Customer‑controlled systems.

5. Access Controls

  • Access to Customer systems is granted on a least‑privilege basis by customer to NewRocket Staff performing Services
  • Access is limited to authorized personnel with a documented business need as allowed by the customer
  • Multi‑factor authentication and strong credential controls are enforced by the customer
  • Access is reviewed periodically and revoked when no longer required by NewRocket informing the customer if any staff have changed

6. Data Security Measures

NewRocket implements appropriate technical and organizational safeguards for its Data and Systems and equipment accessing Customer Systems only, including:

  • Logical access restrictions
  • Secure workstation and endpoint controls
  • Encryption in transit where supported by Customer systems
  • Logging and monitoring of authorized access
  • Secure deletion of any transient or cached data generated during support activities

7. Training and Awareness

  • All NewRocket personnel receive data protection and privacy training
  • Training includes GDPR principles, confidentiality obligations, and secure handling practices
  • Training is refreshed periodically and upon material regulatory change

8. Data Subject Rights

NewRocket does not independently receive or respond to Data Subject requests.

Where required, NewRocket will reasonably assist the Customer in fulfilling Data Subject rights requests (including access, rectification,erasure, restriction, or objection), solely under the Customer’s instructions and to the extent technically feasible.

9. Incident Management

  • NewRocket maintains a documented Security Incident Response process for its systems
  • Any confirmed or suspected incident involving Customer Personal Data is promptly escalated to the Customer
  • NewRocket cooperates fully with Customer‑led investigations, remediation, and regulatory notifications

10. Sub‑Processing and Third Parties

NewRocket does not engage additional sub‑processors to access Customer Personal Data without appropriate contractual and Customer‑approved safeguards.

11. Audits and Assurance

  • NewRocket maintains internal controls to support GDPR compliance
  • Upon reasonable request, NewRocket will provide compliance information or participate in audits as contractually agreed
  • Audit activities must not compromise security or confidentiality obligations

12. Data Retention and Deletion

  • NewRocket does not retain Personal Data beyond the duration of authorized access if explicitly requested by customer
  • Any temporary or incidental data exposure is terminated immediately upon completion of services
  • No Personal Data is archived or backed up by NewRocket systems

13. Contractual Alignment

This policy operates in conjunction with:

  • Data Processing Agreements (DPAs)
  • Master Services Agreements (MSAs)
  • Customer‑specific security or privacy addenda

In the event of conflict, contractual terms agreed with the Customer shall prevail.

14. Policy Review

This policy is reviewed periodically and updated as necessary to reflect regulatory changes, contractual obligations, or operational adjustments.

15. Terms and Definitions

Data Controller
The entity that determines the purposes and means of processing Personal Data.Under this policy, the Customer acts as the Data Controller.

Data Processor
An entity that processes Personal Data on behalf of the Data Controller.

Sub‑Processor
An entity engaged by a Data Processor to perform specific processing activities on behalf of the Data Controller. NewRocket acts as a Sub‑Processor.

Personal Data
Any information relating to an identified or identifiable natural person as defined under GDPR Article 4(1).

Data Subject
An identified or identifiable natural person whose Personal Data is processed.

Customer Systems

AnySystem hosting customer data as defined by Customer and congruent with Customer’s Role as a Controller

Processing
Any operation performed on Personal Data, whether automated or not, including collection, storage, use, disclosure, or deletion.

Master Data
Authoritative data sets owned, governed, and maintained by the Data Controller. Responsibility for Master Data rests exclusively with the Customer.

GDPR
Regulation (EU) 2016/679 – the General Data Protection Regulation

Talk to a human