Data Processing Agreement (DPA)

marketing.legal.lastUpdated: 2025-02-20

1. Roles and subject matter

For the processing of personal data described in this DPA, you are the data controller (or, where applicable, a processor to your own controller) and we act as data processor (or sub-processor, where applicable).

This DPA sets out the parties’ obligations regarding our processing of personal data on your behalf in connection with the provision of the DinerOps Service. Details of the processing (subject matter, duration, nature, purposes, categories of data subjects and personal data) are set out in Annex 1.

2. Duration

This DPA applies for as long as we process personal data on your behalf under the main agreement, and thereafter for as long as we retain such personal data in accordance with section 10 of this DPA.

3. Documented instructions

We will process personal data only on your documented instructions, including with regard to transfers of personal data to a third country or an international organisation, unless we are required to do so by EU or Member State law to which we are subject. In such a case, we will inform you of that legal requirement before processing, unless the law prohibits us from doing so.

The main agreement, this DPA, your configuration of the Service and any other documented instructions you provide constitute your instructions. If we consider that an instruction infringes the GDPR or other applicable data protection laws, we will inform you without undue delay.

4. Confidentiality

We will ensure that persons authorised to process personal data on our behalf have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality and that access to personal data is limited to those individuals who need such access for the purposes of the agreement.

5. Security of processing

Taking into account the state of the art, costs of implementation, and the nature, scope, context and purposes of processing, as well as the risks to data subjects, we will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

These measures are described in Annex 2 (Technical and Organisational Measures) and may include, as appropriate: access control and authentication, encryption, backup and recovery procedures, logging and monitoring, vulnerability management, staff training and security policies. We may update these measures from time to time, provided that such updates do not materially reduce the level of protection.

6. Subprocessors

You provide us with a general written authorisation to engage subprocessors for the processing of personal data. A current list or description of our subprocessors is made available in this DPA and related documentation, or on request from support@dinerops.com.

We will inform you of any intended changes concerning the addition or replacement of subprocessors by updating the subprocessor list and, where feasible, by email or through the Service. You may object to such changes on reasonable grounds relating to data protection by notifying us within 14 days of being informed.

If you object and we cannot in good faith agree on a solution within a reasonable period, you may terminate the affected part of the Service to the extent it cannot reasonably be provided without the subprocessor and receive a pro-rated refund of prepaid fees for the remaining term of the affected Service.

We will ensure that our subprocessors are bound by written contracts imposing data protection obligations that are no less protective than those set out in this DPA, including obligations regarding security, confidentiality, assistance and international transfers. We remain fully liable to you for the performance of our subprocessors’ obligations.

7. Assistance to the customer

Taking into account the nature of the processing, we will assist you by appropriate technical and organisational measures, insofar as possible, for the fulfilment of your obligation to respond to data subject requests under Chapter III of the GDPR.

If a data subject request is made directly to us and identifies you as controller, we will promptly inform you and will not respond directly without your instructions, except to acknowledge receipt or as required by law.

Taking into account the nature of processing and the information available to us, we will also assist you in ensuring compliance with your obligations under Articles 32 to 36 GDPR, including with respect to security of processing, data breach notifications, data protection impact assessments and prior consultations with supervisory authorities.

8. Personal data breaches

In the event of a personal data breach affecting personal data processed on your behalf, we will notify you without undue delay after becoming aware of the breach. Such notification will include, to the extent reasonably available:

  • a description of the nature of the breach, including, where possible, the categories and approximate number of data subjects and records concerned;
  • the likely consequences of the breach; and
  • the measures taken or proposed to address the breach and mitigate its possible adverse effects, and a contact point for further information.

Where and insofar as it is not possible to provide all information at the same time, the information may be provided in phases without undue further delay. You are responsible for assessing whether to notify the relevant supervisory authority and affected data subjects and for making such notifications where required.

9. International transfers

We will only transfer personal data to a third country or international organisation outside the EU/EEA on your documented instructions or as necessary to provide the Service, and always in compliance with Chapter V GDPR.

Where personal data is transferred outside the EU/EEA to a country not subject to an adequacy decision, we will ensure appropriate safeguards, such as Standard Contractual Clauses approved by the European Commission and any additional measures required by law. Details of such transfer mechanisms are described in our data protection documentation and are available on request from support@dinerops.com.

10. Return and deletion of personal data

Upon termination or expiry of the main agreement, you may export customer data as described in the Terms of Service. Within a reasonable time after termination and subject to the data export period in the Terms of Service, we will delete personal data from active systems or irreversibly anonymise it, unless EU or Member State law requires storage of the data.

We may retain personal data in backups for a limited period beyond the time limits above, but will ensure that such data is isolated from further active processing and is securely deleted in accordance with scheduled backup rotation. Upon your written request, we will provide written confirmation that deletion has been completed in accordance with this section.

11. Audits and inspections

We will make available to you all information reasonably necessary to demonstrate compliance with our obligations under Article 28 GDPR and this DPA, including relevant third-party audit reports or certifications, if available.

You or an independent auditor mandated by you may, no more than once per year and with at least 30 days’ prior written notice, conduct an on-site audit of our processing facilities relevant to the Service, where such audit is limited in scope and duration to what is necessary to verify compliance, does not unreasonably interfere with our business and is subject to appropriate confidentiality obligations.

Before an on-site audit, the parties will agree in writing on the scope, timing and duration. You will bear your own costs and reimburse us for reasonable time and materials spent in connection with the audit. Where we provide sufficient recent third-party audit reports that demonstrate compliance with this DPA, you agree to first review such reports before requesting an on-site audit.

12. Liability and order of precedence

The liability provisions in the main agreement apply to this DPA. Any limitations of liability in the main agreement apply to our obligations under this DPA to the maximum extent permitted by applicable law. Nothing in this DPA limits either party’s liability under Articles 82 and 83 GDPR where such limitation is not permitted by law.

In case of conflict between this DPA and the main agreement, this DPA prevails with respect to the subject matter of personal data processing. Otherwise, the main agreement remains in full force and effect.

Annex 1 – Details of processing

Subject matter: Processing of personal data as necessary to provide the DinerOps Service (restaurant reservations management, floor plan, work hours, analytics and related features) to you.

Duration: For the term of the main agreement and any data retention period described in section 10 of this DPA and in the Terms of Service.

Nature and purpose: Hosting and storage of customer data; collection, recording, organisation and structuring of data; retrieval, consultation and use in the context of the Service; transmission to integration partners on your instructions; deletion or anonymisation at the end of the retention period; security monitoring, logging and incident response.

Types of personal data (depending on your use of the Service) may include: contact details of restaurant guests (name, phone, email), reservation details (date, time, party size, notes), work hours data about staff (names, shifts, roles), user account data (names, emails, roles) and technical identifiers (IP addresses, logs). You should not knowingly upload special categories of personal data or criminal offence data unless expressly agreed in writing.

Categories of data subjects include: restaurant guests and prospective guests, your staff and contractors, and your administrative users of the Service.

Annex 2 – Technical and organisational measures

We implement, among others, the following categories of technical and organisational measures (TOMs). A more detailed description is available in our security and data protection documentation, including this DPA:

  • access control and authentication (role-based access, strong authentication for administrative access, least-privilege principles);
  • physical security via reputable data centre or cloud providers with physical access controls;
  • network and application security (firewalls, encryption in transit, secure software development and patching processes);
  • data protection (logical separation of customer data, backups and recovery procedures, encryption at rest where appropriate);
  • monitoring and logging of relevant events and unusual activity;
  • incident management procedures for identifying, assessing and responding to security incidents;
  • personnel security and regular security and privacy training; and
  • vendor management and business continuity / disaster recovery planning.

Annex 3 – Subprocessors

A current list or description of subprocessors engaged in the processing of personal data on your behalf is available in our documentation or on request from support@dinerops.com. The list indicates the subprocessor’s name, location and the nature of the services provided.