1. Scope
This Data Processing Agreement (DPA) applies when we process personal data on your behalf as part of the DinerOps Service. You are the data controller; we act as data processor. This DPA is part of, or incorporated by reference into, the Terms of Service and Privacy Policy.
2. Roles and instructions
We process personal data only on your documented instructions (including via the Service and these terms). We will not use the data for our own purposes except as necessary to provide the Service or as required by law. If we are required by law to process data beyond your instructions, we will inform you unless prohibited.
3. Confidentiality and security
We ensure that persons authorized to process the data are bound by confidentiality. We implement appropriate technical and organizational measures to protect the data (e.g. encryption, access controls, secure hosting). We will assist you in ensuring compliance with your obligations regarding security and data breach notification, in line with the Service and applicable law.
4. Subprocessors
We may engage subprocessors (e.g. cloud hosting, email delivery, database services) to provide the Service. We use subprocessors that provide sufficient guarantees for the protection of personal data. We remain liable to you for the performance of subprocessors. Key subprocessors include infrastructure and hosting providers; a current list is available on request or in our documentation.
5. Data subject rights
We will assist you in responding to requests from data subjects (e.g. access, rectification, erasure, restriction, portability). To the extent such requests are received by us, we will forward them to you or handle them in accordance with your instructions and the functionality of the Service.
6. Audits and compliance
We will make available to you information necessary to demonstrate compliance with this DPA. You may audit our compliance (or use third-party auditors under confidentiality) at reasonable intervals or when required by law, subject to reasonable notice and not disrupting our operations.
7. Data return and deletion
At the end of the service relationship, we will delete or return personal data in our possession in accordance with your instructions and the Service’s data export/deletion options, unless we are required to retain data by law.
8. International transfers
Where we or our subprocessors transfer data outside the EEA, we ensure appropriate safeguards (e.g. adequacy decision, standard contractual clauses) in accordance with GDPR Chapter V.
9. Contact
For DPA or data protection matters, contact us at support@dinerops.com or the address on our website.