Data Processing Agreement

Data Processing Agreement

Last Updated: November 20, 2024

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between lojix ("Data Processor" or "we") and Restaurant Partners ("Data Controller" or "you") and governs the processing of personal data in compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA).

2. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person
  • "Processing" means any operation performed on Personal Data
  • "Data Subject" means the individual to whom Personal Data relates
  • "Data Controller" means the entity that determines the purposes and means of processing
  • "Data Processor" means the entity that processes data on behalf of the Controller
  • "Sub-processor" means any processor engaged by the Data Processor

3. Scope and Roles

3.1 Data Controller Responsibilities

Restaurant Partners (Data Controllers) are responsible for:

  • Determining the purposes and means of processing Personal Data
  • Ensuring lawful basis for processing
  • Providing privacy notices to Data Subjects
  • Obtaining necessary consents
  • Responding to Data Subject requests
  • Ensuring data accuracy

3.2 Data Processor Responsibilities

lojix (Data Processor) is responsible for:

  • Processing Personal Data only on documented instructions
  • Implementing appropriate security measures
  • Assisting with Data Subject requests
  • Maintaining records of processing activities
  • Notifying of data breaches
  • Deleting or returning data upon termination

4. Data Processing Details

4.1 Nature and Purpose of Processing

We process Personal Data for the following purposes:

  • Order processing and fulfillment
  • Payment processing
  • Customer communication
  • Analytics and reporting
  • Customer support
  • Marketing (with consent)
  • Fraud prevention and security

4.2 Types of Personal Data

  • Contact information (name, email, phone)
  • Delivery addresses
  • Payment information
  • Order history and preferences
  • Device and usage data
  • Location data
  • Dietary preferences and restrictions

4.3 Categories of Data Subjects

  • Restaurant customers
  • Website visitors
  • App users
  • Restaurant staff (for admin panel users)

4.4 Duration of Processing

Personal Data will be processed for the duration of the service agreement and retained as specified in our Privacy Policy or as required by law.

5. Data Security Measures

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

5.1 Technical Measures

  • Encryption of data in transit (TLS/SSL)
  • Encryption of data at rest
  • Secure authentication and access controls
  • Regular security testing and vulnerability assessments
  • Intrusion detection and prevention systems
  • Secure backup and disaster recovery procedures

5.2 Organizational Measures

  • Staff training on data protection
  • Confidentiality agreements with employees
  • Access control policies (need-to-know basis)
  • Incident response procedures
  • Regular security audits
  • Data protection impact assessments

6. Sub-processors

6.1 Authorized Sub-processors

We may engage the following categories of sub-processors:

  • Cloud Hosting: Vercel, AWS, Google Cloud
  • Payment Processing: Stripe, PayPal
  • Analytics: Google Analytics
  • Email Services: SendGrid, Mailchimp
  • Customer Support: Zendesk, Intercom
  • Database: PostgreSQL (hosted on secure infrastructure)

6.2 Sub-processor Requirements

All sub-processors must:

  • Provide sufficient guarantees of data protection
  • Enter into written agreements with equivalent obligations
  • Comply with GDPR and other applicable regulations
  • Implement appropriate security measures

6.3 Changes to Sub-processors

We will notify Data Controllers of any intended changes to sub-processors at least 30 days in advance. Controllers may object to new sub-processors within 14 days of notification.

7. Data Subject Rights

We will assist Data Controllers in fulfilling Data Subject requests, including:

  • Right of Access: Provide copies of Personal Data
  • Right to Rectification: Correct inaccurate data
  • Right to Erasure: Delete Personal Data ("right to be forgotten")
  • Right to Restriction: Limit processing of data
  • Right to Data Portability: Transfer data to another controller
  • Right to Object: Object to certain processing activities
  • Rights Related to Automated Decision-Making: Human review of automated decisions

We will respond to Data Subject requests within 30 days and provide necessary technical assistance to Data Controllers.

8. Data Breach Notification

8.1 Notification Procedure

In the event of a personal data breach, we will:

  • Notify Data Controllers without undue delay (within 72 hours)
  • Provide details of the breach, including:
    • Nature of the breach
    • Categories and approximate number of affected Data Subjects
    • Likely consequences
    • Measures taken or proposed to address the breach
  • Assist in notifying supervisory authorities if required
  • Assist in notifying affected Data Subjects if required

8.2 Breach Response

  • Immediate containment and investigation
  • Documentation of the breach and response
  • Implementation of remedial measures
  • Review and update of security measures

9. International Data Transfers

Personal Data may be transferred to and processed in countries outside the European Economic Area (EEA). We ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions by the European Commission
  • Privacy Shield certification (where applicable)
  • Binding Corporate Rules

10. Audits and Compliance

10.1 Audit Rights

Data Controllers have the right to:

  • Request information about our processing activities
  • Conduct audits or inspections (with reasonable notice)
  • Review security certifications and audit reports
  • Verify compliance with this DPA

10.2 Compliance Documentation

We maintain records of processing activities and make available upon request:

  • Security certifications (SOC 2, ISO 27001)
  • Third-party audit reports
  • Data processing records
  • Sub-processor agreements

11. Data Deletion and Return

Upon termination of services or at Data Controller's request, we will:

  • Delete or return all Personal Data within 30 days
  • Delete existing copies (unless legally required to retain)
  • Provide certification of deletion upon request
  • Ensure sub-processors also delete or return data

Exception: Data may be retained if required by law or for legitimate business purposes (e.g., tax records, legal disputes).

12. Liability and Indemnification

Each party shall be liable for damages caused by processing that infringes GDPR or other data protection laws. The Data Processor is liable for damages caused by:

  • Failure to comply with GDPR obligations
  • Acting outside or contrary to lawful instructions
  • Negligence or willful misconduct

13. Term and Termination

This DPA remains in effect for the duration of the service agreement. Either party may terminate this DPA if the other party:

  • Materially breaches the DPA
  • Fails to cure the breach within 30 days of notice
  • Becomes subject to insolvency proceedings

14. Data Protection Officer

For data protection inquiries, please contact our Data Protection Officer:

Email: dpo@cliptap.shop

Privacy: privacy@cliptap.shop

Address: ClipTap Data Protection Officer

Privacy PolicyTerms of ServiceCookie Policy