Data Processing Agreement
Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service between DoughOps ("Processor," "we," "us") and the customer ("Controller," "you") who agrees to the Terms of Service.
This DPA applies to the extent that we process Personal Data on your behalf in providing the DoughOps service, and such processing is subject to applicable Data Protection Laws.
1. Definitions
- "Data Protection Laws" means all applicable privacy and data protection laws, including GDPR, CCPA, and similar regulations.
- "GDPR" means the General Data Protection Regulation (EU) 2016/679.
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed by us on your behalf.
- "Processing" means any operation performed on Personal Data, such as collection, storage, use, disclosure, or deletion.
- "Sub-processor" means any third party engaged by us to process Personal Data on your behalf.
- "Data Subject" means the individual to whom Personal Data relates.
2. Scope of Processing
2.1 Subject Matter and Duration
The processing of Personal Data will be carried out for the duration of the agreement for the purpose of providing the DoughOps service, as described in our Terms of Service.
2.2 Nature and Purpose
We process Personal Data to provide production planning, sales analytics, and business intelligence services for food service businesses. This includes:
- Storing and processing business data (products, recipes, production plans)
- Analyzing sales and waste data
- Generating predictions and recommendations
- Sending notifications and reports
- Providing customer support
2.3 Types of Personal Data
The following types of Personal Data may be processed:
- Contact information (names, email addresses, phone numbers)
- Account credentials (hashed passwords)
- Business information (business name, address, operating hours)
- Usage data (log-in times, features used)
- Device information (IP addresses, browser type)
2.4 Categories of Data Subjects
- Your employees and team members
- Your business contacts (B2B customers)
3. Controller Obligations
You warrant and represent that:
- You have obtained all necessary consents and authorizations for the processing of Personal Data
- You have provided appropriate privacy notices to Data Subjects
- Your instructions to us comply with applicable Data Protection Laws
- You will use the Service in compliance with our Terms of Service and applicable laws
4. Processor Obligations
We shall:
- Process Personal Data only on your documented instructions, unless required by law
- Ensure personnel processing Personal Data are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures
- Assist you in responding to Data Subject rights requests
- Assist you with data protection impact assessments where required
- Delete or return all Personal Data upon termination of the agreement
- Make available information necessary to demonstrate compliance with this DPA
5. Security Measures
We implement appropriate technical and organizational measures to protect Personal Data, including:
- Encryption: Data encrypted in transit (TLS 1.3) and at rest (AES-256)
- Access Controls: Role-based access, multi-factor authentication for administrative access
- Infrastructure: Hosted on AWS with SOC 2 Type II compliance
- Monitoring: Continuous security monitoring and logging
- Backups: Regular encrypted backups with tested recovery procedures
- Personnel: Background checks and security training for staff with data access
6. Sub-processors
6.1 Authorization
You provide general authorization for us to engage Sub-processors to process Personal Data on your behalf. We will:
- Impose data protection obligations on Sub-processors substantially similar to this DPA
- Remain liable for Sub-processor compliance
- Maintain a list of current Sub-processors
6.2 Current Sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure and hosting | United States |
| Stripe | Payment processing | United States |
| SendGrid | Email delivery | United States |
6.3 Changes to Sub-processors
We will notify you of any new Sub-processors at least 14 days before engagement. You may object to a new Sub-processor within 14 days of notice by providing reasonable grounds related to data protection. If we cannot accommodate your objection, you may terminate the affected portions of the Service.
7. Data Subject Rights
We will assist you in responding to Data Subject requests to exercise their rights, including:
- Access to their Personal Data
- Rectification of inaccurate data
- Erasure (right to be forgotten)
- Restriction of processing
- Data portability
- Objection to processing
If we receive a request directly from a Data Subject, we will forward it to you promptly unless prohibited by law.
8. Data Breach Notification
In the event of a Personal Data breach, we will:
- Notify you without undue delay (and within 48 hours where feasible) after becoming aware of the breach
- Provide information about the nature of the breach, categories of data affected, and remediation measures
- Cooperate with your investigation and regulatory notifications
- Take reasonable steps to mitigate the effects of the breach
9. International Transfers
Personal Data may be transferred to and processed in the United States. For transfers from the EEA, UK, or Switzerland, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- AWS's certification under the EU-US Data Privacy Framework
Upon request, we will enter into the SCCs with you for the transfer of Personal Data.
10. Audits
Upon reasonable request and with at least 30 days' notice, we will:
- Make available relevant security certifications and audit reports
- Respond to reasonable written questions about our security practices
- Permit audits by you or a qualified third party (subject to confidentiality and reasonable scheduling)
Audits will be conducted at your expense and will not unreasonably disrupt our operations.
11. Term and Termination
This DPA shall remain in effect for the duration of our agreement. Upon termination:
- We will delete or return all Personal Data within 30 days, unless legally required to retain it
- We will provide certification of deletion upon request
- Backup copies will be deleted within 90 days
12. Liability
Liability arising from this DPA is subject to the limitations set forth in our Terms of Service.
13. Governing Law
This DPA shall be governed by the same law that governs our Terms of Service, except that:
- For EEA customers, GDPR provisions shall be interpreted in accordance with EU law
- For UK customers, the UK GDPR and Data Protection Act 2018 shall apply to UK Personal Data
How to Sign This DPA
For customers requiring a signed DPA:
- Email legal@doughops.com with your company details
- We will provide you with a pre-signed copy of this DPA
- Sign and return a copy to us for your records
Contact Us
For questions about this DPA or data protection matters:
- Email: dpo@doughops.com
- Legal: legal@doughops.com
This Data Processing Agreement is incorporated into and subject to our Terms of Service and Privacy Policy.