Speak Your Menu Data Processing Addendum (DPA)

Last Updated: July 15, 2025

1. Purpose & Scope

This DPA governs the Processor’s Processing of Personal Data on behalf of the Controller in connection with the Services described in the Agreement.

2. Definitions

  • Personal Data – any information relating to an identified or identifiable natural person.
  • Process/Processing – any operation performed on Personal Data (collection, storage, use, disclosure, etc.).
  • Sub-processor – any third party engaged by the Processor to Process Personal Data.

All capitalised terms not defined here have the meanings set out in the Agreement.

3. Roles of the Parties

Controller is the data controller; Processor is the data processor with respect to Personal Data processed under the Agreement.

4. Categories of Data & Data Subjects

Data Subjects: restaurant owners, managers, directors, and employees who use the Services.

Data Categories: name, business e-mail, role, lesson assignments, lesson progress and scores, badge metadata, restaurant identifiers, and log entries (UUID, action, timestamp, role, restaurant UUID).

Special Categories: none intentionally processed.

5. Processor Obligations

  • Process Personal Data only on documented instructions from Controller;
  • Ensure persons authorised to Process Personal Data are bound by confidentiality;
  • Implement the technical and organisational security measures in § 8;
  • Assist Controller in fulfilling data-subject rights requests;
  • Notify Controller without undue delay of any Personal-Data Breach;
  • Make available all information necessary to demonstrate compliance and allow reasonable audits (see § 10).

6. Sub-processors

Processor may engage the Sub-processors listed at https://speakyourmenu.com/subprocessors. Processor will notify Controller at least 10 days before adding or replacing a Sub-processor, giving Controller the right to raise reasonable objections.

7. Cross-border Transfers

Personal Data may be accessed from the United States and, on a limited basis, from other jurisdictions (e.g., an authorised engineer in Pakistan). Processor relies on Standard Contractual Clauses or equivalent safeguards for such transfers.

8. Security Measures

  • TLS 1.2/1.3 encryption in transit & AES-256 encryption at rest;
  • Role-based access controls and multi-factor authentication for privileged accounts;
  • Annual third-party penetration tests and continuous vulnerability scanning;
  • Daily encrypted backups with 30-day rotation;
  • Documented incident-response and breach-notification procedures.

9. Data-Subject Rights Assistance

Taking into account the nature of Processing, Processor will assist Controller—via appropriate technical and organisational measures—in fulfilling requests for access, correction, deletion, restriction, portability, and objection.

10. Audits

Controller may audit Processor’s compliance once per year (or more often if required by law or after a confirmed data breach) upon 30 days’ notice. Audits may be satisfied by a current SOC 2 Type II report or equivalent, or by on-site review during normal business hours.

11. Deletion or Return of Data

Upon termination of the Agreement, Processor will, at Controller’s choice, delete or return all Personal Data in its possession, except to the extent retention is required by law or necessary for legitimate business records (which will be deleted within 30 days of cessation of the legal basis).

12. Liability & Indemnification

The limitations of liability in the Agreement apply equally to this DPA. Controller shall indemnify Processor against claims arising from Processing that follows Controller’s instructions.

13. Governing Law

This DPA is governed by the same law and dispute-resolution provisions as the Agreement (Delaware law; binding arbitration).

14. Term

This DPA remains in effect as long as Processor Processes Personal Data on behalf of Controller.

Contact

Speak Your Menu, Inc.
Attn: Privacy Officer
89 Vanderbilt Ave, Apt. 1
Brooklyn, NY 11205 USA
Email: privacy@speakyourmenu.com