Data Processing Agreement
Last updated: March 2026
This Data Processing Agreement ('DPA') forms part of the Terms of Service between Elite Digital Services, LLC ('Processor', 'we') and the restaurant partner ('Controller', 'you'). It governs the processing of personal data in accordance with Regulation (EU) 2016/679 ('GDPR') and applicable data protection legislation.
1. Definitions
- Controller — the restaurant partner (User) who determines the purposes and means of processing personal data of their end customers through the FoxiFood platform.
- Processor — Elite Digital Services, LLC, which processes personal data on behalf of the Controller to provide the FoxiFood platform services.
- Data Subject — the individual whose personal data is being processed (typically the end customer placing a food order).
- Personal Data — any information relating to an identified or identifiable natural person, as defined in Article 4(1) of GDPR.
- Processing — any operation performed on personal data, including collection, storage, use, transmission, and deletion.
- Sub-processor — a third party engaged by the Processor to process personal data on behalf of the Controller.
2. Scope and Purpose of Processing
2.1. Subject Matter
The Processor processes personal data on behalf of the Controller for the purpose of providing the FoxiFood restaurant ordering platform, including hosting the Controller's ordering website, processing customer orders, managing customer accounts, and facilitating payment transactions.
2.2. Duration
The processing of personal data under this DPA shall continue for the duration of the Agreement between the Controller and the Processor. Upon termination, data shall be handled in accordance with Section 8 of this DPA.
2.3. Nature and Purpose
The nature and purpose of processing is to provide a software-as-a-service platform that enables the Controller to receive online food orders from their customers, manage orders, and process payments.
2.4. Categories of Data Subjects
- End customers of the restaurant partner (individuals placing food orders);
- Employees or representatives of the restaurant partner with access to the admin dashboard.
2.5. Types of Personal Data
- Contact data: name, email address, phone number;
- Delivery address (when applicable);
- Order data: items ordered, order amounts, order history, dietary preferences;
- Payment references: transaction IDs, payment status (card details are handled exclusively by Stripe and not stored by the Processor);
- Technical data: IP address, device information, browser data (for fraud prevention and service operation).
3. Obligations of the Processor
The Processor shall:
- Process personal data only on documented instructions from the Controller, including with regard to transfers of data to third countries, unless required to do so by applicable law;
- Ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as required by Article 32 of GDPR;
- Not engage another processor (sub-processor) without prior written authorization from the Controller, subject to Section 5 of this DPA;
- Assist the Controller in responding to Data Subject requests (access, rectification, erasure, restriction, portability, objection) within the timeframes required by GDPR;
- Assist the Controller in ensuring compliance with obligations related to data protection impact assessments and prior consultation with supervisory authorities (Articles 35 and 36 of GDPR);
- At the choice of the Controller, delete or return all personal data after the end of the provision of services, and delete existing copies unless EU or Member State law requires storage;
- Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of GDPR and allow for and contribute to audits and inspections;
- Maintain Records of Processing Activities carried out on behalf of the Controller, in accordance with Article 30(2) of GDPR;
- Implement data protection by design and by default in accordance with Article 25 of GDPR, ensuring that only personal data necessary for each specific purpose of processing is processed.
4. Security Measures
The Processor implements the following technical and organizational measures to protect personal data:
- Encryption of data in transit using TLS 1.2+ / SSL;
- Encryption of sensitive data at rest;
- Access controls with role-based permissions and multi-factor authentication for administrative access;
- Regular automated backups with minimum 30-day retention;
- Secure cloud hosting infrastructure with physical access controls (DigitalOcean);
- Regular security updates, patching, and vulnerability assessments;
- Payment processing delegated to PCI DSS Level 1 certified Stripe — no card data stored by the Processor;
- Password hashing using industry-standard cryptographic algorithms;
- Logging and monitoring of access to personal data;
- Incident response and data breach notification procedures.
5. Sub-processors
5.1. Authorized Sub-processors
The Controller hereby grants general authorization for the Processor to engage the following sub-processors:
- Stripe, Inc. — payment processing, fraud prevention (USA, PCI DSS Level 1, SCCs in place);
- DigitalOcean, LLC — cloud hosting and infrastructure (EU and USA data centers, SCCs in place);
- Brevo (Sendinblue) — transactional email delivery (France/EU).
5.2. Changes to Sub-processors
The Processor will notify the Controller of any intended changes concerning the addition or replacement of sub-processors at least 30 days in advance, giving the Controller the opportunity to object to such changes. If the Controller reasonably objects, the parties shall discuss the concerns in good faith. If no resolution is reached, the Controller may terminate the Agreement.
5.3. Sub-processor Obligations
The Processor shall ensure that each sub-processor is bound by data protection obligations no less protective than those set out in this DPA. The Processor remains fully liable to the Controller for the performance of each sub-processor's obligations.
6. Data Subject Rights
The Processor shall:
- Promptly notify the Controller if it receives a request directly from a Data Subject regarding their personal data;
- Not respond to such requests directly unless authorized by the Controller or required by law;
- Provide the Controller with reasonable assistance in fulfilling Data Subject requests, including technical measures for data access, rectification, erasure, restriction, and portability;
- Provide tools within the Service that enable the Controller to manage, export, and delete customer data independently.
7. Data Protection Impact Assessments
Where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons (Article 35 GDPR), the Controller is responsible for conducting a Data Protection Impact Assessment (DPIA). The Processor shall:
- provide the Controller with all information reasonably necessary to conduct a DPIA;
- assist the Controller with the DPIA upon reasonable request, at the Controller's expense;
- assist the Controller in prior consultation with the supervisory authority where required by Article 36 of GDPR.
The Controller must notify the Processor in advance if a DPIA indicates that the processing would result in a high risk in the absence of measures taken by the Processor.
8. Data Breach Notification
In the event of a personal data breach, the Processor shall:
- Notify the Controller without undue delay, and in any case within 72 hours after becoming aware of the breach;
- Provide the Controller with sufficient information to enable the Controller to meet its obligation to notify the supervisory authority and affected Data Subjects under Articles 33 and 34 of GDPR;
- Cooperate with the Controller and take reasonable steps to mitigate the effects of the breach;
- Document the breach including its effects and the remedial actions taken.
The breach notification shall include, to the extent available: the nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed to address the breach.
9. Data Retention and Deletion
- Upon termination of the Agreement, the Processor will provide the Controller with 30 calendar days to export all personal data through the Service's export functions;
- After the 30-day period, the Processor will delete all personal data processed on behalf of the Controller, unless retention is required by applicable law;
- Deletion will be carried out using secure methods that render data irrecoverable;
- The Processor will provide written confirmation of data deletion upon request by the Controller;
- Backup copies will be deleted according to the regular backup rotation schedule (within 30 days of the deletion request).
10. International Data Transfers
Where personal data is transferred outside the European Economic Area (EEA), the Processor ensures that appropriate safeguards are in place as required by Chapter V of GDPR, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission;
- Transfer impact assessments where required;
- Supplementary measures to ensure adequate protection of personal data.
The Processor shall inform the Controller of any legal requirements in the destination country that may impact the protection of personal data and the ability to comply with this DPA.
11. Audits and Inspections
The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with Article 28 of GDPR. The Controller may conduct audits, including inspections, either directly or through an independent third-party auditor, subject to:
- Reasonable advance notice of at least 30 calendar days;
- Audits conducted during regular business hours and in a manner that minimizes disruption;
- The auditor being bound by confidentiality obligations;
- No more than one audit per 12-month period, unless required by a supervisory authority.
12. Liability
The liability of each party under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service. Nothing in this DPA limits either party's liability for breaches of GDPR to the extent that such limitation is not permitted by applicable law.
13. EU Representative
In accordance with Article 27 of the GDPR, the Processor has appointed the following entity as its representative in the European Union:
Verteco digital services, s. r. o.
Daniela Dlabača 21, Žilina 010 01, Slovakia
Company ID (IČO): 53 412 834
For full details on the EU representative and its role, see the GDPR page in the Legal section of the FoxiFood website.
14. Contact
For questions about this Data Processing Agreement or data processing matters, contact us at: [email protected]
Elite Digital Services, LLC
1111B S Governors Ave #21653
Dover, DE 19904, USA