Brasserio Data Processing Addendum
1. Parties and Incorporation
This Data Processing Addendum (‘DPA’) forms part of the Brasserio Terms of Service or any agreement governing a Restaurant Customer’s use of the Services (the ‘Agreement’) between the Restaurant Customer (‘Customer,’ ‘Controller,’ or ‘Business’) and DevYouUp, operating Brasserio (‘Brasserio,’ ‘Processor,’ ‘Service Provider,’ ‘we,’ or ‘us’).
This DPA applies when Brasserio processes Customer Personal Data on behalf of Customer as a processor, service provider, or similar role under applicable data protection laws. If a separately signed DPA exists, that signed DPA controls to the extent of conflict.
2. Definitions
‘Applicable Data Protection Laws’ means privacy and data protection laws applicable to the processing, including where applicable the EU GDPR, UK GDPR, Data Protection Act 2018, Swiss FADP, Israeli privacy and data security laws, U.S. state privacy laws including the CCPA/CPRA, and similar laws.
‘Customer Personal Data’ means personal data processed by Brasserio on behalf of Customer through the Services, including Guest Data, restaurant operational personal data, and staff data that Customer provides for restaurant operations.
‘Security Incident’ means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.
‘Subprocessor’ means another processor engaged by Brasserio to process Customer Personal Data.
Terms such as controller, processor, data subject, personal data, processing, business, service provider, and consumer have the meanings given under Applicable Data Protection Laws.
3. Roles and Scope
Customer is the controller or business responsible for Customer Personal Data, including Guest reservations, waitlists, restaurant-managed operational data, imported customer lists, staff records configured by Customer, and restaurant settings. Brasserio processes Customer Personal Data on Customer’s behalf and under Customer’s documented instructions.
Brasserio acts as an independent controller for Brasserio account administration, billing, payment administration, fraud prevention, security, legal compliance, support, service improvement, and B2B marketing data that Brasserio determines and uses for its own business purposes. This DPA does not apply to those independent controller activities.
4. Customer Instructions
Brasserio will process Customer Personal Data only on documented instructions from Customer, including the Agreement, this DPA, Customer’s configuration of the Services, Customer’s use of the Services, support requests, and other written instructions accepted by Brasserio.
Brasserio may process Customer Personal Data without Customer instructions if required by applicable law, in which case Brasserio will inform Customer before processing unless legally prohibited.
5. Details of Processing
| Item | Details |
|---|---|
| Subject matter | Provision of Brasserio reservation, waitlist, table management, restaurant operations, guest communications, payment/deposit/hold support, dashboard, widget, mobile staff application, analytics, support, and related SaaS services. |
| Duration | For the term of the Agreement and the retention periods described in the Agreement, Privacy Policy, and this DPA. |
| Nature and purpose | Hosting, storing, transmitting, organizing, securing, displaying, analyzing, deleting, anonymizing, and otherwise processing Customer Personal Data to provide the Services and support Customer instructions. |
| Data subjects | Guests/diners, restaurant owners, administrators, employees, contractors, customer-list contacts, support contacts, and other individuals whose data Customer submits or configures in the Services. |
| Personal data categories | Names, phone numbers, emails where provided, party size, reservation/waitlist details, special requests, accessibility/dietary/allergy notes voluntarily provided, staff contact details, roles, device/push identifiers, branch/location data, payment status, tokens/transaction IDs, limited card metadata, operational logs, and support data. |
| Sensitive/special category data | Brasserio does not require sensitive data. Special requests, accessibility notes, dietary notes, and allergy notes may be voluntarily provided by Guests for reservation needs. |
6. Customer Obligations
Customer is responsible for:
- providing required notices and obtaining required consents or lawful bases for Customer Personal Data;
- ensuring Customer’s use of the Services complies with Applicable Data Protection Laws, consumer laws, communications laws, hospitality laws, accessibility laws, and restaurant-specific obligations;
- ensuring Customer’s instructions to Brasserio are lawful;
- responding to Guest and staff privacy requests where Customer is the controller or business;
- maintaining accurate account roles and permissions;
- protecting Customer credentials, devices, websites, plugins, scripts, and networks;
- disclosing Brasserio and any embedded widget or cookie technologies where required on Customer websites.
7. Brasserio Processor Obligations
Brasserio will:
- process Customer Personal Data only in accordance with Customer instructions and this DPA;
- ensure persons authorized to process Customer Personal Data are bound by confidentiality obligations;
- implement and maintain technical and organizational measures designed to protect Customer Personal Data;
- assist Customer with data subject requests, DPIAs, prior consultations, and security obligations to the extent required by law and reasonably possible;
- maintain records and information reasonably necessary to demonstrate compliance with this DPA;
- delete, anonymize, or return Customer Personal Data as described in this DPA and the Agreement;
- impose data protection obligations on Subprocessors that are no less protective in substance than this DPA.
8. Security Measures
Brasserio maintains technical and organizational measures appropriate to the nature, scope, context, and risk of the processing, including:
- TLS encryption for data in transit;
- restricted internal access and least-privilege access practices;
- role-based permissions for restaurant accounts;
- secret-management and credential-protection practices;
- segregation of environments and access controls appropriate to product stage;
- monitoring, logging, and incident response procedures;
- vendor and subprocessor review appropriate to the service provided;
- payment-card handling through hosted payment pages or third-party payment processors rather than direct storage of full card numbers or CVV by Brasserio.
Brasserio does not currently promise customer-specific backup or restore services. Customer should maintain independent records where required for its business continuity, legal, or operational needs.
9. Security Incident Notification
Brasserio will notify Customer without undue delay and, where feasible, no later than 72 hours after Brasserio confirms a Security Incident affecting Customer Personal Data. The notice will include the information reasonably available to Brasserio at the time, such as the nature of the incident, the categories of data affected, the mitigation steps taken or proposed, and a contact point; Brasserio may provide the information in phases as the investigation progresses.
Brasserio will take reasonable steps to contain, investigate, and remediate Security Incidents and will provide reasonable assistance to Customer for Customer’s breach-notification obligations. Brasserio’s notice of or response to an incident is not an admission of fault or liability.
10. Subprocessors
Customer grants Brasserio general authorization to engage Subprocessors. Brasserio maintains its Subprocessor and International Transfer Notice at https://brasserio.com/subprocessor-notice.
Brasserio will provide notice of material changes to Subprocessors by updating the notice, emailing account contacts, or another reasonable method. Customer may object on reasonable data protection grounds within 30 days after notice. The parties will work in good faith to address objections. If Brasserio cannot reasonably address the objection, Customer may stop using the affected Services or terminate the affected portion of the Services according to the Agreement.
Brasserio remains responsible for Subprocessors’ processing of Customer Personal Data to the extent required by Applicable Data Protection Laws.
11. International Transfers
Customer Personal Data may be processed in Israel, the European Economic Area, the United States, and other countries where Brasserio or its Subprocessors operate. Where Customer Personal Data subject to EU GDPR is transferred to a country without an adequacy decision and the importer is not otherwise subject to GDPR, the parties rely on the EU Standard Contractual Clauses, Commission Implementing Decision (EU) 2021/914, Module Two as applicable to controller-to-processor transfers. For onward subprocessor transfers, Brasserio will use appropriate SCC modules or equivalent safeguards.
Where UK GDPR applies, the parties rely on the UK International Data Transfer Addendum to the EU SCCs or another valid UK transfer mechanism. Where Swiss law applies, the SCCs' references to EU member states and supervisory authorities are read as references to Switzerland and the Swiss supervisory authority to the extent Swiss law requires. Where a vendor participates in a recognized transfer framework such as the EU-U.S. Data Privacy Framework, Brasserio may rely on that framework where legally valid.
12. Data Subject Requests
If Brasserio receives a request from a data subject relating to Customer Personal Data, Brasserio will either route the request to Customer, notify Customer, or respond according to Customer’s instructions, unless Brasserio is legally required to respond directly. Brasserio will provide reasonable assistance to Customer for such requests, taking into account the nature of processing and available information.
13. Audits and Information Rights
Upon reasonable written request, Brasserio will provide information reasonably necessary to demonstrate compliance with this DPA. Audits are limited to Customer Personal Data, must be conducted no more than once per year unless a Security Incident or regulator instruction requires otherwise, require at least 30 days’ notice, must occur during normal business hours, must not disrupt the Services, and must be subject to confidentiality and security controls.
Brasserio may satisfy audit requests through security documentation, written responses, third-party reports or certifications if available, or a mutually agreed remote review instead of on-site access.
14. Deletion and Retention
Upon termination or approved account deletion, Brasserio will delete or anonymize Customer Personal Data within 30 days (the operational deletion safeguard period), except where retention is required or permitted for legal, tax, accounting, payment, fraud, security, dispute, or legitimate business purposes.
Invoices, transaction history, and financial records are retained for 7 years where legally required. Personal customer details are anonymized where applicable. Brasserio does not currently offer customer self-service export before deletion.
15. U.S. State Privacy Terms
Where U.S. state privacy laws apply, Brasserio acts as a service provider or processor for Customer Personal Data. Except as permitted by applicable law, Brasserio will not:
- sell Customer Personal Data;
- share Customer Personal Data for cross-context behavioral advertising;
- retain, use, or disclose Customer Personal Data outside the business purposes of providing the Services;
- combine Customer Personal Data with personal information from other sources.
Brasserio may use aggregated or de-identified data for product improvement, analytics, security, benchmarking, and business purposes, provided the data is maintained in a de-identified or aggregated form and not used to identify individuals where prohibited.
16. Liability and Conflict
The liability limitations in the Agreement apply to this DPA unless Applicable Data Protection Laws require otherwise. If there is a conflict between this DPA and the Agreement regarding processing of Customer Personal Data, this DPA controls. If there is a conflict between this DPA and the SCCs for international transfers, the SCCs control for that transfer.
Operated by DevYouUp | Contact: support@brasserio.com