Data Processing Agreement

Last updated: September 23, 2025

This Data Processing Agreement ("DPA") is entered into between Automenu Inc. ("Processor" or "Automenu") and the customer that has signed up for Automenu's services ("Controller" or "Restaurant Partner") and forms part of the Automenu Platform Terms ("Agreement").

This DPA is effective as of the date the Restaurant Partner accepted the Agreement.

1. Definitions

  • "Controller," "Processor," "Data Subject," "Personal Data," "Processing," and "Personal Data Breach" shall have the meanings given to them in the GDPR.
  • "Applicable Data Protection Law" means all laws and regulations applicable to the Processing of Personal Data under the Agreement, including but not limited to the GDPR and the CCPA.
  • "CCPA" means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020.
  • "GDPR" means the General Data Protection Regulation (EU) 2016/679.
  • "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as approved by the European Commission.
  • "Service Data" means any Personal Data that Processor Processes on behalf of Controller in the course of providing the Platform services under the Agreement.

2. Subject Matter and Details of Processing

2.1. Roles of the Parties. The parties acknowledge and agree that with regard to the Processing of Service Data, Restaurant Partner is the Controller and Automenu is the Processor.

2.2. Purpose. Automenu shall Process Service Data only for the purpose of providing, maintaining, and improving the Platform services as described in the Agreement and as instructed by the Controller.

2.3. Details of Processing. The details of the Processing of Service Data, as required by Article 28(3) of the GDPR, are described in Annex I of this DPA.

3. Obligations of the Processor

Automenu, as the Processor, agrees to:

3.1. Process Only on Instruction. Process Service Data only in accordance with the Controller's documented lawful instructions, including with regard to transfers of Personal Data to a third country, unless required to do so by Union or Member State law.

3.2. Confidentiality. Ensure that all personnel authorized to Process Service Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

3.3. Security. Implement and maintain appropriate technical and organizational security measures to protect Service Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures are described in Annex II.

3.4. Subprocessors.

  • Controller provides a general authorization for Automenu to engage third-party subprocessors to Process Service Data on its behalf. The current list of subprocessors is maintained at Subprocessors and is attached as Annex III.
  • Automenu will notify Controller of any intended changes concerning the addition or replacement of subprocessors, thereby giving the Controller the opportunity to object to such changes as described in our Subprocessor Policy.
  • Automenu will impose on its subprocessors data protection obligations that are no less protective than those in this DPA. Automenu shall remain fully liable to the Controller for the performance of the subprocessor's data protection obligations.

3.5. Data Subject Rights. To the extent legally permissible, Automenu will provide reasonable assistance to the Controller to enable the Controller to respond to requests from Data Subjects seeking to exercise their rights under Applicable Data Protection Law.

3.6. Personal Data Breaches. Automenu will notify the Controller without undue delay after becoming aware of a Personal Data Breach affecting Service Data. Automenu will provide the Controller with sufficient information to allow the Controller to meet any obligations to report the breach to a supervisory authority or notify Data Subjects.

3.7. Data Protection Impact Assessments. Automenu will provide reasonable assistance to the Controller with any data protection impact assessments and prior consultations with supervisory authorities, as required under Applicable Data Protection Law.

3.8. Return or Deletion of Data. Upon termination of the Agreement, Automenu will, at the choice of the Controller, delete or return all Service Data to the Controller, and delete existing copies unless Union or Member State law requires storage of the Personal Data.

4. Obligations of the Controller

Controller, as the Controller, represents and warrants that:

  • It has complied and will comply with all Applicable Data Protection Law in its collection and use of Service Data.
  • It has a lawful basis for the Processing of all Service Data provided to Automenu.
  • It is solely responsible for the accuracy, quality, and legality of the Service Data and the means by which it acquired the Service Data.
  • Its instructions to Automenu for the Processing of Service Data will comply with all Applicable Data Protection Law.

5. International Data Transfers

For transfers of Personal Data from the European Economic Area (EEA), the UK, or Switzerland to a country that does not ensure an adequate level of protection, the parties agree that the Standard Contractual Clauses (SCCs) will apply. The SCCs are deemed incorporated into this DPA by reference.

6. Audits

Automenu shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, upon reasonable notice and subject to appropriate confidentiality obligations.

7. Term and Termination

This DPA will commence on the date of the Agreement and will remain in effect until the termination or expiration of the Agreement. The obligations of confidentiality, data return/deletion, and any other provisions which by their nature are intended to survive, will survive termination.

Annex I: Details of Processing

A. Subject Matter of Processing

The Processing of Personal Data by Automenu to provide the Platform services to the Restaurant Partner as described in the Agreement.

B. Duration of Processing

For the term of the Agreement, plus any period required for the return or deletion of data as described in this DPA.

C. Nature and Purpose of Processing

To provide a comprehensive restaurant management platform, including but not limited to: creating and hosting websites, facilitating online ordering and payments, managing customer relationships and loyalty programs, providing marketing and communication tools (email/SMS), facilitating delivery services, and generating analytics and reports for the Restaurant Partner.

D. Categories of Data Subjects

  • Customers and end-users of the Restaurant Partner who place orders, create accounts, join loyalty programs, or interact with the Restaurant Partner's website or services powered by the Platform.
  • Employees (Authorized Staff) of the Restaurant Partner who are given access to the Platform.

E. Types of Personal Data Processed

  • Customer Data: Name, email address, phone number, physical address, order history, transaction details, IP address, device information, and loyalty program data.
  • Staff Data: Name, email address, role, and system usage data.

Annex II: Technical and Organizational Security Measures

Automenu implements and maintains the following security measures:

  1. Encryption: Service Data is encrypted in transit using TLS and at rest using industry-standard encryption protocols.
  2. Access Control: Access to Personal Data is restricted to authorized personnel who have a need to know. Access is managed through role-based access controls (RBAC), multi-factor authentication (MFA), and regular access reviews.
  3. Data Minimization: We collect and process only the Personal Data that is necessary to provide the services.
  4. Physical Security: Our infrastructure is hosted on secure, certified data centers (e.g., Google Cloud Platform) that have robust physical security controls.
  5. Incident Response: We maintain an incident response plan to promptly identify, investigate, and respond to security incidents and Personal Data Breaches.
  6. Business Continuity: We maintain a business continuity and disaster recovery plan, including regular data backups, to ensure service availability.
  7. Personnel Security: All employees and contractors are subject to confidentiality agreements and undergo security and privacy training.

Annex III: Authorized Subprocessors

The Restaurant Partner agrees that Automenu may use the subprocessors listed in Automenu's Subprocessors, which is maintained at the following link:

Subprocessors