Data Processing Agreement
Last updated: April 2026
This Data Processing Agreement (“DPA”) forms part of the service agreement between Delivando UG (haftungsbeschränkt) (“Processor”) and the customer (“Controller”) who uses the Delivando SaaS platform.
This DPA is concluded pursuant to Art. 28 of the EU General Data Protection Regulation (GDPR) and governs the processing of personal data by the Processor on behalf of the Controller.
1. Definitions
- “Controller” — the vendor (restaurant, café, retail business) who uses the Delivando platform and determines the purposes and means of processing personal data of their customers.
- “Processor” — Delivando UG (haftungsbeschränkt), Kattenbrookstrift 51A, 30539 Hannover, Germany, which processes personal data on behalf of the Controller.
- “Personal Data” — any information relating to an identified or identifiable natural person processed under this DPA.
- “Sub-processor” — a third party engaged by the Processor to process personal data on behalf of the Controller.
- “Data Subjects” — the Controller's customers and end users whose personal data is processed through the platform.
2. Subject Matter and Duration
2.1 Subject matter
The Processor provides the Controller with a cloud-based POS, delivery management, and online ordering platform. In the course of providing these services, the Processor processes personal data on behalf of the Controller.
2.2 Duration
This DPA is effective for the duration of the service agreement between the parties. Upon termination of the service agreement, the provisions of Section 10 (Return and Deletion of Data) apply.
3. Categories of Data Subjects
The following categories of data subjects are affected by the processing:
- Customers of the Controller (end consumers who place orders)
- Employees and staff of the Controller (if staff management features are used)
- Delivery personnel
4. Types of Personal Data
The following types of personal data may be processed:
- Contact data: name, email address, phone number, delivery address
- Order data: order details, order history, preferences, remarks
- Payment data: payment method, transaction references (full payment card data is processed exclusively by PCI-compliant payment providers and is never stored by Delivando)
- Device and access data: IP address, device identifiers, session tokens
- Staff data (if applicable): name, role, working hours, access credentials
- Fiscal data: TSE transaction records, receipt data as required by KassenSichV
5. Obligations of the Processor
The Processor shall:
- Process personal data only on documented instructions from the Controller, unless required by EU or Member State law (Art. 28(3)(a) GDPR)
- Ensure that persons authorized to process personal data have committed themselves to confidentiality (Art. 28(3)(b) GDPR)
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (Art. 28(3)(c), Art. 32 GDPR)
- Assist the Controller in fulfilling data subject requests (Art. 28(3)(e) GDPR)
- Assist the Controller in ensuring compliance with obligations related to data security, breach notification, data protection impact assessments, and prior consultation (Art. 28(3)(f) GDPR)
- At the choice of the Controller, delete or return all personal data after the end of the provision of services (Art. 28(3)(g) GDPR)
- Make available to the Controller all information necessary to demonstrate compliance and allow for audits (Art. 28(3)(h) GDPR)
6. Obligations of the Controller
The Controller shall:
- Ensure that there is a lawful basis for the processing of personal data
- Provide documented instructions to the Processor regarding the processing of personal data
- Inform the Processor immediately if they identify any errors or irregularities regarding data protection provisions
- Be responsible for providing their own privacy policy to their customers
- Comply with all applicable data protection laws, including informing data subjects about the processing
7. Technical and Organizational Measures
The Processor implements and maintains the following measures pursuant to Art. 32 GDPR:
7.1 Confidentiality
- Role-based access control with principle of least privilege
- Multi-factor authentication for administrative access
- Encryption of data in transit (TLS 1.2+)
- Encryption of data at rest (AES-256)
- Confidentiality agreements with all employees and contractors
7.2 Integrity
- Input validation and sanitization
- Audit logging of data access and modifications
- Change management procedures for system updates
7.3 Availability
- Redundant infrastructure and failover mechanisms
- Regular backups with tested recovery procedures
- DDoS protection and intrusion detection
- Disaster recovery plan with defined recovery objectives
7.4 Resilience
- Regular security assessments and penetration testing
- Patch management and vulnerability scanning
- Employee security awareness training
8. Sub-processors
8.1 General authorization
The Controller grants the Processor general written authorization to engage sub-processors for the performance of this DPA. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object to such changes within 14 days.
8.2 Current sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| PCI DSS-certified payment providers | Payment processing (specific providers depend on available payment methods) | EU/EEA |
| Google Ireland Limited | Cloud hosting, analytics | Ireland (EU) |
| Cloudinary Ltd. | Image hosting and optimization | Israel (adequacy decision) |
| HERE Global B.V. | Geolocation and address validation | Netherlands (EU) |
8.3 Sub-processor obligations
The Processor shall impose the same data protection obligations as set out in this DPA on any sub-processor by way of a contract. The Processor remains fully liable to the Controller for the performance of the sub-processor's obligations.
9. Data Transfers to Third Countries
The Processor shall not transfer personal data to a country outside the EU/EEA unless:
- The European Commission has issued an adequacy decision for the receiving country (Art. 45 GDPR), or
- Appropriate safeguards are in place, in particular Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR, or
- A derogation under Art. 49 GDPR applies
The Processor shall inform the Controller of any planned international transfers and the safeguards applied.
10. Return and Deletion of Data
10.1 Data export
Upon termination of the service agreement, the Processor shall make all Controller data available for export in a commonly used, machine-readable format (CSV/JSON) for a period of 30 calendar days after the effective termination date.
10.2 Deletion
After the 30-day export period, the Processor shall delete all personal data and confirm the deletion to the Controller in writing (email is sufficient), unless retention is required by law (see Section 10.3).
10.3 Legally required retention
The following data must be retained beyond the contract term due to statutory obligations. This data will be stored separately, access-restricted, and automatically deleted once the retention period expires:
| Data type | Retention period | Legal basis |
|---|---|---|
| Tax-relevant records (invoices, receipts, order records) | 10 years | AO §147 |
| TSE fiscal signatures and transaction logs | 10 years | KassenSichV, AO §147 |
| Commercial correspondence | 6 years | HGB §257 |
Personal data within retained records (e.g., customer names, addresses) will be anonymized where legally permissible. The Controller will be informed of the specific categories of data retained and the applicable retention periods.
11. Data Breach Notification
The Processor shall notify the Controller without undue delay (and in any event within 24 hours) after becoming aware of a personal data breach affecting the Controller's data. The notification shall include:
- A description of the nature of the breach, including the categories and approximate number of data subjects and records affected
- The name and contact details of the Processor's contact point for further information
- A description of the likely consequences of the breach
- A description of the measures taken or proposed to address the breach and mitigate its possible adverse effects
The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.
12. Audit Rights
The Controller has the right to conduct audits, including inspections, to verify the Processor's compliance with this DPA. The Processor shall:
- Make available all information necessary to demonstrate compliance with Art. 28 GDPR
- Allow and contribute to audits conducted by the Controller or an auditor mandated by the Controller
- Inform the Controller immediately if, in the Processor's opinion, an instruction violates GDPR or other data protection provisions
Audits shall be carried out with reasonable prior notice (at least 30 days) and during normal business hours. The Controller shall bear its own costs for audits unless the audit reveals a material breach by the Processor.
13. Liability
The liability of each party under this DPA is subject to the limitations and exclusions set out in the main service agreement (Terms of Use). Each party is liable for damages caused by processing that infringes the GDPR in accordance with Art. 82 GDPR.
14. Contact
Delivando UG (haftungsbeschränkt)
Kattenbrookstrift 51A
30539 Hannover, Germany
Email: info@delivando.com
Phone: +49 157 368 11833