Data Processing Agreement
This Data Processing Agreement (DPA) governs how Ordeliya ApS processes personal data on behalf of merchants using our restaurant management platform, in compliance with GDPR Article 28.
1. Introduction and Scope
This Data Processing Agreement ("DPA") forms a legally binding addendum to the Terms of Service ("Agreement") between Ordeliya ApS, a company registered in Denmark ("Ordeliya," "Processor," "we," "us"), and the merchant entity that has subscribed to the Ordeliya platform ("Merchant," "Controller," "you," "your"). This DPA governs the processing of personal data that Ordeliya carries out on behalf of the Merchant in connection with the provision of the Ordeliya restaurant management platform.
This DPA is entered into pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and reflects the parties' agreement with respect to the processing of personal data by Ordeliya on behalf of the Merchant. Where there is any conflict between the terms of this DPA and the main Agreement, the terms of this DPA shall prevail with respect to data protection matters.
This DPA applies to all processing of personal data that Ordeliya performs in its capacity as a data processor or sub-processor on behalf of the Merchant. It covers personal data processed through the Ordeliya administration dashboard, the merchant-branded storefront, the kitchen display system, the reservation system, the delivery management module, the email marketing module, and all other modules and services provided as part of the Ordeliya platform.
By using the Ordeliya platform, the Merchant agrees to the terms of this DPA. If the Merchant is entering into this DPA on behalf of a legal entity, the Merchant represents and warrants that it has the authority to bind that entity to this DPA.
2. Definitions
For the purposes of this DPA, the following terms shall have the meanings set out below. Terms not defined here shall have the meanings given to them in the GDPR or the main Agreement.
- "Controller" means the Merchant, who determines the purposes and means of the processing of personal data collected through the Ordeliya platform in connection with the Merchant's restaurant operations.
- "Processor" means Ordeliya ApS, which processes personal data on behalf of the Controller in accordance with the Controller's documented instructions and the terms of this DPA.
- "Sub-processor" means any third party engaged by Ordeliya to assist in the processing of personal data on behalf of the Controller, including hosting providers, payment processors, email delivery services, and error monitoring tools.
- "Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject"), as defined in Article 4(1) of the GDPR.
- "Processing" means any operation or set of operations performed on personal data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
- "Data Subject" means an identified or identifiable natural person whose personal data is processed under this DPA, including the Merchant's customers, employees, and staff.
- "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
- "Standard Contractual Clauses" ("SCCs") means the contractual clauses adopted by the European Commission for the transfer of personal data to processors or controllers established in third countries, as approved under Commission Implementing Decision (EU) 2021/914.
- "Supervisory Authority" means the independent public authority responsible for monitoring the application of data protection law, including the Danish Data Protection Agency (Datatilsynet).
3. Roles and Responsibilities
The parties acknowledge and agree that with respect to the processing of personal data described in this DPA, the Merchant acts as the Controller and Ordeliya acts as the Processor.
Merchant as Controller
The Merchant is responsible for determining the purposes and means of processing personal data of its customers, employees, and other data subjects through the Ordeliya platform. The Merchant is responsible for ensuring that it has a valid legal basis under Article 6 of the GDPR for each processing activity, including obtaining any necessary consent from data subjects. The Merchant is also responsible for fulfilling its transparency obligations under Articles 13 and 14 of the GDPR, including maintaining a privacy notice that accurately describes the processing of personal data through the Ordeliya platform.
The Merchant shall ensure that its instructions to Ordeliya regarding the processing of personal data comply with applicable data protection laws. The Merchant acknowledges that it bears primary responsibility for the lawfulness of the processing and for responding to data subject requests.
Ordeliya as Processor
Ordeliya processes personal data solely on behalf of the Merchant and in accordance with the Merchant's documented instructions as set out in this DPA, the main Agreement, and the platform's configuration as directed by the Merchant. Ordeliya shall not process personal data for any purpose other than providing the services described in the Agreement, unless required to do so by European Union or Member State law to which Ordeliya is subject. In such a case, Ordeliya shall inform the Merchant of that legal requirement before processing, unless the law prohibits such notification on important grounds of public interest.
Ordeliya shall ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, in accordance with Article 28(3)(b) of the GDPR.
4. Processing Instructions
Ordeliya shall process personal data only on the documented instructions of the Merchant, as set forth in this DPA, the main Agreement, and the configuration of the Ordeliya platform as directed by the Merchant through the administration dashboard. The Merchant's instructions to Ordeliya regarding the processing of personal data are described in the following documents:
- This Data Processing Agreement
- The Terms of Service (main Agreement)
- The platform configuration as set by the Merchant, including but not limited to: email marketing campaign settings, customer data collection forms, reservation settings, delivery zone configurations, and any integrations enabled by the Merchant
The purpose of processing is strictly limited to providing the Ordeliya restaurant management platform and associated services, including: processing customer orders, managing table reservations, operating the digital storefront, delivering email marketing campaigns on behalf of the Merchant, generating analytics and reports, managing customer accounts and loyalty programs, and providing customer support.
Ordeliya shall immediately inform the Merchant if, in Ordeliya's opinion, an instruction from the Merchant infringes the GDPR or other applicable data protection provisions. Ordeliya shall not be required to independently assess the lawfulness of the Merchant's instructions, but shall act in good faith and raise concerns where they become apparent.
The Merchant may issue additional reasonable instructions to Ordeliya regarding the processing of personal data, provided such instructions are consistent with the terms of the Agreement and this DPA. If compliance with an additional instruction would require Ordeliya to make changes beyond the standard platform functionality, the parties shall discuss the feasibility, timeline, and any associated costs in good faith.
5. Categories of Data Processed
The following categories of personal data may be processed by Ordeliya on behalf of the Merchant through the platform. The specific data processed depends on which platform modules and features the Merchant has enabled.
Customer Ordering Data
- Customer name (first name, last name)
- Email address
- Phone number
- Delivery address (street, city, postal code, country)
- Order details (items, quantities, customizations, special instructions)
- Order history and preferences
- Payment references (transaction IDs, payment method type — not full card numbers)
Reservation Data
- Guest name and contact information
- Party size, date, and time preferences
- Special requests, dietary notes, and occasion details
- Reservation history and reconfirmation tokens
Customer Account Data
- Account credentials (email, hashed password)
- Profile information (name, phone, avatar, date of birth)
- Saved addresses (up to five per customer)
- Allergen profile and dietary preferences
- Loyalty points balance and transaction history
- Favorite products
- Social login identifiers (Google ID, Apple ID, Facebook ID)
- Notification and marketing consent preferences
Email Marketing Data
- Subscriber email addresses
- Segment membership (based on order behavior, demographics)
- Campaign engagement data (opens, clicks, unsubscribes)
- Consent and suppression list status
Merchant Staff Data
- Staff member names and email addresses
- User roles and permissions
- Login activity and session metadata (IP address, user agent, device ID)
- Time tracking records (clock-in, clock-out, break times)
Behavioral and Analytics Data
- Storefront browsing activity (page views, product views, search queries)
- Session identifiers and duration
- Device type and browser information
- Customer review content and ratings
Sensitive data: Ordeliya does not knowingly process special categories of personal data (Article 9 GDPR) such as health data, biometric data, or data concerning racial or ethnic origin. Allergen preferences provided by customers are treated as dietary preferences rather than health data. The Merchant shall not instruct Ordeliya to process special category data without prior written agreement and appropriate safeguards.
6. Categories of Data Subjects
The personal data processed under this DPA relates to the following categories of data subjects:
Restaurant Customers
Individuals who place orders, make reservations, create accounts, subscribe to email communications, leave reviews, or otherwise interact with the Merchant's storefront and services through the Ordeliya platform. This includes both registered account holders and guest users who provide personal data during the checkout or reservation process.
Merchant Staff and Employees
Individuals employed by or working for the Merchant who are granted access to the Ordeliya administration dashboard. This includes restaurant owners, managers, kitchen staff who use the kitchen display system, delivery personnel, and any other staff members whose information is entered into the platform for user management, time tracking, or operational purposes.
Prospective Customers
Individuals who visit the Merchant's storefront and whose browsing behavior may be collected through the customer event tracking system, even if they do not complete a purchase or create an account. The extent of data collected about prospective customers depends on the Merchant's configuration and whether the visitor has provided consent for non-essential tracking.
The Merchant is responsible for informing all data subjects about the processing of their personal data and for ensuring that appropriate legal bases and consent mechanisms are in place.
7. Sub-Processors
The Merchant grants Ordeliya general authorization to engage sub-processors for the purpose of delivering the Ordeliya platform and services. Ordeliya shall maintain an up-to-date list of sub-processors and shall make this list available to the Merchant upon request and through this DPA.
Current Sub-Processor List
| Sub-Processor | Purpose | Location | Data Processed |
|---|---|---|---|
| Railway | Application hosting, database hosting, and compute infrastructure | EU (Frankfurt) | All platform data (encrypted at rest and in transit) |
| Stripe | Payment processing and billing management | EU / US (with SCCs) | Payment references, billing information, transaction metadata |
| Amazon Web Services (AWS) | File and asset storage (S3) | EU (eu-north-1, Stockholm) | Uploaded images, media files, exported reports |
| Cloudflare | CDN, DDoS protection, SSL certificate management, DNS | Global (EU processing) | Request metadata, IP addresses (transient, not stored) |
| Sentry | Error monitoring and application performance tracking | EU (Frankfurt) | Error context, request metadata, stack traces (no PII by design) |
| Anthropic | AI-powered features (product descriptions, campaign text generation, translations) | US (with SCCs) | Text content submitted for AI processing (no customer PII) |
| Nets / Nexi | Nordic card payment processing (Denmark, Sweden, Norway) | EU (Nordics) | Payment references, transaction amounts, card type |
| Adyen | Global payment processing and acquirer services | EU (Netherlands) | Payment references, transaction data, card metadata |
Notification of Changes
Ordeliya shall notify the Merchant at least thirty (30) calendar days before adding a new sub-processor or replacing an existing one. Notification will be provided via email to the address associated with the Merchant's account or through a prominent notice on the Ordeliya administration dashboard.
Right to Object
The Merchant may object to the appointment of a new sub-processor by notifying Ordeliya in writing within fourteen (14) calendar days of receiving notice of the change. The objection must include reasonable grounds related to data protection. Upon receiving a valid objection, Ordeliya shall use commercially reasonable efforts to make available to the Merchant a change in the services or recommend an alternative sub-processor. If Ordeliya is unable to accommodate the objection within thirty (30) days, either party may terminate the affected services by providing written notice, and the Merchant shall receive a pro-rata refund of any prepaid fees for the terminated services.
Sub-Processor Obligations
Ordeliya shall enter into a written agreement with each sub-processor that imposes data protection obligations no less protective than those set out in this DPA. Ordeliya shall remain fully liable to the Merchant for the performance of each sub-processor's obligations. Where a sub-processor fails to fulfill its data protection obligations, Ordeliya shall remain responsible for the sub-processor's performance as if Ordeliya had performed the processing itself.
8. Data Security Measures
In accordance with Article 32 of the GDPR, Ordeliya implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk of the processing. These measures are designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.
Encryption
- In transit: All data transmitted between clients and Ordeliya servers is encrypted using TLS 1.2 or higher. Internal service-to-service communication within the platform infrastructure uses encrypted channels.
- At rest: Database storage is encrypted at the filesystem level. Sensitive fields such as payment provider secret keys are additionally encrypted at the application level before storage.
Access Control
- Role-based access control (RBAC) with five hierarchical roles: Owner, Admin, Manager, Staff, and read-only variants. Each role has precisely scoped permissions.
- Multi-factor authentication (TOTP) is available and required for platform administrator accounts.
- Database-backed session management with SHA-256 hashed refresh tokens, automatic rotation, and reuse detection to prevent session hijacking.
- JWT tokens with audience separation (tenant, platform-admin, customer) ensure that authentication credentials from one realm cannot be used to access another.
Password Security
- All passwords are stored using bcrypt with a cost factor of 10. Plain text passwords are never stored, logged, or transmitted after initial hashing.
- Refresh tokens are stored as SHA-256 hashes, not in their raw form.
Tenant Isolation
- Every database query is scoped by `storeId` to ensure strict tenant isolation. One merchant's data is never accessible to another merchant.
- The `storeId` is always derived from the authenticated JWT token, never from user-supplied request parameters, preventing cross-tenant data access.
Infrastructure Security
- Cloudflare DDoS protection and web application firewall (WAF).
- Rate limiting (100 requests per 60 seconds by default) to prevent abuse.
- Security headers (HSTS, X-Frame-Options DENY, X-Content-Type-Options nosniff).
- Content Security Policy (CSP) on storefront applications.
- Regular dependency updates and vulnerability scanning.
Monitoring and Incident Response
- Real-time error monitoring via Sentry with alerting for critical errors.
- Structured JSON logging with sensitive data redaction (authorization headers, passwords, tokens are never logged).
- Platform-level audit logging of administrative actions for accountability.
- Health check endpoints with automated monitoring and alerting.
Availability and Resilience
- Database backups are performed automatically and retained for disaster recovery.
- Circuit breaker patterns are implemented for critical service dependencies to maintain platform availability during partial outages.
- The platform is designed for high availability with automatic failover and recovery mechanisms.
9. Data Subject Rights
Ordeliya shall assist the Merchant in fulfilling its obligations to respond to requests from data subjects exercising their rights under Chapter III of the GDPR, including:
- Right of access (Article 15)
- Right to rectification (Article 16)
- Right to erasure (Article 17)
- Right to restriction of processing (Article 18)
- Right to data portability (Article 20)
- Right to object (Article 21)
- Rights related to automated decision-making (Article 22)
DSAR Processing
Ordeliya provides a built-in Data Subject Access Request (DSAR) module within the merchant administration dashboard. When a data subject submits a request, the Merchant can use this module to locate, export, rectify, or delete the data subject's personal data. Ordeliya shall provide reasonable technical assistance to enable the Merchant to respond to DSARs within the timeframes required by the GDPR (generally 30 calendar days, extendable by up to 60 days for complex requests).
Direct Data Subject Requests
If Ordeliya receives a data subject request directly (for example, a customer contacting Ordeliya rather than the Merchant), Ordeliya shall promptly redirect the request to the relevant Merchant, unless Ordeliya is legally required to respond directly. Ordeliya shall not respond to data subject requests on behalf of the Merchant without the Merchant's prior instruction, except to acknowledge receipt and direct the data subject to the appropriate Merchant contact.
Account Deletion
The Ordeliya platform supports customer-initiated account deletion through the storefront profile settings, in compliance with GDPR Article 17. When a customer requests account deletion, the Merchant is notified and the customer's personal data is scheduled for removal. Order records may be retained in an anonymized form for the Merchant's accounting and tax compliance purposes, as permitted under Article 17(3)(b) of the GDPR.
10. Data Breach Notification
Ordeliya shall notify the Merchant without undue delay and in any event within seventy-two (72) hours after becoming aware of a Data Breach affecting personal data processed on behalf of the Merchant. This notification timeline aligns with the Controller's obligation under Article 33 of the GDPR to notify the supervisory authority within 72 hours and is designed to give the Merchant sufficient time to assess and report the breach as required.
Content of Breach Notification
The breach notification shall include, to the extent reasonably available at the time of notification:
- A description of the nature of the breach, including the categories and approximate number of data subjects affected, and the categories and approximate number of personal data records concerned.
- The name and contact details of the Ordeliya data protection point of contact from whom more information can be obtained.
- A description of the likely consequences of the breach for affected data subjects.
- A description of the measures taken or proposed to be taken by Ordeliya to address the breach, including measures to mitigate its possible adverse effects.
Cooperation
Where it is not possible to provide all information at the time of the initial notification, Ordeliya shall provide the information in phases without further undue delay. Ordeliya shall cooperate with the Merchant and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of the breach. Ordeliya shall also assist the Merchant in fulfilling the Merchant's obligation to notify affected data subjects under Article 34 of the GDPR, if applicable.
Ordeliya shall document all Data Breaches, including the facts relating to the breach, its effects, and the remedial action taken. This documentation shall be made available to the Merchant upon request and to the supervisory authority upon lawful demand.
Ordeliya's notification of a Data Breach to the Merchant shall not be construed as an acknowledgment of fault or liability by Ordeliya with respect to the breach.
11. International Transfers
Ordeliya processes the majority of personal data within the European Union and the European Economic Area (EU/EEA). Our primary infrastructure is hosted on Railway with servers in Frankfurt (EU), and our file storage is on AWS in Stockholm (eu-north-1). We are committed to keeping personal data within the EU/EEA wherever technically and commercially feasible.
Transfers to Third Countries
Where processing by a sub-processor involves the transfer of personal data to a country outside the EU/EEA that has not received an adequacy decision from the European Commission, Ordeliya ensures that appropriate safeguards are in place in accordance with Chapter V of the GDPR. These safeguards include:
- Standard Contractual Clauses (SCCs): Ordeliya enters into the European Commission's Standard Contractual Clauses (Module 3: Processor to Sub-processor) with sub-processors located in non-adequate countries. These SCCs are supplemented with additional technical and organizational measures as recommended by the European Data Protection Board (EDPB) in its Recommendations 01/2020.
- Supplementary measures: Where required by the transfer impact assessment, additional safeguards may include encryption of data in transit and at rest with keys held in the EU, pseudonymization of personal data before transfer, contractual commitments to challenge governmental access requests, and transparency reporting.
Current Transfer Arrangements
As of the date of this DPA, the following sub-processors may process personal data outside the EU/EEA:
- Stripe (US): Covered by SCCs and Stripe's Binding Corporate Rules (BCRs). Stripe maintains a European processing entity and processes European cardholder data in the EU where possible.
- Anthropic (US): Covered by SCCs. Only text content submitted for AI processing (product descriptions, marketing copy) is transferred. No customer personal data is included in AI processing requests.
The Merchant may request a copy of the relevant SCCs and transfer impact assessments by contacting Ordeliya at the address provided in this DPA.
12. Audits and Compliance
Ordeliya shall make available to the Merchant all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and this DPA, and shall allow for and contribute to audits, including inspections, conducted by the Merchant or a qualified third-party auditor mandated by the Merchant.
Audit Rights
The Merchant may exercise its audit rights under the following conditions:
- The Merchant shall provide Ordeliya with at least thirty (30) calendar days' prior written notice of any intended audit or inspection.
- Audits shall be conducted during Ordeliya's normal business hours and shall not unreasonably interfere with Ordeliya's operations.
- The Merchant's auditor shall be bound by appropriate confidentiality obligations and shall not be a competitor of Ordeliya.
- The scope of the audit shall be limited to Ordeliya's processing of personal data on behalf of the Merchant and compliance with this DPA.
- The Merchant may conduct no more than one audit per twelve-month period, unless required by a supervisory authority or necessitated by a Data Breach.
Compliance Documentation
In lieu of or in addition to physical audits, Ordeliya may provide the following documentation to demonstrate compliance:
- Summaries of third-party security assessments or penetration test results.
- Relevant certifications and attestation reports (where available).
- Platform-level audit logs of data processing activities relevant to the Merchant.
- Written responses to reasonable compliance questionnaires submitted by the Merchant.
Cooperation with Supervisory Authorities
Ordeliya shall cooperate with the competent supervisory authority in the performance of its tasks, in accordance with Article 31 of the GDPR. If a supervisory authority conducts an investigation or audit that relates to Ordeliya's processing on behalf of the Merchant, Ordeliya shall promptly inform the Merchant (unless prohibited by law) and shall cooperate with both the Merchant and the supervisory authority to the extent required by law.
13. Duration and Termination
This DPA shall take effect on the date the Merchant first accesses the Ordeliya platform and shall remain in force for the duration of the main Agreement. Upon termination or expiration of the Agreement for any reason, this DPA shall automatically terminate, subject to the survival of obligations that by their nature should survive termination, including confidentiality, data return and deletion, and liability provisions.
Data Return
Upon termination of the Agreement, the Merchant may request a complete export of all personal data processed by Ordeliya on its behalf. Ordeliya shall make the data available in a structured, commonly used, and machine-readable format (JSON or CSV) for a period of ninety (90) calendar days following the effective date of termination. The Merchant may initiate the data export through the administration dashboard or by submitting a written request to Ordeliya.
Data Deletion
Following the expiration of the 90-day export window, Ordeliya shall delete all personal data processed on behalf of the Merchant from its active systems, unless retention is required by European Union or Member State law. Ordeliya shall provide written confirmation of deletion upon the Merchant's request.
Data stored in automated backups may persist beyond the deletion date for a limited period consistent with the backup retention schedule (typically 30 days). Such backup data is encrypted and access-restricted, and will be permanently deleted when the relevant backup cycle expires. Ordeliya shall not actively process backup data after the deletion from active systems.
Early Termination of DPA
If the Merchant determines that Ordeliya has materially breached this DPA and has failed to cure the breach within thirty (30) calendar days of receiving written notice, the Merchant may terminate this DPA and the main Agreement immediately. In such event, the data return and deletion provisions above shall apply.
14. Liability
Each party shall be liable for the damage caused by processing that infringes the GDPR, in accordance with Article 82 of the GDPR. The allocation of liability between the Controller and Processor shall be determined in accordance with Article 82(2), under which a Processor shall be liable for the damage caused by processing only where it has not complied with obligations of the GDPR specifically directed to processors or where it has acted outside or contrary to lawful instructions of the Controller.
The total aggregate liability of Ordeliya under this DPA for all claims arising from or related to the processing of personal data shall be subject to the limitation of liability provisions set out in the main Agreement, except that such limitation shall not apply to liability arising from Ordeliya's willful misconduct or gross negligence in the processing of personal data.
Nothing in this DPA excludes or limits either party's liability for fraud, death, or personal injury caused by negligence, or any other liability that cannot be excluded or limited under applicable law. Nothing in this DPA shall affect the rights of data subjects under the GDPR to bring claims directly against either the Controller or the Processor.
The Merchant shall indemnify Ordeliya against any costs, claims, damages, or expenses incurred by Ordeliya as a result of the Merchant's breach of its obligations as Controller under the GDPR, including but not limited to providing unlawful processing instructions, failing to maintain a valid legal basis for processing, or failing to fulfill data subject rights obligations.
This DPA is governed by the laws of Denmark, without regard to its conflict of laws provisions. Any dispute arising from or in connection with this DPA that cannot be resolved amicably shall be submitted to the exclusive jurisdiction of the courts of Copenhagen, Denmark.
If you have any questions about this document, please contact us at legal@ordeliya.com