Data Processing Agreement
This DPA governs the processing of guest personal data by MyResto on behalf of Restaurants using the Platform.
1. Parties
This Data Processing Agreement ("DPA") is entered into between:
| Role | Party |
|---|---|
| Data Controller ("Controller") | The Restaurant entity that has registered for a MyResto account and accepted the Terms of Service. |
| Data Processor ("Processor") | MyResto SAS, registered in France, 12 Rue de la Paix, 75002 Paris, France. |
2. Definitions
Terms used in this DPA have the meanings defined in the GDPR (Regulation (EU) 2016/679) and the MyResto Terms of Service. In addition:
| Term | Definition |
|---|---|
| "Guest Data" | Personal data of restaurant guests that is processed through the Platform. |
| "Sub-processor" | Any third party engaged by the Processor to process Guest Data. |
| "Data Breach" | A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Guest Data. |
3. Subject Matter and Scope
This DPA governs the Processor's processing of Guest Data on behalf of the Controller through the MyResto Platform. The processing is necessary for the Processor to provide the services described in the Terms of Service.
The categories of personal data processed include:
- Guest names
- Email addresses
- Phone numbers (when provided)
- Order history (items ordered, timestamps, amounts)
- Reservation details (date, time, party size)
- Review and feedback content
- Dietary preferences and allergen information (when provided)
The categories of data subjects are: guests, customers, and visitors of the Controller's restaurant who interact with the Platform.
4. Duration
This DPA shall remain in effect for the duration of the Controller's subscription to the MyResto Platform. Upon termination of the subscription, the provisions of Section 12 (Termination and Data Deletion) shall apply.
5. Processing Instructions
The Processor shall process Guest Data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country, unless required to do so by EU or Member State law to which the Processor is subject.
The Controller's instructions are documented in this DPA and the Terms of Service. The Controller may provide additional written instructions, provided they are consistent with the terms of the service and applicable law.
6. Confidentiality
The Processor shall ensure that all personnel authorized to process Guest Data have committed to confidentiality obligations or are under an appropriate statutory obligation of confidentiality.
Access to Guest Data is restricted to personnel who require it for the performance of the services, and only to the extent necessary.
7. Security Measures
The Processor shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as required by Article 32 GDPR. These measures are described in detail in Annex B.
The Processor shall regularly test, assess, and evaluate the effectiveness of these measures and update them as necessary to address emerging threats and vulnerabilities.
8. Sub-processors
The Controller provides general written authorization for the Processor to engage sub-processors. The current list of sub-processors is available on the GDPR Compliance page.
The Processor shall:
- Notify the Controller at least 30 days before adding or replacing a sub-processor.
- Provide the Controller with the opportunity to object to the change.
- Ensure that each sub-processor is bound by data protection obligations no less protective than those in this DPA.
- Remain fully liable to the Controller for the performance of each sub-processor's obligations.
If the Controller objects to a new sub-processor and the Processor cannot reasonably accommodate the objection, either party may terminate the affected services with 30 days' written notice.
9. International Transfers
Guest Data may be transferred to sub-processors located outside the European Economic Area (EEA), specifically in the United States. For all such transfers, the Processor ensures appropriate safeguards through:
- Standard Contractual Clauses (SCCs): The Processor has entered into EU-approved SCCs (Commission Implementing Decision (EU) 2021/914) with each sub-processor located outside the EEA.
- Supplementary measures: Including encryption, access controls, and contractual commitments regarding government access requests.
- EU-US Data Privacy Framework: Where applicable, sub-processors maintain certification under the EU-US Data Privacy Framework.
10. Assistance to Controller
The Processor shall assist the Controller in fulfilling its GDPR obligations, including:
10.1 Data Subject Requests
The Processor shall promptly notify the Controller of any request received directly from a data subject and shall assist the Controller in responding to such requests. The Platform provides tools for data export, rectification, and deletion to facilitate this.
10.2 Breach Notification
The Processor shall notify the Controller of any Data Breach without undue delay after becoming aware of it. The notification shall include:
- A description of the nature of the breach
- The categories and approximate number of data subjects and records affected
- The likely consequences of the breach
- The measures taken or proposed to address the breach
10.3 Data Protection Impact Assessments
The Processor shall provide reasonable assistance to the Controller in conducting Data Protection Impact Assessments and prior consultations with supervisory authorities, where required.
11. Audit Rights
The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.
Audits are subject to the following conditions:
- The Controller shall provide at least 30 days' written notice before an audit.
- Audits shall be conducted during normal business hours and shall not unreasonably disrupt the Processor's operations.
- The Controller shall bear the costs of the audit, unless the audit reveals a material breach by the Processor.
- Auditors must agree to confidentiality obligations.
- The Processor may satisfy audit requests by providing relevant third-party audit reports or certifications.
12. Termination and Data Deletion
Upon termination of the Controller's subscription to the Platform, the Processor shall:
| Action | Details |
|---|---|
| Return or delete | At the Controller's choice, return all Guest Data in JSON or CSV format, or securely delete it, within 30 days of termination. |
| Certification | Upon request, provide written certification that all Guest Data has been deleted. |
| Exceptions | The Processor may retain Guest Data to the extent required by applicable law (e.g., tax records). Retained data remains subject to this DPA. |
| Sub-processor data | The Processor shall ensure all sub-processors delete or return Guest Data within the same timeframe. |
Annex A: Details of Processing
| Item | Description |
|---|---|
| Subject matter | Processing of guest personal data to provide restaurant management services |
| Nature and purpose | Collection, storage, retrieval, and display of guest data for order management, reservations, reviews, analytics, and communications |
| Categories of data subjects | Restaurant guests, customers, and visitors |
| Types of personal data | Names, email addresses, phone numbers, order history, reservation details, review content, dietary preferences |
| Special categories | Health-related data may be inferred from allergen and dietary information. Processing is based on explicit consent. |
| Duration | For the term of the subscription, plus up to 30 days for data deletion after termination |
Annex B: Technical and Organizational Security Measures
The Processor implements the following measures to protect Guest Data:
B.1 Technical Measures
- TLS 1.2+ encryption for all data in transit
- AES-256 encryption for all data at rest
- Secure password hashing (bcrypt/argon2)
- Regular automated backups with encryption
- Rate limiting and DDoS protection
- Automated vulnerability scanning
- Secure development practices (code review, dependency auditing)
B.2 Organizational Measures
- Role-based access control with least-privilege principle
- Multi-tenant data isolation at the database level
- Background checks for personnel with access to production data
- Regular data protection training for all staff
- Documented incident response procedures
- Regular review and testing of security measures
- Designated Data Protection Officer
B.3 Physical Measures
- Data hosted in SOC 2 Type II certified data centers (via Vercel and Neon)
- Physical access controls and monitoring at data center facilities
- Redundant power and network connectivity
DPA Questions?
For questions about this Data Processing Agreement, please contact our Data Protection Officer.