FoodTec Solutions, Inc.
Data Processing Addendum
Updated as of 9/19/2025
This Data Processing Addendum (“DPA”) is applicable, as of the Effective Date, to any Sales Contract or other FoodTec Agreement by and between FoodTec Solutions, Inc. (“Processor”), a corporation organized and existing under the laws of the Commonwealth of Massachusetts, USA, with its principal place of business at 175 Highland Ave., Needham Heights, MA 02494, and the “Client” identified in any such Sales Contract or other FoodTec Agreement, which in the context of this DPA is also sometimes referred to as “Controller”.
This DPA is incorporated into and part of the Terms and Conditions that apply to any Sales Contract or other FoodTec Agreement (“T&Cs”) (as defined below) between the Processor and Controller (each a “Party” and collectively, the “Parties”). This DPA reflects the Parties’ rights and obligations with respect to Personal Data Processed as part of the Services (all as defined below). In the event of a conflict between the terms of this DPA and the T&Cs with respect to the subject matter herein, the terms of the T&Cs govern. Any prior data protection agreements or addenda between the Parties are superseded and replaced by this DPA in their entirety. All capitalized terms not defined in this DPA will have the meaning given to them in the T&Cs.
1. Definitions. For the purposes of this DPA, the following terms shall have the meanings specified below, in addition to those initially capitalized terms defined in the T&Cs:
• “Breach Event” means any incident where security is compromised, resulting in unintentional or illegal destruction, misplacement, modification, or unauthorized sharing or access to Personal Data that has been transmitted, stored, or otherwise processed.
• “Client Data” has the meaning set forth in the Terms and Conditions, and encompasses the subset of Personal Data.
• “Controller” means Client, which serves as Controller with respect to all Personal Data as to which Processor’s assistance is provided, whether the Data Subjects are Client’s customers or employees.
• “Data Privacy Laws” means all applicable laws and regulations relating to the processing, privacy, and/or use of Personal Data, as applicable to either party or the Services, including jurisdictional, industry-specific, or data-specific laws and regulations.
• “Data Subject” refers to the identified or identifiable natural person whose Personal Data is processed.
• “Effective Date” means the Effective Date determined under the T&Cs, which may precede the commencement of an Initial Term.
• “Personal Data” refers to any information that is tied to an identified or identifiable natural person (Data Subject) that is protected as personal data, personal information, or personally identifiable information under applicable Data Privacy Laws.
• “Personnel” refers to the employees or other individuals who are in a contractual relationship with the Processor, including employees or other individuals who are in a contractual relationship with the Sub-Processor.
• “Privacy Addendum” means the Privacy Addendum set forth at www.foodtecsolutions.com/privacyaddendum/ as it may be updated by FoodTec from time to time.
• “Processing” means actions performed by the Processor on the Personal Data whether by automated means or not, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
• “Processing Services” means any Processing of Personal Data ancillary to the FoodTec Products or Support Services provided by the Processor pursuant to the T&Cs and each Sales Contract or other FoodTec Agreements as they may apply, but specifically excluding any collection, processing, storage, use or disposition of Personal Data by either Client or Third Parties engaged by it.
• “Subprocessor” or “Subcontractor” refers to any third party appointed by the Processor to assist in fulfilling its obligations in providing Processing Services to the Controller.
2. Purpose. The purpose of this DPA is to define the conditions under which the Processor shall process Personal Data on behalf of the Controller.
3. Compliance with Laws. The Processor warrants that any Processing activities performed on behalf of the Controller will be conducted consistent with those applicable Data Privacy Laws as to which Controller provides instructions. The Processor must notify the Controller in writing without undue delay if it is no longer able to meet its obligations under applicable Data Privacy Laws.
The Controller has sole responsibility for the quality and accuracy of the Personal Data and how it acquired such data. The Controller is also responsible for complying with transparency and consent requirements for the collection, use, and transfer of the Personal Data under applicable Data Privacy Laws. The Controller will promptly advise Controller of any activities, including its engagement of one or more Third Parties to provide services that conflict with the anticipated use of FoodTec Products in keeping with the Data Privacy Addendum (by way of illustration alone, sale of Personal Data, transfer of Personal Data to restaurants that are commonly owned).
4. Ownership of Data. As between the Parties, all Personal Data processed by the Processor in performing the Services shall remain the property of the Controller.
5. Duration of Processing. Processing obligations under this DPA will begin on the Effective Date and conclude upon the expiration or termination of the last Sales Contract or other FoodTec Agreement between the Parties.
6. Types of Data. The Processor will process the categories of Personal Data provided by the Controller as set forth in the Privacy Addendum.
7. Instructions for Processing. The Processor shall only process Personal Data in accordance with this DPA, including specific instructions set forth in Schedule 1, except where otherwise required by applicable law (and in such a case, shall inform the Controller of that legal requirement before processing, unless applicable law prevents it from doing so on important grounds of public interest). The Processor shall immediately inform the Controller if any instruction relating to the Personal Data infringes or may infringe any Data Privacy Laws.
8. Data Subject’s Rights. The Processor shall promptly notify the Controller of any requests from a Data Subject to exercise their rights under applicable Data Privacy Laws and shall assist the Controller in responding to a Data Subject’s request as provided in the processing instructions, Schedule 1. The Controller shall promptly notify Processor of any requests that it receives from a Data Subject to exercise their rights under applicable Data Privacy Laws.
9. Confidentiality. Both Parties agree to maintain the confidentiality of Personal Data and not to disclose such data except as expressly permitted under the terms of this Agreement. The Processor shall ensure that all personnel authorized to process Personal Data are subject to binding confidentiality obligations.
10. Data Security. The Controller and Processor shall, at all times, implement and maintain appropriate technical and organizational security measures to ensure a level of security appropriate to the risk to protect the Personal Data against accidental, unauthorized, or unlawful destruction, loss, alteration, disclosure, or access.
11. Breach Notification. Each Party shall promptly notify the other Party of a Breach Event involving the Controller’s data.
12. Limitations on Use. The Processor shall not use or authorize the use of the Personal Data for any purpose other than as called for to implement any Sales Contract or other FoodTec Agreements.
13. Subcontractor Requirements. The Processor may engage a Subcontractor (alternatively referred to herein as Subprocessor) to process Personal Data under a written contract.
14. Destruction or Return of Data. The Processor agrees to, at the Controller’s choice, securely delete or return the Personal Data within 30 days upon termination or expiration of the last Sales Contract or FoodTec Agreement to remain in effect between the Parties, except to the extent that storage of any such data is required by applicable law (and, if so, the Processor shall inform the Controller of any such requirement and shall securely delete such data as soon as it is permitted to do so under applicable law).
15. Recordkeeping Obligations. The Processor shall maintain complete, accurate, and up-to-date audit logs of all categories of processing activities involving Personal Data carried out on behalf of the Controller and ensure such records shall include all information:
• Necessary to demonstrate its compliance with this DPA;
• That the Controller may reasonably request from time to time in writing.
Schedule 1. Specific Processing Instructions:
(A) provision of marketing functionality to Client,
(B) submitting Client Data to Messaging Platform Vendors and Telecommunications Carriers to enable delivery of Client Content to those Consumers who have opted-in to Client Messaging,
(C) display of Client Content through a Client’s web site and/or pages served by the FoodTec Solution and viewable by Consumers through Client’s web site,
(D) submission of Consumer orders,
(E) processing of Consumer transactions, including through interaction with Payment Processors,
(F) the fulfillment and delivery of Consumer orders,
(G) in connection with rendering Support Services in the context of a Client request that involves specific transactions, customer surveys,
(G) supporting financial reconciliation and provision of an audit trail,
(H) reporting on the performance of the Licensed Restaurant,
(I) response to a subpoena, regulatory inquiry or to enable compliance with the requirements of Messaging Platform Vendors and Telecommunications Carriers.
Schedule 2. Minimum Technical and Organizational Security Measures.
The Processor shall implement and maintain at least the following technical and organizational security measures to protect the Personal Data:
Access Management
All tech support access to store or enterprise level Client Data that includes Personal Data by Level 1 Service and Support personnel is limited to a specific task assigned by a supervisor.
No access to employee biometric (fingerprint) Personal Data is possible, all such information being stored locally within the store.
Logging; Audit Trail
All access to Client Data is logged, which logs are exportable.
No Intended Storage of Protected Payment Card Data
Personal Data in the nature of payment card data will only be stored if the Client’s employees disregard Processor’s guidance to only conduct transactions with payment cards using EMV devices. If, notwithstanding that guidance, Client employees store magnetic payment card data to the local POS, such data could only be accessed following assignment of a support task by a supervisor employed by Processor and a grant of remote access to the local POS system by a Client employee, at which point only one individual transaction at a time would be viewable, without capacity for bulk export, all of which would be logged.
