Data Processing Agreement

Last update: June 16th 2026

In this article
  1. Background for the Data Processing Agreement
  2. The data controller’s obligations and rights
  3. The data processor acts according to instructions
  4. Confidentiality
  5. Security of processing
  6. Use of sub-processors
  7. Transfer of data to third countries or international organizations
  8. Assistance to the data controller
  9. Notification of a personal data breach
  10. Deleting and returning data
  11. Supervision and audit
  12. Entry into force and termination
  13. Contact
  14. Appendix A – Guest and customer information
  15. Appendix B – Sub-processors
  16. Appendix C – Instructions for processing personal data

This document is currently only available in English. Please write us at hi@resos.com if there is anything you do not understand or need translated to your native language.

This Data Processing Agreement applies to restaurants using Resos available at resos.com, app.resos.com and the Resos native mobile apps for iOS and Android.

In the following, Resos ApS, Resos, our website domains and apps are referred to solely as “Resos”.

Data controller: the restaurant or user of Resos.

Data processor: Resos ApS, CVR DK39377187, Vesterbrogade 74, 1620 Copenhagen V, Denmark.

Background for the Data Processing Agreement

  • This agreement sets out the rights and obligations that apply when the data processor handles personal data on behalf of the data controller.
  • The agreement is designed for the parties to comply with Article 28(3) of Regulation (EU) 2016/679 (the General Data Protection Regulation, “GDPR”), which sets specific requirements for the content of a data processing agreement.
  • The data processor’s processing of personal data is done in order to fulfill the parties’ “main agreement”: the data controller’s use of the Resos system, as governed by our Terms & Conditions.
  • The Data Processing Agreement and the “main agreement” are interdependent and cannot be terminated separately. The Data Processing Agreement may, however, without terminating the “main agreement”, be replaced by another valid data processing agreement.
  • This Data Processing Agreement takes precedence over any similar provisions in other agreements between the parties, including the “main agreement”.
  • This agreement has three appendices (A, B and C). The appendices form an integral part of the Data Processing Agreement.
    • Appendix A describes the guest and customer information processed, including the types of personal data and the categories of data subjects.
    • Appendix B sets out the conditions for the data processor’s use of sub-processors and lists the approved sub-processors.
    • Appendix C contains the instructions for processing, the minimum security measures to be observed, and how the data processor and any sub-processors are supervised.
  • The Data Processing Agreement and its supporting documents are stored in writing, including electronically, by both parties.
  • This Data Processing Agreement does not release the data processor from any obligations imposed directly on the data processor under the GDPR or any other law.

The data controller’s obligations and rights

  • The data controller is responsible for the processing of personal data within the scope of the GDPR.
  • The data controller therefore has both the right and the obligation to make decisions about the purposes and the means of processing.
  • The data controller is responsible for ensuring that there is a legal basis for the processing that the data processor is instructed to perform.

The data processor acts according to instructions

  • The data processor may only process personal data according to documented instructions from the data controller, unless required to do so under EU law or the national law of a Member State to which the data processor is subject. In that case, the data processor shall notify the data controller of this legal requirement before processing, unless the law prohibits such notification for reasons of important public interest (Article 28(3)(a) GDPR).
  • The data processor shall immediately inform the data controller if, in the data processor’s opinion, an instruction infringes the GDPR or other EU or Member State data protection provisions.

Confidentiality

  • The data processor ensures that only the persons currently authorized to do so have access to the personal data processed on behalf of the data controller. Access to the data must therefore be closed immediately if the authorization is withdrawn or expires.
  • Only persons authorized to access personal data may process it to fulfill the data processor’s obligations to the data controller.
  • The data processor ensures that the persons authorized to process personal data on behalf of the data controller have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • At the data controller’s request, the data processor shall be able to demonstrate that the relevant employees are subject to the above confidentiality obligation.

Security of processing

  • The data processor implements all measures required under Article 32 GDPR. Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the data processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to those risks.
  • This obligation means the data processor must carry out a risk assessment and then take measures to address the identified risks. Such measures may include, among others:
    • Pseudonymization and encryption of personal data
    • The ability to ensure ongoing confidentiality, integrity, availability and resilience of systems and services
    • The ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident
    • A process for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures
  • In connection with the above, the data processor shall, as a minimum, implement the level of security and the measures specified in Appendix C of this agreement.

Use of sub-processors

  • The data processor shall comply with the conditions set out in Article 28(2) and (4) GDPR in order to use another processor (sub-processor).
  • The data processor may not engage another processor (sub-processor) to fulfill this agreement without the data controller’s prior general written authorization.
  • The data controller hereby grants the data processor general written authorization to engage the sub-processors listed in Appendix B. The data processor shall notify the data controller of any intended changes concerning the addition or replacement of sub-processors, giving the data controller the opportunity to object to such changes.
  • When the data processor engages a sub-processor, the data processor shall impose on that sub-processor, through a contract or other legal act, the same data protection obligations as those set out in this agreement, in particular providing sufficient guarantees to implement appropriate technical and organizational measures so that the processing meets the requirements of the GDPR.
  • Where the sub-processor fails to fulfill its data protection obligations, the data processor remains fully liable to the data controller for the performance of that sub-processor’s obligations.

Transfer of data to third countries or international organizations

  • The data processor may only process personal data, including transferring it to third countries or international organizations, on documented instructions from the data controller, unless required to do so under EU or Member State law (Article 28(3)(a) GDPR).
  • Where a sub-processor is located outside the EU/EEA, any transfer of personal data takes place under an appropriate transfer mechanism recognized under Chapter V GDPR, namely an adequacy decision (including the European Commission’s adequacy decision for the United Kingdom, and the EU-U.S. Data Privacy Framework where the sub-processor is certified) or the European Commission’s Standard Contractual Clauses, supplemented by additional safeguards where required.
  • The data controller’s instruction or approval regarding transfers to third countries is set out in Appendix B (sub-processor locations) and Appendix C.

Assistance to the data controller

  • Taking into account the nature of the processing, the data processor shall, insofar as possible, assist the data controller with appropriate technical and organizational measures in fulfilling the data controller’s obligation to respond to requests from data subjects exercising their rights under Chapter 3 of the GDPR, including:
    • the obligation to inform when collecting personal data
    • the data subject’s right of access
    • the right to rectification
    • the right to erasure (“the right to be forgotten”)
    • the right to restriction of processing
    • the notification obligation regarding rectification, erasure or restriction
    • the right to data portability
    • the right to object
    • the right not to be subject to a decision based solely on automated processing, including profiling
  • The data processor shall assist the data controller in ensuring compliance with the data controller’s obligations under Articles 32–36 GDPR, taking into account the nature of processing and the information available to the data processor, including:
    • implementing appropriate technical and organizational measures to ensure an appropriate level of security
    • reporting a personal data breach to the supervisory authority (the Danish Data Protection Agency) without undue delay and, where feasible, within 72 hours
    • communicating a personal data breach to the data subject without undue delay where the breach is likely to result in a high risk
    • carrying out a data protection impact assessment where processing is likely to result in a high risk
    • consulting the supervisory authority prior to processing where a data protection impact assessment indicates a high risk absent mitigating measures

Notification of a personal data breach

  • The data processor shall notify the data controller without undue delay after becoming aware of a personal data breach at the data processor or any sub-processor. Where feasible, the data processor’s notification shall be made within 36 hours of becoming aware of the breach, so that the data controller is able to comply with its obligation to notify the supervisory authority within 72 hours.
  • The data processor shall assist the data controller in notifying the breach to the supervisory authority, which may mean helping to provide the following information, as set out in Article 33(3) GDPR:
    • the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects and personal data records concerned
    • the likely consequences of the breach
    • the measures taken or proposed to address the breach, including, where appropriate, measures to mitigate its possible adverse effects

Deleting and returning data

  • Upon termination of the processing services, the data processor shall, at the data controller’s choice, delete or return all personal data to the data controller and delete existing copies, unless EU or Member State law requires retention of the personal data.

Supervision and audit

  • The data processor shall make available to the data controller all information necessary to demonstrate compliance with Article 28 GDPR and this agreement, and shall allow for and contribute to audits, including inspections, conducted by the data controller or another auditor mandated by the data controller.
  • The data controller’s supervision of any sub-processor is carried out via the data processor. The detailed procedure is set out in Appendix C.

Entry into force and termination

  • This agreement enters into force when the data controller accepts it, including by accepting the Resos Terms & Conditions or by electronic acceptance within the Resos system.
  • The agreement may be renegotiated by either party if changes in the law or inconsistencies in the agreement give rise to it.
  • Regardless of the termination of the “main agreement” and/or this Data Processing Agreement, this agreement remains in force until the processing ceases and the data processor and any sub-processors have deleted the data.

Contact

The parties may contact each other through their registered contact details. For any data protection matter, contact Resos at hi@resos.com.

Resos ApS, CVR: DK39377187, Vesterbrogade 74, 1620 Copenhagen V, Denmark

Appendix A – Guest and customer information

The purpose of the data processor’s processing of personal data on behalf of the data controller is:

  • To provide the platform that restaurants use for:
    • Guest and customer registration and profiling
    • Feedback from guests
    • Table booking and management
    • Ordering and delivery of food
    • Communication between the restaurant and the guest
    • Other data for systems related to running and marketing restaurants

The nature of the processing:

Resos serves as a system used by individual restaurants for registering and managing guests and table reservations (bookings). The system also builds a database of previous guests and bookings, used for statistical purposes and to improve the service provided to returning guests.

The processing includes the following types of personal data:

  • Name
  • Contact information (e-mail address, phone number)
  • Allergies and food, drink and similar preferences

The categories of data subjects:

  • Persons who have created a user login/profile on Resos
  • Persons and companies who have created or claimed a restaurant account/profile and/or use Resos to market the restaurant, manage bookings, etc.
  • Persons who have made a restaurant reservation or reservation request (booking) through a Resos partner or using the restaurant’s booking form/page/widget

Duration: The processing is not limited in time and continues until the agreement is terminated by one of the parties.

Appendix B – Sub-processors

Conditions for the use of sub-processors

The data controller grants the data processor general authorization to use sub-processors. The data processor shall notify the data controller of any intended addition or replacement of a sub-processor at least 2 months before it takes effect, giving the data controller the opportunity to object. If the data controller objects, it must notify the data processor within 1 month of receiving the notification, and may only object on reasonable, concrete grounds.

Approved sub-processors

Sub-processor | Purpose | Location / transfer basis
Stripe Payments Europe, Ltd. | Processing and storing subscription and payment information | EU (Ireland); onward US transfers under DPF/SCCs
Twilio Ireland Limited | Sending SMS messages and notifications to guests/users | EU (Ireland); onward US transfers under DPF/SCCs
MongoDB, Inc. (MongoDB Atlas) | Application database hosting (guest and booking data) | EU (Ireland), hosted on AWS eu-west-1; no third-country transfer
Amazon Web Services (AWS) | Cloud infrastructure underlying the MongoDB Atlas database and the Resos 3.0 (kitchen) backend | EU (Ireland, eu-west-1)
DigitalOcean, LLC | Application compute and hosting for the current app backend (app.resos.com) | UK (London); covered by the EU’s adequacy decision for the United Kingdom
Cloudflare, Inc. | Hosting, CDN and edge delivery of the website and services | US; transfers under DPF/SCCs
Customer.io (Peaberry Software, Inc.) | Lifecycle and marketing e-mail | US; transfers under DPF/SCCs
Help Scout, Inc. | Customer support and communication | US; transfers under DPF/SCCs
Mailgun (Sinch) | Transactional e-mail delivery | EU region
Visma e-conomic A/S | Accounting and invoicing | EU (Denmark), CVR DK29403473

The data processor does not transfer personal data to insecure third countries; where transfers outside the EU/EEA occur, they take place under the safeguards described in the “Transfer of data to third countries” section above.

Appendix C – Instructions for processing personal data

Subject of the instructions

The data processor processes personal data on behalf of the data controller by providing a system that the data controller uses for the management and registration of reservations, guest data and preferences, communication with guests, and related purposes.

Security of processing

The security level reflects that the processing involves a large amount of general personal data covered by Article 6 GDPR and, in some cases, special categories of personal data covered by Article 9 GDPR (e.g. allergy information). An appropriate level of security is established accordingly.

As a minimum, the data processor implements the following measures:

  • Pseudonymization is used for statistics.
  • Resos employees are subject to confidentiality and privacy obligations, which form part of Resos’ personal data policy.
  • Resos has entered into data processing agreements with its sub-processors.
  • In the event of a physical or technical incident, Resos can restore the availability of and access to personal data in a timely manner through back-ups.
  • The effectiveness of the technical and organizational measures is tested regularly, in collaboration with Resos’ sub-processors.
  • Personal data is stored centrally and protected; data minimization and limitation of access to both general and special categories of personal data is observed.
  • Physical security of equipment and of the locations where personal data is processed.
  • When working remotely, devices are secured with a personal password.

Storage period / erasure routine

Personal data is stored by the data processor until the data controller requests that it be deleted or returned.

Transfers to third countries

Transfers of personal data to a third country take place, where applicable, under the safeguards required by Chapter V GDPR.

Supervision

The data controller, or a representative of the data controller, has access to supervise the data processor, including physical inspection, where the data controller assesses a need for it. The data controller bears its own costs in connection with physical supervision; the data processor shall allocate the resources (primarily time) necessary for the data controller to carry out its supervision.
