Draft — subject to legal review
Data Processing Agreement
This Data Processing Agreement (DPA) is incorporated by reference into the StoveOps Terms of Service and forms part of the agreement between StoveOps and each customer (the restaurant). It reflects the model terms of Article 28(3) GDPR and Article 39 LGPD and applies whenever StoveOps processes personal data on the customer’s behalf.
This text is a draft published for transparency and is subject to human legal review before it is relied upon as a signed instrument.
Roles and subject matter
The customer is the controller (or business / equivalent decision-maker) for personal data it submits to StoveOps; StoveOps is the processor (service provider / operator) acting only on the customer’s documented instructions. The subject matter is the provision of the StoveOps restaurant-operations service.
Duration
This DPA applies for the term of the agreement and for as long as StoveOps processes personal data on the customer’s behalf, including any wind-down period required for return or deletion.
Nature and purpose of processing
StoveOps processes personal data to provide waitlist, guest messaging, digital menu/site, marketing-workflow, analytics, billing and support features, and to keep the service secure and reliable.
Categories of data and data subjects
Data subjects include restaurant operators and staff, website visitors and restaurant guests. Categories include contact details, account and billing data, restaurant content, guest data (name, contact, party size, status, notes the restaurant chooses to store) and messaging metadata. The customer must not submit special-category data except as disclosed to and lawful for the guest.
Processor obligations
StoveOps processes personal data only on the customer’s documented instructions (including this DPA and the product configuration), ensures persons authorized to process are bound by confidentiality, and does not sell personal data or use it for its own purposes outside the agreement.
Subprocessors
The customer authorizes StoveOps to engage the subprocessors below to deliver the service. StoveOps imposes data-protection terms on each and remains responsible for their performance. We will give notice of intended changes so the customer may object.
- Cloudflare — application hosting, edge network, CAPTCHA and storage.
- Neon — managed PostgreSQL database hosting.
- Resend — transactional email delivery.
- sent.dm — SMS and WhatsApp message delivery.
- Stripe — subscription billing and payment processing.
- Grafana stack (self-hosted by StoveOps) — logs, traces and product telemetry.
Security
StoveOps maintains administrative, technical and organizational measures appropriate to the risk, including access controls, least-privilege permissions, encrypted transport, audit logging and provider review, consistent with the Security section of the Privacy Policy.
Assistance with data subject requests
Taking into account the nature of the processing, StoveOps assists the customer with appropriate measures to respond to data-subject (DSAR) requests — access, correction, deletion, portability, objection and restriction — including the in-product erasure tooling, within the timelines stated in the Privacy Policy.
Personal data breach notification
StoveOps notifies the customer without undue delay after becoming aware of a personal data breach affecting the customer’s data, with the information the customer reasonably needs to meet its own notification obligations.
International transfers
Where personal data is transferred across borders (for example to the United States), StoveOps relies on recognized transfer mechanisms such as the EU Standard Contractual Clauses (SCCs) and equivalent safeguards under other applicable laws.
Return and deletion
On termination, and at the customer’s choice, StoveOps returns or deletes personal data processed on the customer’s behalf, subject to limited retention required by law or for backup/security logs, which then expire on their normal cycle. Guest-offboarding deletion runs automatically after the contractual relationship ends.
Audits and contact
StoveOps makes available the information necessary to demonstrate compliance with this DPA and supports reasonable audits. Questions and requests under this DPA can be sent to contact@stoveops.com.