Data Processing Agreement.
This DPA describes how Fooodo processes personal data on behalf of the restaurant operator (the controller). It expands Sutartis §7 and supplements the Service Agreement with the Article 28 GDPR specifics.
Version 1.0 · Effective 2026-04-27
1. Roles
Under EU GDPR (Regulation 2016/679):
- Controller — the restaurant operator (Customer) identified in the Service Agreement.
- Processor — Foodo LT, UAB (legal entity code 306262368), Rinktinės g. 5-101, LT-09234 Vilnius, Lithuania.
The Controller determines the purposes and means of processing. Fooodo processes personal data only on the Controller's documented instructions, as set out in the Service Agreement and this DPA.
2. Subject matter and duration
The processing covered by this DPA is what is necessary to provide the Fooodo electronic-menu and ordering service. The duration is the term of the Service Agreement, plus the post-termination export and deletion windows described below.
3. Nature and purpose of processing
Fooodo processes personal data to:
- Display menus, take orders, route orders to the connected POS, process payments through third-party providers, and reconcile the result.
- Provide the admin panel that restaurant staff use to manage menus, tables, and orders.
- Meet contractual obligations to the Controller (incident response, support, data export on termination).
- Secure the platform (rate limiting, abuse detection, audit logging).
4. Categories of data subjects
- Restaurant guests placing orders through the electronic menu.
- Restaurant staff using the admin panel.
5. Categories of personal data
For restaurant guests:
- Order details (items, modifiers, quantities, prices, table number, timestamps).
- Payment metadata (method, status, transaction reference). Card data is held only by the payment provider (Mollie); Fooodo does not see it.
- Optional contact details where the flow asks for them (name, email for receipt, etc.).
- Technical data (IP address, device/browser, language).
For restaurant staff:
- Account identifiers (email, name, role).
- Authentication data (password hashes, session tokens).
- Audit logs of administrative actions.
Special categories of data (Article 9 GDPR) are not processed.
6. Processor obligations (Article 28 GDPR)
Fooodo undertakes to:
- Process personal data only on the Controller's documented instructions, including with regard to transfers, unless required by EU or Lithuanian law (in which case Fooodo will inform the Controller of that requirement before processing, unless that law prohibits such information on important grounds of public interest).
- Ensure that persons authorised to process personal data are bound by confidentiality obligations.
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (Section 9).
- Engage sub-processors only under the conditions in Section 7.
- Assist the Controller in fulfilling its obligation to respond to data-subject rights requests (Articles 15–22 GDPR), taking into account the nature of the processing.
- Assist the Controller in ensuring compliance with Articles 32–36 GDPR (security, breach notification, DPIAs, prior consultation), taking into account the nature of processing and the information available.
- At the Controller's choice, delete or return all personal data after the end of the provision of services, and delete existing copies, unless EU or Lithuanian law requires retention.
- Make available to the Controller all information necessary to demonstrate compliance with Article 28 obligations and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
7. Sub-processors
The Controller authorises Fooodo to engage sub-processors necessary to provide the Services. Current sub-processors include:
- Vercel Inc. — hosting of the marketing website and the Fooodo customer-facing application.
- Mollie B.V. — payment processing (PCI scope).
- R-Keeper (operated by the Controller's chosen R-Keeper partner) — POS integration. The Controller has its own direct relationship with R-Keeper.
- Anthropic, PBC — AI Ask widget on the marketing website (does not process customer or staff personal data; only public website visitor questions about Fooodo).
- Cloud infrastructure providers hosting the menu app, payment service, and supporting systems (PostgreSQL, Redis, monitoring, backups). Specific providers are listed on request.
Fooodo will inform the Controller of any intended changes to sub-processors with at least 30 days' notice, giving the Controller the opportunity to object on reasonable data-protection grounds. If the Controller objects and the parties cannot agree on an alternative, the Controller may terminate the affected Services without penalty.
Fooodo flows down equivalent data-protection obligations to its sub-processors and remains liable to the Controller for the performance of those obligations.
8. International transfers
Personal data is processed in the European Economic Area where possible. Where transfers to third countries are necessary (for example, to a US-based sub-processor), Fooodo relies on appropriate safeguards under Articles 44–46 GDPR, including European Commission-approved Standard Contractual Clauses (SCCs) and, where applicable, supplementary measures such as encryption.
9. Security measures (Article 32 GDPR)
Fooodo maintains appropriate technical and organisational measures, including:
- Encryption. TLS 1.2+ in transit; encrypted storage at rest for databases and backups.
- Access control. Role-based access; least privilege; multi-factor authentication for production systems.
- Network security. Firewalls, segregation of production and non-production environments, restricted SSH/admin access.
- Monitoring and logging. Centralised application logs, error tracking (Flareapp), audit logs of administrative actions, alerting on security-relevant events.
- Backups. Regular automated backups with tested restoration procedures.
- Vulnerability management. Dependency monitoring, prompt patching of critical vulnerabilities, security review on code changes.
- Personnel. Confidentiality obligations, data-protection awareness, restricted access on a need-to-know basis.
- Sub-processor diligence. Contractual data protection terms and SCCs where required.
Specific control documentation (security whitepaper, penetration test summaries) is available to Controllers under NDA on request.
10. Personal data breaches
Fooodo will notify the Controller without undue delay after becoming aware of a personal data breach, providing at least:
- the nature of the breach, including (where possible) the categories and approximate number of data subjects and records affected;
- likely consequences;
- measures taken or proposed to address the breach and mitigate its effects.
Fooodo will assist the Controller in meeting its own breach notification obligations to supervisory authorities (Article 33) and, where required, to data subjects (Article 34).
11. Data subject requests
If a data subject contacts Fooodo directly with a rights request relating to processing covered by this DPA, Fooodo will forward the request to the Controller without undue delay and will not respond to the request itself, except to acknowledge receipt and confirm that the request has been forwarded. Fooodo will assist the Controller in responding to the request.
12. Audits
On the Controller's reasonable request and at the Controller's cost, Fooodo will make available information necessary to demonstrate compliance with this DPA and with Article 28 GDPR. The Controller may, no more than once per year (and additionally following a confirmed breach), audit Fooodo or appoint an independent auditor (subject to confidentiality undertakings) to do so. Audits are conducted with reasonable advance notice during normal business hours and in a manner that does not unreasonably disrupt operations.
13. Return and deletion
On termination of the Service Agreement, Fooodo will, at the Controller's choice and request:
- provide a standard export of the Controller's data (menu and order history) in CSV, XLSX, or comparable machine-readable format within 14 calendar days; and/or
- irreversibly delete all Controller personal data from production systems after a 30-day grace period from termination.
Backups containing the data are subject to the standard backup rotation and are deleted at the end of their normal retention cycle.
14. Liability
Liability under this DPA is governed by the Service Agreement (Sutartis §6), subject to mandatory provisions of applicable data-protection law. Each party remains liable to data subjects and supervisory authorities for its own data-protection infringements as required by GDPR.
15. Governing law and disputes
This DPA is governed by the laws of the Republic of Lithuania. Disputes are resolved in accordance with the Service Agreement.
Need a signed copy? If you require a separately signed DPA (for example, for your own audit trail or to attach to the Service Agreement), write to dpo@fooodo.com and we will arrange one.