Data Processing Agreement
Last updated: June 17, 2026
Parties
"Upvendo" in this Data Processing Agreement ("DPA") refers to the legal entity that contracts with Customer, determined by Customer's place of establishment:
- Upvendo BV (the "EU Entity"), a company organised under the laws of Belgium with registered office at Kalvekeetdijk 179, 8300 Knokke-Heist, Belgium, is the contracting party for Customers established in the European Economic Area, the United Kingdom or Switzerland.
- Upvendo, Inc. (the "US Entity"), a Delaware corporation with registered office at 300 Delaware Avenue, Suite 210, Wilmington, DE 19801, United States, is the contracting party for Customers established in the United States.
- For Customers established elsewhere, the EU Entity is the contracting party unless otherwise agreed in writing.
Each is referred to as "Upvendo" or the "Processor" in this DPA according to which entity contracts with Customer.
Scope
This DPA forms part of the agreement between Upvendo and the customer ("Customer", "Controller") that subscribes to Upvendo's services (the "Services"). It governs the processing of personal data by Upvendo on behalf of Customer in connection with the Services and forms an integral part of the master services agreement between the parties (the "Agreement").
By accepting the Agreement, Customer accepts this DPA. Where the Customer is established in the European Economic Area, the United Kingdom or Switzerland, this DPA applies automatically. Where Customer is established elsewhere, this DPA applies to the extent Upvendo processes personal data subject to the EU General Data Protection Regulation 2016/679 ("GDPR") or equivalent law.
1. Definitions
Terms used in this DPA have the meaning given to them in the GDPR. Without limiting that:
- "Personal Data" means any information relating to an identified or identifiable natural person.
- "Processing" has the meaning given in Article 4(2) GDPR.
- "Controller", "Processor" and "Sub-processor" have the meaning given in Article 4 GDPR.
- "Data Subject" means the natural person to whom Personal Data relates.
- "Personal Data Breach" has the meaning given in Article 4(12) GDPR.
- "SCCs" means the Standard Contractual Clauses adopted by the European Commission in Implementing Decision (EU) 2021/914 of 4 June 2021.
2. Subject Matter and Duration
Upvendo will process Personal Data on behalf of Customer for the duration of the Agreement and as necessary to provide the Services. Upon termination of the Agreement, the obligations in this DPA continue for as long as Upvendo retains any Personal Data of Customer.
The subject matter, nature, purpose, types of Personal Data and categories of Data Subjects are set out in Annex A.
3. Roles of the Parties
For all Personal Data processed under the Agreement, Customer is the Controller and Upvendo is the Processor. Customer determines the purposes and means of processing; Upvendo processes Personal Data only on Customer's documented instructions, which include the Agreement, this DPA, and any subsequent written instructions from Customer.
Upvendo will inform Customer without undue delay if Upvendo believes that an instruction infringes applicable data-protection law.
4. Processor Obligations
Upvendo will:
- process Personal Data only on Customer's documented instructions, including with regard to international transfers, unless required to do so by EU or Member State law to which Upvendo is subject. In such a case, Upvendo will inform Customer of that legal requirement before processing, unless the law prohibits this on important grounds of public interest;
- ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- take all measures required pursuant to Article 32 GDPR (security of processing), as further described in Annex C;
- respect the conditions referred to in Article 28(2) and (4) GDPR for engaging another processor (Sub-processor), as further described in Clause 6;
- assist Customer, taking into account the nature of the processing and the information available to Upvendo, in fulfilling Customer's obligations to respond to requests for the exercise of Data Subject rights under Chapter III GDPR, by appropriate technical and organisational measures, insofar as this is possible;
- assist Customer in ensuring compliance with Articles 32 to 36 GDPR, including in connection with security of processing, notification of Personal Data Breaches, communication of Personal Data Breaches to Data Subjects, data protection impact assessments and prior consultation with supervisory authorities;
- at Customer's choice, delete or return all the Personal Data to Customer after the end of the provision of services relating to processing, and delete existing copies unless EU or Member State law requires storage (see Clause 11); and
- make available to Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer (see Clause 10).
5. Confidentiality
Upvendo will keep all Personal Data strictly confidential. Upvendo will ensure that any persons authorised to process Personal Data:
- access Personal Data on a need-to-know basis,
- have undertaken to confidentiality or are under a statutory obligation of confidentiality, and
- receive training on the proper handling of Personal Data and on Upvendo's security policies.
Confidentiality obligations survive the termination of the Agreement.
6. Sub-processors
Customer grants Upvendo a general written authorisation to engage Sub-processors to process Personal Data on Customer's behalf in connection with the Services. The current list of Sub-processors is set out in Annex B.
Upvendo will:
- enter into a written agreement with each Sub-processor that imposes data-protection obligations no less protective than those imposed on Upvendo under this DPA, in line with Article 28(4) GDPR;
- remain fully liable to Customer for the performance of each Sub-processor's obligations;
- notify Customer at least thirty (30) days in advance of any intended addition or replacement of a Sub-processor, including its identity and the purpose for which it processes Personal Data; and
- give Customer the opportunity to object to the appointment of a new Sub-processor on reasonable data-protection grounds within fifteen (15) days of notification. If Customer reasonably objects and the objection cannot be resolved, either party may terminate the affected Services with pro-rata refund of any prepaid but unused fees.
7. International Data Transfers
Personal Data may be transferred to and processed in countries outside the European Economic Area where Upvendo or its Sub-processors have operations, including the United States. Such transfers will only be made where one of the following lawful transfer mechanisms applies:
- The receiving country has been the subject of an adequacy decision by the European Commission under Article 45 GDPR.
- The parties have entered into the Standard Contractual Clauses (Module Two: Controller to Processor) adopted by the European Commission in Implementing Decision (EU) 2021/914 of 4 June 2021, which are incorporated by reference into this DPA. The parties select Option 1 of Clause 17 (governing law: Belgian law) and Clause 18 (jurisdiction: courts of Brussels, Belgium).
- Another lawful transfer mechanism recognised under GDPR.
For transfers to the United Kingdom, the parties incorporate the UK International Data Transfer Addendum to the SCCs. For transfers to Switzerland, the parties incorporate the Swiss FADP supplementary clauses.
Upvendo will, where required by applicable law, conduct a transfer impact assessment and implement supplementary measures (such as encryption in transit and at rest, access controls, and procedures for reviewing and, where lawfully possible, challenging government access requests).
8. Data Subject Rights
Upvendo will assist Customer, by appropriate technical and organisational measures and insofar as possible, in fulfilling Customer's obligation to respond to Data Subject requests under Chapter III GDPR (rights of access, rectification, erasure, restriction of processing, data portability, objection and rights related to automated individual decision-making).
If Upvendo receives a Data Subject request directly relating to Personal Data processed on Customer's behalf, Upvendo will:
- promptly inform Customer of the request and not respond directly unless authorised by Customer or required by law; and
- assist Customer, at Customer's reasonable request, in responding to the request within the timeframes required by GDPR.
Upvendo may charge Customer a reasonable fee for assistance going substantially beyond what is provided through the standard Services interface.
9. Personal Data Breach Notification
Upvendo will notify Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Customer's Personal Data. The notification will:
- describe the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and Personal Data records concerned;
- communicate the name and contact details of Upvendo's data protection contact;
- describe the likely consequences of the Personal Data Breach; and
- describe the measures taken or proposed to be taken by Upvendo to address the Personal Data Breach, including measures to mitigate its possible adverse effects.
Where, and insofar as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
10. Audit Rights
Upon Customer's reasonable request and no more than once per year (unless required by a competent supervisory authority or following a Personal Data Breach), Upvendo will make available to Customer all information necessary to demonstrate compliance with this DPA and the obligations laid down in Article 28 GDPR. This information includes the latest available third-party audit reports (where applicable), Upvendo's information security policies in summary form, and answers to reasonable security questionnaires.
Customer may, at its own cost and at reasonable intervals, request an on-site audit of Upvendo's relevant facilities. On-site audits must:
- be requested in writing at least thirty (30) days in advance;
- be conducted during normal business hours and in a manner that does not unreasonably interfere with Upvendo's operations;
- be subject to a non-disclosure agreement on terms reasonably acceptable to Upvendo;
- be limited to information strictly necessary to verify compliance with this DPA; and
- not access other customers' data or Upvendo's trade secrets.
Upvendo may satisfy the audit obligation by providing existing third-party audit reports (such as ISO 27001 or SOC 2 reports, once available) covering the relevant control areas, in lieu of an on-site audit.
11. Return and Deletion of Personal Data
At Customer's choice, Upvendo will, upon termination or expiry of the Agreement:
- return all Personal Data to Customer in a structured, commonly used and machine-readable format; or
- delete all Personal Data and delete existing copies,
unless EU or Member State law requires storage of the Personal Data. In such a case, Upvendo will inform Customer of the legal basis and continue to protect the Personal Data in accordance with this DPA.
Customer may request return or deletion within thirty (30) days of termination. After that period, Upvendo will delete Personal Data in accordance with its standard retention schedule.
Upon Customer's request, Upvendo will certify to Customer in writing that the Personal Data has been deleted.
12. Liability and Final Provisions
Each party's liability arising out of or in connection with this DPA is subject to the limitations of liability set out in the Agreement.
If any provision of this DPA is invalid or unenforceable, the remainder of the DPA remains in effect. In the event of a conflict between this DPA and the Agreement, this DPA prevails to the extent of the conflict and only in respect of data-protection matters.
Governing law and jurisdiction follow the contracting Upvendo entity identified in the Parties section above:
- Where the EU Entity (Upvendo BV) is the contracting Processor, this DPA is governed by the law of Belgium and the courts of Brussels, Belgium have exclusive jurisdiction to hear and decide any dispute arising out of or in connection with this DPA.
- Where the US Entity (Upvendo, Inc.) is the contracting Processor, this DPA is governed by the laws of the State of Delaware, United States, and the state or federal courts located in the District of Delaware have exclusive jurisdiction.
The above is without prejudice to any mandatory jurisdiction under applicable consumer-protection or data-protection law.
Annex A: Processing Details
Subject matter of the processing: Upvendo's provision of self-ordering kiosk, online-ordering and QR-ordering software to Customer, including the integrations between Upvendo and Customer's point-of-sale (POS) system.
Duration of the processing: For the duration of the Agreement, plus the retention periods set out in this DPA and the Privacy Notice.
Nature and purpose of the processing: To enable Customer's end-users (consumers) to place orders at Customer's venue; to relay those orders to Customer's POS system; to provide Customer with operational analytics; and to enable Upvendo to maintain, support and improve the Services.
Types of Personal Data processed:
- End-user order data (items ordered, modifiers, price, time of order)
- End-user contact information where provided (email or phone for order confirmation, loyalty linkage)
- End-user payment references (transaction IDs, last four digits of card, payment method — never raw card numbers, which are processed by Stripe under Stripe's own controllership)
- Customer's staff account data (name, business email, role)
- Customer's business contact data (name, email, phone, billing address)
- Technical data necessary for service delivery (IP address, browser fingerprint, device identifiers)
Categories of Data Subjects:
- Customer's end-user customers (consumers who place orders)
- Customer's staff (operators, managers, accountants)
- Customer's authorised representatives
Special categories of Personal Data: None processed by Upvendo by design. Upvendo does not solicit allergen information, dietary preferences or any other Article 9 GDPR special-category data from end-users in a manner that creates Personal Data about identifiable individuals.
Annex B: List of Sub-processors
Upvendo engages the following Sub-processors to provide the Services. The list is current as of the last-updated date of this DPA. Customer may request the most recent list at any time from privacy@upvendo.com.
| Sub-processor | Service provided | Location | Transfer mechanism |
|---|---|---|---|
| Cloudflare, Inc. (and Cloudflare Ireland Ltd) | Hosting, edge compute, D1 database, CDN, WAF, DDoS protection | Global edge network with Customer data primarily served from EU edge nodes | EU SCCs (Module 2) for non-EEA processing, plus Cloudflare's DPA addendum |
| Stripe Payments Europe Ltd (and Stripe, Inc.) | Payment processing for self-serve checkout (.com only) | Ireland and United States | EU SCCs (Module 2) plus Stripe's DPA |
| GitHub, Inc. | Source-code hosting and CI (no end-user Personal Data) | United States | EU SCCs for any limited Personal Data of Customer's staff incidentally processed via support tickets |
For Sub-processors used in connection with optional features (analytics integrations, marketing pixels, email delivery), see the up-to-date list available in the Customer back-office or on request from privacy@upvendo.com. Upvendo notifies Customer at least thirty (30) days in advance of changes to this list, in accordance with Clause 6.
Annex C: Technical and Organisational Measures
Upvendo implements the following technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR. These measures may be updated over time to reflect advances in security practice; updates will not materially reduce the overall level of protection.
1. Access controls (physical and logical)
- Production systems are accessed only by authorised Upvendo personnel using individually attributable accounts.
- Multi-factor authentication is required for all administrative access to production infrastructure.
- Access is granted on a need-to-know basis, reviewed periodically, and revoked promptly upon role change or departure.
- Cloudflare's edge data centres (where Customer data is hosted) operate ISO 27001 and SOC 2 Type II-certified physical security controls.
2. Encryption
- All connections to Upvendo are encrypted in transit using TLS 1.3 (HTTPS).
- Personal Data at rest in Cloudflare D1 is encrypted by Cloudflare with AES-256.
- Internal service-to-service traffic on Cloudflare's network is encrypted automatically.
- Secrets (API keys, database credentials, payment tokens) are stored in Cloudflare Workers Secrets and never appear in source code.
3. Pseudonymisation
- Where technically feasible without impairing the Services, Upvendo applies pseudonymisation to Personal Data, particularly for analytics and operational reporting.
4. Confidentiality, integrity, availability and resilience
- Production data is logically isolated per customer tenant: every database query is scoped to the tenant identifier of the Customer whose data it reads or writes.
- Cloudflare D1 supports point-in-time recovery; Upvendo's content collections are also version-controlled in source-code repositories.
- Cloudflare's edge network provides DDoS protection, Web Application Firewall (WAF) and bot management for every request that reaches Upvendo.
5. Recovery procedures
- Backups are retained according to the standard retention schedule.
- Documented recovery procedures are tested at least annually.
- Recovery time objectives (RTOs) and recovery point objectives (RPOs) are defined and reviewed quarterly.
6. Regular testing, assessment and evaluation
- Code review by a second engineer is mandatory before any change reaches production.
- Automated dependency vulnerability scanning runs on every commit.
- Static analysis (ESLint, TypeScript) runs on every commit.
- The threat model is reviewed at least annually.
7. Personnel security
- All Upvendo personnel sign confidentiality undertakings on commencement of employment.
- Background checks are conducted where lawful and proportionate.
- Security awareness training is provided on commencement and at least annually thereafter.
8. Incident management
- Documented incident-response procedures cover detection, containment, eradication, recovery and post-incident review.
- Personal Data Breach notification to Customer is provided within seventy-two (72) hours of awareness, in accordance with Clause 9.
- Security disclosure reports are handled in accordance with the responsible-disclosure policy published at /legal/security/.
9. Sub-processor security
- Sub-processors are subject to written data-protection obligations no less protective than this DPA.
- Sub-processor security posture is evaluated before onboarding and reviewed periodically.
10. Compliance and certifications
- Upvendo is mapping its controls against the ISO 27001:2022 framework, with a target of being certification-ready in 2027.
- SOC 2 Type II is on Upvendo's roadmap, with a public statement to follow once a scope and audit timeline are committed.
- Cloudflare and Stripe, the principal Sub-processors, hold the certifications listed at their respective trust centres.
For any question relating to this DPA or to request a signed copy for enterprise procurement, contact privacy@upvendo.com.