Data Processing Agreement
(pursuant to Article 28 of Regulation (EU) 2016/679 — the "GDPR")
This Agreement forms an integral annex to the Company's B2B Terms of Service.
PARTIES
This Data Processing Agreement (the "DPA") is entered into between:
-
the Business Customer — the natural or legal person that creates an account or uses the Platform under the Terms of Service, with the details declared in its Registration Form / account (the "Controller" or "Customer"); and
-
"Tabb Pay Private Company" (trade name "TabbPay"), G.E.MI. No. 194779301000, VAT No. 803333569, Tax Office ΚΕΦΟΔΕ ΑΤΤΙΚΗΣ, with its seat in the Municipality of Galatsi, Attica, 39 Farron Street, P.C. 11147, email privacy@tabbpay.com (the "Processor", "TabbPay" or the "Company"),
(each a "Party", together the "Parties").
RECITALS
(A) The Company provides the Customer with a software-as-a-service platform for QR-code ordering and payment, together with related functions (staff management, returning-customer recognition, loyalty programmes), as described in the Terms of Service (the "Main Agreement").
(B) In providing those services the Company processes personal data on behalf of and on the instructions of the Customer. In respect of that processing the Customer acts as Controller and the Company as Processor within the meaning of the GDPR.
(C) This DPA governs that processing pursuant to Article 28(3) GDPR and forms an integral part of the Main Agreement. In the event of conflict, this DPA prevails on data-protection matters.
(D) For the avoidance of doubt, in respect of the Customer's own data (account, billing and security data) the Company acts as an independent Controller; that processing is governed by the Company's Privacy Policy and not by this DPA.
The Parties agree as follows:
DEFINITIONS
Capitalised terms not defined below have the meaning given in the GDPR or the Main Agreement.
- "GDPR": Regulation (EU) 2016/679.
- "Data Protection Law": the GDPR, Greek Law 4624/2019, Greek Law 3471/2006 and other applicable national and EU law, together with the decisions and guidance of the Hellenic Data Protection Authority (the "HDPA"), as in force from time to time.
- "Personal Data": the personal data processed by the Company on behalf of the Customer under this DPA, as specified in Annex A.
- "Processing", "Controller", "Processor", "Data Subject", "Personal Data Breach": as defined in Article 4 GDPR.
- "Sub-processor": any third party engaged by the Company to carry out specific processing activities on behalf of the Customer.
- "Platform": the Company's software services (dashboard at
dashboard.tabbpay.com, interfaces atapi.tabbpay.com, guest experience atapp.tabbpay.com, the TabbPay Staff application). - "Guests" / "Staff": the categories of Data Subjects in Annex A.
ARTICLE 1 — SUBJECT MATTER AND ROLES OF THE PARTIES
1.1 This DPA governs the Company's processing of Personal Data on behalf of the Customer under the Main Agreement.
1.2 The Customer is the Controller and determines the purposes and means of processing. The Company is the Processor and acts only on the Customer's instructions.
1.3 Each Party complies with the obligations applicable to it under Data Protection Law.
ARTICLE 2 — DURATION
2.1 This DPA takes effect upon acceptance of the Main Agreement (account creation) or upon signature, whichever occurs first, and remains in force for as long as the Company processes Personal Data on behalf of the Customer.
ARTICLE 3 — SUBJECT MATTER, NATURE AND PURPOSE OF PROCESSING
3.1 The subject matter, duration, nature and purpose of the processing, the types of Personal Data and the categories of Data Subjects are described in Annex A.
3.2 The Company does not process the Personal Data for its own purposes or for purposes other than providing the services under the Main Agreement.
ARTICLE 4 — OBLIGATIONS OF THE CONTROLLER
4.1 The Customer warrants that it has a lawful basis (Articles 6 and, where relevant, 9 GDPR) for each transfer of Personal Data to the Company and for each processing instruction it gives.
4.2 The Customer warrants that it has provided Data Subjects (Guests, Staff) with the required information (Articles 13–14 GDPR) and, where required, has obtained valid consent.
4.3 The Customer's instructions must be lawful. The Customer is responsible for the accuracy, quality and legality of the Personal Data and the means by which it was obtained.
ARTICLE 5 — OBLIGATIONS OF THE PROCESSOR
The Company, in accordance with Article 28(3) GDPR:
5.1 (a) Instructions. Processes the Personal Data only on the Customer's documented instructions — including as regards transfers to a third country — unless required to do so by EU or national law; in that case it informs the Customer before processing, unless that law prohibits it on important grounds of public interest. The Main Agreement and this DPA constitute the Customer's complete documented instructions. If, in the Company's opinion, an instruction infringes Data Protection Law, it informs the Customer without undue delay.
5.2 (b) Confidentiality. Ensures that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
5.3 (c) Security. Takes all measures required under Article 32 GDPR, as described in Annex B.
5.4 (d) Sub-processors. Does not engage a Sub-processor without the Customer's prior general written authorisation, in accordance with Article 7 and Annex C.
5.5 (e) Assistance with rights. Assists the Customer, by appropriate technical and organisational measures, in responding to Data Subject requests (Articles 12–23 GDPR), per Article 9.
5.6 (f) Assistance with compliance. Assists the Customer in ensuring compliance with Articles 32–36 GDPR (security, breach notification, impact assessment, prior consultation), taking into account the nature of processing and the information available to it.
5.7 (g) Return/deletion. On the end of the provision of services, deletes or returns the Personal Data per Article 12.
5.8 (h) Audits. Makes available to the Customer all information necessary to demonstrate compliance and allows for and contributes to audits, per Article 11.
ARTICLE 6 — SECURITY OF PROCESSING
6.1 The Company implements the technical and organisational measures in Annex B, which — taking into account the state of the art, the cost of implementation and the risks — ensure a level of security appropriate to the risk (Article 32 GDPR).
6.2 The Company may update those measures, provided the level of security is not degraded.
ARTICLE 7 — SUB-PROCESSORS
7.1 The Customer gives a general written authorisation for the engagement of Sub-processors. Those approved as at the date of this DPA are listed in Annex C.
7.2 The Company informs the Customer of any intended addition or replacement of a Sub-processor at least fourteen (14) days in advance, giving the Customer the opportunity to object on reasonable, documented data-protection grounds. Where an objection cannot be resolved, the Customer may terminate the affected part of the services.
7.3 The Company imposes on each Sub-processor, by written contract, data-protection obligations at least equivalent to those in this DPA (Article 28(4) GDPR) and remains liable to the Customer for the Sub-processor's performance.
ARTICLE 8 — INTERNATIONAL TRANSFERS
8.1 Personal Data is primarily processed within the European Economic Area (EEA).
8.2 Where a transfer to a third country is necessary (see Annex C), it occurs only where an appropriate safeguard under Article 46 GDPR is in place — in particular the European Commission's Standard Contractual Clauses (Decision 2021/914) — and, where appropriate, supplementary measures.
ARTICLE 9 — ASSISTANCE WITH DATA SUBJECT RIGHTS
9.1 The Company forwards to the Customer, without undue delay, any Data Subject request it receives directly and does not respond to it independently, save on the Customer's instruction.
9.2 The Company provides the Customer with reasonable assistance — using the technical means available in the Platform — so the Customer can respond to access, rectification, erasure, restriction, portability and objection requests within the GDPR's time limits.
ARTICLE 10 — PERSONAL DATA BREACH
10.1 The Company notifies the Customer without undue delay and, where feasible, within forty-eight (48) hours of becoming aware of a Personal Data Breach affecting data it processes on behalf of the Customer.
10.2 The notification includes, so far as possible, the nature of the breach, the categories and approximate number of affected Data Subjects, the likely consequences and the measures taken or proposed. The Company assists the Customer in meeting its obligations under Articles 33 and 34 GDPR. Notification to the HDPA and to Data Subjects is the Customer's responsibility as Controller.
ARTICLE 11 — AUDITS
11.1 The Company makes available to the Customer all information necessary to demonstrate compliance with Article 28 GDPR.
11.2 The Customer may conduct an audit, itself or through a mandated auditor bound by confidentiality, once per year and/or following a documented supervisory-authority request or a Personal Data Breach, on reasonable written notice of at least thirty (30) days and in a manner that does not unreasonably disrupt the Company's operations.
11.3 The Company may satisfy the audit obligation by providing up-to-date certifications, independent auditors' reports or questionnaires, where these adequately evidence compliance.
ARTICLE 12 — RETURN AND DELETION OF DATA
12.1 On the end or termination of the Main Agreement, the Company, at the Customer's choice, deletes or returns the Personal Data and deletes existing copies, unless EU or national law requires retention.
12.2 For the avoidance of doubt, records subject to mandatory retention under tax and accounting law (in particular Laws 4308/2014 and 4174/2013 — six years) are not deleted before that period expires; until then they are placed under restriction of processing (Article 18 GDPR) and then deleted. Backups are recycled within thirty (30) days.
ARTICLE 13 — LIABILITY
13.1 Each Party's liability under this DPA is subject to the limitations of liability in the Main Agreement, to the extent permitted by Data Protection Law.
13.2 The allocation of liability towards Data Subjects or supervisory authorities is governed by Article 82 GDPR. Each Party is liable for damage caused by its own breach of its obligations.
ARTICLE 14 — MISCELLANEOUS
14.1 Relationship with the Main Agreement. This DPA forms an integral part of the Main Agreement. On data-protection matters, this DPA prevails in the event of conflict.
14.2 Amendments. Amendments are made in writing. The Company may update the Annexes to reflect changes in the services or the law, subject to Article 7 as regards Sub-processors.
14.3 Severability. The invalidity of any provision does not affect the validity of the others.
14.4 Governing law — Jurisdiction. This DPA is governed by Greek law. The courts of Athens have jurisdiction, subject to any dispute-resolution clause in the Main Agreement.
14.5 Language. The Greek version is binding; the English is provided for convenience.
SIGNATURES
This Data Processing Agreement forms part of the Terms of Service and is accepted electronically by the Business Customer upon account creation / acceptance of the Terms; no separate physical signature is required. A countersigned copy is available to Business Customers on request at privacy@tabbpay.com.
ANNEX A — DESCRIPTION OF THE PROCESSING
Subject matter: the processing of Personal Data necessary to provide the Platform to the Customer.
Duration: for as long as the Main Agreement is in force, subject to Article 12.
Nature and purpose: hosting, storage, recording, transmission and other processing of data for: ordering and payment at the venue; management of tables, menus and sessions; optional mobile verification, returning-customer recognition and loyalty operation; management of staff, shifts, tips and reviews; and forwarding of order content to the Customer's POS where enabled.
Categories of Data Subjects: (i) Guests (the Customer's consumer patrons); (ii) Staff (the Customer's employees/contractors).
Types of Personal Data:
- Guests (base): session identifier, device identifier, device-binding token, IP address, User-Agent, order content and notes, payment reference, tip amount/allocation, rating/review.
- Guests (optional identity/loyalty): salted SHA-256 hash of the mobile number; salted hashes of an email and/or a payment-card fingerprint (PSP); optional display name; verification/consent timestamps; loyalty points ledger. The raw mobile number is processed only transiently to deliver a one-time code by SMS.
- Staff: name/display name, email, phone (optional), role/status/employment details, bcrypt-hashed device PIN, push-notification credentials, performance data.
Special categories (Article 9 GDPR): none requested. Any dietary/allergen information in order notes is entered voluntarily by the Guest to fulfil the order.
ANNEX B — TECHNICAL AND ORGANISATIONAL MEASURES (Article 32 GDPR)
- Encryption in transit (TLS 1.2+) and at rest (databases and object storage).
- Role-based access control with least-privilege defaults; production access logged.
- Pseudonymisation: mobile numbers/emails/card fingerprints held as salted SHA-256 and never in plaintext; device PINs held as bcrypt hashes.
- HMAC-signed device-binding tokens, revocable per device.
- Error monitoring with PII disabled (
sendDefaultPii: false) and sensitive-field redaction (beforeSend). - One-time SMS codes: held only as a hash, in volatile cache, for up to 5 minutes.
- Automated daily data-retention/deletion sweeps.
- Regular (quarterly) reviews of access rights and Sub-processors; backups on a 30-day recycle cycle.
ANNEX C — APPROVED SUB-PROCESSORS
| Sub-processor | Role | Location / Transfer safeguard |
|---|---|---|
| Clerk, Inc. | Authentication / identity & organisation management | USA — Standard Contractual Clauses |
| Amazon Web Services EMEA SARL | Hosting, database (RDS), storage (S3), CDN (CloudFront) | EU — Frankfurt (eu-central-1) |
| Amazon Web Services EMEA SARL — End User Messaging (SMS) | Delivery of one-time codes by SMS | EU — Frankfurt; onward delivery via mobile network operator |
| Viva Payments Single Member S.A. (EMI) — and, for settlement accounts, Vivabank Single Member Banking S.A. | Guest payment processing (Viva.com ISV) and subscription billing (Smart Checkout) | EU — Greece |
| Stripe Payments Europe Ltd | Payment processing — only if expressly requested by the Customer | EU — Ireland |
| Vercel Inc. | Hosting of Next.js applications | EU (Frankfurt) with US fallback — Standard Contractual Clauses |
| Functional Software, Inc. (Sentry) | Error monitoring (PII disabled) | USA — Standard Contractual Clauses |
| Google Ireland Limited (Firebase Cloud Messaging) | Push notifications to Staff devices | EU & global — Standard Contractual Clauses |
| Resend Labs, Inc. | Delivery of transactional/operational email | USA — Standard Contractual Clauses |
| symPOSium / HIT (POS providers) | Forwarding order content to the Customer's POS, where enabled | EU |
The list is updated per Article 7. Operational source of truth: the Sub-processor List and the Privacy Policy.
Language. The Greek version of this Agreement is the legally binding one; this English text is provided for convenience.