Data Processing Agreement

1. Definitions

Terms not defined in this DPA have the meaning given to them in the Terms of Service or the UK GDPR. In addition:

• "Controller" means the Customer (venue operator) who determines the purposes and means of processing personal data through the Platform.
• "Processor" means HAMR Ltd, trading as Covered, which processes personal data on behalf of the Controller.
• "Sub-Processor" means a third party engaged by the Processor to carry out specific processing activities on behalf of the Controller.
• "Data Protection Laws" means the UK GDPR, the Data Protection Act 2018, and any successor legislation, together with all applicable guidance and codes of practice issued by the ICO.

2. Subject Matter and Duration

The Processor processes personal data on behalf of the Controller in order to provide the Covered platform, as described in the Terms of Service. The duration of processing is the term of the Agreement between the parties, plus any period necessary for post-termination data return or deletion as specified in this DPA.

3. Nature and Purpose of Processing

The Processor processes personal data for the following purposes:

• Managing bookings, reservations, and table assignments
• Storing and displaying guest profiles and visit history
• Processing pre-orders and menu selections
• Facilitating payments through integrated payment providers
• Sending transactional communications (booking confirmations, reminders, receipts) via email and WhatsApp
• Sending marketing communications where the Controller has obtained appropriate consent from the data subject
• Generating reports and analytics for the Controller

4. Types of Personal Data

• Guest names, email addresses, and telephone numbers
• Booking details (date, time, party size, special requests)
• Dietary requirements and allergies (which may constitute special category data)
• Visit history, preferences, and tags assigned by the Controller
• Pre-order selections and associated pricing
• Payment metadata (transaction ID, amount, last four digits of card -- full card numbers are processed exclusively by Stripe and Square)
• Communication records (email and WhatsApp message content, delivery status)
• Controller staff names, email addresses, and access roles

5. Categories of Data Subjects

• Guests and customers of the Controller's venue(s)
• Staff and employees of the Controller
• Other individuals whose data is entered into the Platform by the Controller or its Authorised Users

6. Processor Obligations

The Processor shall:

6.1 Processing on Instructions

Process personal data only on the documented instructions of the Controller, including with regard to transfers of personal data outside the United Kingdom, unless required to do so by applicable law. If the Processor is required by law to process personal data other than on the Controller's instructions, it will inform the Controller of that legal requirement before processing, unless prohibited from doing so by law.

6.2 Confidentiality

Ensure that all personnel authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

6.3 Security Measures

Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including as applicable:

• Encryption of personal data in transit (TLS 1.3) and at rest (AES-256)
• The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services
• The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
• A process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures
• Role-based access controls and tenant isolation enforced through row-level security policies
• Bcrypt password hashing and support for TOTP two-factor authentication

6.4 Sub-Processors

Not engage another processor (sub-processor) without prior general written authorisation of the Controller. The Controller hereby provides general authorisation for the sub-processors listed in Section 7 of this DPA. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object to such changes within 14 days of notification. The Processor shall impose the same data protection obligations on any sub-processor by way of a contract.

6.5 Assistance with Data Subject Rights

Taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the data subject's rights under Chapter III of the UK GDPR.

6.6 Assistance with Security and Breach Notification

Assist the Controller in ensuring compliance with its obligations under Articles 32 to 36 of the UK GDPR, taking into account the nature of processing and the information available to the Processor. The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach.

6.7 Deletion or Return of Data

At the choice of the Controller, delete or return all personal data to the Controller after the end of the provision of services, and delete existing copies unless applicable law requires storage of the personal data. Upon termination, the Processor shall make the Controller's data available for export for 30 days, after which it will be securely deleted from all active systems within 90 days. Copies in encrypted backups will be overwritten in the normal backup rotation cycle.

6.8 Audit

Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to reasonable notice and during business hours. The Processor may charge a reasonable fee for any audit that exceeds one audit per 12-month period.

7. Authorised Sub-Processors

The Controller authorises the Processor to engage the following sub-processors:

8. International Transfers

Where personal data is transferred to a sub-processor located outside the United Kingdom, the Processor shall ensure that one of the following safeguards is in place:

• The UK International Data Transfer Agreement (UK IDTA) issued by the ICO, with a completed transfer risk assessment.
• The EU-US Data Privacy Framework (EU-US DPF), where the sub-processor is certified under the framework.
• An adequacy decision made by the UK Secretary of State under Section 17A of the Data Protection Act 2018.

The Processor shall provide copies of the relevant transfer mechanisms to the Controller upon request.

9. Technical and Organisational Security Measures

The Processor implements the following measures to protect personal data:

9.1 Encryption

• TLS 1.3 for all data in transit
• AES-256 encryption for all data at rest
• Encrypted database backups

9.2 Access Controls

• Role-based access control (RBAC) with the principle of least privilege
• Multi-tenant data isolation enforced through row-level security (RLS) database policies
• Multi-factor authentication required for Processor staff accessing production systems
• Access logs maintained and periodically reviewed

9.3 Incident Response

• Documented incident response procedure covering detection, containment, eradication, and recovery
• Notification to the Controller without undue delay and in any event within 48 hours of becoming aware of a personal data breach
• Notification to the ICO within 72 hours where the breach is likely to result in a risk to data subjects' rights and freedoms
• Post-incident review and implementation of corrective measures

9.4 Business Continuity

• Automated database backups with point-in-time recovery
• Infrastructure designed for high availability with automated failover
• Disaster recovery procedures tested periodically

10. Controller Obligations

The Controller shall:

• Ensure that it has a valid lawful basis for each category of personal data it instructs the Processor to process.
• Provide clear and lawful documented instructions to the Processor regarding the processing of personal data.
• Ensure that it provides appropriate privacy notices to data subjects before or at the time of collecting their personal data.
• Comply with all Data Protection Laws applicable to it as a controller, including fulfilling data subject rights requests.
• Where special category data (e.g. dietary requirements indicating health conditions or religious beliefs) is entered into the Platform, ensure that an appropriate condition under Article 9 of the UK GDPR is met.

11. Liability

Each party's liability under this DPA is subject to the exclusions and limitations of liability set out in the Terms of Service. Nothing in this DPA limits either party's liability for: (a) breaches of confidentiality obligations; (b) the Processor's obligation to process data only on the Controller's documented instructions; or (c) liability that cannot be excluded or limited under applicable law.

12. Governing Law

This DPA shall be governed by and construed in accordance with the laws of England and Wales. The courts of England and Wales shall have exclusive jurisdiction to settle any dispute arising out of or in connection with this DPA.

13. Contact

For questions about this Data Processing Agreement, please contact us at hello@covered.technology.