Data Processing Addendum (DPA)

Last Updated:

Our Commitment to Data Protection

1. Introduction and Scope

This Data Processing Addendum ("DPA") is incorporated into and forms part of the Terms of Service or any other master services agreement (the "Agreement") between the customer subscribing to the Services ("Customer" or "Controller") and ScanSewa, a software initiative developed and powered by Lacspace ("ScanSewa," "we," "us," or "Processor").

This DPA applies to the processing of Personal Data that is subject to Data Protection Laws, where Customer is the Controller and ScanSewa is the Processor. It reflects the parties' agreement with regard to the processing of Customer's Personal Data in connection with the Services provided by ScanSewa.

2. Definitions

For the purposes of this DPA, the following terms shall have the meanings ascribed to them below. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement.

  • "Data Protection Laws" means all applicable data protection and privacy laws, including, where applicable, the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK Data Protection Act 2018, and the California Consumer Privacy Act ("CCPA").
  • "Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject") that is processed by ScanSewa on behalf of the Customer in the course of providing the Services.
  • "Processing" means any operation or set of operations which is performed on Personal Data, whether or not by automated means.
  • "Controller," "Processor," "Data Subject," and "Supervisory Authority" shall have the meanings ascribed to them in the GDPR.

3. Processing of Personal Data

3.1. Roles and Responsibilities

The parties agree that with respect to the processing of Personal Data, Customer is the Controller and ScanSewa is the Processor. ScanSewa will process Personal Data only on behalf of the Customer and in accordance with the Customer's documented instructions, including the terms of this DPA and the Agreement.

3.2. Details of Processing

  • Subject Matter: The processing of Personal Data in the context of providing the ScanSewa Services as described in the Agreement.
  • Duration: For the duration of the Agreement, unless otherwise agreed upon in writing.
  • Nature and Purpose: To provide, maintain, and improve the Services, including processing transactions, managing user accounts, providing analytics, and for other purposes as instructed by the Customer.
  • Categories of Data Subjects: End-users of the Customer's services (e.g., restaurant patrons, retail shoppers), employees of the Customer, and other individuals whose data is provided to ScanSewa by the Customer via the Services.
  • Types of Personal Data: Names, contact information (email, phone number), transaction data, order details, user account credentials, device and usage information, and any other Personal Data that Customer chooses to submit to the Services.

4. Data Subject Rights

ScanSewa will, to the extent legally permitted, promptly notify Customer if it receives a request from a Data Subject to exercise their rights under Data Protection Laws (e.g., access, rectification, erasure, portability). Taking into account the nature of the processing, ScanSewa shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer's obligation to respond to such requests.

5. Security Measures

ScanSewa shall implement and maintain appropriate technical and organizational security measures to protect Personal Data from security incidents and to preserve the security and confidentiality of the Personal Data. These measures include, but are not limited to, encryption of data in transit and at rest, access controls, regular security assessments, and a security incident response plan. A detailed overview of our security measures can be provided upon request.

6. Sub-processors

Customer provides a general authorization for ScanSewa to engage third-party sub-processors to process Personal Data on Customer's behalf. ScanSewa will maintain a list of its sub-processors, which can be made available to the Customer upon request. ScanSewa shall enter into a written agreement with each sub-processor containing data protection obligations no less protective than those in this DPA. ScanSewa remains fully liable to the Customer for the performance of the sub-processor's data protection obligations.

7. International Data Transfers

ScanSewa will not transfer Personal Data to a country outside of the European Economic Area (EEA), Switzerland, or the United Kingdom without appropriate safeguards as required by Data Protection Laws. If such a transfer is required, it will be done in compliance with mechanisms such as the Standard Contractual Clauses (SCCs) or other lawful transfer mechanisms.

8. Audits and Compliance

ScanSewa shall make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer, subject to reasonable notice and confidentiality obligations.

9. Data Breach Notification

In the event of a Personal Data Breach, ScanSewa will notify the Customer without undue delay after becoming aware of the breach. The notification will include details of the breach, the potential impact, and the corrective actions taken. ScanSewa will provide reasonable assistance to the Customer in its handling of the breach, including any notifications to Supervisory Authorities or Data Subjects.

10. Deletion or Return of Data

Upon termination of the Agreement, ScanSewa shall, at the Customer's choice, delete or return all Personal Data to the Customer and delete existing copies unless applicable law requires storage of the Personal Data.

11. Contact Information

For any questions or requests related to this Data Processing Addendum, please contact our Data Protection team.