DATA PROCESSING AGREEMENT (DPA) OUTLINE
This is a high‑level outline intended to sit behind Carpia’s Terms & Conditions where required.
1. Parties
Controller: Restaurant / Merchant
Processor: Carpia (Side Alley Ltd)
Technology partners, delivery partners, and payment providers act as separate controllers or processors under their own agreements.
2. Subject Matter & Duration
Processing relates to onboarding, account management, operational support, and performance optimisation for the duration of the services.
3. Nature & Purpose of Processing
Account setup and support
Performance monitoring
Communication with restaurants
Technical and operational troubleshooting
4. Types of Personal Data
Business contact details
Platform identifiers
Limited customer/order metadata (where access is required for support)
5. Categories of Data Subjects
Restaurant owners and staff
End customers (indirect / limited access only)
6. Processing Instructions
Carpia processes data only on documented instructions from the restaurant, unless required by law.
7. Confidentiality
Carpia ensures that persons authorised to process personal data are subject to confidentiality obligations.
8. Security Measures
Carpia implements appropriate technical and organisational safeguards to protect personal data.
9. Sub‑Processors
Carpia may engage sub‑processors (e.g. hosting, analytics). A current list will be provided on request. Technology partners operate independently.
10. Data Subject Rights
Carpia assists controllers in responding to data subject requests where applicable.
11. Data Breach Notification
Carpia will notify the controller without undue delay upon becoming aware of a relevant personal data breach within its control.
12. Data Deletion or Return
Upon termination, data will be deleted or returned subject to legal and contractual obligations.
13. Liability
Carpia’s liability is limited in accordance with the main Terms & Conditions. Carpia is not responsible for data processed by third‑party platforms outside its control.
