Data Processing Addendum
This Data Processing Addendum (DPA) forms part of the agreement between POSavoir, Inc. ('Processor') and the customer ('Controller') and applies to the extent POSavoir processes personal data on the customer's behalf.
Version: 2026.04. Supersedes all prior versions.
1. Definitions
Capitalised terms not defined here have the meaning given in the GDPR, UK GDPR, or applicable U.S. state privacy laws ("Data Protection Laws").
2. Roles & subject matter
The Controller determines the purposes and means of processing personal data. POSavoir processes personal data only on documented instructions from the Controller, namely to provide the Service described in the agreement.
3. Categories of data and data subjects
- Data subjects: Controller's employees and end-customers (patrons).
- Categories: identification data (name, email, phone), transactional data, employment data (clock-in, schedule), device/log data.
4. POSavoir obligations
- Process personal data only on documented Controller instructions.
- Ensure personnel authorised to process personal data are bound by confidentiality.
- Implement appropriate technical and organisational measures (see Annex II).
- Assist the Controller with data-subject requests, security, breach notification, and DPIAs.
- Make available all information necessary to demonstrate compliance and allow audits, subject to reasonable confidentiality and frequency limits.
5. Sub-processors
The Controller authorises POSavoir to engage sub-processors listed at privacy@POSavoir.com. POSavoir will give at least 30 days' notice of new sub-processors. The Controller may object on reasonable data-protection grounds.
6. International transfers
For transfers from the EEA, UK, or Switzerland to third countries without an adequacy decision, the parties incorporate the EU Standard Contractual Clauses (Module 2: Controller-to-Processor) and the UK International Data Transfer Addendum.
7. Security
POSavoir implements the safeguards described on our Security page and in Annex II of this DPA, including encryption, access control, incident response, and continuous monitoring.
8. Personal data breach
POSavoir will notify the Controller without undue delay (and in any case within 72 hours of awareness) of any personal data breach affecting Controller data, with the information required by Article 33 GDPR.
9. Return or deletion
On termination, POSavoir will, at the Controller's choice, return or delete personal data within 30 days, except where retention is required by law.
10. Liability
Each party's liability under this DPA is subject to the limitations of liability in the underlying agreement.
Annex I: Processing details
- Nature & purpose: Provision of point-of-sale software, analytics, voice ordering, anomaly detection, and integrations.
- Duration: The term of the agreement plus retention periods set out in the Privacy Policy.
Annex II: Technical & organisational measures
- Encryption in transit (TLS 1.2+) and at rest (AES-256).
- Multi-factor authentication and least-privilege access.
- Vulnerability management, code review, annual penetration test.
- Documented incident response and business continuity plans.
- Background checks and security training for personnel.
Signing
To execute this DPA for your account, request the counter-signed PDF from legal@POSavoir.com.