DPA and Responsibility Split

Overview of the Data Processing Agreement and responsibility split between Smooth Catering, restaurants and end customers.

Role: Processor
Controller: Restaurant
Version: v1.0

In short

  • The restaurant decides why customer data is processed in the quote and order flow.
  • Smooth Catering processes data as processor and may only use it to deliver, secure and support the service.
  • This document describes the standard processor terms and is supplemented by customer agreements where applicable.

Responsibility matrix

  • The restaurant is normally controller for the end-customer quote request, order, customer communication, fulfillment, allergen information and accounting basis.
  • Smooth Catering is normally processor for the restaurant's end-customer, order, quote, CRM and production data.
  • Smooth Catering is controller for its own demo leads, SaaS account administration, support, security logs, superadmin audit logs, subscription data and product analytics.
  • Stripe, analytics, e-mail and hosting may have separate roles depending on the final integration and contracts.

Article 28 processing

  • Subject matter: operation of the catering platform, widget, quote flow, order flow, CRM, production, support and security.
  • Duration: during the customer agreement and afterwards according to the retention, export and deletion routine.
  • Nature of processing: collection, storage, display, updates, export, support troubleshooting, security logging and deletion.
  • Categories of data subjects: restaurant administrators, restaurant end customers, company customer contacts and support contacts.
  • Categories of data: contact details, quote and order details, delivery details, dietary counts, customer messages, account and security data.
  • Smooth Catering processes personal data only on documented instructions from the restaurant and will inform the restaurant if an instruction appears to conflict with data protection rules.
  • People with access are subject to confidentiality requirements and access must be limited to operations, support, security and agreed administration.
  • Smooth Catering will assist the restaurant with data subject rights, incident investigation, export, deletion and subprocessor information where the service makes it possible.
  • At the end of the agreement, data will be deleted or returned according to instruction, except for legally required, security-related or dispute-related retention.

Security and subprocessors

  • Technical and organisational measures are described in the security appendix.
  • Subprocessors may be used according to the subprocessor list. Material changes will be communicated according to the customer agreement or DPA.
  • Personal data incidents affecting restaurant data will be notified to the restaurant without undue delay with known facts, impact and measures.

Canonical policy path: /en/dpa. This page is part of Smooth Catering's public trust documentation.