Data Processing Agreement

Last updated: April 9, 2026

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between OpsPulse (“Processor”) and the Customer (“Controller”) who has agreed to the Terms of Service.

1. Definitions

  • “Controller” means the Customer (restaurant operator) who determines the purposes and means of processing Personal Data.
  • “Processor” means OpsPulse, which processes Personal Data on behalf of the Controller.
  • “Data Subjects” means the individuals whose Personal Data is processed, primarily restaurant team members.
  • “Personal Data” means any information relating to an identified or identifiable natural person.
  • “Processing” means any operation performed on Personal Data, including collection, recording, storage, retrieval, use, disclosure, and erasure.
  • “Data Protection Laws” means the GDPR, UK GDPR, CCPA/CPRA, and any other applicable data protection or privacy legislation.

2. Scope and Purpose of Processing

The Processor shall process Personal Data only to provide the OpsPulse service as described in the Terms of Service, including:

  • Authenticating team members via PIN-based login on shared kiosks
  • Recording task completions and compliance checks
  • Logging food safety data (temperature readings, cleaning records)
  • Generating operational reports and analytics for the Controller
  • Maintaining security through session management and audit logs

3. Types of Personal Data

Category        Data Elements
Identity        Name, role, staff ID
Authentication  PIN hash (bcrypt, irreversible)
Activity        Task completions, timestamps, compliance check results
Food Safety     Temperature logs, cleaning records, corrective actions
Technical       Device fingerprint, browser type, session tokens

4. Data Subject Categories

  • Restaurant team members (staff, shift leads)
  • Restaurant managers and administrators
  • Health inspectors (when using inspector access features)

5. Processor Obligations

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller, including with respect to transfers to third countries.
  • Ensure that all personnel authorized to process Personal Data are bound by confidentiality obligations.
  • Implement appropriate technical and organizational security measures, including encryption at rest and in transit, access controls, and regular security reviews.
  • Not engage another processor (sub-processor) without prior written authorization from the Controller. A current list of sub-processors is available upon request.
  • Assist the Controller in responding to Data Subject requests (access, correction, deletion, portability) by providing appropriate tools and interfaces.
  • Assist the Controller in ensuring compliance with obligations related to security, breach notification, data protection impact assessments, and prior consultation.
  • At the Controller’s choice, delete or return all Personal Data upon termination of the service, and delete existing copies unless retention is required by law.
  • Make available all information necessary to demonstrate compliance with this DPA and allow for audits conducted by or on behalf of the Controller.

6. Data Breach Notification

The Processor shall notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach. The notification shall include the nature of the breach, the categories and approximate number of Data Subjects affected, the likely consequences, and the measures taken or proposed to address the breach.

7. Data Retention and Deletion

  • Personal Data of active team members is retained for the duration of the service agreement.
  • Upon team member deactivation, personal identifiers are anonymized within 90 days. Anonymized operational records are retained for audit purposes.
  • Upon contract termination, all Personal Data is deleted or returned within 30 days, except where retention is required by applicable law.
  • The Controller may request immediate anonymization or deletion of specific Data Subject records at any time through the OpsPulse dashboard.

8. International Data Transfers

If Personal Data is transferred outside the European Economic Area or the United Kingdom, the Processor shall ensure that appropriate safeguards are in place, including EU Standard Contractual Clauses (SCCs) or equivalent mechanisms recognized under applicable Data Protection Laws. The Processor will inform the Controller of any intended transfers and the safeguards applied.

9. Audit Rights

The Controller may audit the Processor’s compliance with this DPA up to once per year, with 30 days’ prior written notice. The audit shall be conducted during normal business hours and shall not unreasonably interfere with the Processor’s operations. The Processor may satisfy audit requests by providing relevant certifications, audit reports, or other documentation.

10. Term and Termination

This DPA shall remain in effect for the duration of the Terms of Service and shall automatically terminate upon termination of the Terms of Service. Obligations relating to data deletion, confidentiality, and cooperation with Data Subject requests shall survive termination.

11. Contact

For questions about this DPA or to request the current list of sub-processors, contact us at privacy@opspulse.app.