Data Processing Agreement

Last updated: November 2025

This Data Processing Agreement ("DPA") forms part of and is incorporated into the master service agreement, order form, or other written contract between the parties covering the provision of the Yepyet POS and Online Ordering Platform (the "Agreement").

Parties:

• Controller: [Client legal name], with registered address at [Client address] (the "Controller").
• Processor: [MACD Software Solutions LTD], with registered address at [Unit 3 Baldara House, Baldara Court, Ashbourne, Meath A84 A893] (the "Processor", "Yepyet", "we/us").

Subject Matter, Duration and Nature of Processing

Subject matter. Yepyet will process Personal Data on behalf of the Controller to provide the POS and online ordering services described in the Agreement.

Duration. From the Effective Date until termination or expiry of the Agreement, and thereafter as required for return/deletion under this DPA.

Nature and purpose. Processing includes collecting, storing, structuring, transmitting, and otherwise using Personal Data as necessary to: manage menus, orders, payments (via third-party processors), customer accounts, loyalty, delivery/collection workflows, inventory, staff scheduling, analytics and reporting, and support services.

Roles and Compliance

Controller responsibility. Controller determines the purposes and means of Processing and warrants it has a valid legal basis for all Personal Data it provides to Yepyet.

Processor responsibility. Yepyet will process Personal Data only on documented instructions from the Controller (including via the Agreement, admin console settings, and written support requests), unless required to do so by EU or Member State law. In such a case, Yepyet will inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

Compliance. Each party will comply with its respective obligations under the GDPR and applicable data protection laws in Ireland and the EU/EEA.

Categories of Data and Data Subjects

Data Subjects. Customers/end-users placing orders; Controller’s staff (e.g., cashiers, managers, delivery drivers); prospective customers; and other individuals associated with the Controller’s business.

Categories of Personal Data. Identification and contact data (name, email, phone); order details and preferences; delivery addresses; device and usage data (IP address, device identifiers); account credentials (hashed); staff rostering and performance logs; limited payment-related identifiers/tokens returned by third-party payment processors. Cardholder data is not stored or processed by Yepyet; it is handled by the Controller’s selected payment processor.

Special Categories. Controller will avoid submitting Special Category Data. If processing would involve such data (e.g., allergy info explicitly identifying a person), the Controller is responsible for ensuring a lawful basis and providing prior written notice to Yepyet so that appropriate safeguards can be applied.

Confidentiality and Personnel

Yepyet will ensure that persons authorised to process Personal Data are bound by confidentiality obligations and receive appropriate data protection and security training.

Security of Processing

Yepyet will implement appropriate technical and organisational measures ("TOMs") to ensure a level of security appropriate to the risk, including as set out in Annex II (e.g., encryption in transit and at rest, access controls, least-privilege, monitoring and logging, vulnerability management, backups and disaster recovery, and secure software development practices).

The Controller is responsible for securing its endpoints, networks, and user access (including MFA), and for configuring the Service in accordance with best practice.

Sub-processors

The Controller provides general authorisation for Yepyet to engage Sub-processors to support the Service (e.g., cloud hosting, content delivery, email/SMS, payments). Yepyet will: (i) impose data protection obligations on Sub-processors equivalent to those set out in this DPA; (ii) remain responsible for the acts and omissions of Sub-processors; and (iii) maintain a current list of Sub-processors (see Annex III) and notify the Controller of material changes, giving the Controller a reasonable opportunity to object on reasonable grounds.

If the Controller reasonably objects to a new Sub-processor and the parties cannot reach resolution, the Controller may terminate the affected Service on written notice without penalty.

International Data Transfers

Yepyet will not transfer Personal Data outside the EEA/UK unless it has implemented appropriate safeguards under Chapter V GDPR, including (as applicable) the EU Commission Standard Contractual Clauses (SCCs) (Module 2), an adequacy decision, or Binding Corporate Rules. Where SCCs apply, they are incorporated by reference and completed as set out in Annex IV.

Where the UK GDPR applies, the UK International Data Transfer Addendum may also be incorporated as needed.

Assistance to the Controller

Yepyet will, taking into account the nature of processing, assist the Controller by appropriate technical and organisational measures, insofar as possible, to respond to data subject requests under Chapter III GDPR.

Yepyet will provide reasonable assistance with data protection impact assessments (DPIAs) and prior consultations with supervisory authorities, as required by Articles 35–36 GDPR, in each case solely in relation to the Service.

Personal Data Breach Notification

Notification. Yepyet will notify the Controller without undue delay (and within 24 hours of becoming aware, where feasible) after confirming a Personal Data Breach affecting the Controller’s Personal Data.

Information. Yepyet will provide timely information reasonably known about the breach, including the nature of the incident, categories and approximate number of data subjects and records concerned, likely consequences, and measures taken or proposed to address the breach.

Co-operation. Yepyet will promptly take steps to contain, investigate, and remediate the breach and assist the Controller to meet any applicable notification obligations.

Return and Deletion of Data

Upon termination/expiry of the Agreement or upon written request, Yepyet will, at Controller’s choice, return all Personal Data and/or securely delete Personal Data (unless retention is required by law). Unless otherwise agreed, Yepyet will complete deletion within 30 days of termination.

Yepyet may retain minimal metadata or logs strictly necessary to demonstrate compliance, for the period required by law or applicable limitation periods.

Records and Audit

Yepyet will maintain records of processing activities as required by Article 30(2) GDPR and make them available to the Controller upon request.

On reasonable prior written notice (at least 30 days, unless required sooner by a supervisory authority or incident), during business hours, and subject to confidentiality and security restrictions, the Controller or an independent auditor mandated by the Controller may conduct an audit of Yepyet’s compliance with this DPA no more than once annually, or following a Personal Data Breach. Audits shall be conducted in a manner that minimises disruption and protects Yepyet’s and other customers’ data. Yepyet may satisfy audit obligations by providing industry-standard third‑party certifications, audit reports, or summaries thereof.

Liability and Indemnity

Each party’s liability arising out of or in connection with this DPA is subject to the exclusions and limitations set out in the Agreement. Nothing limits liability for death or personal injury, fraud, wilful misconduct, or any other liability that cannot be limited by law.

The Controller remains responsible for its own compliance with data protection laws, including obtaining all necessary consents and ensuring accuracy and lawfulness of Personal Data.

Order of Precedence and Changes

In the event of conflict between this DPA and the Agreement, this DPA shall prevail to the extent of the conflict in relation to data protection matters.

Yepyet may update this DPA to reflect changes in law or Sub-processor arrangements. Material changes will be notified in advance, and where required, the parties will execute updated terms.

Governing Law and Venue

This DPA shall be governed by and construed in accordance with the laws of Ireland, and the parties submit to the exclusive jurisdiction of the Irish courts, without prejudice to mandatory rights under the GDPR to bring proceedings before a competent supervisory authority or court.

Annex I – Details of Processing

• Subject matter: Provision of POS and online ordering services.
• Duration: Term of the Agreement + deletion period.
• Nature and purpose: Hosting, storage, transmission, order management, payments via third parties, analytics, support.
• Types of Personal Data: Names, contact details, delivery addresses, order history, preferences, device/IP, staff identifiers, login usernames (hashed), payment tokens/transaction references (no card PAN/CVV stored by Yepyet).
• Categories of Data Subjects: Customers/end-users, Controller’s staff, prospective customers.
• Frequency of Transfer (if any): Continuous as required by the Service.

Annex II – Technical and Organisational Measures (TOMs)

• Governance & Policies: Information security policy, access control policy, incident response plan, vendor risk management, secure SDLC.
• Access Control: Role‑based access, least privilege, MFA for admin access, unique IDs, session timeouts, periodic access reviews, segregation of duties.
• Encryption: TLS for data in transit; industry‑standard encryption for data at rest; key management with restricted access.
• Logging & Monitoring: Centralised logging, security event monitoring, alerting, and regular review; time‑synced logs; tamper‑resistant storage.
• Vulnerability & Patch Management: Regular vulnerability scanning, prompt patching, annual external penetration testing, dependency monitoring.
• Data Minimisation & Pseudonymisation: Collect only necessary data, pseudonymise where appropriate, separate environments (prod/test/dev) with masked data.
• Business Continuity & Disaster Recovery: Regular encrypted backups, geo‑redundancy (where applicable), restoration testing, RPO/RTO targets aligned to SLA.
• Physical Security: Data centre protections via reputable IaaS providers (e.g., access controls, CCTV, environmental controls) and secure office practices.
• Personnel Security: Background checks where lawful, confidentiality agreements, security and privacy training.
• Third Parties: Contractual flow‑down of data protection obligations; risk assessment prior to onboarding; ongoing review.
• Data Deletion & Return: Certified deletion procedures, secure wiping of media, data retention schedules.
• Incident Management: 24/7 reporting channel, triage and escalation procedures, post‑incident review and corrective actions.

Annex III – Sub‑processors (Categories)

• Payment Processing: Third‑party payment service providers engaged directly by Controller or via Yepyet (e.g., tokenisation, payment gateway). Card data is handled exclusively by the payment processor.
• Cloud Hosting & Storage: Reputable EU‑based or EU data‑resident providers for application hosting, databases, backups, and content delivery.
• Communications: Email/SMS providers for order confirmations and service notifications.
• Analytics & Monitoring: Tools for application performance and security monitoring.

A current, detailed list of named Sub‑processors will be provided upon request and kept up to date.

Annex IV – International Transfers and SCCs

Where Personal Data is transferred outside the EEA/UK, the parties agree that the EU Standard Contractual Clauses (Controller to Processor – Module 2) are incorporated by reference, with: (i) Controller as the data exporter; (ii) Yepyet as the data importer; (iii) Annex I and II of this DPA forming Annex I and II of the SCCs; and (iv) the governing law and competent courts of Ireland. Where UK transfers occur, the UK International Data Transfer Addendum applies mutatis mutandis.