Data Processing Agreement

This Data Processing Agreement (DPA) is entered into between Easy Host Oy trading as Pisteo (business ID 3288005-7, Helsinki, Finland) and the Restaurant identified in the Pisteo account or order form.

The DPA forms part of the Terms of Service. It applies automatically to every Restaurant that uses Pisteo. No separate signature is required, but a counter-signed version is available on request from hello@pisteo.io.

This DPA is entered into under Article 28 of the General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”).

1. Roles

• Pisteo is the processor for personal data of the Restaurant’s diners that the Restaurant controls. This includes the diner email marketing list, opt-in records, optional names on order tickets, order history tied to diner emails, and loyalty stamps.
• The Restaurant is the controller for that data.
• For other data sets (the Restaurant’s own account and billing data, authentication, product analytics on the admin app), Pisteo is the controller in its own right under the Privacy Policy.
• Stripe is a separate controller for its own fraud and compliance work and a processor for parts of the payment instruction.

Where there is a conflict between this DPA and other parts of the Terms of Service on data protection matters, this DPA wins.

2. Subject matter and duration

• Subject matter: Pisteo processes personal data of the Restaurant’s diners as needed to operate the Pisteo platform.
• Duration: for as long as Pisteo processes Restaurant-controlled personal data. The DPA survives termination of the Terms of Service until all such data is returned or deleted in line with section 12.

3. Nature and purpose of processing

Pisteo processes diner personal data to:

• Take orders from diners at the Restaurant’s tables and through other ordering channels (kiosk, takeaway, reservations)
• Route payments via Stripe Connect Express
• Send VAT-compliant email receipts where requested
• Maintain the Restaurant’s diner marketing list and deliver marketing emails the Restaurant sends
• Maintain loyalty stamps where diners opt in
• Support the Restaurant in handling diner complaints, refunds, and data subject requests

4. Categories of data subjects

• Diners of the Restaurant, meaning anyone who places an order through Pisteo at the Restaurant, whether at a table, at a self-checkout kiosk, through the public takeaway link, or through the reservations link.

5. Types of personal data

• Optional name on the order ticket
• Optional email address (for receipts or marketing opt-in)
• Order content, table number, timestamps
• Payment metadata via Stripe (payment intent IDs, amount, currency, payment method type, last four digits of card if applicable)
• Loyalty stamps and reward records
• Marketing consent records
• Transient IP address and browser information for security and fraud prevention

Pisteo does not request and does not need special category data (Art 9 GDPR). The Restaurant must not enter special category data into Pisteo.

6. Documented instructions

Pisteo processes Restaurant-controlled personal data only on the Restaurant’s documented instructions, reflected in:

• The Terms of Service and this DPA
• The configuration the Restaurant sets in the admin app
• Any written instructions sent to hello@pisteo.io

Pisteo tells the Restaurant if it believes an instruction breaches the GDPR or Finnish data protection law.

7. Confidentiality

Pisteo ensures that everyone with access to Restaurant-controlled personal data is bound by confidentiality, by contract or by statute.

8. Security measures (Art 32)

Pisteo applies technical and organisational measures appropriate to the risk, including:

• Encryption in transit. TLS 1.2 or higher for all diner and restaurant traffic.
• Encryption at rest. Database and object storage encrypted at rest (Railway-managed PostgreSQL and Cloudflare R2).
• Access control. Role-based access, multi-factor authentication for all Pisteo staff with production access, least privilege as the default.
• Audit logging. Significant administrative actions are logged with user and timestamp.
• Backups. Automated, encrypted, with tested restore.
• Vulnerability management. Dependency scanning, runtime monitoring via Sentry, monitoring of Stripe Radar signals for payment fraud.
• Secure development. Code review, type-checked code, environment isolation between development, staging, and production.
• Incident response. Documented plan with a named on-call.
• Vendor management. Sub-processors selected with security and data protection in mind, and bound by written contracts with equivalent protections.

Security measures are reviewed at least annually and updated as the platform evolves.

9. Sub-processors

Pisteo uses the sub-processors below. The Restaurant gives general authorisation, with the right to object to changes as set out in section 9.2.

9.1 Current sub-processors

Sub-processor	Purpose	Location	Transfer mechanism
Stripe Payments Europe Ltd	Payments, Stripe Connect Express	Ireland (EU)	None needed for EU storage. Stripe’s intra-group transfers under Stripe’s SCCs
Cloudflare R2	Image storage (menu photos, logos)	EU region selected	SCCs 2021/914 Module 2
Railway	Application hosting and managed PostgreSQL	US-headquartered, EU data residency available	SCCs 2021/914 Module 2
Resend	Transactional and marketing email delivery	US	SCCs 2021/914 Module 2
PostHog	Admin product analytics. Diners are not tracked.	EU Cloud	None needed
Sentry	Error monitoring	US	SCCs 2021/914 Module 2
Anthropic	Claude for menu import and Menu Performance Report. No diner PII sent.	US	SCCs 2021/914 Module 2
OpenAI	Secondary natural-language processing provider. No diner PII sent.	US	SCCs 2021/914 Module 2
GitHub	Code hosting only. No customer or diner data.	US	Not applicable, no personal data stored

9.2 Changes to sub-processors

Pisteo gives at least 30 days’ notice of adding or replacing a sub-processor, by updating this DPA and notifying admin users by email.

The Restaurant may object in writing on reasonable data protection grounds. If the parties cannot find a workable solution within 30 days, the Restaurant may terminate the affected service without penalty and receive a pro-rata refund of any prepaid fees for the unused period.

10. International transfers

Where personal data is transferred outside the EEA, Pisteo relies on the European Commission’s Standard Contractual Clauses (Regulation 2021/914), Module 2 (controller to processor), and on supplementary measures where appropriate. Current US transfers: Railway hosting, Resend, Sentry, Anthropic, OpenAI.

Pisteo reviews the legal basis of these transfers periodically and updates this section as needed.

11. Data subject rights

Pisteo helps the Restaurant respond to data subject requests (access, rectification, erasure, restriction, portability, objection, withdrawal of consent) by:

• Providing admin app tools to view, export, edit, and delete diner records
• Responding to written assistance requests sent to hello@pisteo.io within 10 business days
• Helping the Restaurant communicate with the data subject where reasonable

The Restaurant handles the request as the controller. Pisteo does not respond directly to diner requests about Restaurant-controlled data unless the Restaurant asks it to.

12. Personal data breaches

Pisteo notifies the Restaurant without undue delay and in any case within 24 hours of becoming aware of a personal data breach affecting Restaurant-controlled data.

The notification includes, at minimum:

• The nature of the breach
• Categories and approximate number of data subjects and records affected
• Likely consequences
• Measures taken or proposed to mitigate

Pisteo supports the Restaurant in fulfilling its own notification obligations to the Tietosuojavaltuutettu (within 72 hours where required under Art 33 GDPR) and to data subjects (where required under Art 34 GDPR).

13. Data Protection Impact Assessments

Pisteo gives the Restaurant reasonable information and assistance for any DPIA the Restaurant undertakes under Art 35 GDPR.

14. Audit rights

The Restaurant may audit Pisteo’s compliance with this DPA once per year, on 30 days’ written notice, during business hours, in a way that does not disrupt Pisteo’s operations.

Pisteo can satisfy audit requests by providing recent third-party security reports or summary internal audit reports where they cover the questions raised. Audit costs are borne by the Restaurant unless the audit reveals material non-compliance with this DPA, in which case Pisteo bears reasonable audit costs.

15. Return and deletion of data

On termination of the Terms of Service, the Restaurant has 60 days to export data from the admin app. After 60 days, Pisteo deletes Restaurant-controlled personal data from production systems within a further 30 days.

Exceptions:

• Records Pisteo must retain under Union or Finnish law (accounting, tax, payment records)
• Backups are kept on Pisteo’s standard rolling backup cycle and overwritten in line with that cycle

On written request, Pisteo provides written confirmation of deletion.

16. Liability and governing law

Liability under this DPA is subject to the liability section of the Terms of Service. This DPA is governed by Finnish law. Disputes are resolved in the Helsinki District Court.

17. Order of precedence

If there is a conflict between this DPA and the rest of the Terms of Service, this DPA wins on data protection matters. If there is a conflict between this DPA and an SCC module signed between the parties, the SCC module wins on the points it covers.