This Data Processing Addendum (“DPA”) forms part of, and is incorporated into, the agreement governing Customer’s use of the Services (the “Agreement”), including any applicable Order Form,
Terms of Use, or master services agreement, between (i) ToBeOut, Corp. (“ToBeOut”, “Processor”) and (ii) the customer entity identified in the applicable Order Form or account (“Customer”, “Controller”).
This DPA applies to the extent ToBeOut processes Personal Data on behalf of Customer as a Processor in connection with providing the Services. If there is any conflict between this DPA and the Agreement, this DPA will control with respect to the parties’ data protection obligations.
By using the Services, Customer enters into this DPA on behalf of itself and, to the extent required under Applicable Data Protection Law, on behalf of and for the benefit of its Authorized Affiliates.
1. DEFINITIONS
1.1 Capitalized terms not otherwise defined in this DPA have the meaning given in the Agreement.
1.2 “Applicable Data Protection Law” means all laws and regulations applicable to the processing of Personal Data under the Agreement, including, as applicable:
(a) Regulation (EU) 2016/679 (“EU GDPR”);
(b) the EU GDPR as incorporated into UK law (“UK GDPR”) and the UK Data Protection Act 2018;
(c) the Swiss Federal Act on Data Protection (“Swiss FADP”);
(d) Serbian Law on Personal Data Protection (“ZZPL”);
(e) applicable U.S. federal and state privacy and data security laws (including, where applicable, the California Consumer Privacy Act as amended by the CPRA (“CCPA/CPRA”) and similar state laws); and
(f) any implementing, derivative, or successor legislation.
1.3 “Controller” has the meaning given under Applicable Data Protection Law, and includes “Business” under the CCPA/CPRA where applicable.
1.4 “Processor” has the meaning given under Applicable Data Protection Law, and includes “Service Provider” or “Processor” under the CCPA/CPRA where applicable.
1.5 “Customer Data” means Personal Data submitted to, stored in, sent through, or otherwise processed via the Services by or on behalf of Customer, including Personal Data relating to Customer’s End Users (e.g., restaurant guests), Customer’s Users (e.g., staff), and Customer’s contacts.
1.6 “Data Subject” means the identified or identifiable natural person to whom Personal Data relates.
1.7 “Personal Data” means any information relating to an identified or identifiable natural person, as defined by Applicable Data Protection Law. “Personal Information” under the CCPA/CPRA is included where applicable.
1.8 “Processing” and “process” have the meanings given under Applicable Data Protection Law.
1.9 “Security Incident” means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data in ToBeOut’s systems. Security Incidents do not include unsuccessful attempts or activities that do not compromise Customer Data, such as pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems.
1.10 “Sub-processor” means any third party engaged by ToBeOut to process Customer Data on behalf of Customer in connection with the Services.
1.11 “Standard Contractual Clauses” or “SCCs” means: (a) the standard contractual clauses adopted by the European Commission implementing Decision (EU) 2021/914; and (b) any successor standard contractual clauses adopted by the European Commission.
1.12 “UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner.
1.13 “Swiss Addendum” means the modifications required to use the SCCs for transfers subject to the Swiss FADP.
1.14 “Authorized Affiliates” means Customer’s Affiliates that are permitted to use the Services under the Agreement and that qualify as Controllers of Customer Data.
2. SCOPE, ROLES AND RELATIONSHIP OF THE PARTIES
2.1 Customer as Controller. Customer determines the purposes and means of Processing Customer Data and instructs ToBeOut to process Customer Data on Customer’s behalf for the limited purpose of providing the Services in accordance with the Agreement and this DPA.
2.2 ToBeOut as Processor. ToBeOut will process Customer Data only as a Processor on behalf of Customer and only in accordance with Customer’s documented instructions, including those contained in this DPA, the Agreement, and Customer’s use of the Services’ features and settings.
2.3 Customer’s responsibility. Customer represents and warrants that it (a) has complied and will continue to comply with Applicable Data Protection Law in connection with its processing and its instructions to ToBeOut, and (b) has provided all required notices and obtained all required consents and authorizations for ToBeOut to process Customer Data as contemplated by the Agreement and this DPA.
2.4 ToBeOut as independent controller (limited). ToBeOut may process certain data as an independent controller to the extent strictly necessary for: (a) billing, accounting, tax, and legal compliance; (b) security, fraud prevention, and abuse detection; and (c) internal business analytics based on aggregated or de-identified data. ToBeOut will not use Customer Data for targeted advertising or to train or fine-tune general-purpose AI models unless Customer expressly opts in in writing or unless the data is irreversibly de-identified.
ToBeOut will not attempt to re-identify de-identified data and will implement reasonable technical and organizational controls designed to prevent re-identification.
2.4A ToBeOut Controller Data (Guest opt-in to ToBeOut).
Where a Guest provides a separate and valid opt-in directly to ToBeOut to receive ToBeOut marketing communications, the personal data processed by ToBeOut for those marketing purposes is processed by ToBeOut as an independent Controller and is not Customer Data processed under this DPA, except to the extent the parties expressly agree otherwise in writing.
ToBeOut remains responsible for complying with Applicable Data Protection Law for such independent Controller processing.
2.5 Precedence. If Customer is a Processor for another controller, Customer warrants it has authority to enter into this DPA on behalf of that controller, and Customer remains fully responsible for the instructions it provides to ToBeOut.
3. DETAILS OF PROCESSING
The subject matter, duration, nature, and purpose of Processing, the types of Customer Data, and categories of Data Subjects are described in Schedule 1 (Details of Processing).
4. TOBEOUT’S OBLIGATIONS AS PROCESSOR
4.1 Compliance. ToBeOut will process Customer Data as set out in this DPA and the Agreement, and in compliance with Applicable Data Protection Law applicable to ToBeOut as Processor.
4.2 Confidentiality. ToBeOut will ensure that persons authorized to process Customer Data are bound by appropriate confidentiality obligations (contractual or statutory).
4.3 Security Measures. ToBeOut will implement and maintain appropriate technical and organizational measures designed to protect Customer Data against Security Incidents and to preserve the security, confidentiality, and integrity of Customer Data. These measures are described in Schedule 2 (Technical and Organizational Measures).
4.4 Assistance with Data Subject Requests. Taking into account the nature of Processing, ToBeOut will provide reasonable assistance to Customer in fulfilling Customer’s obligation to respond to requests by Data Subjects to exercise their rights under Applicable Data Protection Law (e.g., access, deletion, rectification, restriction, portability, objection). If ToBeOut receives a request directly from a Data Subject relating to Customer Data, ToBeOut will, to the extent permitted by law, direct the Data Subject to Customer and will not respond except on Customer’s documented instructions or as required by law.
4.5 Assistance with DPIAs and consultations. ToBeOut will provide reasonable assistance to Customer with data protection impact assessments and prior consultations with supervisory authorities to the extent required by Applicable Data Protection Law, taking into account the nature of Processing and information available to ToBeOut.
4.6 Record of processing. ToBeOut will maintain records of processing activities as required by Applicable Data Protection Law applicable to ToBeOut as Processor.
4.7 Cooperation. ToBeOut will, within reason, cooperate with Customer and with applicable supervisory authorities in relation to Processing of Customer Data, including by providing information reasonably necessary to demonstrate compliance with this DPA.
5. SECURITY INCIDENT NOTIFICATION
5.1 Notification. ToBeOut will notify Customer without undue delay after becoming aware of a Security Incident. Unless otherwise required by Applicable Data Protection Law, ToBeOut will provide initial notice within 72 hours of awareness where feasible.
5.2 Contents of notice. ToBeOut’s notice will include, to the extent available: (a) a description of the nature of the Security Incident; (b) the categories and approximate number of Data Subjects and records affected; (c) the likely consequences; (d) measures taken or proposed to address and mitigate; and (e) contact information for follow-up.
5.3 Updates. ToBeOut will provide timely updates as additional information becomes available.
5.4 No admission. Notification of a Security Incident is not an acknowledgment of fault or liability by ToBeOut.
6. SUB-PROCESSING
6.1 General authorization. Customer provides a general written authorization for ToBeOut to engage Sub-processors to process Customer Data for the purposes of providing the Services.
6.2 Sub-processor list. ToBeOut will maintain a current list of Sub-processors used to provide the Services, including the Sub-processor’s name, location, and a description of processing, in Schedule 3 or an online list referenced therein.
6.3 Notice of changes. ToBeOut will provide at least thirty (30) days’ prior notice before authorizing any new Sub-processor to process Customer Data, except where changes are required on an emergency basis (e.g., to prevent or address a security threat), in which case notice will be provided as soon as reasonably practicable.
6.4 Objection. Customer may object to a new Sub-processor by providing written notice to ToBeOut within the notice period, stating reasonable grounds relating to data protection. If the parties cannot resolve the objection within a reasonable time, Customer may terminate the affected Service or the Agreement without penalty for the portion impacted, and ToBeOut will refund prepaid fees for the terminated portion for the unused remainder of the term, if applicable.
6.5 Flow-down and liability. ToBeOut will enter into a written agreement with each Sub-processor imposing obligations no less protective than those in this DPA (including appropriate security measures). ToBeOut remains responsible for the performance of its Sub-processors to the extent required under Applicable Data Protection Law.
7. INTERNATIONAL TRANSFERS
7.1 Data location. Customer understands that ToBeOut and its Sub-processors may process Customer Data in multiple countries in order to provide the Services.
7.2 Transfers from EEA. To the extent Customer Data is transferred from the EEA to a country not subject to an adequacy decision, the SCCs are incorporated by reference and will apply as set forth in Schedule 4 (SCC Implementation).
7.3 Transfers from the UK. To the extent UK GDPR applies and Customer Data is transferred from the UK to a country not subject to an adequacy regulation, the SCCs as supplemented by the UK Addendum will apply as set forth in Schedule 4.
7.4 Transfers from Switzerland. To the extent Swiss FADP applies and Customer Data is transferred from Switzerland to a country without adequate protection, the SCCs as supplemented by the Swiss Addendum will apply as set forth in Schedule 4.
7.5 Alternative transfer mechanisms. Where permitted, transfers may also be made under another valid transfer mechanism recognized by Applicable Data Protection Law (e.g., adequacy, binding corporate rules, approved certification), without limiting the availability of SCCs/UK Addendum.
8. DELETION AND RETURN OF CUSTOMER DATA
8.1 Return or deletion. Upon termination or expiration of the Agreement, ToBeOut will, at Customer’s choice and upon written request (unless self-service export/deletion is available), return Customer Data to Customer and/or delete Customer Data from ToBeOut’s systems within ninety (90) days, unless retention is required by law or for the establishment, exercise, or defense of legal claims.
For clarity, this Section governs deletion/return of Customer Data following termination or expiration of the Agreement and prevails over any general retention statements in the Terms to the extent of conflict.
8.2 Backups. Customer Data in backups will be overwritten or deleted in accordance with ToBeOut’s backup retention cycles and will remain protected by this DPA until deletion.
8.3 Survival. Sections relating to confidentiality, security, and deletion will survive termination to the extent necessary.
9. AUDITS AND COMPLIANCE INFORMATION
9.1 Documentation. Upon reasonable request, ToBeOut will make available information reasonably necessary to demonstrate compliance with this DPA, such as security questionnaires, summaries of policies, or third-party audit/attestation reports (if available).
Where ToBeOut provides a current third-party audit report or equivalent compliance documentation that reasonably addresses Customer’s request, Customer agrees that such documentation may satisfy Customer’s audit request unless a material Security Incident or regulator request requires additional audit rights.
9.2 Audit rights. Customer may conduct an audit of ToBeOut’s compliance with this DPA no more than once every twelve (12) months, and only: (a) where required by Applicable Data Protection Law; or (b) where a material Security Incident has occurred. Any audit must be: (i) conducted by an independent, qualified auditor; (ii) subject to confidentiality; (iii) limited in scope to systems relevant to Customer Data; and (iv) scheduled with reasonable notice and during regular business hours. Customer will bear its own costs and ToBeOut’s reasonable costs of assistance, unless the audit reveals material non-compliance by ToBeOut.
9.3 Restrictions. Customer will not access ToBeOut’s systems, source code, or other customers’ data during any audit.
10. CCPA/CPRA AND U.S. STATE TERMS (where applicable)
10.1 Service provider/processor. ToBeOut acts as a service provider/processor with respect to Customer Data under the CCPA/CPRA and similar laws, where applicable, and will not: (a) sell or share Customer Data; (b) retain, use, or disclose Customer Data for any purpose other than providing the Services; or (c) combine Customer Data with personal information received from another business except as permitted by law.
10.2 Customer instructions. Customer is responsible for complying with notice and opt-out obligations applicable to Customer. ToBeOut will provide reasonable assistance to Customer to respond to verifiable consumer requests relating to Customer Data processed by ToBeOut on Customer’s behalf.
11. CONFIDENTIALITY
11.1 Each party will treat the other party’s Confidential Information in accordance with the confidentiality provisions in the Agreement. Customer Data is Customer’s Confidential Information.
11.2 ToBeOut will ensure that access to Customer Data is limited to personnel and Sub-processors who require access to perform obligations under the Agreement.
12. LIABILITY, INDEMNITIES AND PRIORITY
12.1 Liability. The parties’ liability (including indemnities) is governed by the Agreement, except to the extent Applicable Data Protection Law prohibits limitation of liability for certain claims.
12.2 Priority. In case of conflict regarding data protection, this DPA will prevail over the Agreement. If there is a conflict between this DPA and the SCCs/UK Addendum, the SCCs/UK Addendum prevail with respect to cross-border transfers.
13. MISCELLANEOUS
13.1 Order of precedence. Agreement → DPA → Schedules → SCCs/UK Addendum (for transfers) in the order set in Section 12.2.
13.2 Changes. ToBeOut may update this DPA to reflect changes in Applicable Data Protection Law or the Services. If updates materially reduce protections, Customer may terminate the affected Service within thirty (30) days of notice.
13.3 Severability. If any provision is unenforceable, it will be modified to the minimum extent necessary and the remainder will remain in effect.
13.4 Governing law. Governing law and venue are as set forth in the Agreement, unless the SCCs require otherwise for transfer-related disputes.
13.5 Counterparts. This DPA may be executed electronically and in counterparts.
SCHEDULE 1 - DETAILS OF PROCESSING
A. Subject matter. Provision of the Services, including reservation and table management, guest communications, guest database, analytics and reporting features (as enabled), and related customer support.
B. Duration. The duration of processing is the term of the Agreement, plus any period following termination during which ToBeOut provides data return/deletion, and any legally required retention.
C. Nature of processing. Collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission to Customer and authorized recipients, alignment/combination (within Customer’s tenant), restriction, erasure, and destruction.
D. Purpose(s). (i) Provide, maintain, and improve the Services; (ii) prevent or address service, security, or technical issues; (iii) provide customer support; (iv) comply with legal obligations; and (v) other purposes as instructed by Customer via the Services.
E. Categories of Data Subjects. Customer’s users/staff; Customer’s guests/end-users; Customer’s contacts and representatives; any individuals whose data Customer inputs into the Services.
F. Types of Customer Data. Contact details (name, email, phone), reservation details (date/time, party size, notes), communications content, preferences recorded by Customer, identifiers and authentication data for Customer users, device/log/usage data. Special categories (sensitive data) are not required and should not be provided except at Customer’s discretion.
G. Frequency of processing. Continuous throughout the term as Customer uses the Services.
H. Retention. As described in Section 8.
SCHEDULE 2 — TECHNICAL AND ORGANIZATIONAL MEASURES (TOMs)
The measures below describe ToBeOut’s baseline controls. Specific implementations may vary by environment and may be updated over time provided overall protection is not materially diminished.
1. Information security program and governance
• Security policies and procedures covering access control, secure development, incident response, and vendor management.
• Assignment of security responsibilities; periodic review of controls.
2. Access control and authentication
• Principle of least privilege; role-based access controls.
• Multi-factor authentication for privileged/admin access where supported.
• Joiner/mover/leaver process for personnel access; periodic access reviews.
3. Encryption and transmission security
• TLS/HTTPS for data in transit.
• Encryption at rest for primary databases and backups where available/appropriate.
• Key management practices appropriate to the hosting environment.
4. Application and infrastructure security
• Secure configuration baselines; network segmentation where feasible.
• WAF/CDN protections and rate limiting where deployed.
• Malware protection and monitoring on endpoints/servers where applicable.
5. Logging, monitoring, and detection
• Centralized logging of security-relevant events.
• Monitoring for suspicious activity and operational anomalies.
6. Vulnerability and patch management
• Regular patching of operating systems and dependencies.
• Vulnerability scanning and remediation processes; secure SDLC practices.
7. Backups and business continuity
• Regular backups; restore testing on a periodic basis.
• Disaster recovery planning proportionate to service criticality.
8. Incident response
• Documented incident response plan, including containment, eradication, recovery, and communication steps.
• Post-incident review and corrective actions.
9. Personnel security
• Confidentiality obligations; security awareness training.
• Background checks where lawful and appropriate.
10. Vendor and sub-processor management
• Due diligence and contractual protections for Sub-processors.
• Ongoing review of Sub-processor posture as appropriate.
11. Data segregation and tenant isolation
• Logical separation of customer tenants in application/database layer.
• Controls to prevent cross-tenant access.
SCHEDULE 3 — SUB-PROCESSORS
ToBeOut may use the following categories of Sub-processors. The specific list (names, locations, services) is maintained in an online list or customer-facing documentation, which is incorporated by reference. Customer may request the current list at any time via support.
Categories may include: cloud hosting and infrastructure; CDN/WAF and security services; transactional email/SMS/messaging delivery; payment processing; analytics and error monitoring; customer support tooling.
Change notification procedure: as described in Section 6.3. Objection procedure: as described in Section 6.4.
The current list of Sub-processors (including names, locations, and services) is available in Section II.6 of the ToBeOut Privacy Policy at https://tobeout.com/privacy. If that section is moved or renamed, ToBeOut may publish the list in another customer-facing location and will update this reference accordingly. Customer may also request the current list at any time via support.
SCHEDULE 4 — SCC IMPLEMENTATION (EEA/UK/SWISS TRANSFERS)
1. Incorporation by reference. The SCCs are incorporated by reference and available from the European Commission. This Schedule specifies how the SCCs are deemed completed for the parties’ relationship.
2. Modules. The parties agree that Module Two (Controller to Processor) applies to Customer Data transfers from the EEA.
3. Docking clause. The optional docking clause applies.
4. Clause 7 (Docking). Applies.
5. Clause 9 (Use of Sub-processors). Option 2 applies. The notice period is as set out in Section 6.3 of this DPA.
6. Clause 11 (Redress). The optional language does not apply.
7. Clause 13 (Supervision). The competent supervisory authority is determined by EU GDPR as applicable to Customer.
8. Clause 17 (Governing law). The governing law is the law of an EU Member State that allows for third-party beneficiary rights under the SCCs, as determined by Customer.
9. Clause 18 (Forum and jurisdiction). The courts are those of the Member State selected under Clause 17.
10. Annex I (A. List of parties). Exporter: Customer. Importer: ToBeOut, Corp. Contact details: as per Agreement/account. Activities: provision of Services as described in Schedule 1.
11. Annex I (B. Description of transfer). As per Schedule 1.
12. Annex I (C. Competent supervisory authority). As determined under Clause 13.
13. Annex II (TOMs). As per Schedule 2.
14. Annex III (Sub-processors). As per Schedule 3 / current Sub-processor list.
15. UK Addendum. For transfers subject to UK GDPR, the SCCs apply as supplemented by the UK Addendum. The parties agree that the SCCs referenced in this Schedule constitute the “Approved EU SCCs” for purposes of the UK Addendum, and the tables are completed in a manner consistent with this DPA (including Schedule 1–3).
16. Swiss Addendum. For transfers subject to Swiss FADP, references to “GDPR” in the SCCs are deemed references to the Swiss FADP; references to the “EU” include Switzerland; the competent authority is the FDPIC; and the Swiss courts have jurisdiction where required by Swiss law.
SIGNATURE
This DPA is effective as of the effective date of the Agreement, and is executed by the parties through acceptance of the Agreement and use of the Services, or by authorized signatories where required.