Data Processing Agreement

(Verwerkersovereenkomst)

Butlaroo Services B.V.
Last modified: 25 March 2026


Parties

  1. The legal entity or natural person acting in the exercise of a profession or business that has entered into an agreement with Butlaroo Services B.V. for the purchase of Services, hereinafter referred to as: "Controller" or "Client";
  2. Butlaroo Services B.V., established at Vonderweg 14, 5616 RM Eindhoven, registered with the Chamber of Commerce under number 70068143, hereinafter referred to as: "Processor" or "Butlaroo";

hereinafter jointly referred to as "Parties" and each individually as "Party".


Recitals

A. Controller and Processor have entered into an agreement for the provision of SaaS services by Processor (hereinafter: the "Master Agreement"), to which the General Terms and Conditions of Processor apply.

B. In the performance of the Master Agreement, Processor processes Personal Data on behalf of and on the instructions of Controller.

C. The Parties wish to set out in this Data Processing Agreement the arrangements regarding the processing of Personal Data by Processor, in accordance with Article 28 of the General Data Protection Regulation (Regulation (EU) 2016/679, hereinafter: "GDPR").

D. This Data Processing Agreement forms an integral part of the Master Agreement and the General Terms and Conditions.


1. Definitions

Terms that are capitalised in this Data Processing Agreement and are not defined in this article shall have the meaning assigned to them in the General Terms and Conditions of Processor or in the GDPR. In addition, the following definitions apply:

  1. GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).
  2. Personal Data: all data relating to an identified or identifiable natural person, insofar as such data are processed by Processor in the context of the performance of the Master Agreement.
  3. Processing: any operation or set of operations which is performed on Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment, combination, restriction, erasure or destruction of data.
  4. Data Subject: the identified or identifiable natural person to whom the Personal Data relate.
  5. Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
  6. Sub-processor: a third party engaged by Processor to process Personal Data on behalf of Processor in the context of the performance of the Master Agreement.
  7. Supervisory Authority: the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) or any other independent public authority established by an EU Member State charged with monitoring compliance with the GDPR.

2. Scope and purpose of processing

  1. This Data Processing Agreement applies to all processing of Personal Data carried out by Processor in the context of the Master Agreement, exclusively on behalf of and on the instructions of Controller.
  2. Processor shall process the Personal Data exclusively for the purposes and in the manner described in Annex 1 (Processing Activities) to this Data Processing Agreement, unless Processor is required to do so by law. In that case, Processor shall inform Controller prior to the processing of that legal requirement, unless the relevant legislation prohibits such notification on important grounds of public interest.
  3. The categories of Data Subjects, the categories of Personal Data and the nature and purpose of the processing are described in Annex 1.
  4. Processor shall not process the Personal Data for its own purposes, unless and to the extent expressly described in Article 11 of the General Terms and Conditions (Data protection and privacy), which sets out the processing activities for which Processor acts as an independent controller. This Data Processing Agreement does not apply to such processing activities.

3. Obligations of Controller

  1. Controller warrants that the processing of Personal Data is in compliance with the GDPR and other applicable privacy laws and regulations, including in particular:
    • that a valid legal basis exists for the processing of the Personal Data;
    • that Data Subjects have been adequately informed about the processing of their Personal Data, including by means of a privacy notice;
    • that any necessary consents from Data Subjects have been obtained, insofar as the processing is based thereon.
  2. Controller is responsible for the accuracy, completeness and lawfulness of the Personal Data provided to Processor.
  3. Controller shall indemnify Processor against all claims by Data Subjects or third parties arising from Controller's failure to comply with its obligations under the GDPR or this Data Processing Agreement.

4. Obligations of Processor

  1. Processor shall process the Personal Data exclusively on the basis of written instructions from Controller, including the instructions set out in this Data Processing Agreement, the Master Agreement and the General Terms and Conditions. Processor shall immediately inform Controller if, in the opinion of Processor, an instruction infringes the GDPR or other applicable privacy legislation.
  2. Processor shall ensure that persons authorised to process the Personal Data have committed themselves to confidentiality by contract or are under an appropriate statutory obligation of confidentiality.
  3. Processor shall implement appropriate technical and organisational measures as referred to in Article 32 GDPR to ensure a level of security appropriate to the risk, as further described in Annex 2 (Technical and organisational measures).
  4. Processor shall comply with the conditions referred to in Article 28(2) and (4) GDPR for engaging Sub-processors, in accordance with Article 6 of this Data Processing Agreement.
  5. Processor shall, taking into account the nature of the processing, assist Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of Controller's obligation to respond to requests from Data Subjects exercising their rights as set out in Chapter III of the GDPR.
  6. Processor shall assist Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR (security, data breach notification obligations, data protection impact assessment and prior consultation), taking into account the nature of the processing and the information available to Processor.
  7. At the choice of Controller, Processor shall make available or delete all Personal Data after the end of the provision of processing services, in accordance with Article 10 of this Data Processing Agreement, and shall delete existing copies, unless storage of the Personal Data is required by Union or Member State law.
  8. Processor shall make available all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and shall allow for and contribute to audits, including inspections, conducted by or on behalf of Controller, in accordance with Article 9 of this Data Processing Agreement.

5. Confidentiality

  1. Processor shall treat all Personal Data that it processes in the context of this Data Processing Agreement as confidential.
  2. Processor shall ensure that access to the Personal Data is limited to employees and third parties for whom such access is necessary for the performance of the Master Agreement and who are bound by an obligation of confidentiality.
  3. The confidentiality obligation shall remain in force after termination of this Data Processing Agreement.

6. Sub-processors

  1. Controller hereby grants Processor a general written authorisation as referred to in Article 28(2) GDPR for the engagement of Sub-processors for the performance of specific processing activities.
  2. Processor undertakes to make an up-to-date list of all Sub-processors available to Controller upon written request. This list shall contain at least the identity of the Sub-processors, their country of establishment and a brief description of the processing activity. Controller hereby consents to the use of the Sub-processors engaged at the time of signing.
  3. Processor shall inform Controller in advance of any intended changes concerning the addition or replacement of Sub-processors, observing a reasonable notice period of at least fourteen (14) days, so that Controller has the opportunity to object to such changes.
  4. If Controller objects on reasonable grounds to a new or replacement Sub-processor, the Parties shall enter into consultations to reach a reasonable solution. If the Parties are unable to reach agreement within thirty (30) days, Processor shall be entitled to:
    • proceed with the intended change if the objection of Controller is, in the reasonable opinion of Processor, insufficiently substantiated; or
    • offer Controller the possibility to terminate the Master Agreement subject to a notice period of thirty (30) days.
  5. Processor shall impose on each Sub-processor, by way of an agreement or other legal act, the same data protection obligations as the obligations set out in this Data Processing Agreement, in particular as regards providing sufficient guarantees to implement appropriate technical and organisational measures.
  6. Processor shall remain fully liable to Controller for the performance of the obligations of its Sub-processors.
  7. Processor shall keep the list of Sub-processors as referred to in paragraph 2 up to date and shall make an updated version available upon written request of Controller.
  8. Third parties with which the Platform of Processor maintains a technical connection (integration), such as point-of-sale systems, reservation systems or accounting software, shall not qualify as Sub-processors within the meaning of this Data Processing Agreement if such parties have their own, direct agreement with Controller and in that context act as an independent controller or as Controller's own processor. Controller is itself responsible for entering into appropriate data processing agreements with such parties.

7. Transfers outside the EEA

  1. Processor shall process the Personal Data exclusively within the European Economic Area (EEA).
  2. Processor shall not transfer Personal Data to a country outside the EEA or to an international organisation, unless:
    • Controller has given prior written consent thereto; and
    • appropriate safeguards have been put in place in accordance with Chapter V of the GDPR, including but not limited to an adequacy decision of the European Commission, Standard Contractual Clauses (SCCs) as referred to in Article 46(2)(c) GDPR, or Binding Corporate Rules (BCRs).
  3. If a Sub-processor processes Personal Data outside the EEA, Processor shall be responsible for putting in place the safeguards referred to in paragraph 2 with respect to that Sub-processor and shall notify Controller thereof when engaging the relevant Sub-processor.

8. Personal Data Breaches

  1. Processor shall notify Controller without undue delay, and where possible within forty-eight (48) hours after becoming aware thereof, of a Personal Data Breach relating to the Personal Data processed in the context of this Data Processing Agreement.
  2. The notification referred to in paragraph 1 shall contain at least, insofar as known at that time:
    • a description of the nature of the Personal Data Breach, including where possible the categories and approximate number of Data Subjects and Personal Data records concerned;
    • the name and contact details of the contact point at Processor where further information can be obtained;
    • a description of the likely consequences of the Personal Data Breach;
    • a description of the measures taken or proposed by Processor to address the Personal Data Breach, including measures to mitigate its possible adverse effects.
  3. Where it is not possible to provide all information referred to in paragraph 2 at the same time, Processor shall provide the information in phases without further undue delay.
  4. Processor shall provide Controller with all reasonable cooperation in investigating, mitigating and remediating a Personal Data Breach, as well as in making any notifications to the Supervisory Authority or Data Subjects.
  5. Processor shall document all Personal Data Breaches, including the facts relating to the Personal Data Breach, its effects and the corrective measures taken, and shall make this documentation available to Controller upon request.
  6. Processor shall not make any communications to Data Subjects or third parties regarding a Personal Data Breach without prior consultation with Controller, unless Processor is required to do so by law.

9. Audits

  1. Processor shall enable Controller to carry out audits, or to have audits carried out by an independent third party, to verify compliance with the obligations under this Data Processing Agreement, subject to the conditions set out in this article.
  2. Controller shall submit an audit request at least thirty (30) days in advance in writing, including a description of the scope, duration and start date of the audit.
  3. Audits shall be carried out during regular business hours, with due regard for the confidentiality and security of the data of other clients of Processor, and in a manner that minimises disruption to Processor's business operations.
  4. Controller shall be entitled to no more than one (1) audit per calendar year, unless there is a concrete and substantiated suspicion of non-compliance by Processor or a Personal Data Breach has occurred.
  5. The reasonable costs incurred by Processor in cooperating with an audit shall be borne by Controller, unless the audit reveals a material shortcoming on the part of Processor.
  6. Processor may satisfy an audit request by providing a recent independent audit or certification report (including SOC 2, ISO 27001 or equivalent), insofar as such report reasonably covers the scope of the audit request.

10. Term, termination and data deletion

  1. This Data Processing Agreement shall enter into force on the date of signing or, if earlier, at the moment Processor first processes Personal Data in the context of the Master Agreement, and shall remain in force for the duration of the Master Agreement.
  2. Upon termination of the Master Agreement, for whatever reason, Processor shall cease the processing of Personal Data, subject to the provisions of paragraphs 3 and 4.
  3. Upon termination of the Master Agreement, Processor shall offer Controller a period of ninety (90) days to export or retrieve the Personal Data in a commonly used, machine-readable format. Controller is responsible for the timely export or retrieval of the data.
  4. After expiry of the period referred to in paragraph 3, Processor shall delete or anonymise the Personal Data and all copies thereof, unless:
    • storage is required by law under Union or Member State law, including but not limited to fiscal retention obligations (Article 52 of the Dutch General Tax Act (Algemene wet inzake rijksbelastingen): seven (7) years for transaction and financial administration data);
    • the data are necessary for the settlement of outstanding obligations, including chargebacks, disputes or claims relating to the period prior to termination.
  5. Processor shall, at Controller's request, confirm in writing that the Personal Data have been deleted or anonymised, with the exception of data retained pursuant to paragraph 4.
  6. For Personal Data retained pursuant to paragraph 4, the relevant provisions of this Data Processing Agreement — in particular those relating to confidentiality, security and purpose limitation — shall remain in force until the data have been deleted.

11. Rights of Data Subjects

  1. Processor shall assist Controller in responding to requests from Data Subjects to exercise their rights under the GDPR, including the right of access, rectification, erasure, restriction of processing, data portability and the right to object.
  2. If Processor directly receives a request from a Data Subject, Processor shall forward this request to Controller without delay, unless Processor is required by applicable law to respond to the request itself. Processor shall not respond to the request itself without prior instruction from Controller, unless required by law.
  3. Processor shall make reasonable technical and organisational resources available, including export functionalities in the Platform, to enable Controller to comply with requests from Data Subjects.
  4. The reasonable costs incurred by Processor in providing assistance with requests from Data Subjects that are exceptionally complex or that are submitted in exceptionally large numbers shall be borne by Controller.

12. Privacy contact point

  1. Processor has designated a privacy contact point that can be reached for questions and requests relating to the processing of Personal Data: privacy@butlaroo.com.
  2. Controller shall notify Processor of its own contact person for privacy matters upon entering into the Master Agreement.

13. Liability

  1. The liability of Processor under or in connection with this Data Processing Agreement shall be subject to the limitations and exclusions of liability as set out in the General Terms and Conditions of Processor.
  2. Notwithstanding paragraph 1, the limitation of liability shall not apply to:
    • fines imposed directly on a Party by the Supervisory Authority for non-compliance with the GDPR by that Party;
    • damage that is the direct result of intent or wilful recklessness on the part of the management of a Party.
  3. Each Party shall be responsible for fines imposed on it by a Supervisory Authority as a result of its own non-compliance with the GDPR. If a fine is imposed on Processor as a result of non-compliance with the GDPR attributable to Controller (including the provision of unlawful instructions or the absence of a valid legal basis), Controller shall indemnify Processor for the amount of such fine.
  4. The Parties shall cooperate in good faith in handling claims from Data Subjects or Supervisory Authorities.

14. Final provisions

  1. In the event of a conflict between this Data Processing Agreement and the Master Agreement or the General Terms and Conditions, this Data Processing Agreement shall prevail insofar as the processing of Personal Data is concerned.
  2. Amendments to this Data Processing Agreement shall only be valid if agreed in writing by both Parties. Processor shall, however, be entitled to unilaterally amend Annex 2 (Technical and organisational measures) and the list of Sub-processors, provided that the level of security is not materially reduced and subject to the notification procedure set out in Article 6(3) with respect to Sub-processors.
  3. This Data Processing Agreement shall be governed by the laws of the Netherlands. Disputes shall be settled in accordance with the dispute resolution provision in the General Terms and Conditions.
  4. If any provision of this Data Processing Agreement is found to be void or voidable, this shall not affect the validity of the remaining provisions. The Parties shall replace the relevant provision with a valid provision that most closely reflects the intent of the original provision.

Annex 1 — Processing Activities

Purpose of processing

Processor processes Personal Data exclusively for the following purposes on behalf of Controller:

  • making the Platform available and ensuring its operation (QR ordering solutions, kiosk systems, click & collect, online ordering, point-of-sale systems, kitchen display systems);
  • processing and handling orders and transactions;
  • facilitating payment processing through licensed payment service providers;
  • generating reports, overviews and analytics on behalf of Controller;
  • sending order and transaction notifications to end users on behalf of Controller;
  • providing technical support to Controller.

Categories of Data Subjects

  • End users (guests, visitors, consumers) of Controller who place orders or make payments via the Platform;
  • Employees and Users of Controller who have access to the Platform.

Categories of Personal Data

End users:

  • Name (if provided when placing an order)
  • Email address (if provided)
  • Telephone number (if provided)
  • Delivery or collection address (if applicable)
  • Order data (products ordered, quantities, prices, time of order)
  • Payment data (transaction ID, payment method, transaction amount, transaction status; not full credit card or bank account numbers — these are processed exclusively by the licensed payment service provider)
  • IP address and device data (browser, operating system) when using the Platform
  • Any comments or preferences submitted with an order

Employees and Users of Controller:

  • Name
  • Email address
  • Telephone number (if provided)
  • Login credentials (username, hashed passwords)
  • Role and authorisation level within the Platform
  • Usage log data (login times, actions performed)

Nature of processing

Collection, recording, organisation, storage, adaptation, retrieval, consultation, use, disclosure by transmission (to payment service provider, to end user for order confirmations), combination, restriction, erasure and destruction.

Duration of processing

The processing takes place for the duration of the Master Agreement, plus the period required for the wind-down after termination as referred to in Article 10 of this Data Processing Agreement.


Annex 2 — Technical and organisational measures

Processor shall implement at least the following measures to ensure an appropriate level of security. Processor shall evaluate and update these measures periodically, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing.

Access control

  • Access to systems that process Personal Data is restricted on a need-to-know basis.
  • Employees of Processor have individual accounts with unique login credentials.
  • Multi-factor authentication (MFA) is required for access to production and management systems.
  • Access rights are periodically reviewed and revoked upon termination of employment or engagement.

Encryption

  • Personal Data are encrypted at rest and encrypted in transit using industry-standard encryption (at minimum AES-256 for storage, TLS 1.2 or higher for transport).
  • Passwords are stored as hashed values using secure hashing algorithms.

Network security

  • Production environments are protected by firewalls and network segmentation.
  • Remote access to production systems is provided via secure connections (VPN or equivalent).
  • Regular vulnerability scans and patch management.

Availability and resilience

  • Regular backups of Personal Data, stored at a physically separate location.
  • Procedures for restoring the availability of and access to Personal Data in the event of a physical or technical incident.
  • Monitoring of the availability of production systems.

Incident management

  • Documented procedures for detecting, reporting and handling security incidents and Personal Data Breaches.
  • Designated personnel responsible for incident response.

Personnel measures

  • Employees who have access to Personal Data are bound by confidentiality obligations.
  • Awareness training in the areas of information security and data protection.

Physical security

  • Data centres of hosting providers are equipped with physical access control, fire protection and climate control.
  • Processor exclusively selects hosting providers that comply with industry-standard security certifications.

Logging and monitoring

  • Access to and changes in systems that process Personal Data are logged.
  • Log files are protected against unauthorised access and modification.

Sub-processors

The current list of Sub-processors is not appended as an annex to this Data Processing Agreement but is made available by Processor to Controller upon written request in accordance with Article 6(2) of this Data Processing Agreement. The list contains at least the identity of the Sub-processors, their country of establishment and a brief description of the processing activity.

Insofar as Sub-processors are part of a US or international group and process Personal Data outside the EEA, this is done on the basis of an adequacy decision, Standard Contractual Clauses (SCCs) as referred to in Article 46(2)(c) GDPR, or another appropriate safeguard in accordance with Chapter V GDPR. Processor verifies that appropriate safeguards have been put in place and maintains documentation thereof.

Not regarded as Sub-processors are parties with which the Platform maintains a technical connection but which have their own, direct agreement with the data subject or with Controller, services for which Processor itself is the controller, and services that do not process Personal Data in the context of the Services. See Article 6(8) of this Data Processing Agreement.


End of Data Processing Agreement