Data Processing Agreement (DPA)
Last updated: 2026
This Data Processing Agreement ("DPA") forms part of the OperoPOS Terms of Service and applies whenever OperoPOS processes personal data on behalf of a merchant in the course of providing the service.
1. Roles of the Parties
For data about the merchant's customers (names, phone numbers, delivery addresses, order history), the merchant is the Data Controller and OperoPOS is the Data Processor. For data about the merchant's own account and staff, OperoPOS is the Data Controller. This DPA governs the processor relationship.
2. Categories of Data Processed
OperoPOS processes the following categories of customer personal data on behalf of the merchant: name, phone number, email address, delivery address, geolocation (only if the customer enables it for delivery), and order history including items purchased and amounts paid.
3. Purpose and Duration
OperoPOS processes this data solely for the purpose of providing the OperoPOS service to the merchant — taking orders, routing them to the kitchen and drivers, sending confirmations, generating receipts, and producing reports. Processing continues for as long as the merchant uses the service or until the merchant instructs us to delete the data.
4. Sub-Processors
OperoPOS uses a limited number of sub-processors to deliver the service: cloud hosting (managed Postgres database, edge functions, object storage), transactional email delivery, and mapping services for delivery zones. A current list is available on request to privacy@operopos.com. We notify merchants in advance of any new sub-processor.
5. Security Measures
OperoPOS implements appropriate technical and organizational measures to protect personal data, including: encryption in transit (TLS 1.2+) and at rest (AES-256), row-level security at the database layer, role-based access control, audit logging, automated backups, and staff training on data protection. See our Security Policy for full details.
6. Data Subject Rights
OperoPOS provides the merchant with the technical tools needed to honor data-subject requests: customers can be exported, anonymized, or deleted from the merchant dashboard. If a data subject contacts OperoPOS directly, we forward the request to the merchant without acting on it ourselves, since the merchant is the Controller.
7. International Transfers
Where personal data is transferred outside the European Economic Area, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by additional technical and organizational measures.
8. Breach Notification
OperoPOS will notify the merchant without undue delay (and in any event within 72 hours) of any confirmed personal-data breach affecting their data, including the nature of the breach, the data affected, and the remediation steps taken.
9. Audit Rights
The merchant may, on reasonable notice and at the merchant's expense, audit OperoPOS's compliance with this DPA. In practice, we provide independent third-party audit reports on request to satisfy this requirement without disrupting service.
10. Deletion of Data
On termination of the service or on written request from the merchant, OperoPOS will delete all personal data processed on the merchant's behalf within 30 days, unless retention is legally required.
11. Liability
Each party's liability under this DPA is subject to the limitations set out in the OperoPOS Terms of Service.
12. Contact
Questions, signed DPA requests, or sub-processor list requests: privacy@operopos.com.