
Data Processing Addendum.

Last updated .

§1 Parties and scope

This Data Processing Addendum (“DPA”) forms part of the agreement between you (the “Customer”, acting as Controller) and Aleksandar Opsenica, sole trader trading as Crumb (“Crumb”, acting as Processor) governing the Crumb digital menu service (the “Service”).

This DPA applies to the processing of Personal Data by Crumb on the Customer’s behalf in the course of providing the Service and is incorporated by reference into the Terms of Service. Where this DPA conflicts with the Terms, this DPA prevails for data-protection matters.

§2 Definitions

“GDPR” means Regulation (EU) 2016/679 and, where applicable, the UK GDPR and Data Protection Act 2018. “Personal Data”, “Controller”, “Processor”, “Sub-processor”, “Data Subject”, “Processing” and “Supervisory Authority” have the meanings given in the GDPR. “Standard Contractual Clauses” (SCCs) means the Commission Implementing Decision (EU) 2021/914 modules as updated from time to time.

§3 Roles and subject-matter

The Customer is the Controller of the Personal Data it submits to the Service. Crumb processes that Personal Data only as a Processor on the Customer’s documented instructions, which are set out in the Terms, this DPA, and the configuration the Customer makes inside the dashboard.

  • Subject matter: provision of a hosted digital menu service and associated analytics to the Customer.
  • Duration: the term of the Customer’s subscription, plus the retention periods described below.
  • Categories of Data Subjects: the Customer’s staff (workspace members), and guests scanning the Customer’s menus.
  • Categories of Personal Data: staff names and email addresses; pseudonymous menu-event records (session id, event type, country code, viewport, referrer).
  • Special categories: none. The Customer must not submit special-category data through the Service.

§4 Processor obligations

  • Process Personal Data only on the Customer’s documented instructions, including transfers, unless required by EU/Member State law (in which case Crumb will inform the Customer first unless that law prohibits it on public-interest grounds).
  • Ensure persons authorised to process the Personal Data are bound by confidentiality.
  • Implement appropriate technical and organisational measures (see §6).
  • Assist the Customer, taking into account the nature of the processing, with Data Subject requests and Articles 32–36 GDPR obligations.
  • On termination, delete or return the Personal Data at the Customer’s choice (see §9).
  • Make available all information necessary to demonstrate compliance and allow for audits (see §7).

§5 Sub-processors

The Customer provides general written authorisation for Crumb to engage the sub-processors listed below. Crumb will give at least 30 days’ notice (by updating this page) of any intended addition or replacement. The Customer may object on reasonable data-protection grounds; if the parties cannot resolve the objection, the Customer may terminate the affected portion of the Service.

Sub-processor | Purpose | Location
Lovable Cloud (Supabase infra) | Database, auth, object storage, serverless compute | EU (Ireland / Frankfurt)
Cloudflare, Inc. | Edge delivery, DNS, DDoS protection | Global edge; EU PoPs preferred
Paddle.com Market Ltd | Merchant of Record — billing, tax, invoices, payment methods | UK / EU
Resend (or equivalent ESP) | Transactional email delivery (invites, password resets, receipts) | EU / US (SCCs)

Crumb remains liable for the acts and omissions of its sub-processors as if they were its own.

§6 Security measures (Art. 32)

  • TLS 1.2+ for all data in transit; HSTS on the dashboard.
  • Encryption at rest for the production database.
  • Role-based access control and least-privilege service credentials.
  • Short-lived JWT authentication tokens for the dashboard.
  • Row-level security enforced at the database layer.
  • Audit logging of dashboard edits and superuser actions.
  • Backups with point-in-time recovery on the production database.
  • Vulnerability scanning of dependencies and infrastructure changes.
  • Documented incident-response process and 72-hour breach reporting.

§7 Audits and information

Crumb will make available, on reasonable written request and no more than once per year (or following a personal-data breach materially affecting the Customer), the information necessary to demonstrate compliance with this DPA, including third-party audit reports of its sub-processors where Crumb has them. On-site audits are by mutual agreement, at the Customer’s cost, under confidentiality, and scheduled so as not to disrupt the Service.

§8 Personal-data breaches

Crumb will notify the Customer without undue delay (and in any event within 72 hours) after becoming aware of a personal-data breach affecting the Customer’s Personal Data, providing the information required by Article 33(3) GDPR to the extent then known, and updates as new information becomes available.

§9 Return or deletion on termination

On termination or expiry of the Service, Crumb will, at the Customer’s choice expressed within 30 days of termination, delete or return all Personal Data processed on the Customer’s behalf and delete existing copies, unless EU or Member State law requires further storage. Pseudonymous menu-event aggregates that no longer identify any Data Subject may be retained.

§10 International transfers

Where the provision of the Service involves transferring Personal Data outside the EEA/UK, Crumb relies on Standard Contractual Clauses (Modules 2 and 3 as applicable) or an adequacy decision recognised by the European Commission, supplemented by technical and organisational measures appropriate to the transfer.

§11 Liability

Each party’s liability arising out of or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Terms. Nothing in this DPA limits a Data Subject’s rights under the GDPR.

§12 Governing law

This DPA is governed by the laws of Ireland and subject to the exclusive jurisdiction of the Irish courts, mirroring the Terms.