Data Processing Agreement

Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Sidestream OÜ (registry code 17374822, "Processor") and the Customer ("Controller") and applies whenever the Processor processes personal data on behalf of the Controller in connection with the SuperShift service (the "Service").

In the event of a conflict between this DPA and any other agreement between the parties, this DPA prevails in respect of the parties' data-protection obligations.

1. Definitions

Terms in initial capitals that are not defined here have the meaning given to them in Article 4 GDPR. In particular:

• Controller — the natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data.
• Processor — a natural or legal person which processes personal data on behalf of the Controller.
• Personal Data — any information relating to an identified or identifiable natural person.
• Data Subject — the identified or identifiable natural person to whom Personal Data relates.
• Processing — any operation or set of operations performed on Personal Data.

2. Subject matter and duration

The Processor will process Personal Data on behalf of the Controller for the duration of the Controller's active subscription to the Service, plus a 30-day window following termination during which Controller data is returned or deleted in accordance with section 13.

3. Nature and purpose of processing

Hosting and processing of staff schedules, employee records, time-clock entries, guest reservation details, newsletter subscribers and supplier contacts, in order to deliver the Service as described in the Terms of Service.

4. Categories of data subjects

• The Controller's staff and contractors.
• The Controller's guests who make a reservation via the booking widget.
• The Controller's newsletter subscribers.
• The Controller's suppliers (contact data only).

5. Categories of personal data

• Identification data: name, email address, phone number.
• Employment context: role, schedule, availability, time-clock entries, payroll-relevant timing data.
• Reservation details: party size, time, table, notes, opt-in flags.
• Contact preferences: subscription status, language, opt-out timestamps.

The Processor does not require, and the Controller agrees not to submit through the Service, special categories of data (Article 9 GDPR) or criminal-conviction data (Article 10 GDPR) unless expressly agreed in writing.

6. Controller instructions

The Processor processes Personal Data only on the documented instructions of the Controller. The Terms of Service, this DPA and the Controller's ongoing configuration and use of the Service together constitute the Controller's documented instructions. The Processor will notify the Controller if, in its opinion, an instruction infringes the GDPR or another applicable data-protection law.

7. Confidentiality

The Processor ensures that all personnel authorised to process Personal Data are bound by written confidentiality obligations or are under an appropriate statutory obligation of confidentiality.

8. Security measures

The Processor implements appropriate technical and organisational measures, including:

• Encryption in transit (TLS 1.2 or higher) for all connections.
• Encryption at rest at the database layer.
• Per-tenant logical isolation through organisationId scoping on every query.
• Role-based access controls, least-privilege production access, and audit logging of administrative actions.
• Regular automated backups with documented restore procedures.
• A documented incident-response plan, including the breach-notification workflow described in section 11.
• Periodic review of these measures in line with the state of the art.

9. Subprocessors

The Controller grants the Processor general authorisation to engage subprocessors for the performance of the Service. The current list of subprocessors is published at /subprocessors.

The Processor will notify the Controller at least 30 days before adding or replacing a subprocessor. The Controller may object to the change on reasonable, data-protection-related grounds. Where the parties cannot agree, the Controller may terminate the affected portion of the Service for that reason.

The Processor imposes data-protection obligations on each subprocessor that are no less protective than those in this DPA and remains liable to the Controller for the acts and omissions of its subprocessors.

10. Data subject rights

Taking into account the nature of the processing, the Processor will assist the Controller, by appropriate technical and organisational measures, in responding to requests from Data Subjects exercising their rights under Chapter III GDPR (access, rectification, erasure, restriction, portability, objection). Where the Processor receives a Data Subject request directly, it will refer the Data Subject to the Controller and inform the Controller without undue delay.

11. Breach notification

The Processor will notify the Controller without undue delay, and in any event within 72 hours of becoming aware, of any Personal Data Breach affecting Controller data. The notification will include the information required by Article 33(3) GDPR to the extent then known, with further information provided as it becomes available.

The Processor will reasonably assist the Controller in fulfilling its own obligations under Articles 33 and 34 GDPR.

12. Audit rights

The Processor will make available to the Controller all information necessary to demonstrate compliance with this DPA and Article 28 GDPR, and will allow for and contribute to audits, including inspections, conducted by the Controller or a qualified third-party auditor mandated by the Controller.

Audits are subject to reasonable advance notice (at least 30 days, save in case of a Personal Data Breach), must be scheduled to minimise disruption to the Service, and are conducted at the Controller's expense unless the audit identifies a material breach of this DPA, in which case the Processor bears the reasonable costs.

13. Return or deletion of data

On termination of the Service for any reason, the Processor will, at the Controller's choice, return or delete all Controller Personal Data within 30 days, including from active systems and from backups within the next standard backup rotation, except to the extent that storage is required by EU or Member-State law.

14. International transfers

Where the Processor or any subprocessor processes Personal Data outside the EEA, such transfer is governed by an adequacy decision, the EU-US Data Privacy Framework, Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) or another transfer mechanism recognised under Articles 44–49 GDPR.

15. Liability

Each party's liability under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service, save where applicable mandatory law provides otherwise.

16. Governing law

This DPA is governed by the laws of the Republic of Estonia. Any dispute arising from or in connection with this DPA is subject to the exclusive jurisdiction of the courts of Harju County, Tallinn, Estonia.