Data Processing Agreement
Last Updated: March 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Agreement") between Oversight Division Engineering LLC (d/b/a bavoli) ("Processor", "we", "us", or "our") and the entity or individual accepting the Agreement ("Controller", "you", or "your").
This DPA applies where and to the extent that Processor processes Personal Data on behalf of Controller in the course of providing the bavoli restaurant reservation management platform ("Service"). This DPA is effective as of the date you accept the Agreement and will remain in effect for the duration of the Agreement.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person that Processor processes on behalf of Controller in connection with the Service.
- "Processing" means any operation or set of operations performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, use, disclosure, erasure, or destruction.
- "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
- "Subprocessor" means any third party engaged by Processor to process Personal Data on behalf of Controller.
- "Data Protection Laws" means all applicable laws and regulations relating to the processing of Personal Data, including the California Consumer Privacy Act (CCPA), the General Data Protection Regulation (GDPR), and any other applicable data protection legislation.
- "Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
2. Scope of Processing
2.1 Roles
For the purposes of this DPA, Controller is the restaurant entity using the Service, and Processor is Oversight Division Engineering LLC (d/b/a bavoli). Controller determines the purposes and means of processing Personal Data; Processor processes Personal Data only on behalf of and in accordance with Controller's documented instructions.
2.2 Processing Purpose
Processor processes Personal Data solely to provide the Service, which includes restaurant reservation management, guest management, waitlist management, transactional communications, and related platform functionality.
2.3 Data Subjects
Personal Data processed under this DPA relates to the following categories of Data Subjects:
- Restaurant guests who make reservations or join waitlists
- Restaurant staff members with accounts on the platform
2.4 Types of Personal Data
The following categories of Personal Data are processed:
- Names and contact information (email addresses, phone numbers)
- Reservation details (date, time, party size, special requests)
- Dietary preferences and allergy information
- Guest profile data (visit history, notes, tags, preferences)
- Payment card tokens (processed by Stripe; full card numbers are never stored by Processor)
- Account credentials for restaurant staff
2.5 Duration
Processing will continue for the duration of the Agreement. Upon termination, Processor will handle Personal Data in accordance with Section 9 of this DPA.
3. Controller Obligations
Controller represents and warrants that:
- It has a lawful basis for the processing of Personal Data under applicable Data Protection Laws.
- It has provided appropriate notice to Data Subjects regarding the processing of their Personal Data.
- Its instructions to Processor comply with applicable Data Protection Laws.
- It will promptly notify Processor of any changes that may affect Processor's obligations under this DPA.
4. Processor Obligations
Processor will:
- Process Personal Data only on documented instructions from Controller, unless required to do so by applicable law.
- Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Section 5.
- Assist Controller in responding to requests from Data Subjects exercising their rights under Data Protection Laws.
- Assist Controller in ensuring compliance with its obligations regarding security of processing, notification of Security Incidents, data protection impact assessments, and prior consultations with supervisory authorities.
- At Controller's choice, delete or return all Personal Data to Controller after the end of the provision of the Service, and delete existing copies unless applicable law requires storage of the Personal Data.
- Make available to Controller all information necessary to demonstrate compliance with the obligations in this DPA.
5. Data Security
Processor implements and maintains appropriate technical and organizational security measures to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage. These measures include:
- Encryption in transit: All data transmitted between clients and our servers is encrypted using TLS 1.2 or higher.
- Encryption at rest: All Personal Data stored in our databases is encrypted at rest using AES-256 encryption.
- Access controls: Role-based access controls with row-level security (RLS) ensure that each restaurant can only access its own data.
- Authentication security: Secure session management with HTTP-only cookies, CSRF protection, and support for multi-factor authentication.
- Infrastructure security: Our application is hosted on enterprise-grade infrastructure with network isolation, DDoS protection, and automated security monitoring.
- Employee access: Access to Personal Data by Processor personnel is limited to those who require it to perform their job functions, subject to confidentiality obligations.
6. Subprocessors
6.1 Authorization
Controller provides general written authorization for Processor to engage Subprocessors to assist in providing the Service. A current list of authorized Subprocessors is maintained at bavoli.com/subprocessors.
6.2 Notification of Changes
Processor will notify Controller at least 30 days before authorizing any new Subprocessor or replacing an existing Subprocessor. Controller may object to a new Subprocessor by notifying Processor in writing within 30 days of receiving notice. If Controller reasonably objects and Processor cannot provide the Service without the new Subprocessor, either party may terminate the affected portion of the Service.
6.3 Subprocessor Obligations
Processor will enter into a written agreement with each Subprocessor imposing data protection obligations no less protective than those in this DPA. Processor remains liable for the acts and omissions of its Subprocessors to the same extent Processor would be liable if performing the services directly.
7. Data Subject Rights
Processor will, taking into account the nature of the processing, assist Controller by appropriate technical and organizational measures to fulfill Controller's obligation to respond to requests from Data Subjects exercising their rights under Data Protection Laws, including rights of access, rectification, erasure, restriction of processing, data portability, and objection.
If Processor receives a request directly from a Data Subject, Processor will promptly notify Controller and will not respond to the request without Controller's prior authorization, unless required to do so by applicable law.
8. Security Incident Notification
Processor will notify Controller without undue delay (and in any event within 72 hours) after becoming aware of a Security Incident affecting Personal Data processed under this DPA. The notification will include:
- A description of the nature of the Security Incident, including the categories and approximate number of Data Subjects and Personal Data records affected.
- The name and contact details of Processor's point of contact for further information.
- A description of the likely consequences of the Security Incident.
- A description of the measures taken or proposed to be taken to address the Security Incident, including measures to mitigate its adverse effects.
Processor will cooperate with Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of any Security Incident.
9. Data Deletion and Return
Upon termination or expiration of the Agreement, Processor will, at Controller's election and written request:
- Return: Provide Controller with a complete export of all Personal Data in a commonly used, machine-readable format (CSV or JSON).
- Delete: Securely delete all Personal Data from Processor's systems, including backups, within 90 days of the request.
Processor may retain Personal Data to the extent required by applicable law, provided that Processor will ensure the confidentiality of such data and will not actively process it for any purpose other than compliance with legal obligations.
10. Audit Rights
Processor will make available to Controller all information reasonably necessary to demonstrate compliance with the obligations set forth in this DPA. Processor will allow for and contribute to audits, including inspections, conducted by Controller or an independent third-party auditor appointed by Controller, subject to the following conditions:
- Controller must provide at least 30 days' prior written notice of any audit request.
- Audits will be conducted during normal business hours and will not unreasonably disrupt Processor's operations.
- Controller will bear the costs of any audit, unless the audit reveals a material breach of this DPA by Processor.
- Audits will be limited to no more than one per twelve-month period, unless required by a supervisory authority or following a Security Incident.
11. Liability
Each party's liability arising out of or related to this DPA is subject to the limitations of liability set forth in the Agreement. This DPA does not modify the liability caps, exclusions, or limitations in the Agreement.
12. Term and Termination
This DPA is effective as of the date Controller accepts the Agreement and will remain in effect for as long as Processor processes Personal Data on behalf of Controller. The obligations of Processor under this DPA will survive termination or expiration of the Agreement to the extent Processor continues to process Personal Data.
13. General Provisions
- Governing law: This DPA is governed by the laws of the State of Delaware, without regard to conflict of law principles, consistent with the Agreement.
- Conflicts: In the event of any conflict between this DPA and the Agreement, this DPA will prevail with respect to data protection matters.
- Amendments: This DPA may only be amended in writing by both parties. Processor may update this DPA to reflect changes in Data Protection Laws, provided that such updates do not materially reduce the protections afforded to Personal Data.
- Severability: If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions will remain in full force and effect.
Contact
For questions about this DPA or to exercise your rights under it, please contact us:
- Privacy inquiries: privacy@bavoli.com
- Legal inquiries: legal@bavoli.com
- Data Protection Officer: dpo@bavoli.com
Oversight Division Engineering LLC (d/b/a bavoli)