Data Processing Agreement (DPA)
Effective May 10, 2026 · Standing template · Enterprise redlines welcome.
This DPA supplements the Operator Terms of Service and the Privacy Policy. It applies when Zayos processes personal data of EU/UK/EEA data subjects on your behalf. Counter-signed copies available on request.
1. Roles
Controller: you, the operator (the restaurant business).
Processor: Zay Revenue Group LLC (Zayos).
For diner data flowing through your storefront, you set the purposes and means of processing; we process it under your instructions to operate the service.
2. Subject matter, duration, nature, purpose
- Subject matter: personal data of your diners and your operator users
- Duration: for as long as your subscription is active, plus retention windows in §5
- Nature: storage, processing, transmission, deletion via the Zayos platform
- Purpose: running direct online ordering, marketplace ingestion, marketing tools, analytics
- Categories of data subjects: diners (your customers), your operator users (staff)
- Categories of personal data: name, email, phone, delivery address, order history, IP/user-agent, device tokens; for staff: name, work email, role, MFA tokens
- Special categories: none collected
3. Our obligations as processor
- Process personal data only on your documented instructions (these terms + admin actions you take in the platform)
- Ensure persons authorized to process are bound by confidentiality
- Apply appropriate technical and organizational measures (see §6)
- Engage sub-processors only with general written authorization (see §4); 30-day notice on additions
- Assist you with data-subject requests and DPIA / consultation obligations
- Notify you without undue delay (within 72 hours) on becoming aware of a personal-data breach affecting your tenant
- Delete or return personal data on termination per §5
- Provide information needed to demonstrate compliance, including audit rights
4. Sub-processors
The current list lives at /zayos/legal/subprocessors. Each sub-processor has a DPA with us. We'll notify you 30 days before adding a new one; you have the right to object during the notice period.
5. Retention + deletion
On termination, we delete or return personal data within 90 days, except where retention is required by law (US tax: 7 years on order + payment records, with PII anonymized).
6. Security measures
See /zayos/legal/security for the substantive list (RLS, TLS, encryption at rest, MFA, audit logs, rate limits, etc.). We update that page when measures change.
7. International transfers
Personal data is hosted in US-East. For EU/UK data subjects, transfers from the EU/UK to the US rely on Standard Contractual Clauses (SCCs) as incorporated by reference here. UK transfers additionally rely on the UK Addendum to the SCCs. Contact us for the executed SCC + Addendum on counter-signed letterhead.
8. Audits
Once per 12 months you may, on 30 days' notice and during business hours, audit our compliance, either via written questionnaire (default) or via a SOC-2 Type 1 / 2 report once we're certified (Type 1 targeted Q3 2026, Type 2 Q1 2027). On-site audits require written agreement.
9. Liability + governing law
As set out in the main Terms of Service. Florida law governs; dispute resolution per Terms §13.
10. Order of precedence
If this DPA conflicts with the Terms of Service, this DPA controls for matters relating to personal data processing. Otherwise, the Terms control.
v1.0 · Effective May 10, 2026 · Counter-signed copies: abdallah@zayrev.com