This Data Processing Agreement (“DPA”) is entered into between the restaurant Owner (“Controller”) and DineEasy, operated by Maxapp GmbH (“Processor”), and forms an integral part of the Terms of Service. It governs the processing of personal data of diners that the Controller collects through their public menu on the DineEasy platform.
1. Parties
Processor: Maxapp GmbH, Birkenstrasse 49, 6343 Rotkreuz, Switzerland.
Controller: the legal or natural person who registers a DineEasy account and operates one or more restaurant public menus on the platform.
2. Scope & roles
Diners may submit personal data through the public menu – typically a name and optionally a phone number, email, table reference, and order details. With respect to that data, the Controller is the data controller and DineEasy is the data processor. DineEasy processes the data only on the Controller’s documented instructions and only for the purposes set out in the Terms of Service: serving the public menu, recording orders, processing payments through Stripe Connect, and providing related operational telemetry to the Controller.
For account data of the Controller themselves (login email, restaurant settings, billing information), DineEasy is the controller – see the Privacy Policy.
3. Owner instructions
The Controller’s instructions are documented in the Terms, the Privacy Policy, and the configuration the Controller sets in their dashboard (e.g. whether to publish a contact email, whether ordering is enabled, whether translations are enabled). DineEasy will not process diner data for any other purpose without further written instruction.
If DineEasy considers an instruction to violate applicable data protection law, we will inform the Controller without undue delay.
4. Confidentiality
DineEasy ensures that all personnel authorised to process personal data are bound by appropriate confidentiality obligations.
5. Security measures
DineEasy implements appropriate technical and organisational measures (TOMs) to protect personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage. Current measures include:
- Encryption in transit (TLS 1.2+) and at rest (provider-managed disk encryption).
- Role-based access control on production infrastructure with least-privilege defaults; admin actions are audited.
- Postgres row-level security on every tenant-scoped table; service-role keys are never exposed client-side.
- Stripe Connect direct charges – diner payment data never touches our infrastructure; it goes from the diner’s browser directly to Stripe.
- Webhook signature verification on every inbound integration.
- Daily backups with retention according to provider defaults.
- Pre-commit secret scanning on every commit (gitleaks).
6. Sub-processors
The Controller authorises DineEasy to engage the following sub-processors. We will give the Controller at least 30 days’ written notice (via in-product notice, the Privacy Policy update log, or email) before adding or replacing a sub-processor.
| Sub-processor | Purpose | Region |
|---|---|---|
| Supabase | Database, authentication, storage | EU (Frankfurt) |
| Vercel | Application hosting, edge runtime | Global; primary EU |
| Stripe | Payments, Connect onboarding | EU / Switzerland (data localised) |
| Upstash | Redis cache, QStash background jobs | EU (Frankfurt) |
| DeepL | Menu auto-translation | EU (Germany) |
| PostHog | Product analytics, error tracking | EU Cloud |
| Google Cloud (Places API) | Address autocomplete | EU |
DineEasy enters into written contracts with each sub-processor that impose data protection obligations equivalent to those in this DPA.
7. Data subject rights
DineEasy will, taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as possible, in fulfilling the Controller’s obligation to respond to data subject requests (access, rectification, erasure, restriction, portability, objection).
If a diner contacts DineEasy directly with a request that relates to data processed on behalf of a Controller, we will redirect them to the Controller and notify the Controller without undue delay.
8. Breach notification
DineEasy will notify the Controller without undue delay – and in any event within 72 hours of becoming aware – of any personal data breach affecting the Controller’s data, with sufficient detail to allow the Controller to meet its own breach-notification obligations.
9. Audit
On reasonable written request and no more than once per calendar year, DineEasy will make available the information necessary to demonstrate compliance with this DPA, including a current sub-processor list, security overview, and most recent third-party penetration-test summary if available.
On-site audits are not generally available given the nature of the service; independent attestations and certifications, where available, may substitute.
10. International transfers
DineEasy primarily processes personal data within the EU and Switzerland. Sub-processors located outside the EU/EEA are engaged under the European Commission’s Standard Contractual Clauses and, where applicable, the Swiss-FDPIC supplementary arrangement.
11. Return & deletion
On termination of the Terms, the Controller may export their data via the dashboard. Within 30 days after termination, DineEasy will delete or anonymise all personal data processed under this DPA, except where retention is required by applicable law (e.g. invoicing records under Swiss accounting law).
12. Liability
Liability under this DPA is governed by the limitation-of-liability clause of the Terms of Service.
13. Term & termination
This DPA enters into force on acceptance of the Terms of Service and remains in force for as long as DineEasy processes personal data on behalf of the Controller.
14. Contact
Data protection questions and DPA correspondence: legal@dineeasy.app.