This Data Processing Agreement (“DPA”) sets out the terms on which Rezvion (“Rezvion”, the “Processor”) processes personal data on behalf of the customer that subscribes to the Rezvion service (the “Controller”), and forms an integral part of the Terms of Service (“Terms”). It is concluded under Article 28(3) GDPR. Defined terms used in the Terms have the same meaning here.
This page is the publicly available version of the DPA. A countersigned, restaurant‑specific version is available on request at hello@rezvion.nl; otherwise, by accepting the Terms the Controller is deemed to enter into this DPA.
1. Subject‑matter, nature, and purpose of processing
Rezvion processes personal data submitted by or on behalf of the Controller for the purpose of providing the Service described in the Terms (a multi‑tenant restaurant operating platform: ordering, reservations, POS, payments routing, marketing, analytics).
2. Duration of processing
Processing continues for the term of the Controller’s subscription and for the post-termination period set out in §10 below.
3. Categories of data subjects and personal data
- Data subjects: the Controller’s staff and authorised users; the Controller’s guests (diners, online‑order customers, reservation holders, loyalty members); the Controller’s suppliers where their contact data is loaded into the Service.
- Personal data: identification (name); contact details (email, phone, address); order, reservation, and loyalty history; dietary preferences and allergens (special‑category data under Art. 9 GDPR, processed only on the explicit basis of the data subject providing it); payment‑method metadata returned by Adyen; technical identifiers (IP address, device data, cookies on storefronts).
4. Obligations of the Processor
The Processor shall:
- Process personal data only on documented instructions from the Controller, including with regard to transfers to a third country, except where required to do so by EU or Member State law to which the Processor is subject (in which case the Processor will inform the Controller of that legal requirement before processing, unless that law prohibits notification on important grounds of public interest);
- Ensure that persons authorised to process the personal data have committed themselves to confidentiality;
- Take all measures required pursuant to Article 32 GDPR (see §6);
- Respect the conditions for engaging another processor (see §5);
- Taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising data‑subject rights (see §7);
- Assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR (security, breach notification, DPIA, prior consultation), taking into account the nature of processing and the information available to the Processor;
- Make available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, subject to the conditions in §8;
- Immediately inform the Controller if, in the Processor’s opinion, an instruction infringes the GDPR or other Union or Member State data‑protection provisions.
5. Sub‑processors
The Controller authorises Rezvion to engage the sub‑processors listed at /sub-processors. Rezvion will give the Controller at least 30 days’ prior notice of any addition or replacement of a sub‑processor (by email to the contact registered in the dashboard, and by updating that page). Within those 30 days, the Controller may object on reasonable data‑protection grounds; if the objection cannot be resolved, the Controller may terminate the affected part of the Service with a pro‑rata refund of any prepaid, unused fees.
Each sub‑processor is bound by a written contract that imposes equivalent data‑protection obligations to those in this DPA.
6. Security measures (Article 32)
Rezvion implements appropriate technical and organisational measures having regard to the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing, including:
- Tenant isolation via PostgreSQL row‑level security;
- Encryption in transit (TLS 1.2+) and at rest (managed disk and object‑storage encryption);
- Argon2id password hashing; mandatory two‑factor authentication for staff with production access;
- Role‑based access control with the principle of least privilege; access logging; time‑bound just-in-time elevation;
- Continuous monitoring (Sentry), structured request logging, anomaly detection, and rate-limited public endpoints;
- Encrypted backups retained for 30 days, with restoration tested at least quarterly;
- Background screening, confidentiality agreements, and security training for personnel;
- A documented secure‑development lifecycle, vulnerability management, and a responsible‑disclosure programme.
7. Assistance with data‑subject rights
Rezvion provides the Controller with self‑service tools in the dashboard to find, export, anonymise, or delete guest records. Where the Controller cannot fulfil a data‑subject request through the dashboard, Rezvion will assist within five business days of a reasonable written request.
8. Audits
Once a current independent third‑party assurance report (e.g. a SOC 2 Type II report or an ISO/IEC 27001 certificate) is available, Rezvion makes it available to the Controller. Until such a report is in place, the Controller may, on 30 days’ prior written notice and not more than once per year (unless a breach has occurred), conduct an audit limited to the information reasonably necessary to verify the Processor’s compliance, at the Controller’s cost, subject to confidentiality, scheduled to avoid operational disruption, and not extending to the personal data of other Rezvion customers.
9. International transfers
Where personal data is transferred outside the EEA, Rezvion relies on Standard Contractual Clauses (Implementing Decision (EU) 2021/914), the EU‑U.S. Data Privacy Framework where the recipient is certified, the UK Addendum where the UK GDPR applies, and supplementary technical measures. Each third‑country recipient is covered by a documented Transfer Impact Assessment.
10. Return or deletion of personal data on termination
On termination of the Service, the Processor will, at the Controller’s choice and within the timelines in the Terms, return all personal data to the Controller in JSON or CSV format and delete existing copies, or delete the personal data, in each case unless EU or Member State law requires storage of the personal data. Backups are overwritten according to the standard backup-rotation cycle (no later than 90 days after termination).
11. Personal‑data breach notification
Rezvion notifies the Controller without undue delay, and in any event within 48 hours of confirmation, after becoming aware of a personal data breach affecting Customer Data. The notice includes the information required by Article 33(3) GDPR so that the Controller can meet its 72‑hour notification obligation toward the supervisory authority. Notification is not an acknowledgement of fault or liability.
12. Governing law and order of precedence
This DPA is governed by the laws of the Netherlands. In the event of conflict between this DPA and the Terms with respect to the processing of personal data, this DPA prevails.
13. Contact
Email hello@rezvion.nl or write to Rezvion, Groest 51, 1211 CZ Hilversum, the Netherlands.