data processing agreement.
this data processing agreement (dpa) is available to eu-based operators to comply with gdpr requirements. to request a countersigned copy, email legal@olldae.com.
1. parties
this dpa is entered into between the operator ("data controller") and olldae, inc. ("data processor"). the operator determines the purposes and means of processing personal data. olldae processes personal data on behalf of the operator solely to provide the service.
2. subject matter and duration
this dpa covers the processing of personal data as part of the olldae service. processing begins when the operator creates an account and continues for the duration of the subscription. on termination, olldae will delete all personal data within 30 days unless required by law to retain it.
3. nature and purpose of processing
olldae processes personal data to:
- provide the operating system service (inventory, recipes, costing, supplier management)
- send operational alerts and notifications
- generate reports and analytics for the operator
- manage user authentication and access control
the processing is automated and occurs on olldae's infrastructure.
4. categories of data subjects
the personal data processed relates to:
- operators (account holders) — name, email, venue information
- staff members — name, email, role, usage activity
- suppliers — contact names, email addresses, phone numbers
5. categories of personal data
- account data: names, email addresses, roles, venue details
- usage data: login times, features accessed, actions performed
- operational data: inventory records, recipes, pricing, supplier contacts
- technical data: ip addresses, browser type, device information
6. obligations of the processor
olldae will:
- process personal data only on documented instructions from the operator
- ensure all personnel with access to personal data are bound by confidentiality obligations
- implement appropriate technical and organisational measures to ensure security (encryption at rest and in transit, access controls, regular backups)
- not engage sub-processors without prior written consent of the operator (current sub-processors: supabase, resend, stripe, vercel)
- assist the operator in responding to data subject requests (access, rectification, erasure, portability)
- notify the operator without undue delay (and within 72 hours) upon becoming aware of a personal data breach
- delete or return all personal data at the end of the service, at the operator's choice
- make available all information necessary to demonstrate compliance with gdpr article 28
7. obligations of the controller
the operator will:
- ensure they have a lawful basis for processing personal data through olldae
- inform staff members that their usage of olldae is tracked
- provide olldae with documented instructions for data processing
- notify olldae of any changes to processing requirements
8. sub-processors
olldae currently uses the following sub-processors:
- supabase (aws us-east-1) — database hosting, authentication
- resend — transactional email delivery
- stripe — payment processing
- vercel — application hosting
olldae will notify the operator at least 30 days before adding or replacing a sub-processor. the operator may object within that period. if the objection cannot be resolved, the operator may terminate their subscription.
9. data transfers
personal data is primarily stored in the united states (aws us-east-1). for transfers of personal data outside the eea, olldae relies on standard contractual clauses (sccs) as approved by the european commission.
operators can request a copy of the applicable sccs by emailing legal@olldae.com.
10. security measures
olldae implements the following security measures:
- encryption at rest (aes-256)
- encryption in transit (tls 1.2+)
- row-level security on all database tables
- role-based access controls
- daily encrypted database backups
- regular security reviews
- incident response procedures
11. data breach notification
in the event of a personal data breach, olldae will:
- notify the operator without undue delay and within 72 hours of becoming aware
- provide details of the breach including nature, categories of data affected, approximate number of records, likely consequences, and measures taken to address the breach
- cooperate with the operator and relevant supervisory authorities
12. audit rights
the operator has the right to audit olldae's compliance with this dpa. audits may be conducted by the operator or an independent third party. olldae will provide reasonable cooperation and access to relevant information.
audit requests should be submitted at least 30 days in advance to legal@olldae.com.
13. term and termination
this dpa remains in effect for the duration of the operator's subscription. on termination, olldae will delete all personal data within 30 days. the operator may request immediate deletion or a copy of their data before deletion.
sections relating to confidentiality and liability survive termination.
14. contact
for questions about this dpa or to request a countersigned copy: legal@olldae.com
olldae, inc. — wilmington, delaware.