TakeawaySoft
← Home

Data Processing Addendum (DPA)

Last updated: 19 May 2026

⚠️ Placeholder content. This page is a starting template and is not legally reviewed. Before opening signup to the public, have a UK-qualified lawyer review and replace with proper text appropriate for the jurisdiction(s) you operate in.

This Data Processing Addendum ("DPA") forms part of the Terms of Service between the Merchant ("Controller") and TakeawaySoft Ltd ("Processor"). It governs processing of personal data the Merchant's customers provide via the Platform.

1. Scope

This DPA applies whenever the Merchant uploads or causes the Platform to process personal data of their end-customers (names, contact details, delivery addresses, order history, payment metadata).

2. Subject-matter & duration

  • Subject-matter: provision of online ordering software.
  • Duration: for the term of the Terms of Service plus the 30-day restoration window after closure.
  • Nature & purpose: storing, displaying, and transmitting orders + customer info between the Merchant and their customers.
  • Data subjects: the Merchant's customers, employees, and any other individuals whose data the Merchant uploads.
  • Categories of data: contact details, transaction history, delivery addresses, optional preferences, IP + device for fraud prevention.

3. Processor obligations

We will:

  • Process personal data only on the documented instructions of the Merchant (the Platform features count as instructions);
  • Ensure persons authorised to access personal data are bound by confidentiality;
  • Implement appropriate technical and organisational measures (TLS, encryption at rest, access controls, audit logging, tenant isolation);
  • Assist the Merchant in responding to data-subject rights requests;
  • Notify the Merchant without undue delay (within 72 hours where feasible) of any personal data breach;
  • On termination, return or delete personal data within 30 days (unless legal obligation requires retention).

4. Sub-processors

The Merchant authorises the following sub-processors:

  • Stripe Inc. / Stripe Payments UK Ltd — payment processing.
  • Cloudflare Inc. — CDN, DDoS protection, DNS.
  • Hetzner Online GmbH — server hosting (EU).
  • SMTP2GO — transactional email delivery.
  • Google LLC (Distance Matrix) — distance-based delivery pricing (postcode lookups only).

We will notify the Merchant of any new sub-processor at least 30 days in advance and provide an opportunity to object.

5. International transfers

Where personal data is transferred outside the UK/EEA, we rely on Standard Contractual Clauses (SCCs) or equivalent safeguards.

6. Audits

The Merchant may, no more than once per 12 months and with 30 days' notice, request an audit limited to documents demonstrating compliance with this DPA. Onsite audits are subject to mutual agreement and reasonable scope.

7. Liability

Liability under this DPA is subject to the limitations in the Terms of Service.

8. Governing law

This DPA is governed by the laws of England and Wales.

9. Acceptance

By signing up to the Platform, the Merchant accepts this DPA. A counter-signed paper copy is available on request: [email protected].