Data Processing Agreement

    This Data Processing Agreement ("DPA") forms part of the Terms of Service between CartaGrid Limited and the Subscriber. By using the CartaGrid platform, the Subscriber agrees to the terms of this DPA.
  

1. Definitions

In this DPA, the following definitions apply:

"Controller" means the Subscriber, who determines the purposes and means of processing personal data entered into the CartaGrid platform.
"Processor" means CartaGrid Limited, who processes personal data on behalf of the Controller.
"Data Subject" means any identified or identifiable natural person whose personal data is processed via the CartaGrid platform.
"Personal Data" has the meaning given in UK GDPR Article 4(1).
"Processing" has the meaning given in UK GDPR Article 4(2).
"Sub-processor" means any third party engaged by CartaGrid to process personal data on behalf of the Controller.
"UK GDPR" means the UK General Data Protection Regulation as retained in UK law by the European Union (Withdrawal) Act 2018.

2. Scope and Purpose

This DPA governs the processing of personal data by CartaGrid Limited in its capacity as a data processor on behalf of the Subscriber in connection with the CartaGrid allergen compliance platform.

CartaGrid processes personal data solely to provide the services described in the Terms of Service and for no other purpose without the prior written consent of the Controller.

3. Details of Processing

Element	Detail
Subject matter	Allergen compliance, menu management, HACCP records, and related food safety services
Duration	For the term of the subscription and for 7 years thereafter, in line with UK food safety audit requirements
Nature of processing	Storage, retrieval, organisation, structuring, disclosure, and deletion of personal data
Purpose	Delivery of allergen compliance platform services; regulatory audit trail maintenance
Categories of data	Account data (name, email, job role); operational data (menu items, allergen records); usage and audit data; payment data
Categories of data subjects	Subscriber personnel (venue managers, kitchen staff); end customers interacting with allergen information

4. Processor Obligations

CartaGrid Limited shall, as data processor:

Process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country, unless required to do so by applicable law
Ensure that persons authorised to process personal data are subject to appropriate confidentiality obligations
Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as set out in Clause 6 of this DPA
Respect the conditions for engaging sub-processors as set out in Clause 5 of this DPA
Assist the Controller in responding to requests from data subjects exercising their rights under UK GDPR
Assist the Controller in ensuring compliance with obligations relating to security, breach notification, data protection impact assessments, and prior consultation
Delete or return all personal data to the Controller on termination of services, and delete existing copies unless retention is required by law
Make available to the Controller all information necessary to demonstrate compliance with obligations laid down in UK GDPR Article 28

5. Sub-processors

The Controller grants CartaGrid Limited general authorisation to engage sub-processors to process personal data on the Controller's behalf. CartaGrid shall:

Maintain an up-to-date list of sub-processors (Schedule 1 to this DPA)
Notify the Controller of any intended changes to sub-processors at least 30 days in advance
Impose data protection obligations on sub-processors equivalent to those set out in this DPA
Remain fully liable to the Controller for the performance of sub-processors' obligations

6. Security Measures

CartaGrid implements the following technical and organisational measures to protect personal data:

Access controls: Role-based access controls limiting data access to authorised personnel only
Encryption: Data encrypted in transit using TLS 1.2 or higher; encryption at rest via infrastructure provider controls
Audit logging: Immutable audit trail of all allergen-related actions and data access events
Availability: 99.9% platform uptime commitment with continuous monitoring at status.cartagrid.io
Backup: Automated weekly backups retained for a minimum of 90 days
Vendor security: All sub-processors hold SOC 2 Type II certification or equivalent; payment processing is PCI DSS Level 1 compliant
Security reviews: Regular internal security reviews of platform configuration and access controls

7. Personal Data Breaches

In the event of a personal data breach, CartaGrid shall notify the Controller without undue delay and in accordance with the following timeline:

Timeframe	Action
Within 24 hours	Initial notification to Controller confirming that a breach has occurred or is suspected, with available preliminary details
Within 48 hours	Confirmation of the nature of the breach, categories and approximate number of data subjects and records affected
Within 72 hours	Full incident report including likely consequences, measures taken or proposed to address the breach
Within 7 days	Completed post-incident review and remediation report

The Controller is responsible for determining whether to notify the Information Commissioner's Office (ICO) and affected data subjects in accordance with UK GDPR Articles 33 and 34. CartaGrid will provide reasonable assistance to support such notifications.

8. Data Subject Rights

CartaGrid shall provide reasonable assistance to the Controller in fulfilling requests from data subjects to exercise their rights under UK GDPR, including rights of access, rectification, erasure, restriction, portability, and objection. Where CartaGrid receives a direct request from a data subject, it shall promptly forward the request to the Controller without acting upon it unless instructed to do so.

9. Data Transfers

Some personal data processed by CartaGrid is transferred to sub-processors located outside the United Kingdom. All such transfers are conducted under appropriate safeguards as set out in Schedule 1, including Standard Contractual Clauses approved by the ICO (UK Addendum to EU SCCs) where applicable.

10. Audit Rights

The Controller may, on reasonable prior written notice of not less than 30 days and no more than once per calendar year, audit CartaGrid's compliance with this DPA, either by requesting relevant documentation or by appointing a mutually agreed third-party auditor. CartaGrid shall provide all reasonable assistance and access necessary for such audit. Any audit shall be conducted during business hours and at the Controller's expense.

11. Term and Termination

This DPA shall remain in force for the duration of the subscription and shall terminate automatically on the expiry or termination of the Terms of Service. On termination, CartaGrid shall, at the Controller's election, delete or return all personal data, unless retention is required by applicable law. Confirmation of deletion will be provided in writing within 30 days of termination.

12. Governing Law

This DPA is governed by the laws of England and Wales. Any disputes arising under this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.

Schedule 1 — Approved Sub-processors

The following sub-processors are approved as of the effective date of this DPA:

Sub-processor	Function	Location	Transfer Mechanism
Airtable	Database infrastructure and data storage	United States	Standard Contractual Clauses (UK Addendum)
Glide	Frontend application platform	United States	Standard Contractual Clauses (UK Addendum)
Stripe	Payment processing	EU / United States	PCI DSS Level 1; Standard Contractual Clauses
Anthropic	AI processing for menu ingestion	United States	Standard Contractual Clauses (UK Addendum)
Make.com	Workflow automation platform	EU (Czech Republic)	Within UK adequacy decision scope
Retell AI	Voice agent and customer service platform	United States	Standard Contractual Clauses (UK Addendum)

CartaGrid will notify the Controller at least 30 days before adding or replacing any sub-processor. The Controller may object to any new sub-processor on reasonable data protection grounds within 14 days of such notification.

Schedule 2 — Breach Notification Procedure

In the event of an actual or suspected personal data breach, CartaGrid's internal procedure is as follows:

Detection and Containment

On detection of a suspected breach, CartaGrid's designated data protection lead is notified immediately. Preliminary containment measures are implemented within two hours of detection, including suspension of affected access credentials and isolation of affected systems where necessary.

Assessment

CartaGrid assesses the likely scope, nature, and severity of the breach, including the categories and approximate volume of personal data and data subjects affected, and the likely consequences for those data subjects.

Notification

The Controller is notified in accordance with the timeline set out in Clause 7 of this DPA. Notifications are sent to the primary contact email address registered to the Subscriber's account. CartaGrid will provide a single designated point of contact for the duration of the incident.

Remediation and Review

Following containment, CartaGrid conducts a full post-incident review and implements remediation measures to prevent recurrence. A written remediation report is provided to the Controller within 7 days of the incident being resolved.

13. Contact

CartaGrid Limited
14 Clifton Moor Business Village, James Nicholson Link, York YO30 4XG
operations@cartagrid.com
cartagrid.com