This Data Processing Agreement ("DPA") forms part of the Terms of Service and applies whenever Served HQ processes personal data on behalf of a business as a processor or service provider, including customer, order, booking and loyalty data submitted through a business's Served HQ page.
1. Roles of the parties
For personal data that a business collects from its own customers through Served HQ (order details, bookings, loyalty accounts, contact and service information), the business is the controller and Served HQ is the processor. For account, billing and platform administration data, Served HQ is generally the controller in its own right, as described in the Privacy Policy.
2. Subject matter, duration and purpose
Served HQ processes personal data on the business's behalf for the duration of the business's Served HQ subscription, for the purpose of providing digital menus, ordering, reservations, loyalty, QR analytics, marketing tools and related platform features, and any related support.
3. Categories of data subjects and personal data
- Data subjects: the business's customers, and where applicable the business's own staff and invited users.
- Personal data: names, contact details, order and booking details, service or delivery addresses where enabled, loyalty identifiers, notes submitted by customers, device and technical data connected to QR scans, and payment status or references (full card data is held by payment providers, not Served HQ).
4. Processor obligations
- Process personal data only on the business's documented instructions, as reflected in the ordinary operation of the platform and its configurable features, unless otherwise required by law.
- Ensure people authorised to process personal data are subject to confidentiality obligations.
- Implement appropriate technical and organisational security measures, as described in Section 8.
- Assist the business, so far as reasonably possible, in responding to data subject requests and fulfilling its own data protection obligations.
- Notify the business without undue delay after becoming aware of a personal data breach affecting the business's customer data.
5. Sub-processors
The business authorises Served HQ to engage sub-processors to provide the platform, including hosting, email delivery, payment processing, analytics and customer support tooling. Served HQ remains responsible for sub-processors' performance of their data protection obligations. Served HQ will maintain a general awareness of which categories of sub-processor are engaged and will notify businesses of material changes where required by law.
6. Security measures
Served HQ maintains security measures appropriate to the risk, including encryption of data in transit, access controls, environment separation, logging and monitoring, and regular review of infrastructure configuration. Further detail is available in the Cyber Liability and Security page.
7. Data subject requests
Where Served HQ receives a request from a data subject relating to a specific business's customer data, Served HQ may forward the request to the relevant business, since the business is usually best placed to identify, verify and respond to the individual as controller of that relationship.
8. International transfers
Where personal data is transferred outside the United Kingdom or European Economic Area, Served HQ will rely on an adequacy decision, standard contractual clauses, the UK International Data Transfer Addendum, or another lawful transfer mechanism recognised by applicable data protection law.
9. Deletion or return of data
On termination of a business's subscription, Served HQ will delete or anonymise customer personal data within a reasonable period, except where retention is required for legal, tax, accounting, dispute resolution or fraud prevention purposes, consistent with the Privacy Policy.
10. Audits
Served HQ will provide information reasonably necessary to demonstrate compliance with this DPA. Where an on-site audit is genuinely required by law or a regulator, the parties will agree reasonable scope, notice, confidentiality and cost arrangements in good faith.