Data Processing Agreement

Subject Matter and Duration

This DPA covers any processing of personal data that MenuPi carries out on the Customer's behalf in connection with the Services — hosting screens, delivering playlists, routing telemetry, sending transactional email, and powering POS-driven content.

MenuPi processes personal data on the Controller's behalf solely to deliver the Services, for the duration of the subscription and any agreed retention period thereafter.

Roles of the Parties

Customer is the Controller and determines the purposes and means of processing. MenuPi is the Processor and processes personal data only on documented instructions from the Customer, including with regard to transfers to third countries.

Categories of Data and Data Subjects

Personal data processed under this DPA may include identifiers, contact information, professional information, and usage data about the Customer's authorized users, end customers viewing public signage where applicable, and Customer-uploaded content metadata.

Sub-processors

The Customer authorizes MenuPi to engage sub-processors listed on the Subprocessors page to assist in delivering the Services. MenuPi will provide reasonable advance notice of changes and offer the Customer the right to object on reasonable grounds.

Security Measures

MenuPi implements appropriate technical and organizational measures to protect personal data against unauthorized or unlawful processing and accidental loss, destruction, or damage.

• Encryption in transit (TLS 1.2+) and at rest (AES-256).
• Role-based access control with least-privilege defaults.
• Continuous logging, monitoring, and quarterly access reviews.
• Background checks and security training for personnel with production access.

Data Subject Requests

MenuPi will, taking into account the nature of the processing, assist the Customer through appropriate technical and organizational measures, insofar as possible, to respond to requests from data subjects exercising their rights.

Personal Data Breach Notification

MenuPi will notify the Customer without undue delay (and in any case within 72 hours of confirmed identification) after becoming aware of a personal data breach affecting Customer Personal Data, and provide information reasonably necessary for the Customer to meet its own notification obligations.

Audits

MenuPi will make available to the Customer information necessary to demonstrate compliance with this DPA, including by providing access to its most recent independent audit reports (e.g., SOC 2 Type II) under reasonable confidentiality terms.

International Transfers

Where MenuPi transfers personal data outside the EEA, UK, or Switzerland to a country not subject to an adequacy decision, MenuPi will rely on the EU Standard Contractual Clauses (and the UK IDTA / addendum, as applicable) as the transfer mechanism.

Term and Termination

This DPA remains in effect for the duration of the underlying subscription. On termination, MenuPi will delete or return Customer Personal Data within the retention period set out in the Privacy Policy, unless retention is required by law.

Contact

Questions about the DPA? Email legal@menupi.com.