Parties
- Controller: the Tenant (restaurant or hospitality business) using the BahiKash service. Identified by the signed Beta Letter of Understanding.
- Processor: BahiKash, operated by Bhupender Kumar Verma (BahiKash OÜ incorporation in progress), Tallinn, Estonia. Contact: support@bahikash.com.
1. Subject matter and duration
The Processor hosts a cloud POS service on behalf of the Controller. Processing begins on the Controller's go-live date and ends when the Tenant's account is closed, plus the 30-day data export and deletion window specified in §8.
2. Nature and purpose of processing
The Processor processes customer-facing order data (names, phone numbers, order content, payment status) so that the Controller can operate its restaurant. Processing operations include storage, retrieval, notification dispatch (email and WebSocket events), aggregation into reports, and deletion on Controller request.
3. Categories of data subjects and personal data
- Data subjects: customers of the Controller (end customers placing orders), staff of the Controller (waiters, kitchen, managers).
- Categories of data: names, phone numbers, order history, table-session identifiers, staff PINs (hashed), role assignments, shift timestamps, loyalty identifiers where used.
- No special categories (Art. 9) are processed. No health, biometric, or political data.
4. Controller's obligations (Art. 28(3))
The Controller warrants that it has a lawful basis under Art. 6 for the personal data it enters into BahiKash, operates its own privacy policy disclosing this processing to its customers, and handles data-subject-rights requests received directly from its customers.
5. Processor's obligations (Art. 28(3))
- Process personal data only on documented instructions from the Controller (including the configuration choices the Controller makes in the admin UI).
- Ensure all personnel with access commit to confidentiality.
- Implement appropriate technical and organisational measures (see §6).
- Engage sub-processors only with prior general authorisation (§7).
- Assist the Controller in responding to data-subject-rights requests.
- Notify the Controller without undue delay of any personal data breach, and in any case within 72 hours of becoming aware of it.
- Return or delete all personal data at the end of service provision (§8).
- Make available all information necessary to demonstrate compliance, and allow audits at reasonable notice.
6. Technical and organisational measures
- Encryption in transit: all traffic over TLS 1.2 or higher, managed by Cloudflare.
- Encryption at rest: Postgres cluster encrypted at the block-device layer.
- Access control: role-based access with individual user accounts; no shared credentials; PINs hashed with bcrypt.
- Backups: daily, retained seven days, encrypted.
- Audit log: signup attempts, DPA attestation, importer runs, and admin actions are logged to an append-only table retained for 12 months.
- Staff training: limited personnel, onboarded on data handling.
- Incident response: documented runbook; breach notification within 72 hours.
7. Sub-processors
The Controller hereby gives general authorisation to engage the following sub-processors:
- Cloudflare, Inc. - DNS, CDN, DDoS protection, bot management, TLS termination.
- Resend, Inc. - transactional email delivery (receipts, password resets, platform notifications).
- GitHub, Inc. - source code and container registry hosting; no Controller customer data is stored here.
- Hetzner Online GmbH - disaster-recovery Postgres replica hosting (Helsinki, Finland, EEA).
The primary Postgres cluster and Kubernetes control plane are operated on hardware under the Processor's direct control, physically located in Estonia (EEA), and are not provided by a third-party sub-processor.
The Processor will give the Controller at least 14 days' notice before adding or replacing any sub-processor. The Controller may object in writing; if the objection cannot be resolved, either party may terminate with no penalty.
8. Return and deletion of data
On termination of the service or at the Controller's written request, the Processor will provide a full export of Controller data (CSV or JSON) within seven days and delete all copies including backups within 30 days of export confirmation, except to the extent retention is required by applicable law.
9. International transfers
Primary storage is in Estonia (EEA). Where a sub-processor routes or stores metadata outside the EEA (e.g. Cloudflare edge, Resend operations), the transfer is governed by Standard Contractual Clauses (Commission Decision 2021/914) or an equivalent safeguard under GDPR Chapter V.
10. Liability
Liability for breach of this DPA follows the liability framework of the Beta Letter of Understanding or (post-beta) the Subscription Agreement. Nothing in this DPA limits statutory liability under GDPR Art. 82.
11. Governing law
Estonian law applies. Disputes are handled as set out in the Beta Letter of Understanding or the Subscription Agreement.
Signatures
This web version is for reference. The binding DPA is the countersigned PDF delivered at Tenant onboarding.