Version 1.0 — Effective date: 26 May 2026
This Data Processing Agreement ("DPA") is entered into between you (the "Customer", acting as data controller) and VivaShelf [LEGAL ENTITY NAME] ("VivaShelf", acting as data processor) and forms an integral part of the Terms of Service. It is concluded in accordance with Article 28(3) GDPR, the UK GDPR (with the UK International Data Transfer Addendum incorporated by reference), the Swiss revFADP, and the Brazilian LGPD where applicable. By accepting the Terms of Service, the Customer is deemed to have accepted this DPA on behalf of the data controller it represents.
Subject matter: provision of the VivaShelf SaaS inventory and expiry-tracking platform. Duration: for the term of the Customer's subscription plus any additional retention required by Annex III. Nature and purpose: hosting, storing, organising, structuring, retrieving, displaying, transmitting, and (on termination) deleting Customer personal data in order to deliver the Service.
Data subjects: Customer's employees, contractors, agents, and any natural persons whose data the Customer chooses to upload (typically restaurant staff and suppliers). Categories of personal data: name, business email, business phone, role within the Customer organisation, authentication credentials, audit-trail records of actions performed, and any personal data the Customer voluntarily uploads as part of supplier/contact records. Special categories: the Customer must not upload Article 9 GDPR special categories or criminal-conviction data.
VivaShelf shall: (a) process personal data only on documented instructions from the Customer (these Terms constitute the standing instructions); (b) ensure persons authorised to process the data are bound by confidentiality; (c) implement the technical and organisational measures set out in Annex II; (d) respect the conditions for engaging sub-processors (clause 5); (e) assist the Customer in responding to requests from data subjects (clause 6); (f) assist with security obligations and Articles 32–36 GDPR; (g) on termination, delete or return all personal data (clause 8); (h) make available all information necessary to demonstrate compliance with Article 28 GDPR and allow for audits (clause 7).
VivaShelf shall process personal data only on the Customer's documented instructions, including with regard to transfers, unless required to do so by Union or Member-State law to which VivaShelf is subject; in that case VivaShelf shall inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest. VivaShelf shall immediately inform the Customer if, in its opinion, an instruction infringes the GDPR or other applicable data-protection law.
The Customer grants general written authorisation to VivaShelf to engage the sub-processors listed in Annex I. VivaShelf shall: (a) inform the Customer at least 30 days in advance of any intended addition or replacement of a sub-processor via in-app banner and/or email; (b) give the Customer the opportunity to object on reasonable data-protection grounds; (c) where an objection cannot be resolved, allow the Customer to terminate the affected Service with a pro-rata refund of prepaid fees; (d) impose by contract on each sub-processor the same data-protection obligations as set out in this DPA; and (e) remain fully liable to the Customer for the performance of each sub-processor.
Taking into account the nature of the processing, VivaShelf shall assist the Customer by appropriate technical and organisational measures, insofar as possible, in fulfilling the Customer's obligation to respond to requests from data subjects under Chapter III GDPR. The Service includes self-service tools for export, deletion, rectification, and consent management.
VivaShelf shall make available to the Customer all information necessary to demonstrate compliance with Article 28 GDPR, including: (a) an annual summary of penetration-test and security-assessment outcomes; (b) the most recent SOC 2 Type II or equivalent attestation of the principal hosting sub-processors (where applicable); and (c) on reasonable prior written notice and not more than once per year (except following a confirmed personal-data breach affecting the Customer's data), the right for the Customer or an independent auditor mandated by the Customer to conduct an audit of VivaShelf's compliance with this DPA. Audits shall be conducted during business hours, in a manner that does not disrupt the Service, and subject to confidentiality undertakings; the Customer shall bear its own audit costs.
At the choice of the Customer, on termination of the Service, VivaShelf shall return all personal data to the Customer or delete it, save where Union or Member-State law requires storage of the personal data (e.g. food-safety traceability records under Regulation (EC) No 178/2002 or tax law). Deletion from active systems occurs within 30 days; deletion from encrypted backups occurs within 35 days thereafter.
Where VivaShelf transfers personal data outside the EU/EEA, UK, Switzerland, or Brazil, the transfer shall be subject to the appropriate safeguards under Articles 44–49 GDPR, including the Standard Contractual Clauses adopted in Commission Decision 2021/914 (which are incorporated into this DPA by reference, with the Customer acting as data exporter and VivaShelf as data importer in Module 2; for onward transfers Module 3 applies). The UK International Data Transfer Addendum and the Swiss FDPIC amendments are incorporated by reference for transfers from the UK and Switzerland respectively.
Each party's liability under or in connection with this DPA is subject to the limitations and exclusions of liability set out in section 10 of the Terms of Service, save that nothing in this DPA limits either party's liability to data subjects under Article 82 GDPR or under any other mandatory provision of applicable law.
The current list of authorised sub-processors is maintained at /sub-processors and is reproduced for convenience: (1) Supabase, Inc. — managed PostgreSQL, EU region; (2) Vercel, Inc. — application hosting, edge network, CDN, EU primary; (3) Resend, Inc. — transactional email; (4) Google LLC — Google Identity OAuth (only for users who choose this sign-in method); (5) Upstash, Inc. — Redis rate-limiting; (6) Functional Software, Inc. d/b/a Sentry — error monitoring, session replay disabled; (7) Google / Apple / Mozilla push services — web-push delivery endpoints, contacted only when push is enabled; (8) Cloudflare, Inc. — origin shield, DDoS protection, bot mitigation.
Encryption in transit (TLS 1.2+) and at rest (AES-256, provided by the database sub-processor). Password hashing with bcrypt. AES-256-GCM encryption of MFA secrets with key separation. PostgreSQL Row-Level Security enforcing tenant isolation in addition to application-level checks. Role-based access control (owner / manager / staff / chef hierarchy). Content-Security-Policy with per-request cryptographic nonce. Origin shield and bot mitigation via Cloudflare where enabled. Rate limiting (60 requests/minute general API, 10 requests/minute health checks). Audit logging of data-modifying actions. Automated dependency vulnerability scanning. Principle-of-least-privilege production access; MFA strongly recommended for VivaShelf personnel. Documented breach-handling commitment with 72-hour controller notification. External penetration testing is not currently performed on a fixed cadence; we will introduce it before commercial GA or earlier if Customer agreements require it.
As described in section 11 of the Privacy Policy. Where the Customer instructs deletion, VivaShelf will comply within the timelines stated in clause 8, subject to mandatory food-safety retention under Regulation (EC) No 178/2002 (2 years minimum) and tax-law retention (7 years).