Data Processing Agreement

We process personal data about your callers to provide the Service. Processing continues for the duration of the Terms of Service plus the wind-down retention window described below.

To answer phone calls on the Customer's behalf, take phone orders, book reservations, manage a waitlist, answer allergen questions, and provide the Customer with a dashboard, transcripts, sentiment labels, and a Natasha's Law audit log.

• Caller phone number (from Caller-ID)
• Caller name (where the caller volunteers it)
• Caller delivery / billing address (where applicable to the order)
• Audio recording of the call
• Transcript of the call (text)
• Allergen questions asked and answers given
• Sentiment label inferred from the transcript
• Order line items and modifier selections
• Reservation details (date, time, party size, notes)

• Callers (members of the public phoning the Customer's restaurant)
• Reservation holders
• Optionally: people the caller mentions during a call (a friend they're booking for, an allergic relative)

We will:

• Process personal data only on the Controller's documented instructions, which for the operation of the Service are set out in the Terms of Service plus this DPA.
• Ensure persons authorised to process personal data are bound by an obligation of confidentiality.
• Implement appropriate technical and organisational measures to protect personal data (Annex 2).
• Engage subprocessors only under written terms equivalent to this DPA (Annex 1).
• Assist the Controller with data-subject rights requests, DPIAs, and consultations with the ICO, in each case at the Controller's reasonable cost where the request is materially beyond business-as-usual operations.
• Notify the Controller without undue delay (and in any event within 72 hours) of any personal-data breach affecting the Controller's personal data.
• On termination of the Service, return or delete all personal data as the Controller elects (default: return as a structured export; then delete) within 30 days, except where retention is required by UK law.
• Make available to the Controller all information necessary to demonstrate compliance, and allow for and contribute to audits as described in clause 8.

The Controller (restaurant) acknowledges and warrants that:

• It has a lawful basis to instruct us to process the personal data, and where applicable has obtained the necessary consents from data subjects.
• It will respond to data-subject rights requests it receives about callers, with our reasonable assistance where the data is held on our systems.
• It will keep the allergen schema and menu data accurate so that the Service's allergen Q&A audit log reflects reality.

Personal data is stored in Microsoft Azure UK South. We will not transfer personal data outside the UK without:

• A UK adequacy decision, or
• The UK-approved Standard Contractual Clauses with an International Data Transfer Addendum, or
• Another lawful safeguard expressly permitted by the UK GDPR.

Where a subprocessor (e.g. Twilio for some carrier routes, SendGrid for transactional email) processes data outside the UK, the appropriate transfer mechanism is in place.

The Controller may audit our compliance with this DPA once per year at the Controller's reasonable cost, on at least 30 days' written notice, during normal business hours, and subject to confidentiality. We will also make available to the Controller the results of relevant third-party assurance reports we obtain (e.g. when we hold a SOC 2 / ISO 27001 attestation).

The Controller authorises the engagement of the subprocessors listed below. We will notify the Controller at least 30 days before adding or replacing any subprocessor. The Controller may object on reasonable grounds; in that case the parties will discuss in good faith, and if no resolution is reached the Controller may terminate the affected service.

Last subprocessor list update: 18 May 2026.

For each subprocessor, the equivalent of this DPA is in place (Article 28-compliant processor terms, breach-notification obligations, sub-sub-processing transparency, data-subject rights assistance, and audit assistance). Detailed copies are available to the Controller on request via legal@orderbrain.ai.

Encryption

• TLS 1.2+ for every external endpoint (orderbrain.ai, api.orderbrain.ai, app.orderbrain.ai, voice.orderbrain.ai)
• Encryption at rest for Postgres (Azure-managed), blob storage, and Key Vault

Authentication and access

• Email + password + JWT session tokens for the merchant dashboard
• HttpOnly Secure SameSite=Lax cookies for browser sessions
• Allow-listed superadmin emails for the OrderBrain operations console
• Append-only audit log of every super-admin action (super_admin_audit table)

Cross-product integration

• HMAC-SHA256-signed webhooks on every direction of the Savorq MOS integration
• Dual-key rotation windows so key rotation is zero-downtime
• Idempotency-keyed retries on every cross-product call

Operational

• Per-Customer call audio retention default 90 days; configurable
• Automatic deletion at retention end
• Application Insights observability with alerts for 5xx burst, signature failures, and arrears
• Bicep-defined infrastructure as code in a private repository

Personnel

• All staff with access to production data are bound by written confidentiality terms
• Production access is restricted to operations engineers; access is logged