Preamble
This Data Processing Agreement (the « DPA ») constitutes an indissociable annex to the Restaurant Terms of Sale (the « Terms ») entered into between SUZZY, SAS with share capital of €3,000, RCS Paris 102 900 487 (the « Processor » or « Suzzy ») and the restaurant having subscribed to a Suzzy Subscription (the « Controller » or « You »). This DPA governs the conditions under which the Processor processes, on behalf of the Controller, the personal data of the Controller's end customers, in accordance with Regulation (EU) 2016/679 of April 27, 2016 on the protection of natural persons with regard to the processing of personal data (the « GDPR ») and French Law No. 78-17 of January 6, 1978 as amended.
1. Definitions
Capitalized terms have the meaning given in the Terms or, failing that, in the GDPR. For the purposes of this DPA, the following additional definitions apply:
Controller
The Restaurant having subscribed to a Suzzy Subscription, who determines the purposes and means of processing the personal data of its end customers.
Processor
Suzzy, who processes personal data on behalf of the Controller, strictly within the documented instructions of the latter.
Subprocessor
Any third-party provider engaged by Suzzy to perform specific processing activities on behalf of the Controller (notably Railway, Stripe, Octopush, Resend).
Data
Any personal data as defined in Article 4 of the GDPR, processed by Suzzy within the scope of the Services.
Data Subject
The identified or identifiable natural person to whom the Data relates (notably the Controller's end customers).
2. Object
This DPA governs the conditions under which Suzzy undertakes, as Processor, to perform on behalf of the Controller the processing operations strictly necessary for providing the Services. The Controller remains solely responsible for determining the purposes and means of processing, and for compliance with its own GDPR obligations.
3. Description of processing
The processing carried out by Suzzy on behalf of the Controller has the following characteristics:
3.1 Nature of processing
Hosting, storage, structuring, viewing, communication, making available, backup, deletion of data. Where applicable: sending of transactional notifications (email/SMS) and marketing notifications (subject to the data subject's consent), generation of loyalty passes, light profiling for loyalty purposes (aggregated statistics per customer: number of visits, total amount spent, number of reviews, number of no-shows).
3.2 Purposes
Provision of the Services to the Controller, namely: management of reservations, loyalty program, promotional games, collection and dissemination of reviews, and sending of marketing campaigns authorized by the data subjects.
3.3 Duration
Processing is performed for the duration of the Suzzy Subscription. At the end of the Subscription, Data is returned or deleted in accordance with Article 11 below.
3.4 Categories of Data
- Identification data: first name, last name, email address, phone number
- Reservation data: date, time, party size, notes
- Loyalty data: points, tiers, transactions, Apple Wallet / Google Wallet identifiers
- Review data: rating, comment, date
- Game data: participation, win, reward status
- Marketing consent data: opt-in/opt-out, source, timestamp
- Navigation data: IP address, technical logs (limited duration)
3.5 Categories of data subjects
End customers of the Controller, prospects who interacted with the Restaurant's mini-shop (notably during a no-purchase-required game).
4. Controller obligations
The Controller agrees to:
4.1 Lawfulness of processing
Ensure that data processing performed via the Services is based on a valid legal basis under Article 6 GDPR (contract performance, legitimate interest, consent, etc.).
4.2 Information and consent of data subjects
Inform data subjects of the processing of their Data in accordance with Articles 13 and 14 GDPR, and collect their explicit consent where required (notably for SMS marketing communications under Article L34-5 of the French Postal and Electronic Communications Code).
4.3 Documented instructions
Provide Suzzy with documented instructions regarding processing, and ensure such instructions comply with applicable regulations. Settings chosen in the Suzzy back-office constitute documented instructions for the purposes of this DPA.
5. Suzzy obligations (Processor)
In accordance with Article 28 GDPR, Suzzy agrees to:
5.1 Processing in compliance with instructions
Process Data only based on documented instructions from the Controller, including regarding transfers to third countries or international organizations, unless required by Union or Member State law. In such case, Suzzy informs the Controller of this legal obligation before processing.
5.2 Confidentiality
Ensure that persons authorized to process Data have committed to confidentiality or are under appropriate statutory confidentiality obligations.
5.3 Security measures
Implement appropriate technical and organizational measures to ensure a level of security adapted to the risk, in accordance with Article 32 GDPR: encryption of Data in transit (TLS), access control and strong authentication, logging of Data access, regular backups, incident management procedures, regular security audits.
5.4 Assistance to the Controller
Assist the Controller, where possible, to:
- respond to data subject rights requests (access, rectification, erasure, restriction, portability, objection);
- conduct, where applicable, data protection impact assessments (DPIAs);
- consult the supervisory authority (CNIL) if needed.
5.5 Return / deletion
At the end of the service, Suzzy deletes or returns all personal Data and destroys existing copies, except for legal retention obligations. Return is made in a structured, commonly used and machine-readable format. A 30-day default retention period applies for Data recovery on request.
5.6 Audit
Make available to the Controller all information necessary to demonstrate compliance with the obligations of Article 28 GDPR and allow audits, by itself or by an independent third-party auditor, limited to one audit per year, subject to a reasonable thirty (30) days' notice and at the Controller's expense, unless the audit reveals a proven breach by Suzzy.
5.7 Breach notification
Notify the Controller of any personal data breach within 72 hours at the latest after becoming aware of it, by email to the contact address registered in the Controller's account. The notification describes the nature of the breach, the categories and approximate number of data subjects, the likely consequences and the measures taken or envisaged.
6. Subprocessors
6.1 General authorization
The Controller expressly authorizes Suzzy to engage subprocessors (« Subprocessors ») for the provision of the Services.
6.2 List of Subprocessors
As of the date of this DPA, Subprocessors are:
- Railway Corporation — Platform and Data hosting — 548 Market St, San Francisco, CA 94104, USA
- Stripe, Inc. — Payment processing — Dublin, Ireland / San Francisco, USA
- Octopush — Transactional and marketing SMS — France
- Resend Inc. — Transactional emails — Delaware, USA
- Apple Inc. and Google LLC — Loyalty pass hosting (Apple Wallet / Google Wallet) — USA
6.3 List evolution
Any change to the Subprocessor list will be notified to the Controller by email or back-office notification, at least thirty (30) days before the new Subprocessor's go-live. The Controller may object to such change within this period by emailing [email protected] with a reasoned objection. Failing agreement, the Controller may terminate the Terms without penalty.
7. Transfers outside the European Union
7.1 Principle
Suzzy strives to prioritize Data hosting within the European Union. However, some Subprocessors may be located outside the EU (notably in the United States).
7.2 Standard Contractual Clauses (SCCs)
Any Data transfer to a country outside the EU not benefiting from a European Commission adequacy decision is governed by Standard Contractual Clauses (SCCs) adopted by the European Commission on June 4, 2021 (Implementing Decision (EU) 2021/914), in accordance with Articles 44 to 49 GDPR.
7.3 Transfer to Railway Corporation (USA)
Main Platform and Data hosting is provided by Railway Corporation, established in the United States. This transfer is governed by SCCs signed between Suzzy and Railway, supplemented by additional technical measures: encryption of Data in transit and at rest, logical segregation of customer environments, role-based access control.
8. Data security
Suzzy implements the following technical and organizational measures to ensure Data security:
- encryption of Data in transit (HTTPS / TLS 1.2+);
- strong password policy (minimum length, expiration, bcrypt hash);
- multi-factor authentication available for administrator accounts;
- role-based access control (RBAC) following the least-privilege principle;
- logging of sensitive operations and log retention;
- automated regular backups with periodic restoration testing;
- production environments separated from development and testing environments;
- regular review of software dependencies and application of security patches.
9. Data breach
In case of a Data Breach, Suzzy notifies the Controller within 72 hours of becoming aware of it. The notification includes:
- the nature of the breach (categories and approximate number of data subjects and records);
- contact details of the point of contact for further information;
- likely consequences;
- measures taken or envisaged to mitigate consequences.
10. End of processing
At the end of this DPA (notably upon Terms termination), Suzzy proceeds, at the Controller's choice and within thirty (30) days:
- to return Data in a structured, commonly used and machine-readable format (CSV or JSON);
- or to permanently delete Data, except for legal retention obligations (notably accounting and tax obligations).
11. Liability
Each party is liable for damages caused by processing resulting from a breach of its GDPR obligations. Suzzy is only liable for damages caused by processing resulting from a breach of its own obligations as Processor or of the Controller's lawful instructions, in accordance with Article 82 GDPR. The liability cap of Article 11 of the Terms fully applies to this DPA.
12. Governing law and jurisdiction
This DPA is governed by French law and the GDPR. Any dispute arising from this DPA falls under the exclusive jurisdiction of the Paris Commercial Court, in accordance with Article 16 of the Terms. The French version of this DPA is the legally binding version in case of discrepancy.