Data Processing Agreement
Effective date: February 21, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between BarOS ApS ("Processor", "BarOS") and the customer using the Service ("Controller", "you"). This DPA is entered into pursuant to Article 28 of the EU General Data Protection Regulation (GDPR).
By using the BarOS Service, the Controller instructs the Processor to process personal data as described in this DPA.
1. Definitions
Terms used in this DPA have the meanings given in GDPR Article 4, the Terms of Service, and:
- "Personal Data" means any information relating to an identified or identifiable natural person that the Controller uploads or creates through the Service.
- "Processing" means any operation performed on Personal Data, including collection, storage, modification, retrieval, transmission, and deletion.
- "Sub-Processor" means a third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
2. Scope & Roles
- The Controller (you, the venue operator) determines the purposes and means of processing Personal Data within the Service.
- The Processor (BarOS) processes Personal Data solely on behalf of and under the documented instructions of the Controller.
This DPA applies to all Personal Data processed by BarOS in the course of providing the Service, including data relating to the Controller's staff, customers (where applicable), and suppliers.
3. Processing Instructions
The Processor shall process Personal Data only in accordance with the Controller's documented instructions. The Controller's instructions are defined by:
- This DPA and the Terms of Service.
- The Controller's configuration and use of the Service features.
- Any additional written instructions agreed upon by both parties.
If the Processor believes that an instruction from the Controller infringes GDPR or other applicable data protection law, the Processor shall promptly notify the Controller and may suspend the relevant processing until the instruction is amended.
4. Details of Processing
| Element | Description |
|---|---|
| Subject matter | Provision of bar/taproom management SaaS platform |
| Duration | For the duration of the service agreement, plus the retention period described in Section 12 |
| Nature of processing | Collection, storage, retrieval, analysis, AI-based data extraction, display, export, and deletion |
| Purpose | To provide tap management, invoice processing, sales analytics, and reporting functionality |
| Categories of data subjects | Controller's employees/staff (names, PINs, actions); supplier contacts (names on invoices); POS transaction data (may include customer references) |
| Categories of personal data | Names, staff PINs, email addresses, action logs, supplier contact details from invoices, POS sale identifiers |
No special categories of personal data (Article 9) are intentionally processed.
5. Processor Obligations
BarOS shall:
- Process Personal Data only on documented instructions from the Controller, unless required by EU or Member State law.
- Ensure that persons authorized to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Implement appropriate technical and organizational measures as described in Section 7.
- Respect the conditions for engaging Sub-Processors as described in Section 6.
- Assist the Controller in responding to data subject requests (Section 9).
- Assist the Controller in ensuring compliance with obligations under Articles 32–36 GDPR (security, breach notification, DPIAs, prior consultation).
- At the Controller's choice, delete or return all Personal Data after the end of the service agreement (Section 12).
- Make available all information necessary to demonstrate compliance and allow for audits (Section 10).
6. Sub-Processors
6.1 Authorized Sub-Processors
The Controller provides general written authorization for the Processor to engage the following Sub-Processors:
| Sub-Processor | Purpose | Location | Data Processed |
|---|---|---|---|
| Vercel Inc. | Application hosting, edge network, serverless functions | EU (Frankfurt) | All application data in transit and at edge |
| Neon Inc. | PostgreSQL database hosting | EU (AWS eu-central-1, Frankfurt) | All persistent Customer Data and account data |
| Stripe Inc. | Payment processing and subscription billing | EU/US | Billing information, payment card details, customer identifiers |
| Anthropic PBC | AI-powered invoice data extraction (Claude API) | US | Invoice images/PDFs (transient processing, zero-retention API) |
6.2 Changes to Sub-Processors
The Processor shall notify the Controller at least 30 days in advance before adding or replacing a Sub-Processor, providing the Controller an opportunity to object. If the Controller objects on reasonable data protection grounds within 14 days of notification, the parties shall discuss the concern in good faith. If no resolution is reached, the Controller may terminate the affected portion of the Service.
6.3 Sub-Processor Obligations
The Processor shall impose the same data protection obligations on each Sub-Processor through a written contract. The Processor remains fully liable to the Controller for the performance of its Sub-Processors.
7. Technical & Organizational Measures
The Processor implements the following measures to ensure a level of security appropriate to the risk (Article 32 GDPR):
Encryption
- All data in transit encrypted with TLS 1.2 or higher.
- Database encryption at rest (AES-256) provided by the hosting infrastructure.
- Passwords hashed using bcrypt with appropriate work factor.
Access Controls
- Role-based access control within the application.
- Principle of least privilege for all internal access to infrastructure and data.
- Multi-factor authentication required for administrative access to hosting and database.
- Staff kiosk access via time-limited PIN with automatic session expiry.
Infrastructure Security
- Application hosted on Vercel's SOC 2 Type II certified infrastructure.
- Database hosted on Neon/AWS with SOC 2 certified data centers in the EU.
- Automated backups with point-in-time recovery capabilities.
- DDoS protection and Web Application Firewall at the edge.
Operational Security
- Regular dependency updates and vulnerability scanning.
- Audit logging of administrative actions and data access.
- Incident response procedures documented and tested.
- Confidentiality obligations for all personnel with access to Personal Data.
8. Data Breach Notification
In the event of a Data Breach involving Personal Data processed under this DPA:
- The Processor shall notify the Controller without undue delay and in any case within72 hours after becoming aware of the breach.
- The notification shall include, to the extent available:
- A description of the nature of the breach, including the categories and approximate number of data subjects and records affected.
- The name and contact details of the Processor's contact point for further information.
- A description of the likely consequences of the breach.
- A description of the measures taken or proposed to address the breach and mitigate its effects.
- Where it is not possible to provide all information within 72 hours, the Processor shall provide information in phases as it becomes available.
- The Processor shall cooperate with the Controller in investigating and remediating the breach and in fulfilling the Controller's notification obligations to supervisory authorities and data subjects.
9. Data Subject Requests
The Processor shall promptly notify the Controller if it receives a request from a data subject to exercise their rights under GDPR (access, rectification, erasure, restriction, portability, or objection). The Processor shall not respond to such requests directly unless authorized by the Controller.
The Processor shall provide reasonable assistance to the Controller in fulfilling data subject requests, taking into account the nature of the processing and the information available to the Processor.
10. Audit Rights
The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and GDPR Article 28.
The Controller (or an independent third-party auditor appointed by the Controller) may conduct audits of the Processor's processing activities, subject to:
- Reasonable advance notice of at least 30 days.
- Audits during normal business hours and conducted in a manner that minimizes disruption.
- Confidentiality obligations regarding any information accessed during the audit.
- No more than one audit per 12-month period, unless a Data Breach has occurred or a supervisory authority requires an additional audit.
Where the Processor undergoes relevant third-party audits or certifications (e.g., SOC 2), it may provide audit reports or certificates in lieu of a direct audit, provided the Controller reasonably agrees.
11. International Transfers
Personal Data is primarily processed within the EU/EEA. Where transfers to third countries occur (specifically to Stripe and Anthropic in the US), the Processor ensures that:
- EU Standard Contractual Clauses (SCCs) as adopted by the European Commission are in place with each Sub-Processor.
- Transfer Impact Assessments have been conducted where required.
- Supplementary measures are implemented where necessary based on the assessment.
For Anthropic (AI invoice processing), data is processed transiently through the API with zero retention — invoice content is not stored by Anthropic after processing is complete.
12. Termination & Data Deletion
Upon termination or expiry of the service agreement:
- The Processor shall, at the Controller's choice, either return all Personal Data to the Controller in a standard, machine-readable format (CSV), or delete all Personal Data.
- The Controller has 30 days after account closure to request data export. After this period, the Processor shall permanently delete all Personal Data from active systems.
- Backup copies will be purged in accordance with the Processor's backup retention schedule, not to exceed 90 days after deletion from active systems.
- The Processor may retain Personal Data to the extent required by EU or Member State law, in which case the Processor shall inform the Controller of such requirement and limit processing to what is legally required.
13. Liability
Each party's liability under this DPA is subject to the limitations set forth in the Terms of Service. The Processor shall be liable for damage caused by processing that violates this DPA or GDPR, in accordance with Article 82 GDPR.
Contact for DPA-related matters:
BarOS ApS
Email: privacy@baros.dk