Data Processing Agreement (DPA)
1. Definitions
For the purposes of this DPA, the terms "personal data", "processing", "controller", "processor", "sub-processor", "data subject" and "personal data breach" shall have the meaning given to them in Article 4 of Regulation (EU) 2016/679 (GDPR).
- "End Customer Data" means personal data of natural persons who make reservations or interact with the Venue's services through the platform (name, phone number, email, reservation data, dietary preferences, reservation history, etc.), and which are processed by the Company on behalf of the Venue.
- "Services" means the functionalities of the Reservation.tools platform that the Venue uses in accordance with the applicable Terms of Use.
- "Agreement" means the Terms of Use of the platform, together with all plans and addenda accepted by the Venue.
2. Subject matter, nature, purpose and duration of processing
| Parameter | Description |
|---|---|
| Subject matter of processing | Processing of personal data of the Venue's end customers, necessary for the provision of the platform's Services |
| Nature of processing | Collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, restriction, erasure or destruction (all operations under Article 4(2) GDPR), insofar as necessary for the functioning of the platform |
| Purpose of processing | Reservation management, processing of enquiries, sending confirmations and reminders (email/SMS), table and occupancy management for the Venue, maintenance of the Venue's customer database, operational statistics for the Venue |
| Categories of data subjects | End customers of the Venue who make reservations or provide data through the platform |
| Categories of personal data | Names, phone number, email, reservation history, dietary and other preferences, notes from the Venue, external identifiers (Stripe customer ID, Google Reserve User ID — where applicable) |
| Duration of processing | For the duration of the Agreement between the Venue and the Company |
3. Obligations and rights of the Venue (Controller)
The Venue:
a) determines the purposes and means of the processing of End Customer Data;
b) warrants that it has a valid legal basis for each processing operation, including for the transfer of such data to the Company;
c) provides the necessary information to its end customers (Privacy Notice) regarding the processing of their personal data, including regarding the role of the Company as processor;
d) gives documented instructions to the Company regarding the processing (the standard instructions are embedded in the platform's functionality itself; additional instructions may be submitted in writing to [email protected]);
e) is responsible for fulfilling data subject requests regarding End Customer Data;
f) notifies the Company in a timely manner of any change in its legal status or instructions that affects the processing.
4. Obligations of the Company (Processor)
4.1 Processing only on instructions
The Company processes End Customer Data only on documented instructions from the Venue, including with regard to international transfers, unless required to do so by EU or Bulgarian law. In the latter case, the Company shall inform the Venue of that legal requirement before commencing the processing, unless such law prohibits such notification.
4.2 Confidentiality
The Company ensures that all persons authorised to process End Customer Data on its behalf have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4.3 Security of processing (Article 32 GDPR)
The Company implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including — as applicable:
- Encryption in transit (HTTPS/TLS) and at rest for backups and stored files
- Role-based access control (RBAC) and the principle of least privilege
- Multi-tenant database-level isolation, preventing accidental or deliberate cross-venue access
- Audit logs for material operations
- Hashed passwords, MFA support where applicable
- Automated backups and disaster recovery plan
- Vulnerability management and periodic component updates
A detailed description of the measures is available in Section 12 of the Company's Privacy Policy.
4.4 Sub-processors
The Venue grants a general written authorisation to the Company to engage sub-processors for the processing of End Customer Data. The current list of sub-processors is maintained in Section 7.2 of the Company's Privacy Policy.
In the event of a planned addition or replacement of a sub-processor:
a) the Company shall notify the Venue by email before the new sub-processor commences processing personal data, within a timeframe that allows for reasoned objections;
b) the Venue may raise a reasoned objection within a reasonable period;
c) in the event of an unresolvable dispute, either party shall have the right to terminate the Agreement, without this giving rise to liability for penalties on the part of the Venue;
d) the Company shall impose on each sub-processor data protection contractual obligations that are no less stringent than those set out in this DPA.
The Company shall remain fully liable to the Venue for the performance of the sub-processors' obligations.
4.5 Assistance with data subject rights
The Company shall assist the Venue by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Venue's obligation to respond to requests from data subjects exercising their rights under Chapter III of the GDPR (right of access, rectification, erasure, restriction, portability, objection).
Where the Company receives a request directly from a data subject relating to End Customer Data, it shall not respond to the request directly but shall forward it to the relevant Venue without undue delay and shall assist with its fulfilment.
4.6 Assistance with obligations under Articles 32–36 GDPR
The Company shall assist the Venue in meeting its obligations under Article 32 (security), Articles 33 and 34 (breach notification), Article 35 (DPIA — Data Protection Impact Assessment) and Article 36 (prior consultation with the supervisory authority), insofar as this is reasonably necessary having regard to the nature of the processing and the information available to the Company.
4.7 Personal data breach notification
Upon becoming aware of a personal data breach ("data breach") affecting End Customer Data, the Company shall notify the Venue without undue delay. The notification shall contain at least:
a) a description of the nature of the breach, including the categories and approximate number of data subjects and personal data records concerned;
b) the name and contact details of the Company's contact person;
c) a description of the likely consequences of the breach;
d) a description of the measures taken or proposed to address the breach and to mitigate its possible adverse effects.
This notification is intended to enable the Venue to fulfil its own obligation to notify the supervisory authority within 72 hours pursuant to Article 33 GDPR.
4.8 Return or deletion of data upon termination
Upon termination of the Agreement (howsoever arising), the Company shall, at the Venue's choice, delete or return all End Customer Data processed on behalf of the Venue, and shall delete existing copies, unless EU or Bulgarian law requires further storage of specific data.
The default behaviour, if the Venue does not make an explicit choice within 30 days after termination, shall be deletion of the data within a reasonable technical timeframe.
4.9 Demonstration of compliance and audit
The Company shall make available to the Venue all information necessary to demonstrate compliance with the obligations under Article 28 GDPR and this DPA. Upon reasoned written request, the Venue may request additional information or conduct an audit — either independently or through an independent auditor — subject to the following conditions:
a) the audit shall be conducted at the Venue's expense;
b) the audit shall be scheduled in advance with reasonable notice (typically no less than 30 days) and shall be conducted at a time and in a manner that does not disrupt the Company's operational activities or the security of other clients;
c) the auditor shall sign a confidentiality agreement and comply with multi-tenant isolation: no access to other venues' data shall be granted;
d) the Company may provide, as an alternative, a report from an external auditor or certification (e.g. ISO 27001, SOC 2), if available.
5. International transfers
Where the processing of End Customer Data involves a transfer to a country outside the EU/EEA, the Company shall apply appropriate safeguards in accordance with Articles 44–49 GDPR — the EU–U.S. Data Privacy Framework (for certified providers), Standard Contractual Clauses (SCCs), or other approved mechanisms.
For details on specific providers and jurisdictions — see Section 7.2 and Section 8 of the Company's Privacy Policy.
6. Term and termination
This DPA shall take effect from the date of the Venue's registration on the platform and shall continue for the duration of the Agreement. Obligations that by their nature should survive termination (confidentiality, security of residual data until deletion, assistance with investigation of past breaches) shall remain in force after termination.
7. Liability
The liability of the parties under this DPA shall be governed by the Agreement and applicable law. No clause of this DPA shall be construed as excluding the liability of the parties towards data subjects under Article 82 GDPR.
8. Governing law and disputes
This DPA shall be governed by Bulgarian law and Regulation (EU) 2016/679. Disputes shall be resolved in accordance with the procedure set out in the Agreement, and in the absence of such a clause — before the competent Bulgarian court.
9. Hierarchy of documents
In the event of a conflict between the Agreement (Terms of Use), this DPA and the Privacy Policy, with regard to the processing of End Customer Data, the provisions of this DPA shall prevail.
"Резервейшън" ЕООД (Reservation Ltd) — UIC 203865762
DPA version: 12 April 2026