Legal & Trust

Data Processing Agreement

This DPA forms part of the legal framework for the SUMS platform and explains how SUMS processes personal data on behalf of customer organisations in a multi-tenant SaaS environment.

Overview Controller / Processor

1. Overview

This Data Processing Agreement ("DPA") forms part of the Terms of Service between SUMS, a sole trader based in the United Kingdom, acting as Processor, and the customer organisation, acting as Controller, in relation to the processing of personal data within the SUMS platform.

2. Purpose

This DPA governs how the Processor processes personal data on behalf of the Controller in accordance with applicable data protection laws, including the UK GDPR.

3. Roles

The Controller determines:

  • The purpose of processing.
  • The type of data collected.
  • How the platform is used.

The Processor:

  • Processes data only on documented instructions from the Controller.
  • Does not use the data for its own purposes.

4. Nature of Processing

The Processor provides a multi-tenant SaaS platform used for:

Operational Management

Restaurant and operational management, workforce management, and inventory and procurement.

Platform Workflows

Sales and reporting, plus document processing including invoices and uploads.

5. Categories of Data

The Controller may submit the following types of personal data:

  • Staff data, including names, roles, schedules, pay rates, and contact details.
  • User account data, including name, email address, and login details.
  • Operational data linked to individuals.
  • Uploaded documents and files.

6. Special Category Data

The platform is not intended to process special category data, such as health, biometric, or other sensitive personal data.

Controller Responsibility: The Controller is responsible for ensuring such data is not uploaded unless appropriate safeguards are in place.

7. Processor Obligations

The Processor shall:

  • Process data only on Controller instructions.
  • Ensure personnel are subject to confidentiality obligations.
  • Implement appropriate technical and organisational security measures.
  • Assist the Controller with data subject requests.
  • Assist with GDPR compliance where reasonably required.
  • Notify the Controller of any personal data breach without undue delay.

8. Security Measures

The Processor implements:

  • Encryption of sensitive data at rest.
  • Secure data transmission over HTTPS.
  • Role-based access controls.
  • Multi-tenant isolation.
  • Audit logging and monitoring.
  • Secure cloud infrastructure using Render EU and Amazon S3.
Important: Certain sensitive workforce data is encrypted in a way that prevents direct access, including by the Processor.

9. Sub-processors

The Controller authorises the use of the following sub-processors:

  • Infrastructure hosting providers, including Render in the EU region.
  • Storage providers, including Amazon S3.
  • AI processing providers, such as OpenAI and Anthropic Claude.
  • POS and third-party integrations, as enabled by the Controller.

The Processor ensures that all sub-processors are bound by data protection obligations and provide appropriate safeguards.

10. International Transfers

Where data is transferred outside the UK or EEA, the Processor ensures appropriate safeguards are in place, including contractual protections where required.

11. Data Subject Rights

The Processor shall assist the Controller in responding to:

  • Access requests.
  • Rectification requests.
  • Erasure requests.
  • Data portability requests.

The Controller remains responsible for handling these requests.

12. Data Breach

In the event of a personal data breach, the Processor shall:

  • Notify the Controller without undue delay.
  • Provide relevant information to support investigation.
  • Take reasonable steps to mitigate impact.

13. Data Retention & Deletion

Upon termination of the service:

  • The Controller may request data export.
  • The Processor will delete data upon request.
  • A full tenant-level data wipe can be performed.
Note: Backup data may be retained temporarily for security and recovery purposes.

14. Audit & Compliance

The Processor shall make available information reasonably necessary to demonstrate compliance with this DPA.

Formal audits may be conducted where reasonably required, subject to notice and confidentiality.

15. Liability

Each party’s liability under this DPA is subject to the limitations set out in the Terms of Service.

16. Duration

This DPA remains in effect for as long as the Processor processes personal data on behalf of the Controller.

17. Governing Law

This DPA is governed by the laws of England and Wales.