Sunday Data Processing Addendum (the “DPA”)
Last updated: 30 March 2026
The DPA forms part of the Terms and Conditions between Sunday and the Merchant (the “Agreement”) under which Sunday provides technology services to the Merchant. Terms not defined in this DPA shall have the meaning given to them in the Agreement. If any term in this DPA conflicts with any term in the Agreement then this DPA shall prevail. The duration of the processing shall be for the term of the Agreement.
Certain words and phrases in this DPA have specific definitions when they start with capital letters. Where a defined term is used, it either has the meaning set out in annex 1 below (Definitions) or the meaning given to it in the relevant clause of this DPA. “Data controller”, “data subject”, “personal data”, “process”, “processing”, “data processor”, “data subject request”, “personal data breach”, “subprocessors” and “supervisory authority” shall have the meanings given to them in the Data Protection Legislation. Where this DPA refers to Sunday as a "data processor", this shall also mean "service provider" or "contractor" as defined under applicable U.S. state privacy laws (including the CCPA/CPRA). Where this DPA refers to the Merchant as a "data controller", this shall also mean "business" as defined under such laws.
2. PROCESSING PERSONAL DATA AS A DATA CONTROLLER
2.1 This clause 2 applies to the processing of personal data by Sunday where (i) User personal data is received as a result of the User’s direct relationship or intentional interaction with Sunday, such as through the User Services as defined in the User Terms of Services available at https://sundayapp.com/user-terms-of-service/;
and (ii) personal data is related to the Merchant’s personnel, including servers, and transferred to or made available to Sunday by the Merchant in connection with the provision of the Sunday Services.
2.2 The Merchant acknowledges that Sunday acts as an independent data controller with regards to the ways described in clause 2.1.
2.3 The Merchant understands and acknowledges that personal data in the scope of this clause 2 shall be processed by Sunday in accordance with:
(i) our User Privacy Policy accessible at https://sundayapp.com/privacy-policy/;
and (ii) our Privacy Policy for Merchants accessible at https://sundayapp.com/privacy-policy-waiters-personnel/.
2.4 The Merchant shall ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the personal data related to its personnel to Sunday for the duration and purposes of this DPA.
2.5 De-Identification and Derived Data. In the course of its activities as an independent business collecting and processing User Data under this clause 2, Sunday is authorized to de-identify, anonymize and aggregate User personal data to create data sets that do not identify and cannot reasonably be used to identify, directly or indirectly, any User or the Merchant ("Derived Data"), as defined in Section 12.3 of the Agreement. The purposes and modalities of such processing are described in Sunday's User Privacy Policy. Derived Data does not constitute personal data or personal information within the meaning of the Data Protection Legislation (including the CCPA/CPRA). The creation, use and exploitation of Derived Data by Sunday is not subject to the obligations of this DPA relating to the processing of personal data. The Merchant acknowledges that the creation of Derived Data falls within Sunday's own business purposes and does not constitute processing carried out on behalf of the Merchant within the meaning of clause 3 of this DPA.
2.6 De-Identification of Merchant Data for Derived Data. Pursuant to the license granted by the Merchant under Section 12.3(a) of the Agreement, Sunday shall de-identify, anonymize and aggregate personal data contained in Merchant Data (including, where applicable, data relating to the Merchant's personnel) for the purpose of creating Derived Data. For the purposes of clause 3.2 of this DPA, this constitutes a documented instruction from the Merchant, the execution of which results in the creation of data that no longer constitutes personal data or personal information within the meaning of the Data Protection Legislation.
Once Derived Data has been created, it is no longer subject to the obligations of this DPA relating to the processing of personal data. The conditions of use and exploitation of Derived Data are governed exclusively by Section 12.3 of the Agreement.
3. PROCESSING PERSONAL DATA ON BEHALF OF THE MERCHANT
3.1 When Sunday processes personal data in the course of providing the Sunday Services to the Merchant under the Agreement, Sunday will process personal data as a data processor and/or service provider, only for the purpose of providing the Services. The parties agree that annex 2 of this DPA describes the subject matter and details of the processing of personal data. In its capacity as data processor (or service provider under applicable U.S. state privacy laws), Sunday may aggregate or pseudonymize personal data processed on behalf of the Merchant, solely for the purposes described in Annex 2 and in accordance with the Merchant's documented instructions.
It is specified that:
(i) the de-identification and anonymization of User Data for the purpose of creating Derived Data within the meaning of Section 12.3 of the Agreement falls exclusively within clause 2.5 of this DPA and Sunday's status as an independent business;
(ii) the de-identification and anonymization of personal data contained in Merchant Data for the purpose of creating Derived Data is carried out in accordance with the Merchant's documented instruction set out in clause 2.6 of this DPA.
3.2 Sunday shall process personal data in accordance with the Merchant's documented instructions (provided that such instructions are commensurate with the functionalities of the Sunday Services), unless Sunday is required by law to process personal data for any other purpose. If Sunday is of the opinion that an instruction from the Merchant infringes the Data Protection Laws, Sunday shall inform the latter thereof.
3.3 Sunday shall comply with all Data Protection Laws applicable to Sunday in its role as a data processor. The Merchant shall comply with all Data Protection Laws applicable to them as a data controller.
3.4 In the course of providing the Sunday Services, the Merchant acknowledges and hereby grants Sunday general written authorisation to use Subprocessors, listed online at: https://sundayapp.com/sunday-subprocessors/ (“Subprocessor List”), to process the personal data. Sunday’s use of any specific subprocessor to process the personal data must be in compliance with Data Protection Laws and must be governed by a contract between Sunday and the subprocessor that requires comparable protections to this DPA. If Sunday appoints a new subprocessor or intends to make changes concerning the addition or replacement of subprocessors, such changes will be made to our Subprocessor List. The Merchant will have seven (7) days from the date of the update of our Subprocessor List to object to the change. If the Merchant objects to the appointment of a Subprocessor, the Merchant may terminate the Agreement.
3.5 Sunday shall assist the Merchant in responding to any request from a data subject and in ensuring compliance with its obligations under the Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators.
3.6 Sunday shall notify the Merchant without undue delay upon becoming aware of and confirming any accidental, unauthorized, or unlawful processing of, disclosure of, or access to the personal data.
3.7 In order to provide the Sunday Services to the Merchant, Sunday may access and process personal data in any country where Sunday or its subprocessors operate, provided that appropriate safeguards are in place. Where personal data originating from the European Economic Area or the United Kingdom is processed outside those jurisdictions, Sunday and the relevant subprocessor shall ensure that a Valid Transfer Mechanism is in place. Sunday shall comply with all applicable data transfer requirements under the Data Protection Legislation.
3.8 Sunday shall at the written direction of the Merchant, delete or return personal data and copies thereof to the Merchant on termination of this DPA unless required by Data Protection Laws or other applicable laws to store personal data.
3.9 Sunday shall implement, and at all times during this DPA maintain technical and organizational safeguards to protect personal data from unauthorized or unlawful processing or accidental loss or damage: (i) ensuring in each case a level of security appropriate to the risk; and (ii) maintaining PCI DSS level 1 service provider certification; and (iii) in addition maintaining controls in line with accepted industry practices including the International Organization for Standardization's standards: Requirements of the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
3.10 At a minimum, Sunday’s safeguards for the protection of personal data shall include: (i) securing cloud systems, backup systems, and computing equipment, including, but not limited to, all endpoint devices and other equipment with information storage capability; (ii) implementing network, application, database, and platform security; (iii) securing information transmission, storage, and disposal; (iv) implementing authentication and access controls within media, applications, operating systems, and equipment; (v) encrypting personal data at rest where possible; (vi) encrypting personal data in transit over the network; (vii) strictly segregating Merchant data from information of Sunday or its other customers so that Merchant Data is not commingled with any other types of information; (viii) conducting risk assessments and vulnerability scans and promptly implementing, at Sunday’s sole cost and expense, a corrective action plan to correct any issues that are reported as a result of the testing; (ix) implementing appropriate personnel security and integrity procedures and practices; and (x) providing appropriate information security awareness training to Sunday employees.
Annex 1. Definitions
Data Protection Legislation
all applicable data protection and privacy legislation in force from time to time, including the General Data Protection Regulation ((EU) 2016/679) ("GDPR"); the UK Data Protection Act 2018; the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"); the Virginia Consumer Data Protection Act; the Colorado Privacy Act; the Connecticut Data Privacy Act; and all other applicable U.S. federal, state and local privacy laws and regulations; and all other legislation and regulatory requirements in force from time to time which apply to a Party relating to the use of personal data.
Derived Data
de-identified, anonymized and aggregated data sets created by Sunday from Merchant Data and/or User Data, which do not identify and cannot reasonably be used to identify, directly or indirectly, any User, the Merchant, or any other natural person, and which do not constitute personal data or personal information within the meaning of the Data Protection Legislation. The conditions for the creation and exploitation of Derived Data are set out in clauses 2.5 and 2.6 of this DPA and in Section 12.3 of the Agreement.
Valid Transfer Mechanism
a data transfer mechanism permitted by the Data Protection Laws as a lawful basis for transferring personal data to a recipient located in a third country in the meaning of GDPR and the Data Protection Act 2018.
Annex 2. Description of the processing
Nature and Purpose of the processing
Provision of the Sunday Services to the Merchant; processing of payment transactions; real-time transaction monitoring; reporting and analytics; technical support; integration with the Merchant's point-of-sale (POS) systems; any related support to Merchant as otherwise permitted under the Data Protection Legislation; de-identification, anonymization and aggregation of personal data contained in Merchant Data for the purpose of creating Derived Data, in accordance with the Merchant's documented instruction set out in clause 2.6 of this DPA and Section 12.3 of the Agreement.
Types of personal data
Merchant Data which may include personal data or personal information (in particular data relating to the Merchant's personnel such as first name, surname, contact details, role); transactional data relating to the Merchant's Establishment(s); User personal data to the extent processed on the Merchant's documented instructions.
Categories of data subjects/consumers
Merchant's personnel (including servers); Users (to the extent their data is processed on behalf of the Merchant in accordance with its documented instructions).
Duration of processing
The term of the Agreement, plus the period necessary for the deletion or return of all personal data by Sunday in accordance with clause 3.8 of this DPA.