Sunday Data Processing Addendum (the “DPA”)

The DPA forms part of the Terms and Conditions between Sunday and the Merchant (the “Agreement”) under which Sunday provides technology services to the Merchant. Terms not defined in this DPA shall have the meaning given to them in the Agreement. If any term in this DPA conflicts with any term in the Agreement then this DPA shall prevail. The duration of the processing shall be for the term of the Agreement.
Certain words and phrases in this DPA have specific definitions when they start with capital letters. Where a defined term is used, it either has the meaning set out in annex 1 below (Definitions) or the meaning given to it in the relevant clause of this DPA. ”Data controller”, “data subject”, “personal data”, “process”, “processing”, “data processor” “data subject request”, “personal data breach”, “subprocessors” and “supervisory authority” shall have the meaning given to it in the Data Protection Legislation.

2. PROCESSING PERSONAL DATA AS A DATA CONTROLLER

2.1 This clause 2 applies to the processing of personal data by Sunday where such personal data is (i) received in connection with services provided directly to Users, such as through Sunday’s consumer-facing applications and services and/or (ii) related to the Merchant’s personnel, including servers transferred to or made available to Sunday by the Merchant in connection with the provision of the Sunday Services and the Solution.
2.2 The Merchant acknowledges that Sunday acts as an independent data controller with regards to the ways described in clause 2.1.
2.3 The Merchant understands and acknowledges that personal data in the scope of this clause 2 shall be processed by Sunday in accordance with:
(i) our User Privacy Policy accessible at https://sundayapp.com/privacy-policy/, and (ii) our Privacy Policy for Merchants accessible at https://sundayapp.com/privacy-policy-waiters-personnel/.
2.4 The Merchant shall ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the personal data related to its personnel to Sunday for the duration and purposes of this DPA.

3. PROCESSING PERSONAL DATA ON BEHALF OF THE MERCHANT

3.1 When Sunday processes personal data in the course of providing the Sunday Services to the Merchant under the Agreement, Sunday will process personal data as a data processor and/or service provider, only for the purpose of providing the Services. The parties agree that annex 2 of this DPA describes the subject matter and details of the processing of personal data. Sunday may aggregate, anonymize or de-identify personal data and process such data for the purposes set out in annex 2 or as otherwise permitted by applicable law.
3.2 Sunday shall process personal data in accordance with the Merchant's documented instructions (provided that such instructions are commensurate with the functionalities of the Sunday Services), unless Sunday is required by law to process personal data for any other purpose. If Sunday is of the opinion that an instruction from the Merchant infringes the Data Protection Laws, Sunday shall inform the latter thereof.
3.3 Sunday shall comply with all Data Protection Laws applicable to Sunday in its role as a data processor. The Merchant shall comply with all Data Protection Laws applicable to them as a data controller.
3.4 In the course of providing the Sunday Services, the Merchant acknowledges and hereby grants Sunday general written authorisation to use Subprocessors, listed online at: https://sundayapp.com/sunday-subprocessors/;
(“Subprocessor List”), to process the personal data. Sunday’s use of any specific subprocessor to process the personal data must be in compliance with Data Protection Laws and must be governed by a contract between Sunday and the subprocessor that requires comparable protections to this DPA. If Sunday appoints a new subprocessor or intends to make changes concerning the addition or replacement of subprocessors, such changes will be made to our Subprocessor List. The Merchant will have seven (7) days from the date of the update of our Subprocessor List to object to the change. If the Merchant objects to the appointment of a Subprocessor, the Merchant may terminate the Agreement.
3.5 Sunday shall assist the Merchant in responding to any request from a data subject and in ensuring compliance with its obligations under the Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators.
3.6 Sunday shall notify the Merchant without undue delay upon becoming aware of and confirming any accidental, unauthorized, or unlawful processing of, disclosure of, or access to the personal data.
3.7 In order to provide the Sunday Services to the Merchant, Sunday will only access and process personal data from (i) countries in the EEA, (ii) countries or territories formally recognised by the European Commission as providing an adequate level of data protection (“Adequate Countries”) and (iii) third countries or territories provided Sunday and the relevant subprocessor have put a Valid Transfer Mechanism in place.
3.8 Sunday shall at the written direction of the Merchant, delete or return personal data and copies thereof to the Merchant on termination of this DPA unless required by Data Protection Laws or other applicable laws to store personal data.
3.9 Sunday shall implement, and at all times during this DPA maintain technical and organizational safeguards to protect personal data from unauthorized or unlawful processing or accidental loss or damage: (i) ensuring in each case a level of security appropriate to the risk; and (ii) maintaining PCI DSS level 1 service provider certification; and (iii) in addition maintaining controls in line with accepted industry practices including the International Organization for Standardization's standards: Requirements of the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
3.10 At a minimum, Sunday’s safeguards for the protection of personal data shall include: (i) securing, cloud systems, backup systems, and computing equipment, including, but not limited to, all endpoint devices and other equipment with information storage capability; (ii) implementing network, application, database, and platform security; (iii) securing information transmission, storage, and disposal; (iv) implementing authentication and access controls within media, applications, operating systems, and equipment; (v) encrypting personal data at rest where possible; (vi) encrypting personal data transmitted over transit in network; (vii) strictly segregating Merchant data from information of Sunday or its other customers so that Merchant Data is not commingled with any other types of information; (viii) conducting risk assessments, and vulnerability scans and promptly implementing, at Sunday’s sole cost and expense, a corrective action plan to correct any issues that are reported as a result of the testing; (ix) implementing appropriate personnel security and integrity procedures and practices; and (x) providing appropriate information security awareness training to Sunday employees.

Annex 1. Definitions

Data Protection Legislation
all applicable data protection and privacy legislation in force from time to time including the General Data Protection Regulation ((EU) 2016/679) (‘GDPR’); the Data Protection Act 2018; the California Consumer Privacy Act, the California Privacy Rights Act; the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC) and the Privacy and Electronic Communications Regulations 2003 (SI 2003 No. 2426) as amended; any other European Union legislation relating to the use of personal data and all other legislation and regulatory requirements in force from time to time which apply to a Party relating to the use of personal data.
Valid Transfer Mechanism
a data transfer mechanism permitted by the Data Protection Laws as a lawful basis for transferring personal data to a recipient located in a third country in the meaning of GDPR and the Data Protection Act 2018.

Annex 2. Description of the processing

Nature and Purpose of the processing
To provide and improve the Services under the Agreement and any other terms that this DPA is incorporated into, provide any related support to Merchant, as otherwise permitted under European Data Protection Laws, or as initiated by the Merchant from time to time.
Subject Matter, Types of Personal Data and Categories of Data Subjects
Personal data relating to Users.
Duration of processing
The term of the Agreement plus the period from the end of the term until deletion of all personal data by Sunday in accordance with its obligations under this DPA.