Data Processing Agreement
Last updated · 2026-04-16
DineRoute's DPA for customers subject to GDPR, UK GDPR, and CCPA. Includes subprocessor list and international transfer terms.
1. Roles
When DineRoute processes end-customer data on behalf of a restaurant or agency, the customer acts as the data controller and DineRoute acts as a data processor within the meaning of GDPR Article 4(8).
2. Instructions
DineRoute processes personal data only in accordance with customer instructions, documented in the Terms of Service and in customer configuration choices inside the product.
3. Subprocessors
Current material subprocessors:
- Amazon Web Services (hosting, United States, EU regions available on Enterprise)
- Cloudflare (DNS and edge, global)
- Stripe (billing, United States)
- Resend (transactional email, United States)
- PostHog (product analytics, EU hosting available on Enterprise)
We notify customers at least 30 days in advance of any material change to this list.
4. International transfers
For transfers outside the EEA, UK, or Switzerland, DineRoute relies on the EU Standard Contractual Clauses and the UK IDTA, incorporated by reference.
5. Security
Technical and organizational measures include encryption at rest (AES-256) and in transit (TLS 1.2+), least-privilege access controls, audit logging, employee background checks, and annual penetration testing.
6. Data subject rights
DineRoute assists customers in fulfilling data-subject requests received from end-customers within reasonable timelines required by applicable law.
7. Audit
Enterprise customers may request SOC 2 Type II reports annually. Other plans may request summary security whitepapers.