Data Processing Addendum
Effective Date: May 22, 2026 · Version 1.0
This Data Processing Addendum (“DPA”) forms part of the Terms of Service or other written agreement (the “Agreement”) between Pandal Inc. (“Pandal,” “we,” “us,” or “our”), a Delaware corporation, and the customer identified in the Agreement (“Customer,” “you,” or “your”) for the provision of the Pandal services (the “Services”). It governs the processing of personal data in connection with the Services.
To the extent of any conflict between this DPA and the rest of the Agreement, this DPA controls with respect to the processing of personal data.
This DPA is intended to satisfy the requirements of applicable data protection laws, including the EU General Data Protection Regulation (GDPR), the UK General Data Protection Regulation (UK GDPR), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), and other applicable privacy laws.
1. Definitions
In this DPA:
- “Applicable Data Protection Laws” means all laws and regulations applicable to the processing of personal data under the Agreement, including the GDPR, UK GDPR, CCPA/CPRA, and any other privacy or data protection laws of the jurisdictions in which Customer or its end users are located.
- “Customer Personal Data” means personal data that Pandal processes on behalf of Customer in connection with providing the Services. This includes personal data about Customer’s end customers (such as transaction data containing end customer identifiers) and personal data about Customer’s personnel that Customer submits to or generates in the Services.
- “Controller,” “Processor,” “Data Subject,” “Personal Data,” “Process,” “Processing,” and “Personal Data Breach” have the meanings given to them under Applicable Data Protection Laws.
- “Subprocessor” means any third party engaged by Pandal to process Customer Personal Data on behalf of Pandal.
- “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses approved by the European Commission for the transfer of personal data to third countries, as in effect from time to time.
- “Service Provider” has the meaning given to it under the CCPA/CPRA.
- “Sub-processor List” means the list of Pandal’s current subprocessors, available at pandal.ai/legal/subprocessors.
Capitalized terms not defined in this DPA have the meanings given in the Agreement.
2. Roles and scope
Roles of the parties
For the purposes of this DPA:
As to Customer Personal Data about Customer’s end customers (for example, transaction data containing the email addresses of patrons who dine at Customer’s restaurant), Customer is the Controller and Pandal is the Processor. Pandal will process such data only on Customer’s documented instructions, as set out in this DPA and the Agreement, including any instructions Customer provides through its use of the Services.
As to Customer Personal Data about Customer’s personnel (for example, the names and email addresses of Customer’s employees who use the Services), Customer is the Controller and Pandal is the Processor for purposes of providing the Services. Pandal may separately be a Controller of certain limited information about such personnel for its own legitimate business purposes (such as authentication logs and security records), as described in Pandal’s Privacy Policy.
For purposes of the CCPA/CPRA, Pandal is a Service Provider with respect to Customer Personal Data. Pandal will not (a) sell or share Customer Personal Data; (b) retain, use, or disclose Customer Personal Data for any purpose other than the business purposes set out in the Agreement or as permitted by the CCPA/CPRA; (c) retain, use, or disclose Customer Personal Data outside the direct business relationship between Pandal and Customer; or (d) combine Customer Personal Data with personal information from other sources, except as permitted by the CCPA/CPRA for service-provider purposes.
Subject matter, nature, purpose, and duration
The subject matter, nature, and purpose of the processing are the provision of the Services to Customer as described in the Agreement. The duration of the processing is the term of the Agreement, plus any additional period during which Pandal is permitted or required to retain Customer Personal Data under this DPA or applicable law.
A full description of the categories of Data Subjects, categories of Customer Personal Data, and processing activities is provided in Annex 1.
Customer's responsibilities
Customer represents and warrants that:
- It has obtained and will maintain all necessary consents, authorizations, and lawful bases under Applicable Data Protection Laws for Pandal to process Customer Personal Data as contemplated by the Agreement
- It has provided all required notices to Data Subjects about Pandal’s processing of Customer Personal Data
- Its instructions to Pandal comply with Applicable Data Protection Laws
- Where Customer authorizes Pandal to connect to a third-party system (such as a point-of-sale, delivery, loyalty, marketing, or reservation system), Customer has the right under its agreements with those third parties to grant such authorization, and such authorization permits Pandal to process the relevant Customer Personal Data
3. Pandal's obligations
Processing instructions
Pandal will process Customer Personal Data only:
- On Customer’s documented instructions, including those reflected in the Agreement and this DPA, those given through Customer’s use of the Services, and any additional written instructions agreed by the parties
- As required by applicable law, in which case Pandal will (unless legally prohibited) inform Customer of the legal requirement before processing
If Pandal believes an instruction from Customer violates Applicable Data Protection Laws, Pandal will inform Customer promptly.
Restrictions on Pandal's use of Customer Personal Data
Pandal will not:
- Sell or share Customer Personal Data (as those terms are defined under the CCPA/CPRA)
- Use Customer Personal Data for behavioral advertising
- Use Customer Personal Data to train generalized AI models that benefit other Pandal customers
- Combine Customer Personal Data with personal information from other Pandal customers or other sources, except as permitted by Section 2 (for Service Provider purposes) or by Section 7 (aggregated and anonymized data)
- Contact Customer’s end customers directly on Pandal’s own behalf
- Market to Customer’s end customers
- Sell Customer’s end customer data
- Enrich Customer’s end customer data with third-party sources
except, in each case, where Customer explicitly authorizes and directs Pandal to do so as part of Customer’s use of the Services.
Confidentiality
Pandal will ensure that all personnel authorized to process Customer Personal Data are bound by confidentiality obligations and have received appropriate training on data protection. Access to Customer Personal Data is limited to those personnel who need it to perform their roles.
Security
Pandal will implement and maintain appropriate technical and organizational measures to protect Customer Personal Data against unauthorized or unlawful processing, accidental loss, destruction, damage, alteration, or disclosure. These measures are described in Annex 2 and will be at least as protective as the measures Pandal employs to protect its own confidential information of similar sensitivity.
Pandal will review and, where appropriate, update its security measures from time to time. Pandal may modify Annex 2 provided that the modifications do not materially reduce the level of protection.
Assistance to Customer
Taking into account the nature of the processing and the information available to Pandal, Pandal will:
- Assist Customer in fulfilling its obligations to respond to Data Subject requests to exercise their rights under Applicable Data Protection Laws (see Section 5)
- Assist Customer with data protection impact assessments and prior consultations with supervisory authorities, where required by Applicable Data Protection Laws
- Provide reasonable assistance in connection with Personal Data Breach notifications and investigations (see Section 6)
Pandal may charge a reasonable fee for assistance that exceeds the level of support customarily included in the Services.
4. Subprocessors
General authorization
Customer provides general authorization for Pandal to engage Subprocessors to process Customer Personal Data, subject to the requirements of this Section 4.
Subprocessor obligations
Pandal will:
- Engage Subprocessors only where they have agreed in writing to data protection obligations no less protective than those in this DPA, to the extent applicable to the nature of the services provided by the Subprocessor
- Remain liable to Customer for the acts and omissions of its Subprocessors as if they were Pandal’s own
- Maintain the Sub-processor List at pandal.ai/legal/subprocessors, specifying the name, location, and processing activities of each Subprocessor
Notice of changes and objection
Pandal will provide Customer with at least 15 days’ notice before adding or replacing a Subprocessor. Notice will be provided by updating the Sub-processor List; Customer may subscribe to notifications of changes at the same URL.
If Customer has reasonable, good-faith objections to a new Subprocessor on data protection grounds, Customer must notify Pandal in writing (at info@pandal.ai) within 15 days of receipt of notice. The parties will work together in good faith to resolve the objection. If the parties cannot resolve the objection within 30 days, Customer may terminate the portion of the Services that cannot be provided without the objected-to Subprocessor and, if Customer has paid fees in advance for the terminated portion, Pandal will refund the unused portion of those fees.
5. Data Subject rights
Pandal will, taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures (insofar as possible) to fulfill Customer’s obligation to respond to Data Subject requests under Applicable Data Protection Laws (including requests for access, rectification, erasure, restriction of processing, data portability, and objection to processing).
If Pandal receives a request from a Data Subject regarding Customer Personal Data, Pandal will:
- Promptly notify Customer of the request, unless prohibited by law
- Not respond to the request directly, except as instructed by Customer or as required by applicable law
6. Personal Data Breach notification
If Pandal becomes aware of a Personal Data Breach affecting Customer Personal Data, Pandal will:
- Notify Customer without undue delay, and in any event within 72 hours of becoming aware of the breach
- Provide reasonable information to enable Customer to meet its own notification obligations under Applicable Data Protection Laws, including the nature of the breach, the categories and approximate number of Data Subjects affected, the likely consequences, and the measures taken or proposed to address it
- Cooperate with Customer and provide reasonable assistance in mitigating the effects of the breach
Pandal’s notification of, or response to, a Personal Data Breach will not be construed as an acknowledgment by Pandal of any fault or liability.
7. Aggregated and anonymized data
Pandal may create aggregated and anonymized data derived from Customer Personal Data. Aggregated and anonymized data is data that has been processed in a manner that no individual Data Subject, Customer, or Customer’s personnel can be identified, directly or indirectly, by Pandal or any third party, and the data cannot be reversed to re-identify any individual.
Pandal may use aggregated and anonymized data to operate, improve, and develop the Services, including to train and improve Pandal-internal models that serve all of Pandal’s customers. Aggregated and anonymized data is not Customer Personal Data and is not subject to the restrictions in this DPA.
8. International data transfers
Pandal is established in the United States and processes Customer Personal Data in the United States. Customer authorizes such processing.
Where Customer Personal Data originating in the European Economic Area, the United Kingdom, or Switzerland is transferred to the United States or other jurisdictions not recognized by the European Commission (or equivalent UK or Swiss authority) as providing an adequate level of data protection, the parties agree that such transfers will be governed by:
- The Standard Contractual Clauses (Module Two: Controller to Processor) as approved by the European Commission, incorporated into this DPA by reference, with the following specifications:
  - Clause 7 (docking clause): included
  - Clause 9 (use of subprocessors): Option 2 (general written authorization), with the notice period specified in Section 4 of this DPA
  - Clause 11 (redress): the optional language regarding independent dispute resolution is not included
  - Clause 17 (governing law): the laws of the Republic of Ireland
  - Clause 18 (forum and jurisdiction): the courts of the Republic of Ireland
  - Annexes I, II, and III are completed by reference to Annexes 1 and 2 of this DPA and the Sub-processor List
- For UK transfers, the UK Addendum to the EU Standard Contractual Clauses as issued by the UK Information Commissioner’s Office
- For Swiss transfers, the SCCs as adapted for Switzerland in accordance with guidance from the Swiss Federal Data Protection and Information Commissioner
To the extent any onward transfer occurs from Pandal to a Subprocessor in a non-adequate jurisdiction, Pandal will ensure that appropriate safeguards (including SCCs where applicable) are in place between Pandal and the Subprocessor.
9. Audit rights
Pandal will make available to Customer information reasonably necessary to demonstrate compliance with this DPA. This information may include:
- Pandal’s then-current security documentation (such as SOC 2 reports, when available)
- Responses to standard security questionnaires
- Written confirmation of compliance with specific provisions of this DPA
Where Customer reasonably determines that the information described above is insufficient, Customer may request an audit of Pandal’s processing of Customer Personal Data, subject to the following:
- Audits will be conducted no more than once per 12-month period (except where required by a supervisory authority or following a confirmed Personal Data Breach)
- Audits will be conducted during normal business hours, with reasonable advance notice (at least 30 days), and in a manner that does not unreasonably interfere with Pandal’s operations
- Customer and any third-party auditor must be bound by appropriate confidentiality obligations
- The scope of the audit will be agreed by the parties in advance and limited to information reasonably necessary to assess Pandal’s compliance with this DPA
- Customer will bear the costs of the audit unless the audit reveals material non-compliance, in which case Pandal will bear reasonable costs
10. Deletion and return of Customer Personal Data
Upon termination of the Agreement, Pandal will, at Customer’s choice:
- Make Customer Personal Data available for export by Customer for a period of 30 days following termination
- Delete Customer Personal Data in accordance with this Section 10
After the 30-day export window (or such other period specified in the Agreement or by Customer in writing), Pandal will delete Customer Personal Data from Pandal’s active systems within 30 days. Customer Personal Data may persist in backups for up to 14 days after deletion from active systems, after which it will be permanently deleted in the ordinary course of backup rotation.
Pandal may retain Customer Personal Data:
- As required by applicable law (in which case Pandal will continue to protect it in accordance with this DPA)
- In aggregated and anonymized form, as described in Section 7
Pandal will provide written confirmation of deletion on request.
11. Liability
Each party’s liability under this DPA is subject to the limitations of liability set out in the Agreement, except where Applicable Data Protection Laws require otherwise.
12. Modifications
We may update this DPA from time to time to reflect changes in applicable law, our Services, or our subprocessor arrangements. When we make material changes, we will notify Customer by email or through the Services and update the “Effective Date” above. Material changes take effect 30 days after notice. Prior versions are archived at pandal.ai/legal/archive.
13. Order of precedence
In the event of a conflict between this DPA and the Agreement, this DPA controls with respect to the processing of personal data. In the event of a conflict between this DPA and the Standard Contractual Clauses, the SCCs control.
14. Contact
For privacy-related inquiries:
Pandal Inc.
2261 Market Street, STE 73222
San Francisco, CA 94114
Email: info@pandal.ai
Annex 1 — Description of processing
Categories of Data Subjects
- Customer’s personnel (employees, contractors, and other authorized users of the Services)
- Customer’s end customers (patrons, guests, members, and other individuals whose personal data is processed by Customer in the operation of its business)
- Customer’s prospects and contacts (where Customer uses the Services in connection with marketing, loyalty, or customer relationship activities)
Categories of Customer Personal Data
Depending on the integrations enabled and the data Customer submits to the Services, Customer Personal Data may include:
- Identification and contact data: name, email address, phone number, postal address, business address
- Transaction data: purchase records, item descriptions, prices, payment method type (excluding full payment card numbers), timestamps, location of transaction
- Authentication data: user identifiers, hashed identity tokens, session identifiers
- Customer relationship data: loyalty status, reservation history, marketing preferences, engagement metrics
- Communications metadata: records of marketing campaigns sent, opens, clicks, unsubscribes
- Technical data: IP addresses, device identifiers, browser type, log data
Pandal does not process full payment card numbers, government identifiers (such as social security numbers), biometric data, or special categories of personal data (as defined under the GDPR) except where Customer explicitly chooses to submit such data and represents that it has the lawful basis to do so.
Nature and purpose of processing
Pandal processes Customer Personal Data to:
- Provide the Services to Customer, including ingesting data from authorized integrations, normalizing it into a canonical form, surfacing revenue and margin opportunities, and executing actions Customer approves
- Authenticate users and secure access to the Services
- Provide customer support
- Maintain logs and audit records for security and operational purposes
- Comply with applicable law
Duration of processing
For the term of the Agreement, plus the retention periods described in Section 10.
Annex 2 — Technical and organizational measures
Pandal implements and maintains the following technical and organizational measures to protect Customer Personal Data.
Access control
- Multi-factor authentication is required for all production system access by Pandal personnel
- Access to production systems containing Customer Personal Data is granted on a need-to-know basis and is reviewed regularly
- Authentication events and administrative actions are logged and monitored
- Customer authentication uses industry-standard practices including secure session management and brute-force protection
- Authorization is enforced at multiple layers, including application-level role checks and database-level tenant isolation
Encryption
- All data is encrypted in transit using TLS 1.2 or higher
- All data is encrypted at rest using AES-256 or equivalent
- Sensitive authentication tokens and credentials are additionally protected using application-layer encryption
- Identity-related personal data (such as email addresses and phone numbers used for identity resolution) is hashed using HMAC-SHA-256 with a per-tenant secret before being used in matching operations
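The last bullet describes keyed pseudonymization of identifiers before matching. The following Python example is added here to illustrate that pattern; it is not Pandal’s code and does not describe how Pandal’s systems are actually implemented. It assumes a per-tenant 32-byte key held outside the application (the key values, the normalization rules, the record layout and the sample records are all constructed for the example). It shows why a keyed HMAC is used rather than a plain hash: the same email address yields the same token within one tenant (so records from different integrations can be linked), a different token under another tenant’s key (so tokens cannot be correlated across customers), and, without the key, the token cannot be recomputed from a guessed email address.

```python
"""Per-tenant keyed pseudonymization of identifiers for identity matching.

Added example; not Pandal's code. Keys, normalization rules and sample
records are constructed for illustration.
"""
import hashlib
import hmac
import secrets
import unicodedata
from collections import defaultdict


def generate_tenant_key() -> bytes:
    # One 256-bit secret per tenant. In a real deployment this lives in the
    # secrets management system, never in source code or logs.
    return secrets.token_bytes(32)


def normalize_identifier(value: str) -> str:
    # Canonicalize before hashing so that trivially different spellings of
    # the same address ("Alice@Example.com ", "alice@example.com") produce
    # the same token. These rules are an assumption of this example.
    return unicodedata.normalize("NFKC", value).strip().lower()


def pseudonymize(tenant_key: bytes, value: str) -> str:
    # HMAC-SHA-256 keyed with the tenant secret. Unlike an unkeyed SHA-256,
    # a token cannot be reproduced from a candidate email without the key,
    # and two tenants never share a token space.
    mac = hmac.new(tenant_key, normalize_identifier(value).encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()


def tokens_match(token_a: str, token_b: str) -> bool:
    # Constant-time comparison avoids leaking how many leading characters agree.
    return hmac.compare_digest(token_a, token_b)


def link_records(tenant_key: bytes, records: list[dict]) -> dict[str, list[dict]]:
    # Group records from different integrations by subject token. The raw
    # email is dropped from the output so downstream matching logic only
    # ever handles the keyed token.
    groups: dict[str, list[dict]] = defaultdict(list)
    for record in records:
        token = pseudonymize(tenant_key, record["email"])
        redacted = {key: val for key, val in record.items() if key != "email"}
        redacted["subject_token"] = token
        groups[token].append(redacted)
    return dict(groups)


# Constructed sample input: two integrations reporting the same patron with
# different spellings of the address, plus one unrelated patron.
SAMPLE_RECORDS = [
    {"source": "pos", "email": "Alice@Example.com", "amount": 42.50},
    {"source": "loyalty", "email": " alice@example.com ", "points": 120},
    {"source": "pos", "email": "bob@example.com", "amount": 9.00},
]


def demo() -> dict[str, list[dict]]:
    tenant_key = generate_tenant_key()
    linked = link_records(tenant_key, SAMPLE_RECORDS)
    for token, recs in linked.items():
        print(token[:12], "...", [r["source"] for r in recs])
    return linked


if __name__ == "__main__":
    demo()
```

Because the token is bound to the tenant key, rotating or deleting that key also severs the link between stored tokens and the identifiers they were derived from, which is one reason a per-tenant secret (rather than a single global one) fits the deletion commitments in Section 10.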
Network security
- Production infrastructure is segmented from non-production environments
- Inbound network traffic is filtered through a web application firewall
- Rate limiting and abuse protection are applied at multiple layers
- Vulnerability scanning and patching are performed regularly
Operational security
- Code changes go through review before deployment to production
- Static analysis and security scanning are integrated into the development pipeline
- Production secrets are managed through a secrets management system; no secrets are stored in source code or logs
- Errors and security events are monitored and reviewed
Business continuity
- Production databases are backed up continuously with point-in-time recovery
- Backups are encrypted and stored separately from production systems
- A documented incident response process is maintained
Personnel security
- All personnel are subject to background checks where permitted by law and to confidentiality obligations
- Personnel receive training on data protection and security as part of onboarding and on an ongoing basis
- Access is promptly revoked upon termination of employment or change in role
Subprocessor management
- Subprocessors are evaluated for security and privacy practices before engagement
- Subprocessors are bound by written agreements imposing obligations no less protective than those in this DPA
- Subprocessors are reviewed periodically and as part of any material change
Compliance
Pandal is in the process of completing SOC 2 Type I certification. Reports will be made available to Customer upon completion, subject to confidentiality.
These measures are intended to provide a level of protection appropriate to the risk presented by the processing. Pandal will review and, where appropriate, update these measures from time to time.