Toast Merchant Data Processing Addendum

Effective: July 15, 2022

This Merchant Data Processing Addendum (the “Addendum”) forms part of the Merchant Agreement(s) between Toast and the Merchant (collectively the “Agreement”) in relation to both Toast and Merchant’s (each a “Party” or together the “Parties”) Processing of Personal Information under the Agreement. 

Both Toast and Merchant agree to comply in good faith with the terms set out in this Addendum. If and to the extent any language in this Addendum conflicts with the Agreement, this Addendum shall control.

1. Scope and Acknowledgments

1.1     This Addendum is intended to reflect and expand upon the respective obligations of the Parties related to the Processing of Personal Information under the Agreement, including each Party’s compliance with the Applicable Data Protection Laws. 

1.2    As part of the Agreement and the provision of the Services, both Parties agree to comply with all Applicable Data Protection Laws, and not, by any act or omission, put the other Party in breach of those Laws.

1.3    Merchant acknowledges that by using the Services, the Personal Information of Merchant, Merchant Employees and Customers will be processed in accordance with Toast’s Privacy Statement found at https://pos.toasttab.com/privacy. Merchant and its Employees are encouraged to read the Privacy Statement carefully, as it forms a binding part of this Agreement and contains important information about individuals’ rights and how Toast manages Personal Information. Merchant shall make the Privacy Statement available to its Employees and Customers (as appropriate) in such manner as Toast may reasonably request from time to time.

1.4    The relationships of the Parties in relation to the Processing of Personal Information are set out in Section 3 of this Addendum. 

2.  Definitions

Unless otherwise set out below, each capitalized term in this Addendum shall have the meaning set out in the Agreement.

2.1    “Alternative Transfer Mechanism” means a mechanism other than the Standard Contractual Clauses that enables the lawful transfer of Personal Information from the European Economic Area (“EEA”), the United Kingdom (“UK”) or Switzerland to a third country in accordance with Applicable Data Protection Laws, including, but not limited to, programs both approved and operated by the U.S. Department of Commerce and approved by the European Commission or other applicable governmental authority or entity.

2.2    “Applicable Data Protection Laws” means all applicable federal, state, provincial, regional and local laws, directives, regulations, and rules imposed by any government, agency or authority in relation to the processing and security of Personal Information, including, but not limited to, the GDPR, the EU Directive on Privacy and Electronic Communications 2002/58/EC (“PECR”), the data protection law of the United Kingdom, including but not limited to the Data Protection Act of 2018, Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”), as well as any applicable provincial legislation, and the CCPA as amended, replaced or superseded from time to time.

2.3    “Standard Contractual Clauses” means the applicable standard contractual clauses approved by the European Commission that govern the transfer of Personal information to Controllers or Processors established in third countries that do not ensure an adequate level of data protection pursuant to Article 46 of the GDPR. For the avoidance of doubt, this definition shall also include any standard contractual clauses approved by the United Kingdom. 

2.4    “CCPA” means, as applicable, (i) the California Consumer Privacy Act of 2018, California Civil Code 1798.100 et seq. (2018), as amended; (ii) the California Privacy Rights Act of 2020; and (iii) any subsequent replacements to the foregoing laws from time to time. All implementing regulations forming part of the laws above shall also be included in this definition. 

2.5    “Controller” means the entity that determines as a legal person alone or jointly with others the purposes and means of the Processing of Personal Information. For the purposes of this Agreement, “Controller” includes similarly defined terms under the Applicable Data Protection Laws, including, but not limited to, a “Business.”

2.6    “GDPR” means the European Union’s General Data Protection Regulation (Regulation 2016/679) pertaining to the protection of individuals within the European Economic Area as may be amended, modified, supplemented, restated, or superseded from time to time.

2.7    “Personal Information” means any information relating to an identified or identifiable individual or household. Personal Information may include, but is not limited to, a name, address, contact details, unique identifiers, payment card information, biometric identifiers and information, preferences, history and profile data, IP addresses, and location-based information, but excludes aggregated or anonymized information. Personal Information shall include any information that constitutes “Personal Information” or “Personal Data” under the Applicable Data Protection Laws.

2.8    “Process” or “Processing” means any operation or set of operations performed on Personal Information or sets of Personal Information, whether or not by automated means, including, but not limited to, the collection, recording, access, organisation, structuring, storage, use, adaptation, alteration, retrieval, disclosure, restriction, deletion or destruction of Personal Information.

2.9    “Processor” means the entity which processes Personal Information on behalf of a Controller.

2.10    “Sale” or “Sell” has the same meaning as such term is defined in the CCPA, any subsequent or similar legislation or other Applicable Data Protection Laws as enacted or amended from time to time. 

2.11    “Security Incident” means any accidental or unlawful destruction, loss, alteration, theft, unauthorized disclosure of, or access to, Personal Information.

2.12    “Services” means services provided by Toast to the Merchant under the Agreement.

2.13    “Sub-processor” means any additional authorized Processor engaged by the original Processor that agrees to receive any Personal Information from the Controller as part of the Services.

2.14    “Third Party” means any Controller, Processor or Sub-processor engaged by a Party that agrees to receive Personal Information as part of the Services.

3. Relationship of the Parties and Processing of Personal Information

3.1    Toast provides point-of-sale (“POS”), digital ordering, payroll and related services as detailed in the Agreement. 

3.2    Toast acts as a Controller where Toast processes the Personal Information of Customers and Merchants, and, in specific limited cases, Merchant Employees under the Agreement. In these cases, the Parties agree that Appendix A shall apply to the extent Toast is acting as a Controller.  In cases where the Merchant is also a Controller, the Parties agree that Toast and Merchant shall act as independent “Controllers” under the Agreement and no “Joint Controller” relationship shall exist under the Applicable Data Protection Laws. 

3.3    Toast acts as a Processor on behalf of Merchant where Toast processes the Personal Information of Merchant Employees in connection with the provision of Services that relate to the management and administration of Employees on behalf of the Merchant. In certain instances, Toast may also act as a Processor when Processing the Personal Information of Customers for certain third-party relationships. The Parties agree that Appendix B shall apply to the extent that Toast is acting as a Processor.

4. Security Measures and Incidents

4.1    Security measures. Each Party shall implement and maintain a written information security program embodying all appropriate technical, organizational and administrative security measures required to protect the privacy and security of any Personal Information Processed as part of the Services.  In all cases, the Parties shall be required to implement any and all security measures imposed under the Applicable Data Protection Laws. 

4.2    Written Security Incident response program. Each Party shall implement and maintain a written incident response program for the management of Security Incidents. 

4.3    Notification of a Security Incident. In the event that either Party discovers, is notified of or reasonably suspects the occurrence of a Security Incident impacting any Personal Information Processed under the Agreement, that Party will immediately notify the other Party. In all cases, the timing of such notification shall not exceed seventy-two (72) hours after having become aware of a Security Incident or such other time limit imposed under the Applicable Data Protection Laws. Each Party’s notice to the other Party of a Security Incident should (where known) contain the following: (i) the facts of the Security Incident, including the date of discovery, a date range of unauthorized activity, and any remediation and mitigation activities that have been taken or put in place; (ii) a description of the categories and approximate number of individuals and records affected by the Security Incident; (iii) the Party’s assessment, developed through reasonable diligence, of the likely consequences of the Security Incident with respect to the affected Personal Information and affected individuals; and (iv) the name and the contact details of the data protection officer or other contact point where more information can be obtained. 

4.4    Costs and remediation obligations. To the extent any Security Incident is attributable to the actions of a specific Party or its Third Parties, that Party shall be responsible for all costs associated with the Security Incident, including, but not limited to, the following: (i) the cost of providing notice to affected individuals; (ii) the cost of providing notice to government agencies, credit bureaus, and/or other entities required to be notified under applicable law; (iii) the cost of providing affected individuals with credit monitoring services (as appropriate or as required by the Applicable Data Protection Laws); (iv) call center support for such affected individuals; (v) the cost of any other measures required under the Applicable Data Protection Laws; and (vi) other losses, liabilities or expenses for which that Party would be liable. In all cases, as to the Personal Information Processed under this Agreement impacted by a Security Incident, the Parties shall, where appropriate and reasonable, cooperate and work together as part of the remediation efforts.

5. Data transfers

5.1    Transfers generally. Each Party shall be permitted to transfer Personal Information under the Agreement provided that such transfers comply with the Applicable Data Protection Laws.

5.2    EEA, Switzerland and UK transfers. In the event either Party Processes the Personal Information of individuals residing in the EEA, Switzerland or the United Kingdom as part of the Services, that Party shall only be permitted to transfer such Personal Information outside those jurisdictions if such transfers comply with the Applicable Data Protection Laws.  

5.3    Use of Standard Contractual Clauses. To the extent any transfer under Section 5.2 is made to a country not deemed adequate by the European Commission or other governmental bodies or is not transferred pursuant to an Alternative Transfer Mechanism, the Parties agree that the relevant set of Standard Contractual Clauses shall be applicable, with the transferring Party acting as the “data exporter” and the receiving Party acting as the “data importer.” In such instances, the Parties will work together to execute the applicable terms or other measures required to comply with the Applicable Data Protection Law. Toast has entered into an intra-company set of Standard Contractual Clauses as part of its compliance with this Section and as part of providing the Services under the Agreement. A copy of those Standard Contractual Clauses can be requested by emailing [email protected].

5.4    Alternative Transfer Mechanisms. If either Party relies on an Alternative Transfer Mechanism as a legal ground for the transfer of Personal Information under the Agreement, that Party shall be responsible for ensuring that the Alternative Transfer Mechanism provides the same level of protection for Personal Information as imposed on the Parties under this Addendum. 

6. Miscellaneous

6.1    Assurances. Notwithstanding any requirements or specific rights granted to the Parties under the Applicable Data Protection Laws, each Party shall, with reasonable notice, have the right to obtain assurances from the other Party to verify each Party’s compliance with the terms of this Addendum if it has a reasonable suspicion of a breach or a potential breach under this Addendum. 

6.2    Survival.  Each Party’s obligations under this Addendum will survive the termination of the Agreement to the extent either Party continues to Process Personal Information covered by the Agreement. 

6.3    Severability. If any court or competent authority decides that any term of this Addendum is held to be invalid, unlawful, or unenforceable to any extent, such term shall, to that extent only, be severed from the remaining terms, which shall continue to be valid to the fullest extent permitted by law. 

6.4    Waiver. Either Party’s failure to enforce any provision of this Addendum shall not constitute a waiver of that or any other provision and will not relieve the other Party from the obligation to comply with such provision. 

Appendix A

Additional Terms Applicable where Toast acts as a Controller

1.  Obligations of the Parties

1.1    Roles. For the purposes of the Processing of the Personal Information under this Appendix A, the Parties agree that both Parties are acting as independent “Controllers”. 

1.2    Processing of Personal Information. Each Party shall only Process Personal Information in line with the terms of the Agreement or as otherwise provided for under the Applicable Data Protection Laws. To the extent either Party is permitted to Process Personal Information outside of the Services, that Party’s envisioned Processing must adhere to the Applicable Data Protection Laws. 

1.3    Specific obligations. Each Party is obligated to manage its respective compliance obligations pursuant to the Applicable Data Protection Laws and to put in place any applicable controls or governance, which may include (i) the provision and maintenance of a privacy statement or similar notice; (ii) providing notices or obtaining any required consents before any initial or subsequent use or disclosure of Personal Information; (iii) fulfilment and management of opt-outs and individual rights requests; (iv) compliance with any applicable direct marketing or spam legislation; and (v) the oversight of Processing operations involving Personal Information. 

1.4    Reasonable support. Where appropriate and reasonable, each Party shall provide reasonable assistance and cooperation in relation to each Party’s compliance obligations under the Agreement and the Applicable Data Protection Laws. This may include support with individual rights requests or notifications from any governmental, regulatory or law enforcement authority pertaining to the Processing of Personal Information under this Addendum. In the event either Party receives a notification or request directed to the other Party pursuant to this Section, that Party shall notify the other Party and shall not respond to the individual or governmental authority making the request unless required to do so under the law (including the Applicable Data Protection Laws). 

1.5    Third Parties. To the extent either Party is permitted to utilize any Third Parties as part of the Services under the Agreement, that Party shall ensure that those relationships are governed by a written agreement that imposes appropriate privacy obligations and security controls that are substantially similar to the measures contained in this Addendum. In all cases, the Party engaging the Third Party shall remain responsible for any acts or omissions of the Third Party to the same extent as if such acts or omissions were attributable to that Party.

1.6    No Sales. Each Party represents and warrants that, to the best of its knowledge, the transfer of Personal Information under the Agreement between the Parties does not constitute a “Sale” under the Applicable Data Protection Laws. The Parties agree that any transfers of Personal Information to Third Parties, whether made directly by a Party or made at the request of the other Party will not constitute a “Sale.”  To the extent any transfer to a Third Party is found to later constitute a “Sale,” the Party responsible for instructing that transfer shall be solely responsible for implementing the appropriate disclosures and managing any subsequent legal obligations (e.g., opt-outs) under the Applicable Data Protection Laws.

Appendix B

Additional Terms Applicable where Toast acts as a Processor

1.  Obligations of the Parties 

1.1    Roles. For the purposes of the Processing of the Personal Information under this Appendix B, the Parties agree that Toast is acting as a Processor on behalf of the Merchant Controller. 

1.2    Documented instructions. Toast agrees to only Process the Personal Information of Merchant in order to provide the Services under this Agreement unless pursuant to any additional written instructions issued by Merchant to Toast or where required by applicable law, in which case Toast will inform Merchant of the legal requirement unless Toast is prohibited from doing so by law. Toast will, unless legally prohibited from doing so, inform Merchant in writing if it reasonably believes Merchant’s instructions violate the Applicable Data Protection Laws. 

1.3    Merchant Obligations.  Merchant represents and warrants that Merchant has a legal basis for processing, and the authority and right, including consent where required, to lawfully transfer to Toast, all Personal Information and any other data or information related to Merchant’s access or use of the Services. Merchant shall comply with all applicable Data Protection Laws and Regulations, including: (i) providing all required notices and appropriate disclosures to all Data Subjects regarding Merchant’s, Toast’s, Payment Provider’s and any third parties acting on Merchant’s behalf, collection, use, Processing and transfer of Personal Information and (ii) obtaining all necessary rights and enforceable consents from the Data Subjects to permit Processing by Toast of Personal Information for the purposes of fulfilling Toast’s obligations, or as otherwise permitted, under the Agreement.

1.4    Sub-processors. To the extent required to carry out the Services and fulfill Toast’s contractual obligations, Merchant agrees to provide a general authorization for Toast to engage Sub-processors. Any Sub-processor relationship must be governed by a written agreement that imposes substantially similar obligations as are imposed on Toast in relation to the Processing of Personal Information found under this Addendum. In all cases, Toast shall remain responsible to Merchant for the failure of any Sub-processors to perform their obligations under this Addendum as part of the Services.

1.5    Reasonable support. Toast shall provide reasonable assistance and cooperation to Merchant in relation to any individual rights requests made pursuant to the Applicable Data Protection Laws. Additionally, upon Merchant’s request, Toast shall provide Merchant with reasonable assistance and cooperation needed to fulfill Merchant’s obligation to carry out a data protection impact assessment related to Merchant’s use of the Services, to the extent that Merchant does not otherwise have access to the relevant information and to the extent that such information is available to Toast. In the event Toast receives a notification or request pursuant to this Section, Toast shall notify the Merchant and shall not respond to the individual or governmental authority making the request unless required to do so under applicable law (including the Applicable Data Protection Laws). 

1.6    Personal Information subject to the GDPR and UK requirements. In addition to the other requirements set out in this Addendum, to the extent Toast Processes Personal Information subject to the GDPR or the relevant United Kingdom data protection legislation, Toast shall comply with all requirements under Article 28 of the GDPR in relation to Toast’s role as a Processor (or the relevant equivalent requirements for the United Kingdom). This includes the contractual obligations set out in Article 28(3), namely that Toast shall:

  1. Process the Personal Information only on documented instructions from Merchant, including with regard to transfers of Personal Information to a third country or an international organisation, unless required to do so under the Applicable Data Protection Laws to which Toast is subject; in such a case, Toast shall inform Merchant of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest;

  2. Ensure that persons authorised to Process the Personal Information have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

  3. Take all measures required pursuant to Article 32 of the GDPR;

  4. Respect the conditions referred to in Article 28(2) and (4) for engaging another Processor;

  5. Take into account the nature of the Processing, assist Merchant by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of Merchant’s obligation to respond to requests for exercising individual rights laid down in Chapter III of the GDPR;

  6. Assist Merchant in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of Processing and the information available to Toast;

  7. At the choice of Merchant, delete or return all the Personal Information to Merchant after the end of the provision of Services relating to Processing, and delete existing copies unless the Applicable Data Protection Laws require storage of the Personal Information; and

  8. Make available to Merchant all information necessary to demonstrate compliance with the obligations laid down in Article 28(3) of the GDPR and allow for and contribute to audits, including inspections, conducted by Merchant or another auditor mandated by Merchant.

1.7    Termination. Upon termination of the Agreement, Toast shall return or delete any Personal Information on Merchant’s request. Toast shall not be required to delete Personal Information where retention by Toast is mandatory to comply with applicable legal requirements, or where such retention is in line with Toast’s current data retention schedule.  

1.8    Third Party transfers. Toast is not responsible for the Processing of Personal Information by Third Parties where the Personal Information is sent by Toast on the instructions of the Merchant. 

1.9    CCPA Service Provider obligations and Sales. For the purposes of the CCPA, where applicable, the Parties acknowledge and agree that Toast shall act as a “Service Provider,” as such term is defined in the CCPA, and shall collect, access, maintain, use, process and transfer Personal Information solely for the purpose of performing Toast’s obligations under this Agreement for or on behalf of Toast and for no commercial purpose other than the performance of such obligations.