Get a Free Demo

Toast Merchant Data Processing Addendum

Effective: April 14, 2025


This Merchant Data Processing Addendum (the “Addendum”) is entered into between Toast, Inc., including its subsidiaries and affiliates (referred to generally as “Toast”) and the Merchant and forms part of the agreement(s) entered into between Toast and Merchant (collectively the “Agreement”) and applies where either of the Parties process Personal Information under the Agreement.  

1. INTRODUCTION


1.1  Toast provides services to Merchant under the Agreement that may involve the processing of Personal Information. 
1.2  Both Toast and Merchant (each a “Party” or together the “Parties”) agree to comply in good faith with the terms set out in this Addendum. The Parties wish to set out their mutual obligations in relation to the Processing of Personal Information in this Addendum.
1.3  If any language in this Addendum conflicts with the Agreement, this Addendum shall control.
1.4  Note: presently Toast’s Payroll and Team Management services are not available outside the United States. As a result, various annexes used as part of Toast’s GDPR obligations do not apply to those services.



2. DEFINITIONS


Unless otherwise set out below, each capitalized term in this Addendum shall have the meaning set out in the Agreement.


2.1  “Applicable Data Protection Laws” means all applicable federal, state, provincial and regional laws, directives, regulations, and rules imposed by any government, agency or authority in relation to the processing and security of Personal Information, including, but not limited, to Australian Privacy Laws, the European Union’s General Data Protection Regulation (Regulation 2016/679) (“EU GDPR”), the EU Directive on Privacy and Electronic Communications 2002/58/EC (“PECR”), the data protection law of the United Kingdom, including but not limited to the EU GDPR as incorporated into the United Kingdom, the Data Protection Act 2018 and any additional legislation (“UK GDPR”), Switzerland’s Federal Data Protection Act of 19 June 1992, Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”), as well as any applicable provincial legislation, the CCPA, and other US Privacy Laws as any of the foregoing may be amended, replaced or superseded. 
2.2  “Australian Privacy Laws” means the Privacy Act 1988 (Cth) and any applicable state legislation governing Personal Information.
2.3  “CCPA” means, as applicable, the California Consumer Privacy Act of 2018, California Civil Code 1798.100 et seq. (2018), including as amended by the California Privacy Rights Act of 2020; and any subsequent replacements to the foregoing laws. All implementing regulations forming part of the laws above shall also be included in this definition. 
2.4  “Controller” means the Party that alone or jointly with others determines the purposes and means of the Processing of Personal Information. For the purposes of this Agreement, “Controller” includes similarly defined terms under Applicable Data Protection Laws, including, but not limited to, a “Business”.
2.5  “GDPR” means, as applicable, the EU GDPR and the UK GDPR.
2.6  "Individual” has the same meaning as “consumer” or “data subject” under Applicable Data Protection Laws.
2.7  “Individual Rights Request” means the exercise of an individual’s right connected to the Processing of Personal Information (for example deletion, access or rectification) under the Agreement and shall be understood to have the same meaning as a “data subject rights request”, “a consumer right”, “a personal data rights request”, and similar terms as may be defined under Applicable Data Protection Laws.
2.8  “Processor” means the entity which processes Personal Information on behalf of a Controller. For the purposes of this Agreement, “Controller” includes similarly defined terms under the Applicable Data Protection Laws, including, but not limited to, a “service provider” or “contractor”.
2.9  “Sale” or “Sell” has the same meaning as such term is defined in the CCPA, any subsequent or similar legislation or other Applicable Data Protection Laws as enacted or amended from time to time.
2.10  “Share” or “Sharing” has the same meaning as such term is defined in the CCPA, any subsequent or similar legislation or other Applicable Data Protection Laws as enacted or amended from time to time. 
2.11  “Standard Contractual Clauses” or “SCCs” means (i) in respect of EU Personal Information, the Standard Contractual Clauses implemented by the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 for the transfer of personal data to third countries pursuant to the EU GDPR, as updated or replaced from time to time (“EU Standard Contractual Clauses”) and (ii) in respect of UK Personal Information, means the International Data Transfer Addendum to the EU Standard Contractual Clauses issued by the UK Information Commissioner’s Office (ICO) in accordance with the UK GDPR and the Data Protection Act 2018, as amended or replaced (“UK Addendum”).
2.12  “Sub-processor” means any additional authorised Processor engaged by the original Processor that agrees to receive any Personal Information from the Controller as part of the Services.
2.13  “Third Party” means any Controller, Processor or Sub-processor engaged by a Party that agrees to receive Personal Information as part of the Services.
2.14  “US Privacy Laws” refers to state-specific privacy laws in the United States, including the CCPA, the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, the Utah Consumer Privacy Act and other state-specific privacy laws as any of the foregoing may be amended, replaced or superseded. All implementing regulations forming part of the laws above shall also be included in this definition.


 For the avoidance of doubt, terms defined above as well as other terms not defined in this Addendum such as “processing” and “sensitive personal information” shall have the same meaning as in Applicable Data Protection Laws, and their related terms shall be construed accordingly. Terms in capitals not defined in this Addendum shall have the same meaning as set out in the Merchant Agreement.  


DATA PROCESSING 

 

3.    CONTROLLER OBLIGATIONS  


To the extent Toast and Merchant Process Personal Information as Controllers as part of the Agreement, the Parties agree that:


3.1  Independent controllers: Each Party shall act as independent Controller and no “Joint Controller” relationship shall exist under the Applicable Data Protection Laws. 
3.2  Compliance with law: Both Parties agree to comply with Applicable Data Protection Laws and shall not by any act or omission, put the other Party in breach of those Laws.
3.3  Compliance obligations: Each Party is obligated to manage its respective compliance obligations pursuant to Applicable Data Protection Laws and putting in place any applicable controls or governance, which may include (i) the provision and maintenance of a privacy statement or similar notice for each Party’s respective Processing; (ii) providing written notices to individuals and obtaining any required consents (including consents for secondary uses) before any initial or subsequent use or disclosure of Personal Information; (iii) fulfilment and management of opt-outs and individual rights requests; (iv) compliance with any applicable direct marketing or spam legislation, and (v) the oversight of Processing operations involving Personal Information.
3.4  Individual Rights Requests: Each Party shall comply with Individual Rights Requests under Applicable Data Protection Laws (including the right to withdraw consent, of access, restriction, rectification and erasure) in relation to Personal Information. The Parties shall reasonably cooperate with each other to respond to such requests.
3.5  No Sales or Sharing: Each Party represents and warrants that, to the best of its knowledge, the transfer of Personal Information under the Agreement between the Parties does not constitute a “Sale” or “Sharing” under the Applicable Data Protection Laws. The Parties agree that any transfers of Personal Information to Third Parties, whether made directly by a Party or made at the request of the other Party will not constitute a “Sale” or “Sharing”.


The Merchant:


3.6  Specifically with regard to any Personal Information Merchant collects, uploads or discloses to Toast, Merchant represents and warrants that it has provided the appropriate notices to Individuals and collected any required consents, including in compliance with Sections 3.3 of this Addendum and to facilitate Toast's collection, use and disclosure of such information in accordance with this Agreement and Toast’s Privacy Statement, and otherwise has a lawful basis for processing and disclosing the Personal Information with Toast in connection with the Services.
3.7  Where Merchant directs that Toast disclose Personal Information to any Third Parties (including partners), Merchant agrees that such disclosure is in line with its obligations under Section 3.3 of this Addendum, and any notices and consents referred to in Section 3.6 of this Addendum, and that Merchant as Controller remains responsible for any subsequent processing of Personal Information and its compliance with applicable Data Protection Laws as a result of any such direction to Toast.
3.8  Acknowledges that by using the Services, the Personal Information of Merchant, Merchant Employees and Customers will be processed in accordance with Toast’s Privacy Statement found at https://pos.toasttab.com/privacy. Merchant and its Employees are encouraged to read the Privacy Statement carefully, as it forms a binding part of this Agreement and contains important information about individuals’ rights and how Toast manages Personal Information. Merchant shall make the Privacy Statement available to its Employees and Customers (as appropriate) in such manner as Toast may reasonably request from time to time.



4.    PROCESSOR OBLIGATIONS


To the extent Toast Processes Personal Information as a Processor under the Agreement, Toast agrees that:


4.1  Processing: Toast shall only Process the Personal Information on documented instructions of the Merchant and in order to provide the Services or where required by applicable law, in which case Toast will inform Merchant of the legal requirement unless Toast is prohibited from doing so by law. 
4.2  Audits and Assessments: To the extent required under the Applicable Data Protection Laws, Toast shall make available to Merchant all information necessary to demonstrate compliance with the obligations under such Laws. 
4.3  Confidentiality: Anyone authorized to process Personal Information on behalf of Merchant shall either have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. 
4.4  CCPA Service Provider: Where Toast acts as a “service provider” for the purposes of the CCPA, and with respect to Personal Information it processes in such capacity, in addition to the obligations set forth in this DPA and to the extent the CCPA applies: Toast shall not (a) combine Personal Information it receives in in connection with the Services with Personal Information it may receive from other sources (b) “sell” or “share” Personal Information as such terms are defined in the CCPA (c) retain, use, or disclose Personal Information for any purpose other than to provide the Services, and as otherwise permitted by applicable law (including but not limited to Applicable Data Protection Laws), (d) retain, use or disclose Personal Information outside of the direct business relationship between the parties or outside the provision of the Services, and (e) disclose Personal Information to any person without including them on the list of Sub-processors described below. The parties acknowledge that the transfer of Personal Information is in furtherance of a business purpose, described in the Agreement. 
4.5  Sub-processors: Merchant grants Toast a general authorisation to appoint Sub-processors to Process Personal Information under the Agreement and permits each Sub-processor to appoint Sub-processors in accordance with the terms herein. Toast will have a written agreement with the Sub-processor imposing substantially similar obligations as those set out under this Addendum. Toast is responsible to Merchant for the failure of any Sub-processors to perform their obligations under this Addendum. See Annex 3 of this Addendum for a link to a website detailing Toast’s current Sub-processors. By visiting that site, Merchant may also register to be notified of any modifications to the Sub-processor list (a “Notification”). 
4.6  GDPR Sub-processors: In the case of a Sub-processor appointed that will Process Personal Information subject to the GDPR, if Merchant objects on reasonable grounds to the use of a specific Sub-processor it must inform Toast of such objection in writing (by email to privacy@toasttab.com) within 15 days of receipt of Notification. Toast will use reasonable efforts to make available to Merchant a change in the Services or recommend a commercially-reasonable change to the configuration or use of the Services by Merchant to avoid Processing of Personal Information by the objected-to new Subprocessor. Toast shall at its option (a) within a commercially reasonable timeframe find a replacement Sub-processor; or (b) provide a termination right pursuant to the Agreement. Before the Sub-processor first processes Personal Information, Toast agrees to carry out adequate due diligence to ensure that the Sub-processor is capable of providing the level of protection for Personal Information required by the Agreement. Toast will provide for Merchant to review the form of agreement for such written contract, as Merchant may request up to once per year. 
4.7  Retention and deletion: Upon termination of the Agreement, Toast shall return or delete any Personal Information on Merchant’s request, except where it is required to retain or delete the Personal Information to comply with applicable laws, or, where permitted, such retention is in line with Toast’s current data retention schedule. 
4.8  Government Access Requests: If Toast becomes aware that any government authority (including law enforcement) wishes to obtain access to or a copy of some or all of the Personal Information of Merchant, whether on a voluntary or a mandatory basis, then unless legally prohibited under applicable law, Toast shall: (1) immediately notify Merchant (2) inform the requestor that Toast is a Processor and is not authorized to disclose the Personal Information (3) inform the requestor that the request must be sent to the Merchant (4) not provide access to the Personal Information unless required by applicable law or authorized by the Merchant in writing. If applicable law prohibits Toast from complying with (1) to (4) above, then Toast shall use any lawful means to challenge (a) disclosure of the Personal Information and (b) the prohibition to notify Merchant. 
4.9  Additional GDPR Processor obligations: In addition to the other requirements set out in this Addendum, to the extent Toast Processes Personal Information subject to the GDPR, UK GDPR or laws of Switzerland, Toast shall comply with all requirements under Article 28 of the GDPR in relation to Toast’s role as a Processor (or the relevant equivalent requirements as applicable). This includes the contractual obligations set out in Article 28(3) as set out in this Addendum. 




5.    SECURITY  


5.1  Security Measures: Taking into account the state of the art, costs of implementation, the nature, scope, context and purpose of the Processing, each Party shall implement and maintain a written information security program embodying all appropriate technical, organizational and administrative security measures required to protect the privacy and security of any Personal Information Processed as part of the Services. In all cases, the Parties shall implement any and all security measures imposed under the Applicable Data Protection Laws. 


6.    SECURITY INCIDENTS  


6.1  Security Incident response program: Each Party shall implement and maintain a written incident response program for the management of Security Incidents. 
6.2  Notification of a Security Incident: If either Party discovers, is notified of or reasonably suspects the occurrence of a Security Incident impacting any Personal Information Processed under the Agreement, that Party will notify the other Party without undue delay. The timing of such notification shall not exceed seventy-two (72) hours after having become aware of a Security Incident or such other time limit imposed under the Applicable Data Protection Laws. Such notice shall (where known) contain the following: (i) the facts of the Security Incident, including the date of discovery, a date range of unauthorized activity, and any remediation and mitigation activities that have been taken or put in place; (ii) a description of the categories and approximate number of individuals and records affected by the Security Incident; (iii) the Party’s assessment, developed through reasonable diligence, of the likely consequences of the Security Incident with respect to the affected Personal Information and affected individuals; and (iv) the name and the contact details of the data protection officer or other contact point where more information can be obtained. The Parties will reasonably assist each with any obligation to inform any impact individuals or any regulatory body of the Security Incident and nothing in this Addendum or the Agreement prohibits a party from complying with any such obligations to the extent required under Applicable Data Protection Laws. 
6.3  Costs and remediation obligations: To the extent any Security Incident is attributable to the actions of a specific Party or its Third Parties, that Party shall be responsible for all costs associated with the Security Incident, including, but limited to, the following: (i) the cost of providing notice to affected individuals; (ii) the cost of providing notice to government agencies, credit bureaus, and/or other entities required to be notified under applicable law; (iii) the cost of providing affected individuals with credit monitoring services (as appropriate or as required by the Applicable Data Protection Laws); (iv) call center support for such affected individuals; (v) the cost of any other measures required under the Applicable Data Protection Laws; and (vi) other losses, liabilities or expenses for which that Party would be liable. In all cases, as to the Personal Information Processed under this Agreement impacted by a Security Incident, the Parties shall, where appropriate and reasonable, cooperate and work together as part of the remediation efforts. 

7.    NOTIFICATIONS AND REQUESTS FROM THIRD PARTIES  

     

71  Reasonable support: Where appropriate, each Party shall provide reasonable assistance and cooperation in relation to each Party’s compliance obligations under the Agreement and under Applicable Data Protection Laws. This may include support with Individual Rights Requests or notifications from any governmental, regulatory or law enforcement authority pertaining to the Processing of Personal Information under this Addendum. In the event either Party receives a notification or request directed to the other Party pursuant to this Section, that Party shall notify the other Party and shall not respond to the individual or governmental authority making the request unless required to do so under the law (including the Applicable Data Protection Laws). Merchant acknowledges that in certain instances it may not be able to respond to requests under this section and as such Merchant hereby authorizes and instructs Toast to take the steps necessary to verify and comply with an Individual Rights Request relating to the processing of Personal Information under the Agreement and any Personal Information that Toast processes on Merchant’s behalf, including any such request that Toast receives directly from an individual. Merchant acknowledges that Toast reserves the right to direct certain Individual Rights Requests to be managed by Merchant, for example where the nature of Merchant’s relationship with an Individual, or the nature of the processing makes Merchant best equipped to address such Request. Should Toast receive a request that is not related to Services under the Agreement but is associated with Merchant, Toast will promptly notify Merchant of such request and/or instruct the consumer to contact the Merchant directly. Should Merchant receive an Individual Rights Request related to the Services that Merchant is unable to complete without assistance, Merchant shall notify Toast, and Toast shall provide reasonable assistance in complying with such request. 
7.2  Third Parties: If either Party engages any Third Parties as part of the Services under the Agreement, that Party shall enter into a written agreement that imposes substantially similar obligations as contained in this Addendum. In all cases, the Party engaging the Third Party is responsible for and remains fully liable for any acts or omissions of the Third Party. For the avoidance of doubt, this includes instances where the Merchant elects to transfer Personal Information to a Third Party, including any third-party partners. 


8.  DATA TRANSFERS  


8.1  Transfers generally: Each Party is permitted to transfer Personal Information under the Agreement to locations around the world provided that such transfers comply with Applicable Data Protection Laws. 
8.2  Transfer Types

(i) Merchant EEA, Switzerland and UK Personal Information is first processed by Toast in the EEA, Switzerland and/or UK and is subsequently transferred to a country not recognized by the European Commission, the UK ICO or the Swiss Federal Data Protection Authority as providing an adequate level of protection of Personal Information (“Third Country”). Such transfers are governed by an intra-company set of Standard Contractual Clauses entered into between Toast Ireland, Toast UK and Toast, Inc. as part of its compliance with this Section and as part of providing the Services under the Agreement. A copy of these Standard Contractual Clauses can be requested by emailing privacy@toasttab.com.

(ii)   Merchant EEA, Switzerland and UK Personal Information is not first processed by Toast in the EEA, Switzerland and/or UK and instead is transferred directly to a Third Country. Such transfers are governed by the Standard Contractual Clauses (including the UK Addendum) which are hereby incorporated by reference with the following selections:


For the purposes of the EEA and Switzerland:


Section Reference
Concept
Selection by the Parties 
Module
In operation
Modules One and Two.  
Section I, Clause 7
Docking
The option under clause 7 shall not apply. 
Section II, Clause 9
Sub-processors
Option 2 (General Written Authorisation) under clause 9 shall apply. See clause 3.2(iii) of this Addendum. 
Section IV, Clause  17
Governing law

Transfers under the EU SCCs will be governed by the laws of Ireland. 


The Swiss Federal Act on Data Protection (FADP) insofar as the transfers are governed by the FADP. 


Section IV, Clause 18(b)
Choice of forum and jurisdiction 
The Courts of Ireland shall have exclusive jurisdiction to resolve any dispute or lawsuit arising out of or in connection with the EU SCCs. 
Annex 1.A
List of Parties
See Annex 1 Section A of this Addendum. 
Annex I.B
Description of Transfer 
See Annex 1 Section B of this Addendum. 
Annex I.C
Competent Supervisory Authority

Irish Data Protection Commissioner. 


Federal Data Protection and Information Commissioner insofar as the transfers are governed by the FADP. 


Annex II
Technical and Organisational Measures 
See Annex 2 of this Addendum. 
Annex III
Sub-processors 
See Annex 3 of this Addendum (only for Module Two)
Additional adaptations insofar as the FADP governs the transfers 

The term ‘member state’ must not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of residence (Switzerland) in accordance with Clause 18(c) of the SCCs. 

References to “GDPR” are to be understood as references to FADP. The SCCs shall apply to data pertaining to legal entities until the entry into force of the revised FADP. 



For the purposes of the UK, the parties agree that the EU Standard Contractual Clauses will apply but will be modified and interpreted in accordance with the UK Addendum and agree as follows:


Table or Section Reference

Concept

Selection by the Parties 

Table 1

Parties

See Annex 1 Section A of this Addendum 

Table 2

Selected SCCs, Modules and Selected Clauses

Modules One and Two of the EU Standard Contractual Clauses   entered into on the date of the Agreement. 

Table 3

Appendix Information 

Annex 1.A shall be populated with the information in Annex 1A of this Addendum

Annex 1.B shall be populated with the information in Annex 1B of this Addendum

Annex II shall be populated with Annex 2 of this Addendum

Annex III shall be populated with Annex 3 of this Addendum (only for Module Two)

Table 4

End of UK Addendum when the Approved Addendum changes 

Neither party may end this UK Addendum per Section 19 of the UK Addendum, except as set forth in this Addendum. 

Section I, Clause 7

Docking

The option under clause 7 shall not apply. 

Section II, Clause 9

Sub-processors

Option 2 (General Written Authorisation) under clause 9 shall apply. See clause 3.2(iii) of this Addendum.  

Section II, Clause 11

Redress

The option under clause 11 shall not apply.

Section IV, Clause 17

Governing law

The laws of England and Wales insofar as the transfers are governed by UK Data Protection Law. 

Section IV, Clause 18(b)

Choice of forum and jurisdiction 

The Courts of England and Wales shall have exclusive jurisdiction to resolve any dispute or lawsuit arising out of or in connection with the UK Addendum. 

Part 2 

Mandatory Clauses

Mandatory clauses of the UK Addendum as issued by the Information Commissioner’s Office and laid before the United Kingdom Parliament in accordance with section 119A of the Data Protection Act 2018 on February 2, 2022, as it is revised under section 18 of those Mandatory Clauses. section


Any conflict between the terms of the Standard Contractual Clauses and the UK Addendum will be resolved in accordance with Section 10 and Section 11 of the UK Addendum.  

8.3  If the SCCs are implemented, adopted or recognized as a legitimate data transfer mechanism in countries other than the EEA countries, then the Parties shall apply the SCCs Modules One and Two to the transfer of Personal Information originating from such country(-ies). 
8.4  In the event of any changes to the UK Addendum after signature of this Addendum, the Parties agree to cooperate in good faith and repopulate any replacement UK Addendum.
8.5  Alternative Transfer Mechanisms: It is the responsibility of any Party relying on a mechanism other than the Standard Contractual Clauses that enables the lawful transfer of Personal Information from the EEA, UK or Switzerland to a third country in accordance with Applicable Data Protection Laws, including, but not limited to, programs both approved and operated by the U.S. Department of Commerce and approved by the European Commission or other applicable governmental authority or entity such as that arising from the Commission Implementing Decision of 10 July 2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework (“EU-U.S. Data Protection Framework”) (an "Alternative Transfer Mechanism") to ensure it provides the same level of protection of Personal Information as imposed under this Addendum. 


9.    Miscellaneous


9.1  Assurances: Notwithstanding any requirements or specific rights granted to the Parties under the Applicable Data Protection Laws, each Party shall, with reasonable notice, have the right to obtain assurances from the other Party to verify each Party’s compliance with the terms of this Addendum if it has a reasonable suspicion of a breach or a potential breach under this Addendum. 
9.2  Survival: Each Party’s obligations under this Addendum will survive the termination of the Agreement to the extent either Party continues to Process Personal Information covered by the Agreement. 
9.3  Severability: If any court or competent authority decides that any term of this Addendum is held to be invalid, unlawful, or unenforceable to any extent, such term shall, to that extent only, be severed from the remaining terms, which shall continue to be valid to the fullest extent permitted by law. 
9.4  Waiver: Either Party’s failure to enforce any provision of this Addendum shall not constitute a waiver of that or any other provision and will not relieve the other Party from the obligation to comply with such provision. 
9.5  Changes to this Addendum: From time to time, subject the Applicable Data Protection Laws, Toast may update this Addendum in accordance with the requirements for updating or modifying the Agreement as set out in the Merchant Agreement including as required to maintain compliance with the Applicable Data Protection Laws, for internal business purposes, or as otherwise provided under the Agreement provided that any such updates do not materially diminish either Party’s ability to comply with the Applicable Data Protection Laws or result in a material detriment to Merchant (as reasonably determined by Toast). The Parties agree that any such updates to this Addendum shall be effective on the publication date, subject to the terms of the Merchant Agreement.



ANNEX 1


A.     LIST OF PARTIES 


  1. Merchant / Data Exporter 

Name

As set forth in the Agreement.

Address

As set forth in the Agreement.

Contact person

As set forth in the Agreement.

Activities related to data transfer under the Clauses:

As set forth in this Addendum and the Agreement. 

Role (controller/processor)

Standard Contractual Clauses Module One: Merchant is the data controller.


  1. Toast / Data Importer 

Name

Toast, Inc.

Address

401 Park Drive, Suite 801, Boston, MA 02215

Contact person

Assistant General Counsel, Privacy;  privacy@toasttab.com 

Activities related to data transfer under the Clauses:

Services associated with facilitation of POS-related, partner and other restaurant-related services for merchants, merchant employees and restaurant guests

Role (controller/processor)

- Standard Contractual Clauses Module One: Toast is the data controller.

- Standard Contractual Clauses Module Two: Toast is the data processor.


B.     DESCRIPTION OF TRANSFER & PROCESSING 



Module One

Merchant is the controller

Toast, Inc. is the controller

Module Two

Toast, Inc. is the processor

Categories of Data Subjects 

Merchants, merchant employees, guests and suppliers.*


Merchants, merchant employees, guests and suppliers.*


Categories of Personal Information

Merchants – name, date of birth (DOB), personal contact details, business contact details, address, ownership information, bank account information, payment card information, credential information, social security number (SSN) or national identifier, driver’s licence information (number, state and expiration), user ID, device ID, IP address.


Merchant employees – name, date of birth (DOB), business contact details, job title, personal contact details, shift and employment information, compensation information, and IP address.


Guests – name, personal contact details, address, payment card number, security code & expiration date, payment ID, amount paid, order details, time/date of the order, transaction ID, transaction details, car colour & make, IP address, DOB (month/day), loyalty card number and information, location information (course and precise), IP address digital ordering account information, earnings/redemptions, preferences & notes, reservation & waitlist details. 

Suppliers – name, business contact details, address, bank account information

Personal information included in the context of Toast, Inc.’s service offerings and ancillary/support services to the Merchant, including the categories listed opposite. 


Sensitive data processed 

To the extent allergy and dietary information is provided and constitutes health data.



To the extent allergy and dietary information is provided and constitutes health data.


Toast may also process sensitive personal data of Merchant employees and guests to the extent Merchant provides it to Toast during the Services. 

Transfer frequency 

There will be continuous transfer and Processing of Personal Information 

Nature of processing

Processing is conducted to provide the Services described in the Agreement. Processor shall Process Personal Data only in accordance with the Agreement. 

Purpose of processing

Toast, Inc. is providing the Services described in the Agreement.

Retention period 


  1. Each Controller will retain the Personal Information in accordance with their respective data retention policies and schedules. 

  2. Merchant may instruct Processor to delete Personal Information as agreed by the Parties and Processor shall promptly delete requested Personal Information. 

  3. Upon termination of the Agreement, Toast shall return or delete any Personal Information on Merchant’s request, except where it is required to retain the Personal Information to comply with applicable laws, or, where permitted, such retention is in line with Toast’s current data retention schedule.


*Note: presently Toast’s Payroll and Team Management services are not available outside the United States. As a result, Annex 1 does not include transfers associated with those services. 


ANNEX 2

Security Measures 

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA


EXPLANATORY NOTE:


The technical and organisational measures must be described in specific (and not generic) terms. See also the general comment on the first page of the Appendix, in particular on the need to clearly indicate which measures apply to each transfer/set of transfers.


Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.


  1. Measures of pseudonymisation and encryption of personal data


Toast maintains policy-based as well as technical controls to ensure that certain information at rest as well in transit is encrypted and adequately secured. Toast also maintains a data masking policy and utilizes both hashing and tokenization for certain information under its control. As a PCI-DSS-compliant Level 1 Service Provider, Toast maintains a number of encryption and data masking controls associated with payment card information and the cardholder data environment. 


  1. Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services


Toast maintains a comprehensive information security program, consisting of numerous policies, standards and controls that prescribes a number of administrative, technical and organizational safeguards to ensure the confidentiality, integrity and availability of information entrusted to Toast. These measures include, but are not, limited to various policies and controls relating to access and user management, network security, encryption, network devices and incident response. Toast also maintains a number of data handling policies within the Privacy function. 


  1. Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident


Toast maintains a business continuity plan (BCP) and various disaster recovery protocols that include details regarding key personnel, assets and recovery processes to be followed upon the occurrence of a triggering event. This includes the incorporation of emergency evacuation and incident response protocols. These controls ensure that Toast maintains the availability of information as well as measures to backup and/or recover data from critical systems or databases. Toast business continuity and disaster recovery measures also incorporate remote access protocols and the ability of individuals to securely access information systems. 


  1. Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing


As a PCI-DSS-compliant Level 1 Service Provider, Toast’s cardholder data environment (including both infrastructure and software) is scanned on a quarterly basis as prescribed by PCI-DSS using an approved third-party scanning vendor. A report of the scanning results is reviewed based on pre-defined thresholds and actioned based on the severity of the risk.


  1. Measures for user identification and authorization


Toast maintains various policies and controls in relation to user authentication and access as part of our information security program. Toast follows the principle of “least privilege” and users are only granted access to systems, applications and services on a need-to-know basis. Toast users maintain unique user credentials for access to systems, and all systems containing data classified as confidential or higher require SSO login, which also requires multi-factor authentication.


  1. Measures for the protection of data during transmission


Toast maintains measures for the encryption of information in transit based on the sensitivity of the information and utilizes industry standard encryption tools. Toast standards prescribe that information in transit utilize TLS 1.2 or higher. Payment card information is encrypted upon swipe/tap/dip via a private or public key and our product is configured to automatically wipe data upon payment authorization. 


  1. Measures for the protection of data during storage


Toast maintains measures for the encryption of information at rest based on the sensitivity of the information and utilizes industry-standard encryption tools.  Acceptable standards for information at rest include the use of OSX or Windows 10 for full-disk encryption and AES 128-bit encryption or higher. Certain information processed by Toast or its third-party service providers is subject to encryption as well as other heightened security standards that may include restricted access and hashing/tokenization. 


  1. Measures for ensuring physical security of locations at which personal data are processed


Toast maintains physical access controls that secure Toast’s offices and facilities as well as access to underlying information (including personal data). These measures include, but are not limited to, the use of security guards, an access management system incorporating electronic badges as well as CCTV. Toast also maintains a visitor policy and access approval process. 


  1. Measures for ensuring events logging


Toast utilizes various monitoring, auditing and logging software and technologies within our systems to detect and alert our employees of security-related or other relevant events. These systems are regularly monitored and analyzed by authorized users as well as members of the Information Security team, including our Security Operations Center.  


  1. Measures for ensuring system configuration, including default configuration


Defined configuration standards exist for Toast hardware as well as for various company-issued IT equipment. These configuration standards are periodically reviewed and implemented to meet our evolving business and security needs. Toast also maintains various network device and other network configuration standards.


  1. Measures for internal IT and IT security governance and management


Toast maintains a formal information security program that is overseen by the Senior Director of Information Security as well as an Information Technology function that is overseen by our Chief Information Officer. Both functions utilize a number of policies, standards and processes as part of the effort to operationalize information security within Toast. The effectiveness of these programs is monitored by Toast’s Risk Management function as well as other functions at Toast. 


  1. Measures for certification/assurance of processes and products


Toast is a PCI-DSS-compliant Level 1 Service Provider and is assessed by a certified QSA as part of that ongoing compliance process. Toast also maintains a SOC 2, Type I report. 


  1. Measures for ensuring data minimisation


As part of Toast’s privacy principles and governance, individuals are only permitted to collect the minimum amount of information necessary for a particular processing purpose. These principles are also reinforced within our product development and change management processes by both the Privacy and Information Security functions within Toast. 


  1. Measures for ensuring data quality


Toast maintains a number of administrative and technical controls pertaining to the access of information. Data is handled differently based on the sensitivity of information and only specifically trained individuals can access our cardholder data environment. As part of Toast's security controls, we maintain various data lineage and logging measures for activities within the Toast platform as well as business justifications for access to certain sets of information.


  1. Measures for ensuring accountability


As part of Toast’s information security program, individuals are required to adhere and attest to their compliance with specific Toast polices in relation to the management of information and information systems. Our policies also prescribe accountability for system owners that are entrusted with the management and upkeep of information within systems that they oversee. Individuals are also provided with unique user ids for access to systems within our infrastructure.


  1. Measures for ensuring limited data retention


As part of Toast’s data retention program, Toast maintains a number of controls relating to data retention including adhering to an internal Data Retention Policy and Schedule. This Policy defines the purposes for which personal information is processed and establishes specific timeframes for data retention.Toast periodically reviews and updates its data retention practices to ensure ongoing compliance with relevant legal requirements and business needs


  1. Measures for allowing data portability and ensuring erasure


Toast US and Toast Ireland have developed internal tools to be able to locate, pull and/or delete applicable personal data related to a data subject request. These tools are regularly tested for their efficacy and functionality, including data portability and erasure. 


For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter




ANNEX 3 

Approved Sub-processors 

A list of Toast’s current Sub-processors can be found at https://pos.toasttab.com/sub-processor-list. By visiting that site,  Merchant may also register to be notified by email of any modifications to the Sub-processor list (a “Notification”).