Effective: July 15, 2022
This Merchant Data Processing Addendum (the “Addendum”) forms part of the Merchant Agreement(s) between Toast and the Merchant (collectively the “Agreement”) in relation to both Toast and Merchant’s (each a “Party” or together the “Parties”) Processing of Personal Information under the Agreement.
Both Toast and Merchant agree to comply in good faith with the terms set out in this Addendum. If and to the extent any language in this Addendum conflicts with the Agreement, this Addendum shall control.
1. Scope and Acknowledgments
1.1 This Addendum is intended to reflect and expand upon the respective obligations of the Parties related to the Processing of Personal Information under the Agreement, including each Party’s compliance with the Applicable Data Protection Laws.
1.2 As part of the Agreement and the provision of the Services, both Parties agree to comply with all Applicable Data Protection Laws, and not by any act or omission, put the other Party in breach of those Laws.
1.3 Merchant acknowledges that by using the Services, the Personal Information of Merchant, Merchant Employees and Customers will be processed in accordance with Toast’s Privacy Statement found at https://pos.toasttab.com/privacy. Merchant and its Employees are encouraged to read the Privacy Statement carefully, as it forms a binding part of this Agreement and contains important information about individuals’ rights and how Toast manages Personal Information. Merchant shall make the Privacy Statement available to its Employees and Customers (as appropriate) in such manner as Toast may reasonably request from time to time.
1.4 The relationships of the Parties in relation to the Processing of Personal Information are set out in Section 3 of this Addendum.
2. Definitions
Unless otherwise set out below, each capitalized term in this Addendum shall have the meaning set out in the Agreement.
2.1 “Alternative Transfer Mechanism” means a mechanism other than the Standard Contractual Clauses that enables the lawful transfer of Personal Information from the European Economic Area (“EEA”), the United Kingdom (“UK”) or Switzerland to a third country in accordance with Applicable Data Protection Laws, including, but not limited to, programs both approved and operated by the U.S. Department of Commerce and approved by the European Commission or other applicable governmental authority or entity.
2.2 “Applicable Data Protection Laws” means all applicable federal, state, provincial, regional and local laws, directives, regulations, and rules imposed by any government, agency or authority in relation to the processing and security of Personal Information, including, but not limited to, the GDPR, the EU Directive on Privacy and Electronic Communications 2002/58/EC (“PECR”), the data protection law of the United Kingdom, including but not limited to the Data Protection Act 2018, Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”), as well as any applicable provincial legislation, and the CCPA, in each case as amended, replaced or superseded from time to time.
2.3 “Standard Contractual Clauses” means the applicable standard contractual clauses approved by the European Commission that govern the transfer of Personal Information to Controllers or Processors established in third countries that do not ensure an adequate level of data protection, pursuant to Article 46 of the GDPR. For the avoidance of doubt, this definition shall also include any standard contractual clauses approved by the United Kingdom.
2.4 “CCPA” means, as applicable, (i) the California Consumer Privacy Act of 2018, California Civil Code 1798.100 et seq. (2018), as amended; (ii) the California Privacy Rights Act of 2020; and (iii) any subsequent replacements to the foregoing laws from time to time. All implementing regulations forming part of the laws above shall also be included in this definition.
2.5 “Controller” means the entity that determines as a legal person alone or jointly with others the purposes and means of the Processing of Personal Information. For the purposes of this Agreement, “Controller” includes similarly defined terms under the Applicable Data Protection Laws, including, but not limited to, a “Business.”
2.6 “GDPR” means the European Union’s General Data Protection Regulation (Regulation 2016/679) pertaining to the protection of individuals within the European Economic Area as may be amended, modified, supplemented, restated, or superseded from time to time.
2.7 “Personal Information” means any information relating to an identified or identifiable individual or household. Personal Information may include, but is not limited to, a name, address, contact details, unique identifiers, payment card information, biometric identifiers and information, preferences, history and profile data, IP addresses, and location-based information, but excludes aggregated or anonymized information. Personal Information shall include any information that constitutes “Personal Information” or “Personal Data” under the Applicable Data Protection Laws.
2.8 “Process” or “Processing” means any operation or set of operations performed on Personal Information or sets of Personal Information, whether or not by automated means, including, but not limited to, the collection, recording, access, organization, structuring, storage, use, adaptation, alteration, retrieval, disclosure, restriction, deletion or destruction of Personal Information.
2.9 “Processor” means the entity which processes Personal Information on behalf of a Controller.
2.10 “Sale” or “Sell” has the same meaning as such term is defined in the CCPA, any subsequent or similar legislation or other Applicable Data Protection Laws as enacted or amended from time to time.
2.11 “Security Incident” means any accidental or unlawful destruction, loss, alteration, theft, unauthorized disclosure of, or access to, Personal Information.
2.12 “Services” means services provided by Toast to the Merchant under the Agreement.
2.13 “Sub-processor” means any additional authorized Processor engaged by the original Processor that agrees to receive any Personal Information from the Controller as part of the Services.
2.14 “Third Party” means any Controller, Processor or Sub-processor engaged by a Party that agrees to receive Personal Information as part of the Services.
3. Relationship of the Parties and Processing of Personal Information
3.1 Toast provides point-of-sale (“POS”), digital ordering, payroll and related services as detailed in the Agreement.
3.2 Toast acts as a Controller where Toast processes the Personal Information of Customers and Merchants, and, in specific limited cases, Merchant Employees under the Agreement. In these cases, the Parties agree that Appendix A shall apply to the extent Toast is acting as a Controller. In cases where the Merchant is also a Controller, the Parties agree that Toast and Merchant shall act as independent “Controllers” under the Agreement and no “Joint Controller” relationship shall exist under the Applicable Data Protection Laws.
3.3 Toast acts as a Processor on behalf of Merchant where Toast processes the Personal Information of Merchant Employees in connection with the provision of Services that relate to the management and administration of Employees on behalf of the Merchant. In certain instances, Toast may also act as a Processor when Processing the Personal Information of Customers for certain third-party relationships. The Parties agree that Appendix B shall apply to the extent that Toast is acting as a Processor.
4. Security Measures and Incidents
4.1 Security measures. Each Party shall implement and maintain a written information security program embodying all appropriate technical, organizational and administrative security measures required to protect the privacy and security of any Personal Information Processed as part of the Services. In all cases, the Parties shall be required to implement any and all security measures imposed under the Applicable Data Protection Laws.
4.2 Written Security Incident response program. Each Party shall implement and maintain a written incident response program for the management of Security Incidents.
4.3 Notification of a Security Incident. In the event that either Party discovers, is notified of or reasonably suspects the occurrence of a Security Incident impacting any Personal Information Processed under the Agreement, that Party will immediately notify the other Party. In all cases, the timing of such notification shall not exceed seventy-two (72) hours after having become aware of a Security Incident, or such other time limit as is imposed under the Applicable Data Protection Laws. Each Party’s notice to the other Party of a Security Incident should (where known) contain the following: (i) the facts of the Security Incident, including the date of discovery, the date range of unauthorized activity, and any remediation and mitigation activities that have been taken or put in place; (ii) a description of the categories and approximate number of individuals and records affected by the Security Incident; (iii) the Party’s assessment, developed through reasonable diligence, of the likely consequences of the Security Incident with respect to the affected Personal Information and affected individuals; and (iv) the name and contact details of the data protection officer or other contact point where more information can be obtained.
4.4 Costs and remediation obligations. To the extent any Security Incident is attributable to the actions of a specific Party or its Third Parties, that Party shall be responsible for all costs associated with the Security Incident, including, but not limited to, the following: (i) the cost of providing notice to affected individuals; (ii) the cost of providing notice to government agencies, credit bureaus, and/or other entities required to be notified under applicable law; (iii) the cost of providing affected individuals with credit monitoring services (as appropriate or as required by the Applicable Data Protection Laws); (iv) call center support for such affected individuals; (v) the cost of any other measures required under the Applicable Data Protection Laws; and (vi) other losses, liabilities or expenses for which that Party would be liable. In all cases, as to the Personal Information Processed under this Agreement that is impacted by a Security Incident, the Parties shall, where appropriate and reasonable, cooperate and work together as part of the remediation efforts.
5. Data transfers
5.1 Transfers generally. Each Party shall be permitted to transfer Personal Information under the Agreement provided that such transfers comply with the Applicable Data Protection Laws.
5.2 EEA, Switzerland and UK transfers. In the event either Party Processes the Personal Information of individuals residing in the EEA, Switzerland or the United Kingdom as part of the Services, that Party shall only be permitted to transfer such Personal Information outside those jurisdictions if such transfers comply with the Applicable Data Protection Laws.
5.3 Use of Standard Contractual Clauses. To the extent any transfer under Section 5.2 is made to a country not deemed adequate by the European Commission or other governmental bodies and is not made pursuant to an Alternative Transfer Mechanism, the Parties agree that the relevant set of Standard Contractual Clauses shall apply, with the transferring Party acting as the “data exporter” and the receiving Party acting as the “data importer.” In such instances, the Parties will work together to execute the applicable terms or other measures required to comply with the Applicable Data Protection Laws. Toast has entered into an intra-company set of Standard Contractual Clauses as part of its compliance with this Section and as part of providing the Services under the Agreement. A copy of those Standard Contractual Clauses can be requested by emailing [email protected].
5.4 Alternative Transfer Mechanisms. If either Party relies on an Alternative Transfer Mechanism as a legal ground for the transfer of Personal Information under the Agreement, that Party shall be responsible for ensuring that the Alternative Transfer Mechanism provides the same level of protection for Personal Information as imposed on the Parties under this Addendum.
6.1 Assurances. Notwithstanding any requirements or specific rights granted to the Parties under the Applicable Data Protection Laws, each Party shall, on reasonable notice, have the right to obtain assurances from the other Party to verify the other Party’s compliance with the terms of this Addendum if it has a reasonable suspicion of a breach or a potential breach of this Addendum.
6.2 Survival. Each Party’s obligations under this Addendum will survive the termination of the Agreement to the extent either Party continues to Process Personal Information covered by the Agreement.
6.3 Severability. If any court or competent authority holds that any term of this Addendum is invalid, unlawful, or unenforceable to any extent, that term shall, to that extent only, be severed from the remaining terms, which shall continue to be valid to the fullest extent permitted by law.
6.4 Waiver. Either Party’s failure to enforce any provision of this Addendum shall not constitute a waiver of that or any other provision and will not relieve the other Party from the obligation to comply with such provision.