Switching to Toast
Feeling limited by your current tech? Toast is here for you, starting with easy onboarding.
Opening a New Restaurant
We'll take care of the technology, so you can focus on what matters most.
Online Ordering
A commission-free solution, totally integrated with your POS for real-time updates.
Payroll Suite
Fast, easy payroll synced right with your POS.
Access Capital
Fast, flexible funding to power your restaurant.
Free Tools and Templates
Guides, e-books, and templates designed to help you run your restaurant business better.
Video Courses
Learn something new today — whether you've got 5 minutes or 50.
Trends and analysis from across the industry
Resources to help you get the most out of Toast
Restaurants of all kinds finding success with Toast
Get rewarded for helping restaurant clients succeed
Explore new and upcoming Toast solutions
Toast solutions for any concept
Run your business with online ordering, payroll, and more
Tools, insights, and advice
Front of house, back of house, and online seamlessly connect and work in sync.
Toast is designed for restaurant success. Customize Toast to fit the needs of your restaurant type.
Industry Insights
Toast Support
Customer Stories
Local Partner Advocates
Innovation at Toast
Effective: December 20, 2023
This Merchant Data Processing Addendum (the “Addendum”) is entered into between Toast, Inc., including its subsidiaries and affiliates (referred to generally as “Toast”) and the Merchant and forms part of the agreement(s) entered into between Toast and Merchant (collectively the “Agreement”) and applies where either of the Parties process Personal Information under the Agreement.
1. INTRODUCTION
2. DEFINITIONS
Unless otherwise set out below, each capitalized term in this Addendum shall have the meaning set out in the Agreement.
For the avoidance of doubt, terms defined above as well as other terms not defined in this Addendum such as “processing” and “sensitive personal information” shall have the same meaning as in Applicable Data Protection Laws, and their related terms shall be construed accordingly.
DATA PROCESSING
3. CONTROLLER OBLIGATIONS
To the extent Toast and Merchant Process Personal Information as Controllers as part of the Agreement, the Parties agree that:
The Merchant:
4. PROCESSOR OBLIGATIONS
To the extent Toast Processes Personal Information as a Processor under the Agreement, Toast agrees that:
5. SECURITY
6. SECURITY INCIDENTS
7. NOTIFICATIONS AND REQUESTS FROM THIRD PARTIES
8. DATA TRANSFERS
(i) Merchant EEA, Switzerland and UK Personal Information is first processed by Toast in the EEA, Switzerland and/or UK and is subsequently transferred to a country not recognized by the European Commission, the UK ICO or the Swiss Federal Data Protection Authority as providing an adequate level of protection of Personal Information (“Third Country”). Such transfers are governed by an intra-company set of Standard Contractual Clauses entered into between Toast Ireland, Toast UK and Toast, Inc. as part of its compliance with this Section and as part of providing the Services under the Agreement. A copy of these Standard Contractual Clauses can be requested by emailing privacy@toasttab.com.
(ii) Merchant EEA, Switzerland and UK Personal Information is not first processed by Toast in the EEA, Switzerland and/or UK and instead is transferred directly to a Third Country. Such transfers are governed by the Standard Contractual Clauses (including the UK Addendum) which are hereby incorporated by reference with the following selections:
For the purposes of the EEA and Switzerland:
Transfers under the EU SCCs will be governed by the laws of Ireland.
The Swiss Federal Act on Data Protection (FADP) insofar as the transfers are governed by the FADP.
Irish Data Protection Commissioner.
Federal Data Protection and Information Commissioner insofar as the transfers are governed by the FADP.
The term ‘member state’ must not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of residence (Switzerland) in accordance with Clause 18(c) of the SCCs.
References to “GDPR” are to be understood as references to FADP. The SCCs shall apply to data pertaining to legal entities until the entry into force of the revised FADP.
For the purposes of the UK, the parties agree that the EU Standard Contractual Clauses will apply but will be modified and interpreted in accordance with the UK Addendum and agree as follows:
Table or Section Reference
Concept
Selection by the Parties
Table 1
Parties
See Annex 1 Section A of this Addendum
Table 2
Selected SCCs, Modules and Selected Clauses
Modules One and Two of the EU Standard Contractual Clauses entered into on the date of the Agreement.
Table 3
Appendix Information
Annex 1.A shall be populated with the information in Annex 1A of this Addendum
Annex 1.B shall be populated with the information in Annex 1B of this Addendum
Annex II shall be populated with Annex 2 of this Addendum
Annex III shall be populated with Annex 3 of this Addendum (only for Module Two)
Table 4
End of UK Addendum when the Approved Addendum changes
Neither party may end this UK Addendum per Section 19 of the UK Addendum, except as set forth in this Addendum.
Section I, Clause 7
Docking
The option under clause 7 shall not apply.
Section II, Clause 9
Sub-processors
Option 2 (General Written Authorisation) under clause 9 shall apply. See clause 3.2(iii) of this Addendum.
Section II, Clause 11
Redress
The option under clause 11 shall not apply.
Section IV, Clause 17
Governing law
The laws of England and Wales insofar as the transfers are governed by UK Data Protection Law.
Section IV, Clause 18(b)
Choice of forum and jurisdiction
The Courts of England and Wales shall have exclusive jurisdiction to resolve any dispute or lawsuit arising out of or in connection with the UK Addendum.
Part 2
Mandatory Clauses
Mandatory clauses of the UK Addendum as issued by the Information Commissioner’s Office and laid before the United Kingdom Parliament in accordance with section 119A of the Data Protection Act 2018 on February 2, 2022, as it is revised under section 18 of those Mandatory Clauses. section
Any conflict between the terms of the Standard Contractual Clauses and the UK Addendum will be resolved in accordance with Section 10 and Section 11 of the UK Addendum.
9. Miscellaneous
ANNEX 1
A. LIST OF PARTIES
Merchant / Data Exporter
Name
As set forth in the Agreement.
Address
Contact person
Activities related to data transfer under the Clauses:
As set forth in this Addendum and the Agreement.
Role (controller/processor)
Standard Contractual Clauses Module One: Merchant is the data controller.
Toast / Data Importer
Toast, Inc.
401 Park Drive, Suite 801, Boston, MA 02215
Assistant General Counsel, Privacy; privacy@toasttab.com
Services associated with facilitation of POS-related, partner and other restaurant-related services for merchants, merchant employees and restaurant guests
- Standard Contractual Clauses Module One: Toast is the data controller.
- Standard Contractual Clauses Module Two: Toast is the data processor.
B. DESCRIPTION OF TRANSFER & PROCESSING
Module One
Merchant is the controller
Toast, Inc. is the controller
Module Two
Toast, Inc. is the processor
Categories of Data Subjects
Merchants, merchant employees, guests and suppliers.*
Categories of Personal Information
Merchants – name, date of birth (DOB), personal contact details, business contact details, address, ownership information, bank account information, payment card information, credential information, social security number (SSN) or national identifier, driver’s licence information (number, state and expiration), user ID, device ID, IP address.
Merchant employees – name, date of birth (DOB), business contact details, job title, personal contact details, shift and employment information, compensation information, and IP address.
Guests – name, personal contact details, address, payment card number, security code & expiration date, payment ID, amount paid, order details, time/date of the order, transaction ID, transaction details, car colour & make, IP address, DOB (month/day), loyalty card number and information, location information (course and precise), IP address digital ordering account information, earnings/redemptions, preferences & notes, reservation & waitlist details.
Suppliers – name, business contact details, address, bank account information
Personal information included in the context of Toast, Inc.’s service offerings and ancillary/support services to the Merchant, including the categories listed opposite.
Sensitive data processed
To the extent allergy and dietary information is provided and constitutes health data.
Toast may also process sensitive personal data of Merchant employees and guests to the extent Merchant provides it to Toast during the Services.
Transfer frequency
There will be continuous transfer and Processing of Personal Information
Nature of processing
Processing is conducted to provide the Services described in the Agreement. Processor shall Process Personal Data only in accordance with the Agreement.
Purpose of processing
Toast, Inc. is providing the Services described in the Agreement.
Retention period
Each Controller will retain the Personal Information in accordance with their respective data retention policies and schedules.
Merchant may instruct Processor to delete Personal Information as agreed by the Parties and Processor shall promptly delete requested Personal Information.
Upon termination of the Agreement, Toast shall return or delete any Personal Information on Merchant’s request, except where it is required to retain the Personal Information to comply with applicable laws, or, where permitted, such retention is in line with Toast’s current data retention schedule.
*Note: presently Toast’s Payroll and Team Management services are not available outside the United States. As a result, Annex 1 does not include transfers associated with those services.
ANNEX 2
Security Measures
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
EXPLANATORY NOTE:
The technical and organisational measures must be described in specific (and not generic) terms. See also the general comment on the first page of the Appendix, in particular on the need to clearly indicate which measures apply to each transfer/set of transfers.
Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
Measures of pseudonymisation and encryption of personal data
Toast maintains policy-based as well as technical controls to ensure that certain information at rest as well in transit is encrypted and adequately secured. Toast also maintains a data masking policy and utilizes both hashing and tokenization for certain information under its control. As a PCI-DSS-compliant Level 1 Service Provider, Toast maintains a number of encryption and data masking controls associated with payment card information and the cardholder data environment.
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
Toast maintains a comprehensive information security program, consisting of numerous policies, standards and controls that prescribes a number of administrative, technical and organizational safeguards to ensure the confidentiality, integrity and availability of information entrusted to Toast. These measures include, but are not, limited to various policies and controls relating to access and user management, network security, encryption, network devices and incident response. Toast also maintains a number of data handling policies within the Privacy function.
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
Toast maintains a business continuity plan (BCP) and various disaster recovery protocols that include details regarding key personnel, assets and recovery processes to be followed upon the occurrence of a triggering event. This includes the incorporation of emergency evacuation and incident response protocols. These controls ensure that Toast maintains the availability of information as well as measures to backup and/or recover data from critical systems or databases. Toast business continuity and disaster recovery measures also incorporate remote access protocols and the ability of individuals to securely access information systems.
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing
As a PCI-DSS-compliant Level 1 Service Provider, Toast’s cardholder data environment (including both infrastructure and software) is scanned on a quarterly basis as prescribed by PCI-DSS using an approved third-party scanning vendor. A report of the scanning results is reviewed based on pre-defined thresholds and actioned based on the severity of the risk.
Measures for user identification and authorization
Toast maintains various policies and controls in relation to user authentication and access as part of our information security program. Toast follows the principle of “least privilege” and users are only granted access to systems, applications and services on a need-to-know basis. Toast users maintain unique user credentials for access to systems, and all systems containing data classified as confidential or higher require SSO login, which also requires multi-factor authentication.
Measures for the protection of data during transmission
Toast maintains measures for the encryption of information in transit based on the sensitivity of the information and utilizes industry standard encryption tools. Toast standards prescribe that information in transit utilize TLS 1.2 or higher. Payment card information is encrypted upon swipe/tap/dip via a private or public key and our product is configured to automatically wipe data upon payment authorization.
Measures for the protection of data during storage
Toast maintains measures for the encryption of information at rest based on the sensitivity of the information and utilizes industry-standard encryption tools. Acceptable standards for information at rest include the use of OSX or Windows 10 for full-disk encryption and AES 128-bit encryption or higher. Certain information processed by Toast or its third-party service providers is subject to encryption as well as other heightened security standards that may include restricted access and hashing/tokenization.
Measures for ensuring physical security of locations at which personal data are processed
Toast maintains physical access controls that secure Toast’s offices and facilities as well as access to underlying information (including personal data). These measures include, but are not limited to, the use of security guards, an access management system incorporating electronic badges as well as CCTV. Toast also maintains a visitor policy and access approval process.
Measures for ensuring events logging
Toast utilizes various monitoring, auditing and logging software and technologies within our systems to detect and alert our employees of security-related or other relevant events. These systems are regularly monitored and analyzed by authorized users as well as members of the Information Security team, including our Security Operations Center.
Measures for ensuring system configuration, including default configuration
Defined configuration standards exist for Toast hardware as well as for various company-issued IT equipment. These configuration standards are periodically reviewed and implemented to meet our evolving business and security needs. Toast also maintains various network device and other network configuration standards.
Measures for internal IT and IT security governance and management
Toast maintains a formal information security program that is overseen by the Senior Director of Information Security as well as an Information Technology function that is overseen by our Chief Information Officer. Both functions utilize a number of policies, standards and processes as part of the effort to operationalize information security within Toast. The effectiveness of these programs is monitored by Toast’s Risk Management function as well as other functions at Toast.
Measures for certification/assurance of processes and products
Toast is a PCI-DSS-compliant Level 1 Service Provider and is assessed by a certified QSA as part of that ongoing compliance process. Toast also maintains a SOC 2, Type I report.
Measures for ensuring data minimisation
As part of Toast’s privacy principles and governance, individuals are only permitted to collect the minimum amount of information necessary for a particular processing purpose. These principles are also reinforced within our product development and change management processes by both the Privacy and Information Security functions within Toast.
Measures for ensuring data quality
Toast maintains a number of administrative and technical controls pertaining to the access of information. Data is handled differently based on the sensitivity of information and only specifically trained individuals can access our cardholder data environment. As part of Toast's security controls, we maintain various data lineage and logging measures for activities within the Toast platform as well as business justifications for access to certain sets of information.
Measures for ensuring accountability
As part of Toast’s information security program, individuals are required to adhere and attest to their compliance with specific Toast polices in relation to the management of information and information systems. Our policies also prescribe accountability for system owners that are entrusted with the management and upkeep of information within systems that they oversee. Individuals are also provided with unique user ids for access to systems within our infrastructure.
Measures for ensuring limited data retention
As part of Toast’s data retention program, Toast maintains a number of controls relating to data retention including adhering to an internal Data Retention Policy and Schedule. This Policy defines the purposes for which personal information is processed and establishes specific timeframes for data retention.Toast periodically reviews and updates its data retention practices to ensure ongoing compliance with relevant legal requirements and business needs
Measures for allowing data portability and ensuring erasure
Toast US and Toast Ireland have developed internal tools to be able to locate, pull and/or delete applicable personal data related to a data subject request. These tools are regularly tested for their efficacy and functionality, including data portability and erasure.
For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter
ANNEX 3
Approved Sub-processors
A list of Toast’s current Sub-processors can be found at https://pos.toasttab.com/sub-processor-list. By visiting that site, Merchant may also register to be notified by email of any modifications to the Sub-processor list (a “Notification”).