Data Processing Agreement

Effective: 2 May 2026 Last updated: 2 May 2026 Version: 1.0

Short version. If you are a restaurant in the EU/EEA, UK, or Switzerland and the personal data you process with VerifyEat triggers GDPR or FADP obligations, this Data Processing Agreement (DPA) becomes part of your contract with us. Because VerifyEat is local-first, our role as processor is intentionally narrow — we mostly act on your data only when you trigger a sync, translation, or hosted page.

1. Parties & relationship

This DPA is concluded between:

The Customer — the natural or legal person who has purchased a VerifyEat subscription or uses the Service ("Controller").
VerifyEat — Catalin Ionut Portan, independent developer based in Switzerland ("Processor").

This DPA forms part of, and is subject to, the Terms of Service. In case of conflict between this DPA and the Terms regarding the processing of personal data, this DPA prevails.

2. Scope & subject matter

The Processor processes personal data on behalf of the Controller only to the extent strictly necessary to provide the Service. Specifically:

Local app usage: No processing by us occurs. All data stays on the Controller's Mac.
AI translations: Triggered by the Controller, processed by Anthropic (a sub-processor) using the Controller's own API key. We facilitate but do not store the request or response.
Hosted Pages add-on (when launched): We will host menu data the Controller chooses to publish, on infrastructure operated by Cloudflare.
Account & billing: App Store subscriptions are handled by Apple. VerifyEat stores only the local subscription entitlement state needed to unlock the app.

3. Data categories & data subjects

Data subject	Categories of personal data
The Controller (you)	Email, billing details, IP address (server logs), support correspondence.
Restaurant staff (if used)	Names entered as menu authors (rare; optional).
Restaurant customers (end-users scanning QR codes)	None collected by us. Public QR pages are static content; no analytics or accounts.

The Service is not designed to process special categories of personal data within the meaning of Art. 9 GDPR. The Controller is responsible for not entering such data unless strictly necessary and lawful.

4. Processor obligations

The Processor shall:

Process personal data only on documented instructions from the Controller, including with regard to international transfers, unless required to do otherwise by Swiss or EU law (in which case the Processor shall inform the Controller before processing, unless that law prohibits such notification).
Ensure that persons authorised to process the personal data are bound by confidentiality.
Implement appropriate technical and organisational measures (see Section 6).
Assist the Controller in fulfilling its obligations to respond to data subject requests.
Make available all information necessary to demonstrate compliance with this DPA.

5. Sub-processors

The Controller authorises the Processor to engage sub-processors to provide parts of the Service. The current list is published at verifyeat.com/legal/subprocessors and forms part of this DPA.

The Processor shall:

Inform the Controller of any intended changes (addition or replacement) at least 30 days in advance.
Impose data-protection obligations on each sub-processor at least as stringent as those in this DPA.
Remain fully liable to the Controller for the performance of each sub-processor.

6. Security measures

The Processor implements the following technical and organisational measures (TOMs), described in detail on the Security page:

Encryption of personal data in transit (HTTPS / TLS 1.2+).
Encryption of sensitive material at rest where applicable (macOS Keychain for the Anthropic API key on the Customer's Mac).
Strict access controls following the principle of least privilege.
Regular dependency updates and security review.
Backup and recovery procedures appropriate to the local-first architecture (the Customer is responsible for backing up local data; export tools provided).
Incident response procedures (see Section 9).

7. International transfers

Where personal data is transferred outside Switzerland or the EU/EEA — for example, when AI translations are sent to Anthropic in the United States — the Processor relies on the European Commission's Standard Contractual Clauses (Module 3, Processor-to-Processor) and equivalent Swiss-compatible safeguards adopted by the FDPIC.

8. Data subject rights

The Processor shall, taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as possible, in fulfilling the Controller's obligation to respond to requests from data subjects (access, rectification, erasure, restriction, portability, objection).

If a data subject contacts the Processor directly, the Processor shall, where practicable and lawful, redirect the request to the Controller without responding to the substance.

9. Personal data breaches

The Processor shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting the Controller's data. The notification shall include, to the extent known: nature of the breach, categories and approximate number of data subjects and records affected, likely consequences, and measures taken or proposed.

10. Audits

The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA. Given the size of the Processor and the local-first architecture, audits will normally be satisfied by written information requests and self-assessment reports, with on-site audits arranged only where strictly required by law and at the Controller's expense, on reasonable notice.

11. Return & deletion

Upon termination of the contract, the Processor shall, at the Controller's choice:

Return all personal data to the Controller (export tools are provided in the app), or
Delete all personal data in the Processor's possession, unless retention is required by Swiss or EU law (e.g., 10-year tax record retention for billing data).

The Controller acknowledges that local data on its own Mac is not under the Processor's control and must be deleted by the Controller itself.

12. Liability

Liability under this DPA is limited as set out in the Terms of Service. Statutory liability under GDPR and FADP is unaffected.

13. Governing law

This DPA is governed by Swiss law. To the extent that EU GDPR applies, both parties agree that the EU SCCs (Decision 2021/914) are incorporated and prevail in case of conflict regarding international transfers.

14. Annex — Standard Contractual Clauses

For data transfers from EU/EEA-based Controllers, the Standard Contractual Clauses adopted by the European Commission on 4 June 2021 (Module 3, Processor-to-Processor) are incorporated by reference and considered executed by the parties through acceptance of these Terms.

For Swiss-only relationships, the Swiss FDPIC's adapted version of the SCCs applies.

How to execute this DPA. By using a paid VerifyEat subscription, the Controller is deemed to have accepted this DPA. If your procurement process requires a signed copy, email hello@verifyeat.com with your company details — we will return a counter-signed PDF within 5 business days.