01 Parties and scope
This Data Processing Agreement (the “DPA”) forms part of the agreement between COTRONIKA EOOD, a Bulgarian limited-liability company with UIC 202457989 and registered office in Sofia 1700, Bulgaria (the “Processor”), and the Customer (the “Controller”) for use of the UXO platform under the Terms of Service at /legal/terms (the “Agreement”).
The DPA applies whenever the Processor processes personal data on behalf of the Controller as part of providing the Service. Where the Processor processes personal data in its own right (for example, Customer’s billing data and the contact details of authorised staff users), it does so as a controller in accordance with the Privacy Policy at /legal/privacy — that processing is outside the scope of this DPA.
If there is any conflict between this DPA and the Agreement, this DPA prevails for matters concerning the processing of personal data on the Controller’s behalf.
02 Definitions
Capitalised terms not defined here have the meaning given to them in the Agreement. The terms “personal data”, “processing”, “controller”, “processor”, “data subject”, “sub-processor” and “personal data breach” have the meanings given in Article 4 of Regulation (EU) 2016/679 (the “GDPR”).
- Applicable Data Protection Law: The GDPR, the EU Member State laws implementing or supplementing it (including the Bulgarian Personal Data Protection Act), and any other data-protection or privacy law applicable to the Processor’s processing of personal data under this DPA.
- EEA: The European Economic Area.
- SCCs: The Standard Contractual Clauses for the transfer of personal data to third countries adopted by the European Commission in Decision (EU) 2021/914 of 4 June 2021.
- Customer Personal Data: Personal data processed by the Processor on behalf of the Controller under this DPA.
03 Roles and processing instructions
The parties acknowledge that, in relation to the Customer Personal Data, the Controller is the data controller and the Processor is the data processor. The Controller’s documented instructions to the Processor consist of the Agreement, this DPA and any further instructions reasonably given through the Service’s configuration options or in writing.
The Processor will process Customer Personal Data only on documented instructions from the Controller and only for the purposes described in Annex I, unless Applicable Data Protection Law requires otherwise. If the Processor believes an instruction infringes Applicable Data Protection Law, it will tell the Controller and may refuse to act on the instruction.
The Controller warrants that it has the right and the lawful basis to make Customer Personal Data available to the Processor and to instruct the Processor to carry out the processing described in this DPA. The Controller is responsible for providing required information to data subjects, for handling its relationship with data subjects and for obtaining consent where consent is the lawful basis for processing.
04 Processor obligations (Article 28(3) GDPR)
The Processor will:
- process Customer Personal Data only on documented instructions from the Controller, including with regard to international transfers (see Section 9);
- ensure that persons authorised to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- implement the technical and organisational measures set out in Annex II to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to it;
- respect the conditions in this DPA for engaging sub-processors (Section 5);
- taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Controller’s obligation to respond to requests from data subjects (Section 7);
- assist the Controller in ensuring compliance with the obligations in Articles 32 to 36 GDPR (security, breach notification, data-protection impact assessment, prior consultation), taking into account the nature of the processing and the information available to the Processor;
- at the choice of the Controller, delete or return all Customer Personal Data after the end of the provision of the services and delete existing copies, unless Applicable Data Protection Law requires storage (see Section 10);
- make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and allow for and contribute to audits, as set out in Section 8.
05 Sub-processors
General authorisation
The Controller gives the Processor a general authorisation to engage the sub-processors listed in Annex III at the date of this DPA. The Processor remains fully liable to the Controller for the performance of any sub-processor’s obligations.
New or replacement sub-processors
The Processor will inform the Controller in advance of any intended addition or replacement of a sub-processor, giving the Controller a reasonable opportunity to object on data-protection grounds. Notice will be given by email to the primary account contact, or by an in-product or website announcement maintained for that purpose, at least thirty days before the change takes effect.
Objection
The Controller may object on reasonable, documented data-protection grounds during the notice period. The parties will discuss the objection in good faith. If the objection cannot be resolved, the Controller may terminate the affected portion of the Service by giving written notice; the Processor will refund any prepaid Fees for the unused portion of that Service from the date of termination.
Sub-processor obligations
Where the Processor engages a sub-processor, it will impose on the sub-processor the same data-protection obligations as are set out in this DPA, by way of a written contract, in particular providing sufficient guarantees to implement appropriate technical and organisational measures so that the processing meets the requirements of the GDPR.
06 Personal data breach notification
The Processor will notify the Controller without undue delay after becoming aware of a personal data breach affecting Customer Personal Data. Notification will be sent to the email address tied to the Controller’s primary account contact and will include, to the extent the information is then known to the Processor:
- a description of the nature of the breach including, where possible, the categories and approximate number of data subjects and records concerned;
- the name and contact details of the Processor’s contact point;
- the likely consequences of the breach;
- the measures taken or proposed to address the breach and mitigate its possible adverse effects.
Where it is not possible to provide all of this information at once, the Processor will provide it in phases as it becomes available, without further undue delay.
Notification of a breach is not an acknowledgement of fault or liability by the Processor.
07 Assistance with data-subject rights
The Service provides the Controller with self-service tools to respond to data subjects exercising their rights of access, rectification, erasure, restriction, portability and objection under Articles 15-22 GDPR (for example, the staff dashboard exports order history and customer contact records, and the Controller can delete records directly).
Where the self-service tools are not sufficient, taking into account the nature of the processing, the Processor will provide reasonable assistance to the Controller in responding to a data-subject request. The Processor may charge a reasonable fee for assistance that is manifestly unfounded or excessive, in particular because of its repetitive character.
If the Processor receives a data-subject request directly from a data subject in relation to Customer Personal Data, it will inform the data subject to address the request to the Controller and will notify the Controller without undue delay.
08 Audits
The Processor will make available to the Controller, on reasonable written request, the information necessary to demonstrate compliance with its obligations under Article 28 GDPR.
Where the Controller reasonably considers that the information provided is not sufficient to demonstrate compliance, the Controller may carry out an audit at most once per calendar year, by sending written notice at least thirty days in advance. Audits will be conducted during business hours, will respect the confidentiality of other customers’ data, will not unreasonably interfere with the Processor’s business and will be performed by the Controller or a qualified independent third-party auditor under appropriate confidentiality obligations. The Controller bears the costs of its audit unless the audit identifies a material breach of this DPA attributable to the Processor.
More frequent audits may be required if a supervisory authority directs the Controller to conduct one, or following a personal data breach that materially affects the Controller’s data.
09 International transfers
The Processor primarily processes Customer Personal Data within Bulgaria (EU). Where the Processor or a sub-processor transfers Customer Personal Data to a country outside the EEA that is not covered by an adequacy decision under Article 45 GDPR, the parties agree that the transfer will be carried out under appropriate safeguards within the meaning of Article 46 GDPR, which will be:
- the SCCs, executed between the data exporter and the data importer in the applicable Module form, with the choices and optional clauses set out in Annex IV; or
- where the importer self-certifies under the EU-US Data Privacy Framework (Commission Implementing Decision (EU) 2023/1795), the adequacy decision in combination with the importer’s self-certification.
The Processor will, where required, carry out a transfer impact assessment and will implement supplementary measures where reasonably necessary to ensure that the level of protection guaranteed by the GDPR is not undermined.
10 Return or deletion of data
On termination of the Agreement and at the Controller’s choice, the Processor will:
- return all Customer Personal Data to the Controller in a structured, commonly used and machine-readable format through the Service’s export tools or other reasonable means; or
- delete all Customer Personal Data.
Within three months of termination, the Processor will delete Customer Personal Data from production systems and from routine backups within ordinary operational cycles, except where Applicable Data Protection Law or other applicable law requires further retention (for example, accounting and tax records) or where retention is necessary for the establishment, exercise or defence of legal claims. Any retained data remains subject to this DPA.
11 Liability and term
Each party’s liability under this DPA is subject to the limitations and exclusions set out in the Agreement. Nothing in this DPA excludes or limits a party’s liability for fraud, gross negligence, wilful misconduct or any liability that cannot be limited or excluded under Applicable Data Protection Law.
This DPA enters into force on the date the parties enter into the Agreement and continues until the Processor has deleted or returned all Customer Personal Data in accordance with Section 10. The obligations under this DPA survive termination of the Agreement for as long as the Processor retains Customer Personal Data.
12 Governing law
This DPA is governed by the laws of the Republic of Bulgaria without regard to its conflict-of-laws rules. The courts of Sofia City have exclusive jurisdiction over any dispute arising out of or in connection with this DPA, except where Applicable Data Protection Law confers exclusive jurisdiction on a different forum.
13 Contact
Questions about this DPA, requests to exercise rights on behalf of data subjects, or notices required under it should be sent to [email protected] or by post to COTRONIKA EOOD, Sofia 1700, Bulgaria.
A1 Annex I — Description of processing
Subject matter
Processing of personal data by the Processor on behalf of the Controller for the purpose of providing the UXO platform under the Agreement.
Duration
For the term of the Agreement and for any period thereafter during which the Processor retains Customer Personal Data in accordance with Section 10.
Nature and purpose of processing
Hosting, storage, retrieval, display, transmission, consultation, organisation, structuring, indexing, search, pseudonymisation, deletion and other operations necessary to operate the UXO platform features that the Controller chooses to use, including digital menus, QR ordering, pickup and delivery flows, reservations, the staff dashboard, the marketplace surface and supporting analytics.
Categories of data subjects
- Guests of the Controller’s venues who scan a QR code, place orders, make reservations or otherwise interact with customer-facing surfaces.
- The Controller’s authorised staff members who use the staff dashboard, the kitchen / bar queues or the printer service.
- Where applicable, suppliers and other business contacts the Controller adds to its venue.
Categories of personal data
- Contact and identification data — name, email, phone, delivery address.
- Order and reservation data — items, variants, notes, times, table or pickup/delivery details, payment status.
- Account data — language preference, saved addresses, authentication tokens.
- Staff data — name, role, contact details, session tokens, activity logs.
- Technical and connection data — IP address, device, browser, approximate location, server logs and security telemetry.
The Service is not designed to process special categories of personal data (Article 9 GDPR) or data relating to criminal convictions and offences (Article 10 GDPR). The Controller undertakes not to upload such data without first agreeing additional safeguards with the Processor in writing.
A2 Annex II — Technical and organisational measures
Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing, as well as the risk to the rights and freedoms of natural persons, the Processor implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk. Current measures include:
Confidentiality
- TLS 1.2+ encryption in transit for all traffic to and from the Service.
- Encryption at rest for production databases and backups using industry-standard algorithms.
- Role-based access control with the principle of least privilege. Staff access to production data is limited to the individuals whose role requires it.
- Multi-tenancy isolation enforced at every database query through a mandatory restaurant tenancy filter.
- Passwords stored as salted hashes using a slow, memory-hard algorithm. Session tokens are rotated and expire.
Integrity
- Code change-management process with peer review of changes to production systems.
- Automated continuous-integration build and test pipeline before deployment.
- Audit logs of administrative actions, signed and tamper-evident.
Availability and resilience
- Redundant production infrastructure with regular automated backups.
- DDoS protection and a web-application firewall via Cloudflare.
- Capacity planning and monitoring of system health.
- Documented incident-response procedures with a defined escalation chain.
Periodic testing and review
- Routine vulnerability patching of the operating system, language runtime, framework, dependencies and infrastructure components.
- Periodic review of supplier security posture for the sub-processors listed in Annex III.
- Periodic review and update of these technical and organisational measures.
The Processor may update the measures from time to time to reflect changes in the state of the art and the risk profile of the Service, provided that the updated measures do not materially reduce the level of protection.
A3 Annex III — Current sub-processors
The current sub-processors engaged by the Processor in providing the Service are listed below. The list reflects the position as of the “Last updated” date and is maintained in line with Section 5.
| Sub-processor | Purpose | Location |
|---|---|---|
| COTRONIKA EOOD (own infrastructure) | Application hosting, primary database, file storage, backups, SMTP email delivery, subscription management (self-hosted WHMCS), error monitoring | Bulgaria (EU) |
| Cloudflare, Inc. | DNS, CDN, DDoS protection, web-application firewall, Turnstile bot detection | USA, with EU points of presence |
| Stripe Payments Europe Ltd | Payment processing for subscription fees and other paid transactions | Ireland (EU), with USA parent |
| Anthropic PBC | Image-to-text conversion (OCR) of paper menus uploaded via the menu-scan feature only; the Service does not send Customer Personal Data through this feature in the ordinary course of operation | USA |
| Google Ireland Ltd (Google Analytics) | Web analytics on the uxo.bg marketing site only | Ireland (EU), with USA parent |
A4 Annex IV — SCC module selections
Where the SCCs apply to a transfer under Section 9, the following choices are made in advance:
- Module. Module Two (transfer controller-to-processor) applies between the Controller and any non-EEA sub-processor engaged directly by the Controller. Module Three (transfer processor-to-processor) applies between the Processor and any non-EEA sub-processor it engages on the Controller’s behalf.
- Clause 7 (docking clause). Applies. Other Controllers and Processors may accede to the SCCs in accordance with this clause.
- Clause 9 (sub-processors). Option 2 (general written authorisation), with a notice period as set out in Section 5.
- Clause 11 (redress). The optional language permitting the data subject to lodge a complaint with an independent dispute-resolution body is not selected.
- Clause 17 (governing law). Bulgarian law.
- Clause 18 (forum and jurisdiction). The courts of Sofia City, Bulgaria.
- Annex I.A (parties). The Controller is identified by the account details provided to the Processor; the Processor is COTRONIKA EOOD; the data-protection contact for both parties is [email protected] for the Processor and the Controller’s account email for the Controller.
- Annex I.B (description). As set out in Annex I to this DPA.
- Annex II (security measures). As set out in Annex II to this DPA.
- Annex III (sub-processors). As set out in Annex III to this DPA.
14 Updates to this DPA
The Processor may update this DPA from time to time, for example to reflect changes in the law, in the Service’s functionality or in its sub-processors. The Processor will give reasonable advance notice of material changes to the primary account contact. Updates that do not materially reduce the level of protection of Customer Personal Data may take effect on the date they are posted to this page.