THIS DATA PROCESSING AGREEMENT (“AGREEMENT”) IS A LEGAL AGREEMENT WHICH FORMS AN INTEGRAL PART OF AND APPLIES IN ADDITION TO THE EXISTING BIT SERVICES SERVICE AGREEMENT (“SERVICE AGREEMENT”) CONCLUDED BY AND BETWEEN THE CUSTOMER AND BIT SERVICES (BOTH AS DEFINED IN THE SERVICE AGREEMENT) IN CONNECTION WITH THE PROVISION OF SERVICES WHICH INCLUDES VARIOUS DATA PROCESSING SERVICES TO CUSTOMER (“SERVICES”).
- BIT SERVICES MAY, AT ANY TIME, AND AT BIT SERVICES’S SOLE DISCRETION, MAKE IMMATERIAL CHANGES TO THIS AGREEMENT. BIT SERVICES WILL INFORM CUSTOMER OF SUCH CHANGES.
- Terms used in this Agreement have the same meaning as those used in the Service Agreement, unless explicitly provided otherwise. If there are any conflicts or inconsistencies between the Service Agreement and this Agreement, this Agreement prevails.
- When carrying out the Services, Bit Services may be provided access to or otherwise obtain or handle information relating to identified or identifiable individuals (“Personal Data”). The engaged processors, subject-matter, duration, nature and purposes of the processing, as well as the type of Personal Data and categories of individuals whose data are processed are set forth in Annex 1, which forms an integral part of the Agreement.
- Bit Services may only process Personal Data on behalf of Customer and solely for the purposes identified in this Agreement.
- Bit Services may engage the processors stipulated in Annex 1and any other processors to process Personal Data on Customer’s behalf. Bit Services shall inform Customer of any intended changes concerning the addition or replacement of (sub-) processors that process Personal Data of Customer and give Customer the opportunity to object to such changes.
- Bit Services shall ensure that any processing shall be fair, lawful, and consistent with Bit Services’s obligations under this Agreement and compliant with applicable data protection law. In particular, Bit Services shall ensure that any person engaged in providing the Services on its behalf, shall:
- process Personal Data only on the documented instructions of Customer; If Bit Services is required to process Personal Data in compliance with a law of the European Union or a Member State to which Bit Services is subject, it will inform Customer of such legal requirement prior to such processing, unless a law of the European Union or a Member State to which Bit Services is subject prohibits it from doing so;
- ensure appropriate protection of Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where processing involves a transmission of Personal Data over a network, and against all other unlawful forms of processing;
- comply with the security requirements set forth in Annex 2,taking into consideration the state of the art, the costs of implementation and the nature, scope, context and purposes of processing;
- assist the Customer in ensuring compliance with the obligations regarding security measures and conducting data protection impact assessments, where necessary pursuant to Articles 32-36 of of the General Data Protection Regulation, 2016/679;
- not disclose Personal Data to any third party or unauthorized persons, unless Customer has given its prior written consent to such disclosure and subject to the conditions laid down under section 6 of this Agreement;
- hold Personal Data in strict confidentiality and require employees and any other person under its authority who will be provided access to or will otherwise process Personal Data are held to the same level of confidentiality in accordance with the requirements of the Agreement (including during the term of their employment or engagement and thereafter);
- promptly notify Customer if it receives a request from an individual with respect to Personal Data, including but not limited to information access requests, information rectification requests, requests for blocking, erasure, or portability of Personal Data and shall not respond to any such requests unless expressly authorized to do so by Customer or unless required under a law of the European Union or a Member State to which Bit Services is subject; Additionally, Bit Services shall ensure that it has implemented technical and organizational measures to assist Customer in fulfilling its obligation to respond to any such requests from an individual with respect to Personal Data processed;
- promptly notify Customer if in Bit Services’s view an instruction given by Customer infringes applicable laws and regulations, including data protection laws, or a change in the applicable laws and regulations is likely to have a substantially adverse effect on its ability to comply with its obligations under this Agreement;
- promptly (and in any event within thirty-six (36) hours) after becoming aware, notify Customer of any facts known to Bit Services concerning any actual or suspected accidental or unauthorized access, disclosure or use, or accidental or unauthorized loss, damage or destruction of Personal Data by any current or former employee, contractor or agent of Bit Services or by any other person or third party;
- cooperate fully with Customer in the event of any accidental or unauthorized access, disclosure or use, or accidental or unauthorized loss, damage or destruction of Personal Data by any current or former employee, contractor or agent of Bit Services or by any other person or third party, to limit the unauthorized disclosure or use, seek the return of any Personal Data, and assist in providing notice to competent regulators and affected individuals if requested by Customer;
- promptly and properly deal with enquiries and requests from Customer in relation to the processing of Personal Data under this Agreement and provide other reasonable assistance and support;
- assist and support Customer in the event of an investigation by a data protection regulator or similar authority, if and to the extent that such investigation relates to the processing of Personal Data under this Agreement;
- Upon termination or expiration of the Services for whatever reason, or upon request by Customer, Bit Services shall immediately cease to process Personal Data and shall promptly return to Customer all such Personal Data, or delete the same, in accordance with such instructions as may be given by Customer at that time, unless it is required to store the Personal Data under a law of the European Union or a Member State to which Bit Services is subject or unless explicitly agreed otherwise with Customer. The obligations set out in this section shall remain in force notwithstanding termination or expiration of this Agreement.
- Bit Services shall ensure that any employee, agent, independent contractor, or any other person engaging in the provision of the Services and who has access to Personal Data of Customer, shall comply with all information protection and privacy laws and regulations (including any and all legislative and/or regulatory amendments or successors thereto), applicable to Bit Services.
- Bit Services may only subcontract (part of the) Services to third parties (including Bit Services’s establishments outside the EEA) if Bit Services ensures that such third parties are bound in writing to the same obligations and Customer is awarded the same rights contained in this Agreement with regard to such third parties.
- In the event that (i) Bit Services is unable to comply with the material obligations stated in this Agreement, where any obligation required by law (including, but not limited to, Article 28 of the General Data Protection Regulation, No. 2016/679) is considered material, or (ii) Bit Services becomes aware of any circumstance or change in applicable data protection law that is likely to have a substantial adverse effect on Bit Services’s ability to meet its obligations under the Agreement, Bit Services shall promptly notify Customer to this effect, and Customer shall then be entitled, at its option, to (i) suspend all transfers of Personal Data until such time that the non-compliance is remedied, (ii) require Bit Services to cease processing relevant Personal Data until such time that the non-compliance is remedied, and/or (iii) immediately terminate this Agreement.
- Bit Services will make available to the Customer all information necessary to demonstrate compliance with the obligations regarding the processing of Personal Data provided to Bit Services as a data processor.
- Audit and Compliance.
- Bit Services shall make the processing systems, facilities and supporting documentation relevant to the processing of Personal Data available for an audit by Customer or a qualified independent assessor selected by Customer and provide all assistance Customer may reasonably require for the audit. If the audit demonstrates that Bit Services has breached any obligation under the Agreement, Bit Services shall immediately cure that breach;
- In case of inspection or audits by a competent governmental authority relating to the processing of personal data, Bit Services shall make available its relevant processing systems, facilities and supporting documentation to the relevant competent public authority for an inspection or audit if this is necessary to comply with applicable laws. In the event of any inspection or audit, each party shall provide all reasonable assistance to the other party in responding to that inspection or audit. If a competent public authority deems the processing of Personal Data under this Agreement unlawful, the parties shall take immediate action to ensure future compliance with applicable data protection law;
- Bit Services shall promptly inform Customer if: (i) it receives an inquiry, a subpoena or a request for inspection or audit from a competent public authority relating to the processing of Personal Data under this Agreement, except where Bit Services is otherwise prohibited by law from making such disclosure; or (ii) it intends to disclose Personal Data to any competent public authority.
Annex 1: Description of Bit Services’s processing activities
Details of the processing
Bit Services is a provider of software as a service for point of sale solutions for the retail and hospitality industry as well as the provider of an online platform that can be used for eCommerce purposes. Bit Services shall process Personal Data on behalf of the Customer to provide these services to the Customer pursuant to the Service Agreement and any additional purposes as instructed by Customer when using the Services.
Type of personal data
Depending on how the Customer chooses to use the Services, Bit Services may process the following types of personal data:
First name, Last name
Business Information (e-mail address, business address, registration number, tax registration number)
Contact information (e-mail address, home address, phone number)
Date of Birth
Business bank account details
Duration (retention terms)
Each type of personal data will be deleted upon receipt of an instruction thereto from the Customer
Categories of individuals whose data are processed
Persons who are using the Customer’s services.
Employees and other persons authorized by the Customer who have access to and use the Services.
Customer hereby gives Bit Services permission to engage the following (sub-) processors on Bit Services’s behalf:
Type of Services
Name (sub-) processor
Description of processing
Country of establishment
Storing of personal data received from the Customer to perform Customer support services
Analysis of non-personal data for statistical purposes.
Storing of personal data on cloud servers
Amazon Web Services, Inc
Storing of personal data on cloud servers
Sending of email receipts on behalf of retailers to customers
WhatsApp Ireland, Ltd
Multiplatform messaging app used for our services.
Tanla Solutions, Inc
Cloud based Communications Platform as a Service
Annex 2: Description of Bit Services’s Security Measures
Bit Services has taken appropriate and sufficient technical and organizational security measures to protect the Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where processing involves a transmission of Personal Data over a network, and against all other unlawful forms of processing.
The following description provides an overview of the technical and organizational security measures implemented. Such measures shall include, but are not limited to :
Bit Services will process the Personal Data as a Data processor, only for the purpose of providing the Services in accordance with documented instruction from the Customer (provided that such instructions are commensurate with the functionalities of the Services), and as may be agreed to with you.
Bit Services implements and maintains appropriate technical and organizational measures to protect the Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure.
Bit Services ensures that its personnel who access the Personal Data are subject to confidentiality obligations that restrict their ability to disclose the Personal Data.
In-transit: Bit Services makes HTTPS encryption available on every one of its login interfaces and on every customer site hosted on the Bit Services products. Bit Services’s HTTPS implementation uses industry standard algorithms and certificates.
At-rest: Bit Services stores user passwords following industry standard practices for security.
Preventing Unauthorized Product Access
Outsourced processing: Bit Services hosts its services on third party Hosting infrastructure in form of data centers and Infrastructure-as-a-Service (IaaS). Additionally, Bit Services maintains contractual relationships with vendors in order to provide the service in accordance with our Data Processing Agreement. Bit Services relies on contractual agreements, privacy policies, and vendor compliance programs in order to protect data processed or stored by these vendors.
Physical and environmental security: Bit Services hosts its product infrastructure with multi-tenant, outsourced infrastructure providers. The physical and environmental security controls are audited for SOC 2 Type II, ISO 27001 and PCI DSS compliance, among other certifications.
Authentication: Bit Services implemented a uniform password policy for its customer products. All users who needs to interact with the products via any interface must authenticate before accessing non-public customer data.
Authorization: Customer data is stored in multi-tenant storage systems accessible to Customers via only application user interfaces and application programming interfaces. Customers are not allowed direct access to the underlying application infrastructure. The authorization model in each of Bit Services’s product is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed through validating the user’s permissions against the attributes associated with each data set.
Preventing Unauthorized Product Use
Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure. The technical measures implemented differ between infrastructure providers and include Virtual Private Cloud (VPC) implementations, security group assignment, and traditional firewall rules.
Intrusion detection and prevention: Bit Services implemented a Web Application Firewall (WAF) solution to protect hosted customer websites and other internet-accessible applications. The WAF is designed to identify and prevent attacks against publicly available services.
Vulnerability scanning: Bit Services regularly scans its infrastructure and web services for known vulnerabilities and remediate on them in a timely manner.
Limitations of Privilege & Authorization Requirements
Product access: A subset of Bit Services’s employees have access to the products and to customer data via controlled interfaces. The intent of providing access to a subset of employees is to provide effective support, to troubleshoot potential problems, to detect and respond to security incidents and implement data security. Employees are granted access by role. Log-ins to data storage or processing systems are logged.
Database access: Customer data is accessible and manageable only by properly authorized staff. Direct database query access is restricted, and application access rights are established and enforced.
Incident Management Control
Detection: Bit Services designed its infrastructure to log extensive information about the system behavior, traffic received, system authentication, and other application requests. Internal systems aggregated log data and alert appropriate employees of malicious, unintended, or anomalous activities. Bit Services personnel, including security, operations, and support personnel are responsive to known incidents.
Response and tracking: Bit Services maintains a record of known security incidents that includes descriptions, dates and times of relevant activities, and incident remediation. Suspected and confirmed security incidents are investigated by security, operations or support personnel, and appropriate resolution steps are identified and documented. For any confirmed incidents, Bit Services will take appropriate steps to minimize product and Customer damage or unauthorized disclosure.
Communication: If Bit Services becomes aware of unlawful access to Customer data stored within its products, Bit Services will: Notify the affected Customers of the incident; Provide a description of the steps Bit Services is taking to resolve the incident; Provide status updates to the Customer contact, as it deems necessary or is legally required. Notification of incidents, if any, will be delivered to one or more of the Customer’s contacts in a form Bit Services selects, which may include via email or telephone.
For more detailed information on the latest state of art measures, please contact us directly.