Data Processing Addendum
Last updated: April 10, 2026
This Data Processing Addendum ("DPA") forms part of the agreement between MOMO INVEST ("Service", "Processor") and the restaurant subscribing to the Service platform ("Client", "Controller").
This DPA reflects the parties' obligations under the General Data Protection Regulation (EU) 2016/679 ("GDPR").
1. Roles
The Client is the Controller and Service is the Processor within the meaning of Article 28 GDPR. Service processes Personal Data solely on behalf of the Client and under the Client's documented instructions.
2. Scope of processing
- Subject matter: provision of the Service reservation management platform
- Duration: term of the agreement + retention periods (see §10)
- Nature and purpose: storage, organization, retrieval, and transmission of reservation and guest management data
- Categories of data subjects: restaurant guests (diners), restaurant staff members
3. Processor's obligations
- Process Personal Data only on documented instructions from the Controller
- Ensure that persons authorized to process the data are bound by confidentiality
- Implement the technical and organizational measures described below
- Comply with sub-processor requirements
- Assist the Controller in responding to data subject requests
- Assist the Controller with obligations under Articles 32-36 GDPR
- Delete or return Personal Data at the end of the service
4. Data breach notification
The Processor shall notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a Data Breach.
5. Sub-processors
The Controller grants the Processor a general written authorization to engage Sub-processors. The current list is available at /en/legal/sub-processors. The Processor notifies the Controller by email at least 15 days before any change.
6. Data subject rights
The Processor assists the Controller in responding to data subject requests (access, rectification, erasure, restriction, portability, objection). If a data subject contacts the Processor directly, the Processor forwards the request to the Controller.
7. International transfers
Personal Data is stored and processed within the European Union (Google Cloud Platform, europe-west9 region, Paris). Transfers outside the EEA are covered by Standard Contractual Clauses (SCCs) or the EU-US Data Privacy Framework.
8. Audits
The Controller may audit compliance with this DPA once per calendar year, with 20 business days' notice. Audits may be conducted remotely or on-site, during normal business hours.
9. Retention and deletion
Upon termination of the agreement, the Controller may request data export within 30 days. The Processor then deletes all Personal Data within 90 days.
Annex 1 — Categories of personal data
Guest data
- Identity: first name, last name
- Contact: email, phone
- Health: allergies, dietary preferences (Article 9 GDPR)
- Behavioral: visit history, no-shows, cancellations
- Preferences: VIP, blacklist, language
- Marketing consent: email and SMS with timestamps
Staff data
- First name, last name, email, role, permissions, authentication tokens
Annex 2 — Technical and organizational measures
Infrastructure security
- Hosting on GCP europe-west9 (Paris)
- Encryption: AES-256 at rest, TLS 1.2+ in transit
- Network isolation: private VPC for database and cache
- Secret management: Google Secret Manager + External Secrets Operator
Application security
- JWT authentication with token rotation and theft detection
- Passwords: bcrypt
- Mobile credentials: iOS Keychain (hardware-backed encryption)
- Authorization: 5-tier role hierarchy
- Immutable audit log for every reservation status change
Operational security
- IAM-based access control, Workload Identity Federation
- GitOps deployment (Flux v2)
- Automated backups, point-in-time recovery
- Continuous monitoring, Slack alerts