Olo Data Processing Addendum

Last Updated: February 14, 2023

‍This Data Processing Addendum, including all schedules and exhibits attached hereto (“DPA”) is entered into between the company accessing or using Olo’s products or services (“Company”) and Olo Inc. (“Processor”) in connection with Processor’s provision of services to Company under any existing, written, and currently valid agreements (collectively, “Agreement”). It applies where Processor’s Processing of Personal Data on behalf of Company is subject to Applicable Data Protection Law. Notwithstanding the foregoing, this DPA does not apply to any Personal Data processed by Processor in connection with Borderless Olo Pay, with respect to which Processor acts as a Controller (as defined below) and with respect to which the parties acknowledge and agree that they are independent Controllers. This DPA is hereby incorporated by reference into the Agreement.

‍We reserve the right to modify this DPA at any time. If we make material changes to this DPA, we will notify you by updating the date of this DPA. The current version of this DPA will always be posted at this page. All capitalized terms not otherwise defined in this DPA will have the meaning given to them in the Agreement. In the event of any inconsistency or conflict between this DPA and the Agreement, this DPA will govern. This DPA will survive termination of the Agreement. Company and Processor agree as follows:‍

1. Definitions

  • a. "Applicable Data Protection Law" means all applicable data protection laws, rules, regulations, orders, ordinances, regulatory guidance, and industry self-regulations.
  • b. "Controller" means an entity that, alone or jointly with others, determines the purposes for and means of Processing. “Controller” has the same meaning as “Business,” as that term is defined under Applicable Data Protection Law.
  • c. "Data Subject" means an identified or identifiable natural person.
  • d. "De-Identified Data" means data that cannot reasonably be used to infer information about, or otherwise be linked to, a Data Subject or as that term is otherwise defined under Applicable Data Protection Law.
  • e. "Personal Data" means information that Processor Processes on Company’s behalf that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, to a Data Subject, or as that term or a similar term is defined under Applicable Data Protection Law.
  • f. "Process" or "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, including, but not limited to, accessing, collecting, recording, organizing, structuring, using, storing, transferring, retaining, disclosing, selling, sharing, deleting, and destroying Personal Data.
  • g. "Processor" means a natural or legal person that Processes Personal Data on a Controller’s behalf. “Processor” has the same meaning as “Service Provider,” as that term is defined under Applicable Data Protection Law.
  • h. "Processor Systems" means the facilities, systems, equipment, hardware, and software Processor and Processor’s subprocessors use to Process Personal Data.
  • i. "Security Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data Processed by Processor.

2. Roles and Responsibilities

Processor will Process Personal Data on Company’s behalf, as described in more detail in Schedule 1. As between Company and Processor, Company will be the Controller and Processor will be the Processor. Processor is fully responsible for any authorized or unauthorized Processing of Personal Data. Processor agrees to:

  • a. Process Personal Data solely in accordance with Company’s documented instructions and for the specific business purposes and services specified in the Agreement and this DPA;
  • b. except as permitted by Applicable Data Protection Law, not retain, use, disclose, or otherwise Process Personal Data (i) for any purposes other than those specified in the Agreement and in Schedule 1; (ii) for any commercial purpose other than the specific business purposes specified in the Agreement and the DPA, including to provide services to a different business; and (iii) outside the direct business relationship between Company and Processor, including to combine or update Personal Data with information received from or on behalf of another source or collected from Processor’s own interactions with a Data Subject;
  • c. not “sell” or “share” Personal Data, as Applicable Data Protection Law defines those terms;
  • d. treat all Personal Data as the confidential information of Company;
  • e. ensure that persons who Process Personal Data on Processor’s behalf (such as employees) are bound by obligations of confidentiality;
  • f. at Company’s request, update, correct, delete, supplement, transfer, and provide Company with access to Personal Data in Processor’s possession or control;
  • g. cooperate with and assist Company, insofar as is reasonable, to enable Company to comply with Applicable Data Protection Law including to respond to requests from Data Subjects to exercise their rights under Applicable Data Protection Law;
  • h. upon Processor’s or a subprocessor’s receipt of a legally-binding request for access to Personal Data from a public authority and where permitted by applicable law, timely notify Company of the request for access and provide details about the requesting party, the types of Personal Data requested, and the purpose and methods of the disclosure (so as to provide Company the opportunity to comply with its notice and consent obligations with respect to affected Data Subjects or oppose the disclosure and obtain a protective order or seek other relief); and
  • i. with respect to any De-Identified Data that Processor Processes under the Agreement: (i) take reasonable measures to ensure that such data cannot be associated with a Data Subject; (ii) Process such data only in a de-identified fashion; (iii) not attempt to re-identify such data; and (iv) contractually obligate any recipients of such data to comply with this section.

3. Data Subject Requests

Company will inform Processor of any Data Subject request with which the parties must comply including, but not limited to, requests to access, update, correct, delete, or transfer Personal Data, restrict or stop certain Processing, or obtain additional details about how Personal Data is Processed. Company will provide the information necessary for Processor to comply with such requests, and Processor will cooperate, and follow any instructions Company issues, in responding to such requests in a timely and lawful manner. Processor will provide confirmation and supporting documentation that verifies its compliance with this section, upon request.‍

4. Subprocessors

If Processor wishes to subcontract any Processing of Personal Data to a third party, Processor shall notify Company at least ten (10) business days prior to engaging a subprocessor. Company shall have the opportunity to object to the use of a subprocessor to the extent such opportunity is required by Applicable Data Protection Law. If the objection cannot be resolved, either Company or Processor may terminate Processor’s services and the associated Agreement.‍

5. Security Safeguards

Processor will implement appropriate administrative, technical, and organizational safeguards to ensure the confidentiality, integrity, and availability of Personal Data and prevent any unauthorized or unlawful Processing of such data. The safeguards will be appropriate to the nature of the Personal Data, meet or exceed prevailing industry standards, and comply with Applicable Data Protection Law.

6. Audits; Monitoring Compliance

  • a. Processor will procure annual SSAE 18 Type II or SOC2 audits (or audits of a substantially similar standard) conducted by an independent third party. The results of the most recent audit (“Audit Results”) will be provided to Company in a form reasonably acceptable to Company within thirty (30) days of Company’s written request. The Audit Reports will be considered Processor’s confidential information. Processor will promptly correct each material vulnerability uncovered in the audit at its sole cost and expense and will certify in writing to Company that it has corrected all such vulnerabilities.
  • b. Company agrees to exercise its audit rights by first requesting the Audit Results as described in Section 6(a). Company will only request additional information or an on-site audit of Processor to the extent the Audit Results are not reasonably sufficient to enable Company to evaluate Company’s compliance with this DPA and/or Applicable Data Protection Law. Except in the event of a Security Breach or regulatory investigation, Company will provide no less than 30 days’ advance notice of its request for an on-site audit and will cooperate in good faith with Processor to schedule any such audit on a mutually agreed upon date and time (such agreement not to be unreasonably withheld by either party).
  • c. Company has the right to take reasonable and appropriate steps to ensure that Processor uses Personal Data in a manner that is consistent with Company’s obligations under Applicable Data Protection Law including, but not limited to, conducting audits of Processor Systems no more than once every 12 months.

7. Security Breach

  • a. In the event Processor has actual knowledge of a Security Breach, Processor will promptly: (i) notify Company in writing of the Security Breach; and (ii) help Company investigate and remediate the Security Breach.
  • b. In the event of a Security Breach, Company has the right to control the breach notification process including, but not limited to, control over notifying any individuals, regulators, and supervisory authorities, or third parties of the Security Breach, unless Applicable Data Protection Law dictates otherwise.

8. Return or Destruction of Personal Data

Upon Company’s request, or immediately upon termination of the Agreement, Processor will cease all Processing of Personal Data and, at Company’s direction, either (a) return such data to Company or (b) destroy such data and certify such destruction to Company in writing. Processor is permitted to retain Personal Data where it has a legal requirement to do so.

9. Third-Party Beneficiaries

The parties agree that Company’s subsidiaries and affiliates are intended third-party beneficiaries of this DPA.

10. Noncompliance; Remedies

If Processor determines that it can no longer meet its obligations under this DPA, it will promptly notify Company. Processor will cooperate with Company’s reasonable requests regarding any unauthorized Processing of Personal Data.

Schedule 1

Scope of Processing

1. Controller / Data Exporter

Name Company
Activities relevant to the data Processed under the DPA: Company is the owner of a restaurant brand that operates corporate-owned restaurants and/or a franchised system with independent store owner franchisees operating under a trade name owned by Company, and is contracting with Processor for its online ordering, delivery enablement, guest engagement, payment processing and/or other associated services and solutions.

2. Processor / Data Importer

Name: Olo Inc.
Address: 99 Hudson Street, Floor 10
New York, NY 10013
Activities relevant to the data Processed under the DPA: Processor is a United States-based provider of e-commerce, delivery enablement, payment, customer engagement and other associated solutions and services.
Point of Contact: Stephanie Margulies
Vice President, Legal
steph.margulies@olo.com

3. Subject Matter of Processing

The Processing is in relation to Processor’s provision of services under the Agreement.

‍4. Duration of Processing

The Processing will begin after the Effective Date and will end upon expiration or termination of the Agreement.

5. Nature and Purpose of Processing

The nature and purposes of Processing include processing and fulfilling online order and delivery transactions; verifying customer information; processing payments; creating and maintaining guest profiles; providing software to enable Company to manage consumer marketing campaigns; and conducting analytics.

‍6. Types of Personal Data

Contact information; location information; and transaction information.

7. Categories of Data Subjects

Customers

8. Period of Data Retention by Processor

Processor will retain the Personal Data until the date that is ninety (90) days following termination of the Agreement, unless otherwise agreed to by the parties.

‍9. Period of Data Retention by Processor

The technical and organizational measures implemented by the Processor (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the Processing, and the risks for the rights and freedoms of natural persons are: (a) secure business facilities, data centers, servers, and back-up systems and disaster recovery; (b) network, device application, database and platform security; (c) secure transmission, storage and disposal; (d) encryption of Personal Data placed on any electronic notebook, portable hard drive or removable electronic media with information storage capability, such as compact discs, USB drives, flash drives, tapes; (e) encryption of Personal Data in transit over public networks; (f) segregating Personal Data from information of other clients of Olo; and (g) personnel security and integrity including, but not limited to, background checks consistent with applicable law.

For transfers to (sub)processors, the specific technical and organization measures to be taken by the (sub)processor to be able to provide assistance to the controller and, for transfers from a processor to a subprocessor, to the data exporter, are described in the DPA.

The specific technical and organizational measures Processor will take to assist Company in fulfilling its obligations to respond to Data Subjects’ requests to exercise their rights under Applicable Data Protection Law are described in the DPA.