This Data Processing Addendum (“DPA”) forms part of the Terms of Service between DATAENGINE LLC, doing business as ApronPrep (“Processor”), and the customer entity accepting these terms (“Customer”). This DPA applies where ApronPrep processes personal data on Customer’s behalf in connection with the Service.
In the event of a conflict between this DPA and the Terms of Service, this DPA will control with respect to the processing of Personal Data, except to the extent the Terms of Service provide greater protection to Personal Data.
1. Definitions
“Personal Data” means any information relating to an identified or identifiable natural person that is submitted to the Service by or on behalf of Customer.
“Data Subject” means an identifiable natural person whose Personal Data is processed under this DPA.
“Processing” means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, storage, use, disclosure, or deletion.
“Subprocessor” means any third party engaged by ApronPrep to process Personal Data on Customer’s behalf.
“Sensitive Data” means the categories of Personal Data identified as sensitive in Section 3.4 of this DPA.
2. Roles of the Parties
Customer is the Data Controller with respect to Personal Data submitted through the Service. Nothing in this DPA requires ApronPrep to act as Customer’s legal, tax, regulatory, employer, or filing agent.
ApronPrep is the Data Processor with respect to such Personal Data, acting only on Customer’s instructions as documented in this DPA and the Terms of Service.
3. Scope of Processing
3.1 Subject Matter
Provision of AI-assisted compliance documentation services, including preparation of regulatory, employment, tax, licensing, food safety, and workplace safety documents for restaurant operators.
3.2 Duration
For the duration of Customer’s use of the Service and the applicable retention period for each data category, as described in Section 7 of the Privacy Policy and Section 4(f) of this DPA.
3.3 Nature and Purpose of Processing
Processing Personal Data to: (i) provide, operate, and support the Service; (ii) generate AI-assisted document Outputs based on Customer’s Inputs; (iii) store and retrieve documents prepared by Customer; (iv) provide customer support; and (v) maintain the security and reliability of the Service. Any model-improvement or product-improvement use of Personal Data will be limited to data that has first been anonymized or aggregated, as described in the Privacy Policy and Terms.
ApronPrep does not use identifiable Sensitive Data (including SSNs, immigration information, financial account data) or OSHA injury records for model training, product analytics, or purposes other than the specific Service functions for which they were submitted.
3.4 Categories of Personal Data
ApronPrep processes the following categories of Personal Data on behalf of Customer:
- (a) Business and Operator Data: Business name, EIN, business address and contact information, license and permit identifiers, ownership information.
- (b) Employee Identity Data: Employee names, contact information, job titles, employment dates.
- (c) Employment Eligibility Data [SENSITIVE]: Form I-9 document types, document identification numbers, expiration dates, citizenship and work authorization status, E-Verify case identifiers.
- (d) Tax and Wage Data [SENSITIVE]: Employee and employer SSNs and EINs, federal and state tax withholding elections, wage amounts, tip income, unemployment tax account identifiers.
- (e) Financial Account Data [SENSITIVE]: Bank routing and account numbers submitted in connection with EFTPS enrollment and related tax payment registrations.
- (f) Workplace Safety Data: OSHA Form 300A injury and illness records, including employee names, job classifications, injury descriptions, and related incident information.
- (g) Training and Certification Data: Food handler and food protection manager certifications, allergen awareness training records, sexual harassment prevention training records, and equivalent state-required training certifications.
- (h) Food Safety and Operational Data: HACCP plan content, food establishment plan review submissions, allergen and food safety procedure records.
Data categories marked [SENSITIVE] are subject to enhanced security controls, including encryption at rest, and restricted use as described in this DPA.
The foregoing categories do not include, and Customer may not submit to the Service, Protected Health Information as defined under HIPAA. ApronPrep does not act as a Business Associate under HIPAA and has not entered into any Business Associate Agreement with Customer. Customer represents and warrants that it will not submit Protected Health Information to the Service under any circumstances.
3.5 Categories of Data Subjects
Customer’s authorized users; Customer’s current and former employees and workers whose information is included in documents submitted to the Service.
4. Processor Obligations
ApronPrep shall:
- (a) Process Personal Data only on Customer’s documented instructions as set forth in this DPA and the Terms of Service, unless otherwise required by applicable law. Customer’s use of the Service, configuration choices, and acceptance of these Terms and the Privacy Policy constitute Customer’s documented instructions for the Processing described in this DPA.
- (b) Implement and maintain the security measures described in Section 7 of this DPA.
- (c) Ensure that personnel who access Personal Data are subject to appropriate confidentiality obligations.
- (d) Assist Customer, to the extent reasonably practicable and using commercially reasonable efforts and consistent with the nature of the processing, with fulfilling Customer’s obligations to respond to Data Subject rights requests under applicable law.
- (e) Notify Customer of a confirmed Personal Data breach involving Customer’s data without undue delay. Such notification will include, to the extent reasonably available at the time of notification: (i) a description of the nature of the breach; (ii) the categories and approximate number of affected Data Subjects; (iii) the categories and approximate volume of affected Personal Data; (iv) the identity of the ApronPrep contact handling the matter; and (v) a description of measures taken or proposed to address and mitigate the breach.
- (f) Upon termination or expiration of the Service, ApronPrep will retain Customer’s Personal Data for a period of up to ninety (90) days to allow for account reactivation or data retrieval. Following that period, ApronPrep may delete Customer’s Personal Data in the ordinary course of its data management practices. At any time, Customer may submit a written request to [email protected] requesting deletion of its Personal Data, and ApronPrep will use commercially reasonable efforts to honor such request within ninety (90) days, except as required to be retained by applicable law or maintained in encrypted backup or log archives pursuant to ApronPrep’s standard retention practices. Such retained backup or log data will remain subject to applicable security controls and ordinary retention/deletion schedules. ApronPrep may retain anonymized or aggregated data indefinitely.
5. Customer Obligations
Customer represents and warrants that:
- (a) It has all necessary rights, consents, and legal authority to submit the Personal Data it provides to the Service, including appropriate legal bases for processing employee data under applicable federal and state law.
- (b) Employee Personal Data submitted to the Service has been collected in compliance with applicable employment, privacy, and data protection law, including any applicable employee notice requirements.
- (c) It will review, verify, and validate all Outputs before submission to any government authority, regulatory agency, or third party.
6. Subprocessors
Customer authorizes ApronPrep to engage Subprocessors to assist in providing the Service. ApronPrep currently uses Subprocessors in the following categories:
- Cloud infrastructure and hosting providers
- Payment processors (including Stripe, Inc.)
- Analytics and monitoring service providers
- Customer support platform providers
ApronPrep maintains a current list of Subprocessors, which will be made available to Customer upon written request. ApronPrep may update its Subprocessors at any time at its discretion. ApronPrep remains responsible for each Subprocessor’s compliance with the obligations of this DPA.
7. Security Measures
ApronPrep implements reasonable technical and organizational security measures designed to protect Personal Data, including:
- Encryption of Personal Data in transit using TLS
- Encryption at rest for Sensitive Data categories
- Access controls limiting Personal Data access to authorized personnel
- Confidentiality obligations for personnel with access to Personal Data
- Incident response procedures
ApronPrep may update its security measures at any time. Any such updates will not materially diminish the core protective measures expressly described in this DPA without a corresponding update to applicable customer-facing disclosures or agreements.
8. Audit Rights
ApronPrep may, at its sole discretion, provide Customer with documentation or certifications relating to its security practices upon written request. ApronPrep is not obligated to conduct, facilitate, or accommodate any audit, inspection, or review of its systems, processes, or data handling practices.
9. Regulatory Records — Specific Processor Acknowledgments
The parties acknowledge that certain categories of Personal Data processed under this DPA are subject to specific regulatory requirements that bind Customer independently of this DPA:
(a) I-9 Records.
Customer remains solely responsible for the retention, correction, re-verification, and production of Form I-9 records pursuant to 8 C.F.R. § 274a.2. ApronPrep’s processing of I-9 data is limited to document preparation assistance. ApronPrep does not act as Customer’s employer agent under IRCA and does not submit E-Verify queries on Customer’s behalf.
(b) OSHA Records.
Customer remains solely responsible for maintaining, correcting, and posting workplace injury and illness records in compliance with 29 C.F.R. Part 1904. ApronPrep assists in preparing OSHA Form 300A and related records but does not assume Customer’s independent OSHA recordkeeping obligations.
(c) Tax Records.
Customer remains solely responsible for the accuracy, completeness, timely filing, and retention of all tax-related documents. ApronPrep is not a tax preparer and does not file, sign, or certify any tax document on Customer’s behalf.
10. Future Direct Submission Features
When ApronPrep introduces Submission Features enabling direct electronic transmission of documents to government portals or agencies, additional processing terms will apply. Such terms will be provided to Customer for acceptance before the relevant Submission Feature is activated. Those additional terms will specify, at minimum: the government systems to which data may be transmitted; the data categories involved; the applicable security measures; and any agency-specific authorization requirements. Such additional terms may also include agency-specific authorization requirements, data-flow descriptions, support limitations, and allocation of responsibility for submission outcomes.
Until Submission Features are made available and additional terms accepted by Customer, ApronPrep does not transmit any Personal Data to any government portal or agency on Customer’s behalf.
11. International Data Transfers
The Service is currently operated from and intended for use within the United States. ApronPrep does not intentionally transfer Personal Data to recipients outside the United States in connection with the Service. If ApronPrep’s data processing practices change to involve international transfers, this DPA will be updated accordingly and Customer will be notified.
12. Liability
Liability under this DPA is subject to the limitations of liability set forth in the Terms of Service.
13. Governing Law
This DPA is governed by the laws of the State of New Hampshire, without regard to conflict of laws principles, consistent with the governing law provision of the Terms of Service.