StreetEat Data Processing Agreement
Effective Date: January 24, 2026
This Data Processing Agreement ("DPA") forms part of the StreetEat Terms of Service and applies to all vendors using the StreetEat platform. By accepting these terms, you acknowledge and agree to the data processing practices outlined below.
1. Definitions
For the purposes of this DPA:
- "Data Controller" means you, the vendor, who determines the purposes and means of processing personal data.
- "Data Processor" means StreetEat, which processes personal data on behalf of the Data Controller.
- "Personal Data" means any information relating to an identified or identifiable individual, including but not limited to customer names, email addresses, phone numbers, payment information, and order history.
- "Processing" means any operation performed on personal data, including collection, storage, use, disclosure, and deletion.
- "Data Subject" means an individual whose personal data is processed.
- "Subprocessor" means any third party engaged by StreetEat to process personal data on behalf of the Data Controller.
- "Data Breach" means unauthorized access, disclosure, alteration, or destruction of personal data.
2. Scope and Purpose
2.1 Purpose of Processing
StreetEat processes personal data solely for the purpose of providing the StreetEat platform services, which include:
- Facilitating transactions between vendors and customers
- Processing payments and subscription fees
- Providing vendor dashboard and menu management tools
- Displaying vendor location and menu information to customers
- Facilitating customer reviews and ratings
- Sending transactional notifications (orders, payments, account updates)
- Providing customer support
- Ensuring platform security and preventing fraud
2.2 Types of Personal Data Processed
StreetEat processes the following categories of personal data on behalf of vendors:
- Customer Data: Names, email addresses, phone numbers, delivery addresses, order history, payment information, dietary preferences
- Vendor Data: Business name, contact information, business licenses, food handler certifications, menu items, pricing, location data
- Transaction Data: Order details, payment amounts, timestamps, payment methods
- Usage Data: App interactions, search queries, click patterns, device information
- Communication Data: Customer support messages, review content, vendor notifications
2.3 Data Subjects
Personal data relates to the following categories of data subjects:
- Customers who order from vendors through the StreetEat platform
- Vendors who use the StreetEat platform to sell food products
- Vendor employees who access the vendor dashboard
3. Data Controller Obligations
As the Data Controller, you (the vendor) agree to:
- Lawful Processing: Ensure that you have a lawful basis for processing personal data and have obtained all necessary consents from data subjects.
- Accurate Instructions: Provide clear and lawful instructions to StreetEat regarding data processing.
- Data Accuracy: Ensure that personal data you provide to StreetEat is accurate, complete, and up-to-date.
- Data Subject Rights: Respond to data subject requests (access, deletion, correction) and cooperate with StreetEat to fulfill these requests.
- Privacy Notice: Provide clear privacy notices to your customers explaining how their data will be processed by you and StreetEat.
- Compliance: Comply with all applicable data protection laws and regulations.
4. Data Processor Obligations
As the Data Processor, StreetEat agrees to:
- Process Only as Instructed: Process personal data only in accordance with your documented instructions (as outlined in this DPA and the Terms of Service), unless required by law to process data differently.
- Confidentiality: Ensure that all personnel authorized to process personal data are bound by confidentiality obligations.
- Security Measures: Implement appropriate technical and organizational security measures to protect personal data (see Section 5).
- Subprocessor Management: Only engage subprocessors in accordance with Section 7 and ensure they are bound by equivalent data protection obligations.
- Data Subject Rights: Assist you in responding to data subject requests for access, deletion, correction, and other rights (see Section 6).
- Data Breach Notification: Notify you of any data breach within 72 hours of becoming aware of the breach (see Section 8).
- Data Deletion: Delete or return personal data upon termination of services, unless required by law to retain data.
- Audit Cooperation: Provide reasonable cooperation for audits and inspections (see Section 9).
- Documentation: Maintain records of all processing activities and make them available upon request.
5. Security Measures
StreetEat implements the following technical and organizational security measures to protect personal data:
5.1 Technical Measures
- Encryption: All data transmitted between users and StreetEat servers is encrypted using TLS 1.2 or higher. Sensitive data at rest is encrypted using industry-standard encryption (AES-256).
- Access Controls: Role-based access controls (RBAC) ensure that only authorized personnel can access personal data. Multi-factor authentication (MFA) is required for all staff accounts.
- Firewall Protection: Network firewalls protect StreetEat infrastructure from unauthorized access.
- Intrusion Detection: Automated intrusion detection and prevention systems monitor for suspicious activity.
- Data Backups: Regular automated backups with encryption and geographic redundancy.
- Vulnerability Scanning: Regular security assessments and vulnerability scans.
- Secure Development: Secure coding practices, code reviews, and security testing.
5.2 Organizational Measures
- Staff Training: All employees receive annual data protection and security training.
- Background Checks: Background checks for employees with access to personal data.
- Confidentiality Agreements: All employees and contractors sign confidentiality agreements.
- Incident Response Plan: Documented data breach response plan with defined roles and escalation procedures.
- Vendor Management: Security requirements for all third-party vendors and subprocessors.
- Data Minimization: Collection and retention of only the personal data necessary for service delivery.
- Access Logging: All access to personal data is logged and audited regularly.
6. Data Subject Rights
StreetEat will assist vendors in fulfilling data subject rights requests, including:
6.1 Right to Access
Data subjects can request access to their personal data. StreetEat provides a data export feature allowing vendors to download all personal data in machine-readable format (JSON).
6.2 Right to Deletion
Data subjects can request deletion of their personal data. StreetEat provides account deletion functionality that permanently deletes all personal data within 30 days, subject to legal retention requirements.
6.3 Right to Correction
Data subjects can request correction of inaccurate personal data. StreetEat provides account settings where users can update their information.
6.4 Right to Opt-Out
Data subjects can opt out of certain data processing activities, including:
- Marketing emails and SMS (CAN-SPAM and TCPA compliance)
- Sale of personal data to third parties (CCPA compliance)
- Non-essential cookies and analytics (cookie consent)
- Location tracking (GPS tracking can be disabled)
6.5 Response Timeline
StreetEat will respond to data subject rights requests within 30 days (or 45 days for complex requests with notice to the data subject).
7. Subprocessors
7.1 Authorized Subprocessors
StreetEat engages the following subprocessors to assist in providing services:
| Subprocessor | Service Provided | Data Location |
| --- | --- | --- |
| Google Cloud Platform (Firebase) | Database, authentication, cloud storage, hosting | United States (us-central1) |
| Stripe, Inc. | Payment processing | United States |
| Vercel, Inc. | Web hosting, edge functions | United States (global CDN) |
| MapTiler AG | Map tiles and geocoding services | Switzerland |
| Mapbox, Inc. | Alternative map provider (optional) | United States |
For a complete and up-to-date list of subprocessors, please visit: StreetEat Subprocessors List
7.2 Subprocessor Due Diligence
StreetEat ensures that all subprocessors:
- Provide sufficient guarantees to implement appropriate technical and organizational security measures
- Are contractually bound by data protection obligations equivalent to those in this DPA
- Comply with applicable data protection laws and regulations
- Are subject to regular security audits and assessments
7.3 Notification of New Subprocessors
StreetEat will provide vendors with at least 30 days' advance notice before engaging any new subprocessor. Notice will be provided via:
- Email notification to the vendor's registered email address
- Update to the Subprocessors List (with effective date)
- In-app notification (vendor dashboard)
7.4 Objection to New Subprocessors
Vendors may object to the use of a new subprocessor on reasonable grounds related to data protection. Objections must be submitted in writing within 15 days of notification. If StreetEat cannot accommodate the objection, either party may terminate the agreement with 30 days' notice.
8. Data Breach Notification
8.1 Notification Timeline
StreetEat will notify vendors of any data breach affecting their personal data within 72 hours of becoming aware of the breach.
8.2 Breach Notification Contents
Breach notifications will include:
- Description of the nature of the breach (type of data, approximate number of records affected)
- Likely consequences of the breach
- Measures taken or proposed to address the breach and mitigate harm
- Contact information for StreetEat's data protection officer or incident response team
- Whether the breach requires notification to data subjects or regulatory authorities
8.3 Breach Response Cooperation
StreetEat will:
- Cooperate with vendors in investigating and remediating the breach
- Provide reasonable assistance in notifying data subjects and regulatory authorities, if required
- Document all breach-related activities and make records available for audit
- Implement additional security measures to prevent recurrence
8.4 Vendor Responsibilities
Upon receiving breach notification, vendors are responsible for:
- Assessing whether notification to data subjects is required under applicable law
- Notifying regulatory authorities if required (e.g., state attorneys general, FTC)
- Communicating with affected customers as appropriate
- Documenting all breach response activities
9. Audit Rights
9.1 Audit Cooperation
StreetEat will provide reasonable cooperation for vendor audits and inspections to verify compliance with this DPA, including:
- Providing documentation of security measures and data processing activities
- Responding to written questions about data protection practices
- Allowing inspection of relevant systems and processes (subject to confidentiality and security requirements)
9.2 Audit Limitations
Audit rights are subject to the following limitations:
- Vendors must provide at least 30 days' advance notice of audit requests
- Audits may be conducted no more than once per year, unless triggered by a data breach
- Audits must not disrupt StreetEat's normal business operations
- Auditors must sign confidentiality agreements before accessing StreetEat systems
- Vendors are responsible for all costs associated with audits (unless audit reveals material non-compliance)
9.3 Third-Party Certifications
StreetEat maintains industry-standard security certifications and attestations, which may be provided in lieu of on-site audits:
- PCI DSS SAQ A (Self-Assessment Questionnaire for payment processing)
- SOC 2 Type II audit report (subject to NDA, upon request)
- Third-party security assessments and penetration tests (executive summaries available)
10. Data Transfers
10.1 Data Location
Personal data is primarily stored in the United States (Google Cloud us-central1 region). Data may be transferred to other locations where StreetEat or its subprocessors operate, including:
- United States (primary storage and processing)
- Switzerland (map services via MapTiler)
- Global CDN edge locations (Vercel)
10.2 Cross-Border Transfers
StreetEat ensures that all cross-border data transfers comply with applicable data protection laws through appropriate safeguards, including:
- Contractual clauses with subprocessors
- Adherence to industry-standard security frameworks
- Data encryption in transit and at rest
11. Data Retention and Deletion
11.1 Retention Periods
StreetEat retains personal data for the following periods (see Data Retention Policy for complete details):
- Active vendor accounts: Duration of account + 30 days after deletion
- Financial records: 7 years (IRS requirement)
- Consent records: 3 years after withdrawal
- Location history: 90 days (or until disabled by vendor)
- Customer reviews: 3 years after vendor deletion (then anonymized)
11.2 Automated Deletion
StreetEat implements automated data deletion processes to enforce retention policies:
- Daily cleanup of location history >90 days
- Daily purge of soft-deleted accounts after 30-day grace period
- Weekly archival of old financial records to cold storage
- Monthly compliance audits to identify retention policy violations
11.3 Deletion Upon Termination
Upon termination of the vendor's use of StreetEat services, StreetEat will:
- Delete all personal data within 30 days, subject to legal retention requirements
- Provide confirmation of deletion upon request
- Retain only data required by law (financial records, tax documents, legal hold)
12. Liability and Indemnification
12.1 Limitation of Liability
StreetEat's liability for data processing violations is limited as follows:
- Total liability shall not exceed the fees paid by the vendor in the 12 months preceding the claim
- StreetEat is not liable for breaches caused by vendor's instructions, actions, or negligence
- StreetEat is not liable for subprocessor breaches if StreetEat exercised reasonable due diligence
12.2 Vendor Indemnification
Vendor agrees to indemnify StreetEat for claims arising from:
- Vendor's violation of data protection laws
- Vendor's unlawful instructions to StreetEat
- Vendor's failure to obtain necessary consents from data subjects
- Inaccurate or misleading data provided by vendor
13. Term and Termination
13.1 Term
This DPA is effective as of the date vendor accepts the StreetEat Terms of Service and remains in effect until termination of the vendor's use of StreetEat services.
13.2 Termination
This DPA may be terminated:
- By either party with 30 days' written notice
- Immediately by StreetEat if vendor materially breaches data protection obligations
- Immediately by vendor if StreetEat materially breaches this DPA and fails to cure within 30 days
- Upon termination of the StreetEat Terms of Service
13.3 Effect of Termination
Upon termination:
- StreetEat will cease processing personal data (except as required for deletion/archival)
- StreetEat will delete or return all personal data within 30 days (subject to legal requirements)
- Vendor's data export will be available for 30 days after termination
- Provisions relating to confidentiality, liability, and indemnification survive termination
14. Updates to DPA
14.1 DPA Modifications
StreetEat may update this DPA from time to time to reflect:
- Changes in data protection laws
- New service features or processing activities
- Security improvements
- Changes to subprocessors
14.2 Notification of Changes
Material changes to this DPA will be communicated via:
- Email notification to vendor's registered email address (at least 30 days before effective date)
- In-app notification (vendor dashboard)
- Update to "Effective Date" at the top of this document
14.3 Acceptance of Updates
Continued use of StreetEat services after the effective date constitutes acceptance of the updated DPA. Vendors who do not accept updates may terminate their account with 30 days' notice.
15. Contact Information
15.1 Data Protection Officer
For questions or concerns about data processing, contact StreetEat's Data Protection Officer:
Email: privacy@streeteat.com
Subject Line: "DPA Inquiry - [Vendor Name]"
Response Time: Within 5 business days
15.2 Data Breach Reporting
To report a suspected data breach:
Email: security@streeteat.com
Subject Line: "URGENT: Data Breach Report"
24/7 Hotline: Available upon request for verified vendors
15.3 Subprocessor Objections
To object to a new subprocessor:
Email: privacy@streeteat.com
Subject Line: "Subprocessor Objection - [Subprocessor Name]"
Deadline: Within 15 days of notification
By accepting the StreetEat Terms of Service, you acknowledge that you have read, understood, and agree to be bound by this Data Processing Agreement.
This document was last updated on January 24, 2026.
Version 1.0