Data Processing Addendum

This Data Processing Addendum ("DPA") forms an integral part of the Terms and Conditions (the "Main Agreement") entered into between Mosey Limited, a company registered in Ireland with company number 714173 and registered address at 77 Camden Street Lower, Dublin, Ireland, D02 XE80 ("Mosey" or "Processor") and the Business that has agreed to the Main Agreement ("Controller").

This DPA governs the processing of Personal Data by Mosey as a Processor on behalf of the Controller in connection with the provision of the Service, as defined in the Main Agreement. The parties agree to the terms herein to comply with the requirements of applicable Data Protection Laws concerning data processing.

1. DEFINITIONS

Unless otherwise defined herein, capitalized terms used in this DPA shall have the meanings set forth in the Main Agreement. The following terms shall have the meanings set forth below:

"Controller": Refers to the Business (legal entity or individual) that has entered into the Main Agreement with Mosey and determines the purposes and means of the processing of Personal Data. Each Business utilising Mosey's services under the Main Agreement is a Controller for the Personal Data it provides or makes accessible to Mosey for processing under this DPA.
"Data Protection Laws": All applicable laws and regulations relating to the processing of Personal Data and privacy, including but not limited to the General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"), and any national implementing laws, regulations and secondary legislation, as amended or updated from time to time.
"Data Subject": An identified or identifiable natural person to whom Personal Data relates.
"Main Agreement": The Terms and Conditions governing the use of the Mosey Service between Mosey and the Controller.
"Personal Data": Any information relating to an identified or identifiable natural person that is processed by Mosey on behalf of the Controller pursuant to or in connection with the Main Agreement.
"Processor": Mosey Limited, acting as a data processor on behalf of the Controller.
"Service": The Mosey mobile application, web application, all associated features, applications, services, technologies, and software provided by Mosey, as defined in the Main Agreement.
"Sub-processor": Any third party appointed by Mosey to process Personal Data on behalf of Mosey in connection with the Main Agreement.

2. ROLES AND RESPONSIBILITIES

Roles of the Parties. The parties acknowledge and agree that for the purposes of the Data Protection Laws, the Controller is the data controller, and Mosey is the data processor, with respect to the Personal Data processed under this DPA.
Details of Processing.
1. Subject matter and duration of the processing: The subject matter of the processing is the Personal Data provided by the Controller to Mosey or collected by Mosey on behalf of the Controller for the purpose of providing the Service as outlined in the Main Agreement. The processing will continue for the duration of the Main Agreement, unless otherwise specified herein.
2. Nature and purpose of the processing: The processing involves Mosey providing platform services, including but not limited to:
  - Managing reservations and bookings for the Controller's customers.
  - Facilitating customer relationship management (CRM) functionalities for the Controller.
  - Providing staff management tools for the Controller's employees.
  - Enabling the Controller to post and manage job applications.
  - Processing data related to the sale of Vouchers and Tickets on behalf of the Controller.
  - Providing analytics and reporting to the Controller regarding their use of the Service.
  - Supporting communication features between the Controller and its customers (Users) or staff. The purpose of the processing is to enable the Controller to effectively manage and operate its business activities facilitated by the Mosey Service.
  - Coordinating delivery and collection services between Businesses and drivers
  - Sending targeted notifications to customers on behalf of Businesses
  - Managing unified customer relationships across multiple Business locations
  - Processing payment and revenue sharing for delivery and notification services
3. Type of Personal Data processed: The types of Personal Data processed may include, but are not limited to:
  - For Customers of the Business (Users): Names, contact details (email, phone number), reservation details (date, time, guest count, special requests), order details, payment card details (processed by third-party payment processors), communication history.
  - For Staff of the Business: Names, contact details, employment details (e.g., job role, schedule), performance data (if managed through the Service), training logs, compliance documents.
  - For Job Applicants to the Business: Names, contact details, CVs/resumes, application details, interview notes.
  - Other data types as necessary for the specific features utilized by the Controller within the Service.
  - Delivery addresses and contact information
  - Order history and preferences across multiple Business locations
  - Marketing communication preferences and consent records
  - Driver contact information and service records
4. Categories of Data Subjects: The categories of Data Subjects whose Personal Data is processed may include:
  - Customers of the Controller (Mosey Users making reservations, ordering, or interacting with the Business).
  - Employees/Staff of the Controller.
  - Job applicants to the Controller.
  - Customers placing delivery and collection orders
  - Users receiving targeted business notifications
  - Customers of multi-location Business groups
Controller's Responsibilities. The Controller represents and warrants that:
1. It has instructed Mosey to process Personal Data in accordance with this DPA and the Main Agreement.
2. All Personal Data provided to Mosey or processed through the Service on the Controller's behalf has been collected and will be processed by the Controller in compliance with Data Protection Laws, including having a valid legal basis for such processing and providing all necessary privacy notices to Data Subjects.
3. It is solely responsible for determining the specific purposes and means of processing Personal Data, and for the accuracy, quality, and legality of Personal Data provided to Mosey.
4. It will notify Mosey without undue delay in writing of any changes to its processing instructions or requirements under Data Protection Laws.
5. It is responsible for its own compliance with Data Protection Laws regarding the Personal Data it processes.
6. It will establish and maintain appropriate security measures to protect Personal Data in its possession or control, including data submitted to Mosey.

3. PROCESSOR'S OBLIGATIONS

Processing on Instructions. Mosey shall process Personal Data only on the documented instructions of the Controller, including those set out in the Main Agreement and this DPA, unless required to do so by applicable law to which Mosey is subject. In such a case, Mosey shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
Confidentiality. Mosey shall ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
Security. Mosey shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. These measures shall include, as appropriate, the measures identified in Annex 1 (Security Measures).
Assistance to Controller. Mosey shall, taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the Data Subject's rights under Data Protection Laws. Mosey shall:
1. Promptly notify the Controller if it receives a request from a Data Subject concerning their Personal Data processed on behalf of the Controller under this DPA.
2. Not respond to that request directly unless authorized or required to do so by the Controller.
3. Provide the Controller with the necessary information and reasonable assistance to enable the Controller to respond to the Data Subject request in compliance with Data Protection Laws.
Data Breach Notification. Mosey shall notify the Controller without undue delay after becoming aware of a Personal Data Breach affecting Personal Data processed under this DPA. Such notification shall include, at a minimum, the information required by Data Protection Laws and will assist the Controller in meeting its obligations under the Data Protection Laws regarding the notification of a Personal Data Breach.
Assistance with DPIAs and Prior Consultation. Mosey shall provide reasonable assistance to the Controller with regard to the Controller's obligations to carry out data protection impact assessments and to undertake prior consultation with supervisory authorities, where required under Data Protection Laws, taking into account the nature of the processing and the information available to Mosey.
Deletion or Return of Personal Data. Upon termination or expiration of the Main Agreement, or at the Controller's written request (subject to Section 3.7.2 below), Mosey shall, at the choice of the Controller, delete or return all Personal Data to the Controller and delete existing copies unless applicable law requires storage of the Personal Data.
1. Mosey shall confirm deletion or return within a reasonable timeframe, unless otherwise agreed.
2. Mosey may retain Personal Data if required by law, subject to such retention being in compliance with Data Protection Laws and Mosey safeguarding the data against further processing.
Audits and Inspections. Mosey shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, provided that:
1. The Controller gives Mosey reasonable notice of such audit or inspection (at least 30 days).
2. Audits are conducted during normal business hours and in a manner that does not unreasonably interfere with Mosey's operations.
3. The Controller bears the cost of the audit.
4. Any information disclosed during an audit is treated as confidential.
5. Audits are limited to one per year, unless a Personal Data Breach or other compelling reason arises.

4. SUB-PROCESSING

Authorisation. The Controller specifically authorises Mosey to engage the Sub-processors listed in Annex 2 (List of Sub-processors). Mosey shall inform the Controller of any intended changes concerning the addition or replacement of other Sub-processors, thereby giving the Controller the opportunity to object to such changes.
Processor's Obligations regarding Sub-processors. Where Mosey engages a Sub-processor for carrying out specific processing activities on behalf of the Controller, Mosey shall ensure that the same data protection obligations as set out in this DPA are imposed on that Sub-processor by way of a written contract, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of Data Protection Laws. Mosey shall remain fully liable to the Controller for the performance of that Sub-processor’s obligations.
Data Subject Disputes:

(a) Primary Responsibility: The Business (Data Controller) is primarily responsible for responding to data subject requests, complaints, and disputes regarding Personal Data processed through the Platform.

(b) Assistance Obligations: Mosey will provide reasonable assistance to Businesses in responding to data subject requests, including providing relevant technical information and facilitating data deletion where technically feasible.

(c) Direct Contact Requirements: Businesses must maintain accessible contact information for data protection inquiries and respond to data subject requests within legal timeframes.

(d) Escalation Process: If a data subject cannot reach the Business or receives inadequate response, they may contact Mosey, who will attempt to facilitate resolution between the parties.

(e) Technical Limitations: Mosey's ability to assist is limited to technical platform capabilities and does not extend to legal advice or determinations about data processing lawfulness.

5. INTERNATIONAL DATA TRANSFERS

Mosey may transfer Personal Data to countries outside of the European Economic Area (EEA) for the purpose of providing the Service. Where Personal Data is transferred outside the EEA, Mosey shall ensure that the transfer is subject to appropriate safeguards as required by Data Protection Laws, such as Standard Contractual Clauses (SCCs) approved by the European Commission, or reliance on an adequacy decision, or other valid transfer mechanisms.
The Controller acknowledges that Mosey's ability to provide the Service may rely on such international transfers.

6. LIABILITY

Each party’s liability under this DPA shall be subject to the exclusions and limitations of liability set out in the Main Agreement.
The Controller shall indemnify and hold Mosey harmless from any claims, damages, or expenses arising from the Controller's breach of its obligations under this DPA or Data Protection Laws.

7. GENERAL TERMS

Governing Law and Jurisdiction. This DPA shall be governed by and construed in accordance with the laws of Ireland. Any disputes arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of Ireland.
Entire Agreement. This DPA, together with the Main Agreement, constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior agreements, negotiations, and discussions between the parties relating to the processing of Personal Data. In the event of a conflict between the terms of this DPA and the Main Agreement concerning data processing, the terms of this DPA shall prevail.
Severability. If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.
Counterparts. This DPA may be executed in counterparts, each of which shall be deemed an original, but all of which together shall constitute one and the same instrument.

ANNEX 1: TECHNICAL AND ORGANISATIONAL SECURITY MEASURES

Pseudonymisation and encryption of Personal Data:

Data at rest encryption:

PostgreSQL database connections use SSL encryption with sslconfiguration across all Lambda functions
S3 storage for media files with AWS-managed encryption
Database credentials and sensitive data stored in environment variables and AWS stage variables

Data in transit encryption:

All API communications use HTTPS/TLS encryption
Database connections encrypted via SSL
AWS Cognito authentication with secure token transmission
Stripe payment processing with encrypted API communications

Pseudonymisation techniques:

User IDs use UUID format for pseudonymisation
Custom user attributes in Cognito (custom:restaurant_id, custom:user_type)
Database uses UUID primary keys throughout the schema

The ability to ensure ongoing confidentiality, integrity, availability and resilience:

Access controls:

JWT token-based authentication with AWS Cognito
Role-based access control with restaurant ownership verification
Custom token verification functions in Lambda handlers
Method-level authorization (GET/POST restrictions)

Network security:

API Gateway with CORS configuration
Lambda functions with VPC configuration
Database access restricted to Lambda functions only
Redundancy and failover:
AWS Lambda serverless architecture provides automatic scaling
PostgreSQL database with connection pooling
S3 for media storage with AWS redundancy

Security testing:

Comprehensive logging throughout the application (1072+ console.log statements across 157 files)
Error handling and logging in all Lambda functions
Input validation on all API endpoints

The ability to restore availability and access to Personal Data:

Backup mechanisms:

PostgreSQL database with standard backup capabilities
S3 bucket for media files with AWS backup features
Database schema versioning with migration scripts
Lambda function code versioning through Git

Disaster recovery:

AWS infrastructure provides built-in disaster recovery
Multi-AZ deployment capabilities
Database connection pooling for resilience

Process for regularly testing, assessing and evaluating security measures:

Security audits:

Comprehensive logging system for monitoring
Error tracking and debugging capabilities
Database query logging and monitoring
API Gateway access logs

Compliance reviews:

Structured database schema with proper constraints
Input validation on all endpoints
SQL injection prevention through parameterized queries

Measures for user identification and authorisation:

Multi-factor authentication:

AWS Cognito integration with email verification
Strong password policies (minimum 8 characters, mixed case, numbers, special characters)
JWT token-based session management
Token expiration and refresh mechanisms

Session management:

JWT tokens with expiration handling
Secure token storage in mobile app
Automatic token refresh in mobile application

Measures for the protection of data during transmission and storage:

Encryption protocols:

HTTPS for all API communications
SSL/TLS for database connections
AWS S3 encryption for file storage
Stripe encryption for payment data

Secure storage:

Environment variables for sensitive configuration
AWS stage variables for production secrets
Database credentials encrypted in transit
S3 bucket with proper access controls

Measures for ensuring physical security:

Data center security:

AWS infrastructure with physical access controls
EU-West-1 region deployment
AWS data center security standards
Environmental controls managed by AWS

Measures for ensuring events logging:

Centralized logging:

CloudWatch integration for Lambda functions
Database query logging
API Gateway access logs
Comprehensive error logging throughout application
Notification system with delivery tracking

Audit trails:

User action logging in Lambda functions
Database transaction logging
Payment processing logs via Stripe
Notification delivery logs
Measures for ensuring system configuration:
Secure configuration:
Environment-based configuration management
AWS stage variables for production settings
Database connection pooling configuration
CORS configuration for API endpoints

Change management:

Git-based version control
Lambda function deployment through AWS
Database migration scripts
Configuration validation in code

Measures for internal IT and IT security governance:

Security policies:

Code review processes through Git
Environment separation (dev/prod)
Access control through AWS IAM
Database user management

Staff training:

Development team security awareness
Code documentation and comments
Error handling best practices
Security-focused development patterns

Measures for certification/assurance:

Third-party integrations:

AWS Cognito for authentication (SOC 2 compliant)
Stripe for payment processing (PCI DSS compliant)
AWS infrastructure (ISO 27001, SOC 2, etc.)
PostgreSQL database with security features

Measures for ensuring data minimisation:

Data collection:

Only necessary user attributes collected
Restaurant-specific data isolation
User preference settings for notifications
Minimal data retention in logs
Database schema designed for specific business needs only

ANNEX 2: LIST OF SUB-PROCESSORS

The Controller hereby authorises Mosey to engage the following categories of Sub-processors to perform specific processing activities on behalf of the Controller under this DPA:

Cloud Infrastructure Providers: For hosting and storage of Personal Data.
Sub-processor Name: Amazon Web Services (AWS)
Location: Ireland (eu-west-1)
Purpose: Hosting of the Mosey platform, data storage, computing resources, Lambda functions, API Gateway, S3 storage, and database hosting.

Payment Processing Providers: For facilitating transactions such as deposits, Vouchers, and Tickets.

Sub-processor Name: Stripe, Inc.
Location: Ireland, United Kingdom, United States
Purpose: Secure processing of payment card details, transaction facilitation, payment intent creation, payout processing, and financial data management.

Authentication and Identity Management Services:

Sub-processor Name: AWS Cognito
Location: Ireland (eu-west-1)
Purpose: User authentication, identity management for both Users and Businesses, JWT token generation and validation, user registration and login services.

Real-time Communication Services:

Sub-processor Name: AWS API Gateway WebSocket
Location: Ireland (eu-west-1)
Purpose: Real-time messaging between users and businesses, WebSocket connections for live chat functionality, instant notifications delivery.

Analytics and Monitoring Services (for Processor's internal use for service delivery and not for Controller's specific data analytics, unless explicitly sub-processing Controller data):

Sub-processor Name: Google Analytics
Location: United States
Purpose: Platform performance monitoring, user engagement tracking, error logging, and service delivery analytics.

Google Analytics ID: G-C7MK8LDR99

Sub-processor Name: AWS CloudWatch

Location: Ireland (eu-west-1)
Purpose: Lambda function monitoring, error tracking, performance metrics, and system health monitoring.

Mobile Application Development and Distribution:

Sub-processor Name: Expo (Expo Go, EAS Build)
Location: United States
Purpose: Mobile application development framework, build services, and development tools for the mobile application.

Sub-processor Name: Google Play Store
Location: Global
Purpose: Distribution and hosting of the Android mobile application.

Database and Storage Services:

Sub-processor Name: PostgreSQL (via AWS RDS)
Location: Ireland (eu-west-1)
Purpose: Primary database storage for user data, business information, transactions, and application data.

Sub-processor Name: AWS S3
Location: Ireland (eu-west-1)
Purpose: Media file storage, image hosting, document storage, and backup services.

Other Third-Party Service Providers:

Sub-processor Name: AWS Lambda
Location: Ireland (eu-west-1)
Purpose: Serverless computing for API endpoints, business logic processing, and data manipulation.

Sub-processor Name: AWS API Gateway
Location: Ireland (eu-west-1)
Purpose: API management, request routing, authentication, and CORS handling.

Sub-processor Name: PostGIS (via AWS RDS)
Location: Ireland (eu-west-1)
Purpose: Geographic data processing and spatial queries for location-based services.

ANNEX 3: DELIVERY AND NOTIFICATION DATA PROCESSING

3.1 Delivery Data Processing

Purpose: Order fulfillment coordination
Data Categories: Delivery addresses, contact information, order details
Retention: Until order completion plus 30 days for support purposes
Sharing: With assigned delivery drivers and fulfilling Business only

3.2 Notification Data Processing

Purpose: Targeted in-app marketing communications
Data Categories: First names, venue visit history, individual Business consent records
Retention: Until consent is withdrawn or account deletion
Sharing: Notification content only; customer contact details not shared with Businesses

3.3 Multi-Location Data Processing

Purpose: Coordinated operations across Business locations
Data Categories: Customer interactions and preferences maintained separately per location
Retention: As per standard customer data retention policies
Access Control: Primary managers can access all locations; location managers restricted to their venue only

Mosey will update this Annex from time to time to reflect any changes to its Sub-processors. The Controller will be informed of any new or replacement Sub-processors in accordance with Section 4.1 of this DPA.