Qoro
機能ブログ会社概要料金プラン
ログイン無料トライアルを開始

お使いの言語ではコンテンツをご利用いただけません

この文書は現在、トルコ語と英語のみで公開されています。トルコを拠点とするお客様にとっての拘束力のあるバージョンはトルコ語であり、その他のすべての法域では英語です。

ヒント:ブラウザの組み込み翻訳機能を使用して、このドキュメントをご自身の言語でお読みいただけます。

英語で表示拘束力ありトルコ語で表示

データ処理契約

v1.0発効日: 2026年4月23日更新日: 2026年4月23日

概要

GDPR第28条に基づく、処理者と管理者間の条件。副処理者とセキュリティを含みます。

1. Summary

This Data Processing Agreement (“DPA”) governs the relationship between Flexton LLC (the “Processor”) and the Tenant (the “Controller”) whenever Flexton processes personal data on the Tenant's behalf under the Terms of Service, and is intended to comply with GDPR Article 28 and KVKK. The DPA is an integral part of the Terms (Terms §9/9.2 — “Exhibit A”).

2. Definitions

Terms not defined here (“Personal Data”, “Controller”, “Processor”, “Sub-processor”, “Data Subject”, “Breach”, “Transfer”) have the meanings given to them under GDPR and KVKK.

  • Controller: The Tenant using Qoro — regarding End Customer data.
  • Processor: Flexton LLC.
  • Sub-processor: Third-party infrastructure / processing providers used by Flexton to deliver the Qoro platform (Exhibit A).

3. Processing Details

  • Subject matter: Provision of the Qoro platform — orders, menu, customer interaction, payments, reporting.
  • Duration: The term of the subscription under the Terms of Service.
  • Nature and purpose: Data processing activities required for the Tenant's operational use of the Qoro platform.
  • Categories of data: See Privacy Policy §3 — Tenant account data, Tenant data, End Customer order data, technical/usage data.
  • Data subjects: Tenant staff; End Customers (Tenant's guests).

4. Processor Obligations

  • Process personal data only on the Controller's documented instructions, unless required otherwise by law.
  • Ensure that personnel authorised to access the data are bound by confidentiality.
  • Implement appropriate technical and organisational measures under GDPR Art. 32 / KVKK Art. 12 (see Exhibit B).
  • Engage sub-processors only under §5, binding them to obligations equivalent to those in this DPA.
  • Reasonably assist the Controller in fulfilling its own obligations (data subject rights, breach notification, impact assessments).
  • On termination, return personal data to the Controller or — unless otherwise instructed or legally required to retain — delete it.

5. Sub-processors

The Controller grants general authorisation for the Processor to use the sub-processors listed in Exhibit A. The Processor gives the Controller at least 30 days' notice before adding or changing sub-processors. The Controller may object on reasonable grounds; if not resolved, the Controller may terminate the subscription for the affected service.

6. Assistance with Rights Requests

The Processor provides reasonable technical and organisational measures — e.g. access/correction/deletion/export interfaces and APIs — to help the Controller respond to data subject requests (GDPR Art. 15–22 / KVKK Art. 11). An in-platform Privacy Centre for self-service tools arrives in Blok G-II.

7. Security Measures

The Processor implements the security measures listed in Exhibit B and reviews them in line with evolving risks and technology.

8. Breach Notification

Upon becoming aware of a personal data breach, the Processor notifies the Controller without undue delay and at the latest within 72 hours. The notice includes the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed.

9. Audit Rights

The Controller may audit the Processor's compliance with this DPA once per year (or more frequently on reasonable grounds), subject to prior written notice. To avoid operational security risks on a multi-tenant platform, audits are reasonably structured through third-party reports (ISO 27001, SOC 2, etc.). A reasonable fee may apply to direct on-site audit requests.

10. International Transfers

Some sub-processors listed in Exhibit A are established outside the EU (United States). For such transfers, the EU Commission's Standard Contractual Clauses (SCC) 2021/914 (Module 2 — Controller-to-Processor; Module 3 — Processor-to-Sub-processor) apply. For transfers originating in Turkey, safeguards under KVKK Art. 9 (commitment / explicit consent) apply.

11. Termination & Return/Deletion

Upon termination of the Terms, Tenant Data is retained in a 30-day read-only export window, then deleted. Upon Controller's request, data is returned instead. Records subject to statutory retention (e.g. invoices) are archived in anonymised form.

Exhibit A — Sub-processors

Sub-processors used to provide Qoro and their roles. Each sub-processor is bound by a GDPR Art. 28 data processing agreement. The current list is published on this page; changes follow the notice process in §5.

  • Application hosting / edge: US + EU-West (global edge). Purpose: application server, SSR render, edge middleware. Transfer: US and EU-West.
  • Database & authentication: EU-West (Frankfurt/Ireland). Purpose: storage of Tenant and End Customer data, auth session management.
  • Payment processor: US/Ireland. Purpose: subscription fee collection, invoice PDF generation. Transfer: US (SCC Module 3).
  • Email delivery: EU-West. Purpose: transactional emails (order confirmations, invoices, password resets) and — with explicit consent — marketing emails.
  • Error monitoring: EU-West. Purpose: platform error and performance monitoring. Active only with user's analytics cookie consent.
  • Bot defence: Global edge (Cloudflare). Purpose: form/bot protection (Turnstile), DDoS mitigation.

Exhibit B — Security Measures

  • Encryption: TLS 1.2+ in transit; AES-256 at rest.
  • Row-Level Security (RLS): tenant isolation at the database layer.
  • Authentication: bcrypt/argon2 password hashing, optional WebAuthn/passkey, two-factor authentication.
  • Access control: least-privilege, role-based access (RBAC), platform audit log, mandatory 2FA for staff accounts.
  • Backups: daily automated backups; tested disaster recovery plan.
  • Network & infrastructure security: WAF, rate limiting, Turnstile bot defence, security monitoring and alerting.
  • Logging & monitoring: auth audit log, system security log, configuration change tracking.
  • Security processes: incident response runbook; third-party security review (annual); GDPR/KVKK DPIA process.
  • Data minimisation: End Customer name / phone / email are not collected by default — only when optionally enabled by the Tenant.

Contact

Data-protection contact: hello@qoro.cc
Flexton LLC, 7901 4th St N, Suite 300, St. Petersburg, FL 33702, United States.

お問い合わせ

hello@qoro.cc

適用される法律に基づき、法的要請には30日以内に対応いたします。

法人

Flexton LLC
7901 4th St N, Suite 300
St. Petersburg, FL 33702
United States

言語と拘束力のあるバージョン

これらの文書はトルコ語と英語で公開されています。トルコに居住する企業およびエンドユーザーの場合、拘束力のあるテキストはトルコ語であり、その他のすべての法域では拘束力のあるテキストは英語です。他の言語への翻訳は便宜のために提供されるものであり、拘束力はありません。この条項は、個々のユーザーが現地法の下で利用できる強制的な消費者保護の権利に影響を与えるものではありません。

各文書のバージョン履歴は、次回の重要な改訂時に公開されます。

店舗のデジタル化、始めませんか?

クレジットカード不要・いつでもキャンセル可能

14日間の無料トライアルを始める
Qoro

お客様はQRをスキャンしてメニューを閲覧し、テーブルで注文・お支払い、またはテイクアウトが可能です。キッチンは注文を即座に確認し、スタッフが提供、レジは自動で締められます。これらすべてを一つのパネルで管理いただけます。.

製品

  • 機能
  • ソリューション
  • ブログ
  • 更新履歴
  • QRメニューガイド
  • QRメニュー比較
  • 料金プラン

会社情報

  • 会社概要
  • お問い合わせ
  • ログイン

法務

  • プライバシーポリシー
  • KVKK
  • 利用規約
  • Cookie
  • データ管理者
  • すべての法的文書
© 2026 Qoro ·Flexton LLC

Flexton LLC · 7901 4th St N, Suite 300, St. Petersburg, FL 33702, USA

hello@qoro.cc·
  • English
  • Türkçe
  • Español
  • Français
  • Deutsch
  • العربية
  • Русский
  • 中文
  • 日本語
  • Italiano
  • Português (BR)
  • Nederlands
  • Bahasa Indonesia
  • हिन्दी
  • 한국어
  • Polski
  • Ελληνικά