This document is currently published only in Turkish and English. The binding version for Turkey-based customers is the Turkish one; for all other jurisdictions, it is the English one.
Data Processing Agreement
Summary
Processor-controller terms under GDPR Article 28, including sub-processors and security.
1. Summary
This Data Processing Agreement (“DPA”) governs the relationship between Flexton LLC (the “Processor”) and the Tenant (the “Controller”) whenever Flexton processes personal data on the Tenant's behalf under the Terms of Service, and is intended to comply with GDPR Article 28 and KVKK. The DPA is an integral part of the Terms (Terms §9/9.2 — “Exhibit A”).
2. Definitions
Terms not defined here (“Personal Data”, “Controller”, “Processor”, “Sub-processor”, “Data Subject”, “Breach”, “Transfer”) have the meanings given to them under GDPR and KVKK.
- Controller: The Tenant using Qoro — regarding End Customer data.
- Processor: Flexton LLC.
- Sub-processor: Third-party infrastructure / processing providers used by Flexton to deliver the Qoro platform (Exhibit A).
3. Processing Details
- Subject matter: Provision of the Qoro platform — orders, menu, customer interaction, payments, reporting.
- Duration: The term of the subscription under the Terms of Service.
- Nature and purpose: Data processing activities required for the Tenant's operational use of the Qoro platform.
- Categories of data: See Privacy Policy §3 — Tenant account data, Tenant data, End Customer order data, technical/usage data.
- Data subjects: Tenant staff; End Customers (Tenant's guests).
4. Processor Obligations
- Process personal data only on the Controller's documented instructions, unless required otherwise by law.
- Ensure that personnel authorised to access the data are bound by confidentiality.
- Implement appropriate technical and organisational measures under GDPR Art. 32 / KVKK Art. 12 (see Exhibit B).
- Engage sub-processors only under §5, binding them to obligations equivalent to those in this DPA.
- Reasonably assist the Controller in fulfilling its own obligations (data subject rights, breach notification, impact assessments).
- On termination, return personal data to the Controller or — unless otherwise instructed or legally required to retain — delete it.
5. Sub-processors
The Controller grants general authorisation for the Processor to use the sub-processors listed in Exhibit A. The Processor gives the Controller at least 30 days' notice before adding or changing sub-processors. The Controller may object on reasonable grounds; if not resolved, the Controller may terminate the subscription for the affected service.
6. Assistance with Rights Requests
The Processor provides reasonable technical and organisational measures — e.g. access/correction/deletion/export interfaces and APIs — to help the Controller respond to data subject requests (GDPR Art. 15–22 / KVKK Art. 11). An in-platform Privacy Centre for self-service tools arrives in Blok G-II.
7. Security Measures
The Processor implements the security measures listed in Exhibit B and reviews them in line with evolving risks and technology.
8. Breach Notification
Upon becoming aware of a personal data breach, the Processor notifies the Controller without undue delay and at the latest within 72 hours. The notice includes the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed.
9. Audit Rights
The Controller may audit the Processor's compliance with this DPA once per year (or more frequently on reasonable grounds), subject to prior written notice. To avoid operational security risks on a multi-tenant platform, audits are reasonably structured through third-party reports (ISO 27001, SOC 2, etc.). A reasonable fee may apply to direct on-site audit requests.
10. International Transfers
Some sub-processors listed in Exhibit A are established outside the EU (United States). For such transfers, the EU Commission's Standard Contractual Clauses (SCC) 2021/914 (Module 2 — Controller-to-Processor; Module 3 — Processor-to-Sub-processor) apply. For transfers originating in Turkey, safeguards under KVKK Art. 9 (commitment / explicit consent) apply.
11. Termination & Return/Deletion
Upon termination of the Terms, Tenant Data is retained in a 30-day read-only export window, then deleted. Upon the Controller's request, data is returned instead. Records subject to statutory retention (e.g. invoices) are archived in anonymised form.
Exhibit A — Sub-processors
Sub-processors used to provide Qoro and their roles. Each sub-processor is bound by a GDPR Art. 28 data processing agreement. The current list is published on this page; changes follow the notice process in §5.
- Application hosting / edge: US + EU-West (global edge). Purpose: application server, SSR render, edge middleware. Transfer: US and EU-West.
- Database & authentication: EU-West (Frankfurt/Ireland). Purpose: storage of Tenant and End Customer data, auth session management.
- Payment processor: US/Ireland. Purpose: subscription fee collection, invoice PDF generation. Transfer: US (SCC Module 3).
- Email delivery: EU-West. Purpose: transactional emails (order confirmations, invoices, password resets) and — with explicit consent — marketing emails.
- Error monitoring: EU-West. Purpose: platform error and performance monitoring. Active only with the user's analytics cookie consent.
- Bot defence: Global edge (Cloudflare). Purpose: form/bot protection (Turnstile), DDoS mitigation.
Exhibit B — Security Measures
- Encryption: TLS 1.2+ in transit; AES-256 at rest.
- Row-Level Security (RLS): tenant isolation at the database layer.
- Authentication: bcrypt/argon2 password hashing, optional WebAuthn/passkey, two-factor authentication.
- Access control: least-privilege, role-based access (RBAC), platform audit log, mandatory 2FA for staff accounts.
- Backups: daily automated backups; tested disaster recovery plan.
- Network & infrastructure security: WAF, rate limiting, Turnstile bot defence, security monitoring and alerting.
- Logging & monitoring: auth audit log, system security log, configuration change tracking.
- Security processes: incident response runbook; third-party security review (annual); GDPR/KVKK DPIA process.
- Data minimisation: End Customer name / phone / email are not collected by default — only when optionally enabled by the Tenant.
Contact
Data-protection contact: hello@qoro.cc
Flexton LLC, 7901 4th St N, Suite 300, St. Petersburg, FL 33702, United States.