Qoro
功能博客关于定价
登录开始免费试用

您的语言不提供此内容

本文件目前仅以土耳其语和英语发布。对于土耳其境内的客户,具有约束力的版本是土耳其语;对于所有其他司法管辖区,则是英语。

提示:使用浏览器的内置翻译功能,即可以您的语言阅读本文档。

以英语查看具有约束力以土耳其语查看

数据处理协议

v1.0生效日期: 2026年4月23日更新日期: 2026年4月23日

摘要

根据 GDPR 第 28 条规定的处理者-控制者条款,包括子处理者和安全。

1. Summary

This Data Processing Agreement (“DPA”) governs the relationship between Flexton LLC (the “Processor”) and the Tenant (the “Controller”) whenever Flexton processes personal data on the Tenant's behalf under the Terms of Service, and is intended to comply with GDPR Article 28 and KVKK. The DPA is an integral part of the Terms (Terms §9/9.2 — “Exhibit A”).

2. Definitions

Terms not defined here (“Personal Data”, “Controller”, “Processor”, “Sub-processor”, “Data Subject”, “Breach”, “Transfer”) have the meanings given to them under GDPR and KVKK.

  • Controller: The Tenant using Qoro — regarding End Customer data.
  • Processor: Flexton LLC.
  • Sub-processor: Third-party infrastructure / processing providers used by Flexton to deliver the Qoro platform (Exhibit A).

3. Processing Details

  • Subject matter: Provision of the Qoro platform — orders, menu, customer interaction, payments, reporting.
  • Duration: The term of the subscription under the Terms of Service.
  • Nature and purpose: Data processing activities required for the Tenant's operational use of the Qoro platform.
  • Categories of data: See Privacy Policy §3 — Tenant account data, Tenant data, End Customer order data, technical/usage data.
  • Data subjects: Tenant staff; End Customers (Tenant's guests).

4. Processor Obligations

  • Process personal data only on the Controller's documented instructions, unless required otherwise by law.
  • Ensure that personnel authorised to access the data are bound by confidentiality.
  • Implement appropriate technical and organisational measures under GDPR Art. 32 / KVKK Art. 12 (see Exhibit B).
  • Engage sub-processors only under §5, binding them to obligations equivalent to those in this DPA.
  • Reasonably assist the Controller in fulfilling its own obligations (data subject rights, breach notification, impact assessments).
  • On termination, return personal data to the Controller or — unless otherwise instructed or legally required to retain — delete it.

5. Sub-processors

The Controller grants general authorisation for the Processor to use the sub-processors listed in Exhibit A. The Processor gives the Controller at least 30 days' notice before adding or changing sub-processors. The Controller may object on reasonable grounds; if not resolved, the Controller may terminate the subscription for the affected service.

6. Assistance with Rights Requests

The Processor provides reasonable technical and organisational measures — e.g. access/correction/deletion/export interfaces and APIs — to help the Controller respond to data subject requests (GDPR Art. 15–22 / KVKK Art. 11). An in-platform Privacy Centre for self-service tools arrives in Blok G-II.

7. Security Measures

The Processor implements the security measures listed in Exhibit B and reviews them in line with evolving risks and technology.

8. Breach Notification

Upon becoming aware of a personal data breach, the Processor notifies the Controller without undue delay and at the latest within 72 hours. The notice includes the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed.

9. Audit Rights

The Controller may audit the Processor's compliance with this DPA once per year (or more frequently on reasonable grounds), subject to prior written notice. To avoid operational security risks on a multi-tenant platform, audits are reasonably structured through third-party reports (ISO 27001, SOC 2, etc.). A reasonable fee may apply to direct on-site audit requests.

10. International Transfers

Some sub-processors listed in Exhibit A are established outside the EU (United States). For such transfers, the EU Commission's Standard Contractual Clauses (SCC) 2021/914 (Module 2 — Controller-to-Processor; Module 3 — Processor-to-Sub-processor) apply. For transfers originating in Turkey, safeguards under KVKK Art. 9 (commitment / explicit consent) apply.

11. Termination & Return/Deletion

Upon termination of the Terms, Tenant Data is retained in a 30-day read-only export window, then deleted. Upon Controller's request, data is returned instead. Records subject to statutory retention (e.g. invoices) are archived in anonymised form.

Exhibit A — Sub-processors

Sub-processors used to provide Qoro and their roles. Each sub-processor is bound by a GDPR Art. 28 data processing agreement. The current list is published on this page; changes follow the notice process in §5.

  • Application hosting / edge: US + EU-West (global edge). Purpose: application server, SSR render, edge middleware. Transfer: US and EU-West.
  • Database & authentication: EU-West (Frankfurt/Ireland). Purpose: storage of Tenant and End Customer data, auth session management.
  • Payment processor: US/Ireland. Purpose: subscription fee collection, invoice PDF generation. Transfer: US (SCC Module 3).
  • Email delivery: EU-West. Purpose: transactional emails (order confirmations, invoices, password resets) and — with explicit consent — marketing emails.
  • Error monitoring: EU-West. Purpose: platform error and performance monitoring. Active only with user's analytics cookie consent.
  • Bot defence: Global edge (Cloudflare). Purpose: form/bot protection (Turnstile), DDoS mitigation.

Exhibit B — Security Measures

  • Encryption: TLS 1.2+ in transit; AES-256 at rest.
  • Row-Level Security (RLS): tenant isolation at the database layer.
  • Authentication: bcrypt/argon2 password hashing, optional WebAuthn/passkey, two-factor authentication.
  • Access control: least-privilege, role-based access (RBAC), platform audit log, mandatory 2FA for staff accounts.
  • Backups: daily automated backups; tested disaster recovery plan.
  • Network & infrastructure security: WAF, rate limiting, Turnstile bot defence, security monitoring and alerting.
  • Logging & monitoring: auth audit log, system security log, configuration change tracking.
  • Security processes: incident response runbook; third-party security review (annual); GDPR/KVKK DPIA process.
  • Data minimisation: End Customer name / phone / email are not collected by default — only when optionally enabled by the Tenant.

Contact

Data-protection contact: hello@qoro.cc
Flexton LLC, 7901 4th St N, Suite 300, St. Petersburg, FL 33702, United States.

联系方式

hello@qoro.cc

我们将在30天内根据适用法律回应法律请求。

法律实体

Flexton LLC
7901 4th St N, Suite 300
St. Petersburg, FL 33702
United States

语言与约束版本

这些文件以土耳其语和英语发布。对于居住在土耳其的企业和最终用户,具有约束力的文本是土耳其语;对于所有其他司法管辖区,具有约束力的文本是英语。其他语言的翻译仅为方便起见,不具有约束力。本条款不影响个人用户根据其当地法律享有的强制性消费者保护权利。

每份文件的版本历史将在下一次重大修订时一并发布。

准备好将您的店铺数字化了吗?

无需信用卡·随时取消

开始 14 天免费试用
Qoro

顾客扫码、浏览菜单、点餐、在餐桌支付或外带。厨房即时接收订单,服务员上菜,账单自动结清。所有操作尽在一个面板。.

产品

  • 功能
  • 解决方案
  • 博客
  • 更新日志
  • 二维码菜单指南
  • 二维码菜单对比
  • 定价

公司

  • 关于
  • 联系我们
  • 登录

法律

  • 隐私
  • KVKK
  • 条款
  • Cookie
  • 数据控制者
  • 所有法律文件
© 2026 Qoro ·Flexton LLC

Flexton LLC · 7901 4th St N, Suite 300, St. Petersburg, FL 33702, USA

hello@qoro.cc·
  • English
  • Türkçe
  • Español
  • Français
  • Deutsch
  • العربية
  • Русский
  • 中文
  • 日本語
  • Italiano
  • Português (BR)
  • Nederlands
  • Bahasa Indonesia
  • हिन्दी
  • 한국어
  • Polski
  • Ελληνικά