Data Processing Agreement

Data Processing Agreement (DPA)

This DPA is part of the Agreement between LB Trading GmbH ("noon", "Processor") and the Partner Café ("Controller").

1. Definitions

• Personal Data: Any information relating to identified or identifiable individuals
• Processing: Any operation performed on personal data
• Data Subject: The individual whose data is processed

2. Scope of Processing

noon processes on behalf of the Partner:

• Customer usernames when they visit
• Tap-in timestamps
• Redemption records
• Aggregated demographic data

3. noon's Obligations

noon will:

• Process data only on Partner's instructions
• Ensure confidentiality
• Implement appropriate security measures
• Assist with data subject requests
• Notify of security breaches promptly
• Delete data upon termination

4. Security Measures

We implement:

• Encryption in transit and at rest
• Access controls
• Regular security testing
• Employee training
• Incident response procedures

5. Sub-processors

Current sub-processors:

• Supabase (EU) — Database hosting
• Vercel (EU/US) — App hosting

We'll notify Partners before adding new sub-processors.

6. International Transfers

Data stays primarily in the EU. For any transfers outside the EU, we use:

• EU Standard Contractual Clauses
• Additional safeguards as needed

7. Audits

Partners may:

• Request compliance documentation
• Conduct audits with reasonable notice
• Review third-party audit reports

8. Data Breaches

In case of a breach, noon will:

• Notify Partner within 24 hours
• Document the nature and scope
• Take remedial action
• Provide investigation reports

9. Termination

Upon termination, noon will:

• Stop processing
• Delete or return data
• Confirm deletion in writing

10. Liability

Each party remains responsible for:

• Their own GDPR compliance
• Their own security practices
• Their own data subject relationships

Contact

Data Protection: hello@noon-loyalty.com
Address: LB Trading GmbH, Eustrasse 56, 6313 Menzingen, Switzerland