Data Processing Agreement

Last updated: 28 March 2026

This Data Processing Agreement ("DPA") forms part of the agreement between Anseko Ltd. ("Processor", "we", "us", "our") and the Client ("Controller", "you", "your") for the provision of the InstantCafeSite platform and related services ("Services") as described in our terms and conditions.

This DPA sets out the terms that apply when Personal Data is processed by the Processor on behalf of the Controller in connection with the Services. The purpose of this DPA is to ensure that the processing of Personal Data is carried out in accordance with applicable data protection legislation, including the UK General Data Protection Regulation ("UK GDPR"), the Data Protection Act 2018, and the General Data Protection Regulation ((EU) 2016/679) ("GDPR").

1. Definitions

In this DPA, the following terms shall have the meanings set out below:

  • "Controller" means the Client who determines the purposes and means of the processing of Personal Data, being the restaurant or cafe owner who creates and manages a website through the Services.
  • "Data Protection Legislation" means the UK GDPR, the Data Protection Act 2018, the GDPR, and any successor legislation, together with all applicable national implementing laws, regulations, and secondary legislation, as amended from time to time.
  • "Data Subject" means an identified or identifiable natural person whose Personal Data is processed under this DPA.
  • "Personal Data" means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller in connection with the Services.
  • "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
  • "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction. "Process", "Processes", and "Processed" shall be construed accordingly.
  • "Processor" means Anseko Ltd. (company number 16289154), registered at 2 Frederick Street, Kings Cross, London, WC1X 0ND, United Kingdom, which processes Personal Data on behalf of the Controller.
  • "Sub-processor" means any third party appointed by the Processor to process Personal Data on behalf of the Controller in connection with the Services.
  • "Standard Contractual Clauses" ("SCCs") means the standard contractual clauses approved by the European Commission or the UK Information Commissioner's Office for the transfer of Personal Data to third countries.
  • "Supervisory Authority" means the Information Commissioner's Office ("ICO") in the United Kingdom, or any other competent data protection authority with jurisdiction over the processing activities under this DPA.

2. Scope and Purpose of Processing

2.1 The Processor provides the InstantCafeSite platform, a software-as-a-service solution that enables Controllers to create and manage restaurant and cafe websites. The Processor processes Personal Data solely for the purpose of providing the Services to the Controller in accordance with the Controller's instructions and the terms of this DPA.

2.2 The scope of processing under this DPA is limited to the Controller's own account data and website content. Client websites created through the Services are display-only and do not collect any personal data from website visitors. There are no contact forms, reservation systems, newsletter signups, visitor registration mechanisms, or any other means of end-user data collection on client websites. Accordingly, no end-user or visitor Personal Data is processed by the Processor on behalf of the Controller.

2.3 The Processor shall process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by applicable law to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

3. Types of Personal Data Processed

3.1 The categories of Personal Data processed by the Processor on behalf of the Controller are limited to:

  • Account Data: The Controller's name, email address, and hashed password credentials used to access and manage the Services.
  • Website Content: Text, images, menu items, pricing information, and other content uploaded or entered by the Controller for display on their restaurant or cafe website.
  • Website Configuration: Template selections, theme settings, image settings, and other configuration preferences set by the Controller.

3.2 The categories of Data Subjects are limited to the Controller and any authorised users of the Controller's account.

3.3 The Processor does not process any special categories of Personal Data on behalf of the Controller.

3.4 For the avoidance of doubt, the Processor does not process any Personal Data of the Controller's customers, website visitors, or other third parties through the Services.

4. Processor Obligations

4.1 Compliance with Instructions. The Processor shall process Personal Data only in accordance with the Controller's documented instructions, as set out in this DPA and the terms of the Services, unless otherwise required by applicable law.

4.2 Confidentiality. The Processor shall ensure that all persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to Personal Data shall be limited to those personnel who require such access for the performance of the Services.

4.3 Security. The Processor shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk of processing, as set out in Section 8 of this DPA.

4.4 Assistance with Data Subject Rights. The Processor shall, taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising Data Subjects' rights under the Data Protection Legislation. Where the Processor receives a request from a Data Subject in relation to the Controller's Personal Data, the Processor shall promptly notify the Controller and shall not respond to such request except on the Controller's documented instructions or as required by applicable law.

4.5 Assistance with Compliance Obligations. The Processor shall assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR (and equivalent provisions of the UK GDPR), taking into account the nature of processing and the information available to the Processor, including:

  • (a) ensuring the security of processing;
  • (b) notifying Personal Data Breaches to the Supervisory Authority and Data Subjects;
  • (c) carrying out data protection impact assessments; and
  • (d) consulting with the Supervisory Authority prior to processing where a data protection impact assessment indicates that the processing would result in a high risk.

4.6 Deletion and Return of Data. Upon termination of the Services and subject to Section 9 of this DPA, the Processor shall, at the choice of the Controller, delete or return all Personal Data to the Controller and delete existing copies, unless applicable law requires storage of the Personal Data.

4.7 Demonstration of Compliance. The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and the Data Protection Legislation, and shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, as set out in Section 11 of this DPA.

5. Sub-processors

5.1 The Controller provides general authorisation for the Processor to engage the Sub-processors listed below. The Processor shall ensure that any Sub-processor is bound by data protection obligations no less protective than those set out in this DPA.

5.2 The following Sub-processors are engaged as at the date of this DPA:

Sub-processor | Purpose | Location | Safeguards
Hetzner Online GmbH | Hosting and data storage | Germany (EEA) | Data processed and stored within the EEA
Cloudflare, Inc. | Content delivery network and media file storage | Global (US-headquartered) | EU data processing commitments; Standard Contractual Clauses in place
Stripe, Inc. | Payment processing | US (with EU data processing) | Standard Contractual Clauses in place; PCI DSS Level 1 certified; the Processor does not store or have access to payment card details

5.3 The Processor shall notify the Controller of any intended changes concerning the addition or replacement of Sub-processors, giving the Controller the opportunity to object to such changes. Such notification shall be provided at least thirty (30) days prior to the engagement of any new Sub-processor.

5.4 Where the Controller objects to the engagement of a new Sub-processor on reasonable grounds relating to the protection of Personal Data, the parties shall discuss the Controller's concerns in good faith. If the parties are unable to reach a resolution, the Controller may terminate the Services by providing written notice to the Processor.

5.5 Where the Processor engages a Sub-processor for carrying out specific processing activities on behalf of the Controller, the Processor shall impose on that Sub-processor, by way of a contract, the same data protection obligations as set out in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organisational measures.

5.6 The Processor shall remain fully liable to the Controller for the performance of any Sub-processor's obligations under this DPA.

6. Data Transfers

6.1 The primary data storage and processing for the Services takes place on servers operated by Hetzner Online GmbH, located in Germany within the European Economic Area ("EEA"). Personal Data is stored and processed within the EEA by default.

6.2 Where Personal Data is transferred to a Sub-processor located outside the EEA or the United Kingdom, the Processor shall ensure that appropriate safeguards are in place in accordance with the Data Protection Legislation. Such safeguards include, but are not limited to:

  • (a) Standard Contractual Clauses approved by the European Commission or the UK Secretary of State;
  • (b) an adequacy decision by the European Commission or the UK Secretary of State in respect of the recipient country; or
  • (c) other legally recognised transfer mechanisms under the Data Protection Legislation.

6.3 Cloudflare, Inc. may process data globally as part of its content delivery network operations. Cloudflare has Standard Contractual Clauses and appropriate supplementary measures in place to ensure an adequate level of protection for Personal Data.

6.4 Stripe, Inc. processes payment data in the United States and other jurisdictions. Stripe has Standard Contractual Clauses in place and is PCI DSS Level 1 certified. The Processor does not store, process, or have access to the Controller's payment card details; such data is processed directly by Stripe.

7. Security Measures

7.1 The Processor shall implement and maintain appropriate technical and organisational measures to protect Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, or damage. These measures include, but are not limited to:

  • (a) Encryption in transit: All data transmitted between the Controller and the Services is encrypted using TLS (Transport Layer Security).
  • (b) Encryption at rest: Personal Data stored on the Processor's servers is encrypted at rest.
  • (c) Access controls: Access to Personal Data is restricted to authorised personnel on a need-to-know basis. Authentication mechanisms, including password hashing, are used to protect account credentials.
  • (d) Infrastructure security: The Services are hosted on Hetzner infrastructure within the EEA, benefiting from Hetzner's physical security measures, including controlled access to data centres.
  • (e) Regular backups: The Processor maintains regular backups of data to ensure availability and enable recovery in the event of a physical or technical incident.
  • (f) Secure media storage: Media files are stored on Cloudflare R2 with access controls to prevent unauthorised access.
  • (g) Incident response: The Processor maintains procedures for detecting, reporting, and responding to Personal Data Breaches.

7.2 The Processor shall regularly review and, where necessary, update the security measures to ensure continued appropriateness, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing.

8. Data Retention and Deletion

8.1 The Processor shall retain Personal Data for the duration of the Controller's active use of the Services and for such period thereafter as is necessary to comply with the Processor's legal obligations, resolve disputes, and enforce agreements.

8.2 Upon termination of the Controller's account, the Processor shall delete the Controller's Personal Data, including website content, account data, and associated media files, within ninety (90) days of account termination, unless:

  • (a) applicable law requires the Processor to retain certain data for a longer period;
  • (b) the Controller requests the return of data prior to deletion, in which case the Processor shall make such data available in a commonly used format within a reasonable timeframe; or
  • (c) the data has been anonymised such that the Controller or any Data Subject can no longer be identified.

8.3 Backups containing the Controller's data may be retained for a further period in accordance with the Processor's standard backup rotation schedule, after which they shall be securely deleted.

9. Personal Data Breach Notification

9.1 The Processor shall notify the Controller without undue delay, and in any event within seventy-two (72) hours of becoming aware of a Personal Data Breach affecting the Controller's Personal Data.

9.2 Such notification shall include, to the extent available:

  • (a) a description of the nature of the Personal Data Breach, including, where possible, the categories and approximate number of Data Subjects and Personal Data records concerned;
  • (b) the name and contact details of the Processor's point of contact from whom more information may be obtained;
  • (c) a description of the likely consequences of the Personal Data Breach; and
  • (d) a description of the measures taken or proposed to be taken by the Processor to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

9.3 Where it is not possible to provide all information at the same time, the Processor shall provide the information in phases without undue further delay.

9.4 The Processor shall cooperate with and assist the Controller in complying with the Controller's breach notification obligations under the Data Protection Legislation.

10. Audit Rights

10.1 The Processor shall make available to the Controller, on request, all information reasonably necessary to demonstrate compliance with this DPA and the Data Protection Legislation.

10.2 The Controller may, upon reasonable written notice of not less than thirty (30) days, request an audit of the Processor's processing activities and security measures relevant to the protection of Personal Data under this DPA. Such audits shall:

  • (a) be conducted during normal business hours;
  • (b) not unreasonably disrupt the Processor's operations;
  • (c) be subject to appropriate confidentiality obligations; and
  • (d) be limited to once per twelve-month period, unless a Personal Data Breach has occurred or the Controller is required by a Supervisory Authority to conduct an additional audit.

10.3 The Controller shall bear its own costs in connection with any audit. Where an audit requires the Processor to devote material resources, the Processor may charge a reasonable fee, agreed in advance, for its assistance.

10.4 As an alternative to an on-site audit, the Processor may, at its discretion, provide the Controller with a summary of relevant security certifications, audit reports, or other documentation that reasonably demonstrates the Processor's compliance with this DPA.

11. Term and Termination

11.1 This DPA shall come into effect on the date the Controller begins using the Services and shall remain in effect for the duration of the Processor's processing of Personal Data on behalf of the Controller.

11.2 This DPA shall automatically terminate upon the termination or expiry of the Controller's account and the completion of the Processor's obligations under Section 8 (Data Retention and Deletion).

11.3 The provisions of this DPA that by their nature should survive termination shall survive, including but not limited to obligations relating to confidentiality, data deletion, and liability.

12. Liability

12.1 The liability of each party under this DPA shall be subject to the limitations and exclusions of liability set out in the terms and conditions governing the Services, except that no limitation or exclusion shall apply to the extent prohibited by the Data Protection Legislation.

12.2 Each party shall be liable for damage caused by processing that infringes the Data Protection Legislation in accordance with the allocation of responsibility set out in the GDPR and UK GDPR.

13. Governing Law and Jurisdiction

13.1 This DPA and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the laws of England and Wales.

13.2 The parties irrevocably agree that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this DPA or its subject matter or formation (including non-contractual disputes or claims).

14. Contact Information

For any queries regarding this DPA or the processing of Personal Data, please contact:

Anseko Ltd.
2 Frederick Street, Kings Cross, London, WC1X 0ND, United Kingdom
Email:
Website: https://instantcafesite.com

For details on how we handle Personal Data more generally, please refer to our Privacy Policy.