Data Processing Agreement

Last updated: March 2026

1. Introduction

This Data Processing Agreement ("DPA") forms part of the agreement between BevSync ("Processor") and the Organization subscribing to the BevSync platform ("Controller"). It governs the processing of personal data by BevSync on behalf of the Controller in connection with the BevSync service.

This DPA supplements our Terms of Service and Privacy Policy. In the event of a conflict, this DPA takes precedence with respect to data processing matters.

2. Roles & Definitions

  • "Controller" means the Organization that determines the purposes and means of processing personal data through the BevSync platform.
  • "Processor" means BevSync, which processes personal data on behalf of and under the instructions of the Controller.
  • "Data Subject" means the individual to whom personal data relates — typically the Controller's team members (Users) and, where applicable, business contacts (distributor contacts, brand contacts).
  • "Sub-Processor" means a third party engaged by BevSync to process personal data on behalf of the Controller.
  • "Personal Data" means any information relating to an identified or identifiable natural person that is processed through the Service.

3. Processing Purposes

BevSync processes personal data solely for the purpose of providing the Service as described in our Terms of Service. Specific processing activities include:

  • Authenticating and managing user accounts
  • Providing the platform features (inventory, analytics, reporting, POS sync)
  • Sending transactional and notification emails on behalf of the Controller
  • Generating reports and analytics from Controller-provided data
  • Synchronizing sales data from POS systems connected by the Controller (with automatic PII stripping)
  • Maintaining audit logs for security and accountability
  • Providing customer support when requested

4. Categories of Personal Data

Category | Data Elements | Data Subjects
Account identity | Email address, full name, phone number (optional) | Users (team members)
Authentication | Hashed password (stored by Supabase Auth only), session tokens | Users
Organization info | Business name, billing email, phone, website | Organization representatives
Business contacts | Distributor and brand contact names, emails, phone numbers | Third-party business contacts
Team invitations | Invitee email address, assigned role | Prospective users
Audit & security | IP address (unauthorized access attempts only), last login timestamp, audit trail entries | Users

Note on POS data: Customer PII from POS sales transactions is automatically stripped before storage. BevSync does not store end-consumer personal data. See Section 5 of our Privacy Policy for details.

5. Sub-Processors

BevSync engages the following Sub-Processors to provide the Service. The Controller authorizes BevSync to use these Sub-Processors:

Required Sub-Processors

Sub-Processor | Purpose | Data Shared | Region
Supabase (Supabase Inc.) | Authentication, database hosting, file storage | All platform data: user accounts, business data, auth sessions, report files | US
Resend (Resend Inc.) | Transactional email delivery | Recipient email addresses, email subject and body content | US
Netlify (Netlify Inc.) | Web hosting, serverless functions, background tasks | HTTP request/response data, application execution | US

Optional Sub-Processors (Controller-Initiated)

Sub-Processor | Purpose | Data Shared | Region
Google (Google LLC) | Location address autocomplete | Search queries (business names, addresses) | US
Square (Block Inc.) | POS integration (OAuth) | Read-only sales transactions and menu items | US
Toast (Toast Inc.) | POS integration (API) | Read-only sales transactions and menu items | US
Clover (Fiserv Inc.) | POS integration (OAuth) | Read-only sales transactions and menu items | US
Omnivore (NCR Corporation) | POS integration (API key) | Read-only sales transactions | US

BevSync will notify the Controller at least 30 days before engaging a new Sub-Processor that processes personal data. The Controller may object by contacting us within that period; if the objection cannot be resolved, the Controller may terminate the agreement.

6. Security Measures

BevSync implements the following technical and organizational measures to protect personal data:

  • HTTPS encryption for all traffic in transit
  • Encryption at rest for all database and storage data (Supabase-managed)
  • AES-256-GCM encryption for POS integration credentials
  • Password hashing managed exclusively by Supabase Auth (never stored in application database)
  • Optional TOTP-based multi-factor authentication
  • Rate limiting on authentication endpoints (10 requests per 60 seconds per IP)
  • Multi-tenancy isolation — all queries scoped to the authenticated Organization ID
  • Row-level security (RLS) enabled on database tables
  • Role-based access control with per-location permission scoping
  • Comprehensive audit logging of significant actions
  • Automatic PII stripping from POS sales data before storage
  • HMAC-SHA256 webhook signature verification for POS providers

For additional detail, see our Security page.

7. Data Breach Notification

In the event of a personal data breach, BevSync will:

  • Notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach
  • Provide details about the nature of the breach, the categories and approximate number of Data Subjects affected, and the likely consequences
  • Describe the measures taken or proposed to address the breach and mitigate its effects
  • Cooperate with the Controller in notifying relevant supervisory authorities and affected Data Subjects as required by applicable law

8. Data Subject Rights

BevSync will assist the Controller in responding to Data Subject requests to exercise their rights under applicable data protection law, including:

  • Right of access — viewable via the platform UI and data export
  • Right to rectification — editable via the platform UI
  • Right to erasure — account deletion via Settings > Security; data export available beforehand
  • Right to data portability — full export in JSON or CSV via Settings > Data
  • Right to restrict processing — disconnect integrations, deactivate products, or disable locations

The platform provides self-service tools for most rights. For requests that cannot be handled through the platform, contact support@bevsync.net. BevSync will respond within 30 days.

9. Data Deletion on Termination

Upon termination of the agreement between the Controller and BevSync:

  • A 30-day grace period applies, during which the Controller may export all data
  • After the grace period, BevSync will delete all personal data from active systems, except where retention is required by law
  • Audit log entries containing personal data references may be retained for legal compliance purposes
  • The Controller's Supabase Auth user records are permanently deleted upon account deletion

10. Audit Rights

The Controller has the right to verify BevSync's compliance with this DPA. BevSync will:

  • Make available information necessary to demonstrate compliance upon reasonable request
  • Allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to reasonable advance notice (at least 30 days)
  • Provide relevant certifications and audit reports from Sub-Processors upon request

11. International Data Transfers

All personal data is stored and processed in the United States. BevSync and all Sub-Processors operate in the US.

If the Controller is located in the European Economic Area (EEA), United Kingdom, or Switzerland, the transfer of personal data to the US is governed by this DPA and any applicable Standard Contractual Clauses (SCCs). Controllers requiring executed SCCs should contact us at support@bevsync.net.

12. Liability

Each party's liability under this DPA is subject to the limitations of liability set out in the Terms of Service.

13. Term & Termination

This DPA is effective for the duration of the Controller's use of the BevSync service. It automatically terminates when the underlying agreement (Terms of Service) terminates. Obligations related to data deletion, confidentiality, and cooperation with regulatory authorities survive termination.

14. Changes to This DPA

BevSync may update this DPA to reflect changes in our data processing practices, Sub-Processors, or applicable law. Material changes will be communicated to the Controller via email with at least 30 days' advance notice.

15. Contact

For questions about this DPA, to request an executed copy, or to exercise any rights under this agreement, contact:

Email: support@bevsync.net

Website: bevsync.net