v.2026.2
tendypos.com/legal/dpa-v2026-2 • legal@tendypos.com
This Data Processing Agreement (“DPA”) forms part of, and is incorporated by reference into, the Tendy Master Subscription Agreement located at tendypos.com/legal/msa-v2026-2 (the “Agreement”) between Tendy Inc. (“Tendy”) and the Merchant identified in the Order Form. This DPA governs Tendy’s Processing of Personal Data on behalf of the Merchant in connection with the Products. In the event of a conflict between this DPA and the rest of the Agreement with respect to the Processing of Personal Data, this DPA prevails. In all other respects the Agreement remains in full force.
Capitalized terms not defined here have the meaning given in the Agreement.
“Applicable Privacy Laws” means all privacy and data-protection laws applicable to the Processing of Personal Data under the Agreement, including Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), Quebec’s Act respecting the protection of personal information in the private sector (“Law 25”), and, where Tendy Processes Personal Data of individuals in the European Economic Area, the EU General Data Protection Regulation 2016/679 (“GDPR”).
“Merchant” acts as the controller (GDPR) and the organization having decision-making authority (PIPEDA / Law 25) in respect of the Personal Data. “Tendy” acts as the processor / service provider that Processes Personal Data on the Merchant’s behalf and on its documented instructions.
“Personal Data” means information about an identifiable individual that Tendy Processes on the Merchant’s behalf through the Products. “Data Subject” means the individual to whom Personal Data relates.
“Processing” means any operation performed on Personal Data, whether or not by automated means, including collection, use, storage, disclosure, retention, and deletion. “Sub-processor” means a third party engaged by Tendy to Process Personal Data. “Confidentiality Incident / Personal Data Breach” means any unauthorized access to, use of, loss of, communication of, or other breach of security safeguards protecting Personal Data.
As between the parties, the Merchant determines the purposes and means of Processing Personal Data and is responsible for the lawfulness of that Processing, including obtaining all necessary consents and providing all required notices to Data Subjects. Tendy Processes Personal Data only as a processor / service provider acting on the Merchant’s behalf. The subject-matter, duration, nature and purpose of the Processing, the categories of Personal Data, and the categories of Data Subjects are set out in Annex 1.
Documented instructions. Tendy will Process Personal Data only on the Merchant’s documented instructions, including as set out in the Agreement, this DPA, and the Order Form, and as necessary to provide and support the Products, unless required to act otherwise by applicable law (in which case Tendy will, where legally permitted, inform the Merchant of that legal requirement before Processing).
No secondary use. Tendy will not sell Personal Data and will not retain, use, or disclose Personal Data for any purpose other than performing the Products and the services under the Agreement, except for the use of de-identified, anonymized, and aggregated data as expressly permitted under Section 7.2 of the Agreement.
Confidentiality of personnel. Tendy will ensure that persons authorized to Process Personal Data are bound by appropriate obligations of confidentiality and have received appropriate training.
Notice to Merchant. Tendy will notify the Merchant, without undue delay, if Tendy determines that an instruction infringes Applicable Privacy Laws or if Tendy can no longer meet its obligations under this DPA.
Tendy will implement and maintain appropriate technical and organizational measures designed to protect Personal Data against a Confidentiality Incident, taking into account the nature of the Personal Data and the risks involved. A summary of those measures is set out in Annex 2. The Merchant acknowledges that it is responsible for its own use of the Products, including configuring available security controls, managing User access, and maintaining the security of its account credentials, as described in Section 2.3 of the Agreement.
General authorization. The Merchant grants Tendy general authorization to engage Sub-processors to support the provision of the Products. A current list of Sub-processors is maintained in Annex 3 or at the URL referenced therein.
Flow-down. Tendy will impose data-protection obligations on each Sub-processor that are substantially equivalent to those in this DPA, and remains responsible for each Sub-processor’s performance.
Changes. Tendy will provide the Merchant with notice of any intended addition or replacement of a Sub-processor (by email or by updating the list) at least thirty (30) days before the change takes effect. If the Merchant has a reasonable, data-protection-based objection, the parties will work in good faith to address it; if it cannot be resolved, the Merchant may terminate the affected Products as set out in the Agreement.
Data Subject requests. Taking into account the nature of the Processing, Tendy will provide reasonable assistance (including through the Products’ self-service functionality and data-export tools) to enable the Merchant to respond to requests from Data Subjects to access, correct, delete, de-index, port, or otherwise act on their Personal Data. If Tendy receives such a request directly, it will, where lawful, refer the Data Subject to the Merchant.
Privacy assessments. Tendy will provide the Merchant with reasonably available information necessary to assist the Merchant in conducting any privacy impact assessment or assessment of privacy-related factors required under Applicable Privacy Laws (including Law 25), and in consulting with a supervisory authority where required.
Tendy will notify the Merchant without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Confidentiality Incident affecting the Merchant’s Personal Data. The notice will describe, to the extent known, the nature of the incident, the categories and approximate volume of Personal Data and Data Subjects affected, the likely consequences, and the measures taken or proposed to address it. Tendy will provide reasonable cooperation to assist the Merchant in meeting its own notification and record-keeping obligations to regulators (including the Office of the Privacy Commissioner of Canada, the Commission d’accès à l’information du Québec, or a GDPR supervisory authority) and to affected individuals. Each party is responsible for making its own legally required notifications.
Tendy may Process and store Personal Data in Canada and in other jurisdictions where Tendy or its Sub-processors operate. Where Tendy transfers Personal Data subject to Law 25 outside Quebec, it will conduct or assist the Merchant in conducting any required privacy assessment of the transfer. Where Tendy transfers Personal Data subject to the GDPR outside the EEA to a jurisdiction without an adequacy decision, the parties agree that the European Commission’s Standard Contractual Clauses (Module Two: Controller-to-Processor), as published and amended from time to time, are incorporated by reference and apply to that transfer, with this DPA and its Annexes supplying the required details.
Tendy will maintain records of its Processing activities sufficient to demonstrate compliance with this DPA and will make available to the Merchant, on reasonable written request and no more than once per twelve (12) month period (unless required more frequently by a regulator), information reasonably necessary to demonstrate compliance. Where an on-site audit is legally required, it will be conducted on reasonable advance notice, during business hours, subject to confidentiality obligations, and in a manner that does not unreasonably disrupt Tendy’s operations.
On termination or expiry of the Agreement, Tendy will handle Personal Data in accordance with Section 7.3 of the Agreement: Tendy will retain Merchant Content (including Personal Data) for the sixty (60) day Retention Period during which the Merchant may export its data in CSV or JSON format, after which Tendy may permanently delete it, except where retention is required by applicable law or to the extent data has been de-identified, anonymized, and aggregated as permitted under Section 7.2. Where the Order Form provides for an extended retention period (for example, ninety (90) days), that period applies.
The parties acknowledge that the Merchant is responsible for designating a person in charge of the protection of personal information within its organization. Tendy’s privacy contact is legal@tendypos.com.
Tendy will assist the Merchant, as described in Sections 6 and 7, in meeting its Law 25 obligations, including maintaining a register of confidentiality incidents and assessing the risk of serious injury arising from any incident.
Tendy will not use Personal Data to render a decision based exclusively on automated Processing of that data on the Merchant’s behalf except as instructed by the Merchant and disclosed by the Merchant to the relevant Data Subjects.
Where the GDPR applies, this DPA is intended to satisfy Article 28(3). The clauses of this DPA addressing documented instructions, confidentiality, security, Sub-processors, assistance with Data Subject rights, breach notification, deletion, and audit constitute the corresponding Article 28(3) commitments, and the international-transfer mechanism in Section 8 applies.
Each party’s liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in Section 14 of the Agreement, and any reference in Section 14 to the Agreement includes this DPA.
This DPA takes effect on the Effective Date of the Agreement and continues for as long as Tendy Processes Personal Data on the Merchant’s behalf. Sections that by their nature should survive termination (including Sections 7, 9, 10, and 13) survive. Except as expressly modified here, the Agreement, including its governing law and dispute-resolution provisions (Section 17), applies to this DPA.
Tendy maintains, at minimum, the following categories of measures, which may be updated provided the overall level of protection is not reduced:
Encryption of Personal Data in transit and at rest using industry-standard protocols.
Role-based access controls and the principle of least privilege for personnel access to Personal Data.
Authentication controls, including support for strong credentials and access logging.
Network and infrastructure protections, including firewalls and monitoring of the hosting environment.
Regular backups and documented restoration procedures.
Personnel confidentiality obligations and privacy/security training.
Vulnerability management, patching, and periodic security testing.
An incident-response process supporting the notification obligations in Section 7.
Tendy engages the Sub-processors listed below to support the provision of the Products. A current version of this list is maintained at tendypos.com/legal/subprocessors. Only third parties that Process Merchant Personal Data on Tendy’s behalf are listed. Several Sub-processors Process Personal Data in the United States; the international-transfer mechanisms in Section 8 — including the Law 25 transfer assessment and, where the GDPR applies, the Standard Contractual Clauses — apply to those transfers.
Note: tools used solely for Tendy’s internal business (e.g. its sales CRM), and payment processors that contract directly with Merchants, are not Sub-processors of Merchant Personal Data and are not listed here.