Data Processing Addendum (DPA)
Effective date: 2026-05-10.
This DPA forms part of the agreement between you (the Customer / Controller) and Bina (the Processor). It governs the processing of personal data of your customers (Data Subjects) on the Bina platform.
1. Subject matter and duration
Bina processes Customer Data on Customer's behalf to provide the service for the duration of the agreement and a 90-day post-termination retention window for export purposes.
2. Nature and purpose
Storage, retrieval, computation, and AI inference — strictly to operate the service as Customer instructs through the Bina application interface.
3. Categories of Data Subjects
- Customer's end customers (people who order via QR / WhatsApp / etc.)
- Customer's staff (cashiers, managers, kitchen)
- Customer's suppliers (when Customer adds them to Bina)
4. Categories of personal data
- Identity: name, optional phone, optional email
- Order content: items, modifiers, total, payment method (no card numbers)
- Operational: shift attendance, role assignments
5. Sub-processors
Bina uses the following sub-processors. We notify Customer before adding new ones:
- Supabase (database, EU/Frankfurt)
- Vercel (frontend hosting)
- Railway (API hosting)
- Clerk (auth)
- Anthropic (AI inference, no training on Customer Data)
- Resend (transactional email)
- PostHog EU (analytics)
- Sentry (error tracking)
- Stripe (payments — when activated by Customer)
- Meta WhatsApp Business API (when activated by Customer)
6. Security
Bina implements row-level multi-tenant isolation, encrypted data in transit (TLS) and at rest, append-only audit logging, idempotent mutations to prevent state corruption, daily encrypted database snapshots, and request-ID correlation for incident response.
7. Data subject rights
Bina supports access, correction, portability (CSV export), and deletion requests. Customers can satisfy most rights directly via the dashboard; for the rest, we respond to written requests within 30 days.
8. Data transfers
Primary processing happens in the EU. Some sub-processors may transfer data to other regions (e.g. AI inference). Where required, transfers are governed by Standard Contractual Clauses or equivalents.
9. Breach notification
Bina notifies Customer within 72 hours of becoming aware of a personal data breach affecting Customer Data, with sufficient detail for Customer to meet its own notification obligations.
10. Audit rights
Customer can request a copy of Bina's most recent SOC 2 / ISO 27001 report (when available) once per year, or an alternative attestation. On-site audits are available with reasonable notice and at Customer's expense.
11. Termination
On termination, Bina returns or deletes Customer Data per Customer's instruction within 90 days, except where legal retention applies.