Our Privacy Policy
Effective from May 2025
Last Updated on June 2026
This Data Processing Addendum ("DPA") forms part of the Master Services Agreement or other written agreement ("Agreement") between Ando Technologies, Inc. ("Ando" or "Processor") and the Customer that has subscribed to the Services ("Customer" or "Controller"). It applies whenever Ando Processes Personal Data on behalf of Customer in connection with the Services. Capitalized terms not defined here have the meanings given in the Agreement.
Definitions
"Customer Data" means data, including Personal Data, that Customer or its Users submit to or that is generated by the Services on Customer's behalf.
"Personal Data," "Processing," "Controller," "Processor," "Data Subject," "Supervisory Authority," and "Sub-processor" have the meanings given in the GDPR, UK GDPR, or, where applicable, the CCPA/CPRA.
"Applicable Data Protection Law" means the GDPR, UK GDPR, the Swiss FADP, the CCPA/CPRA, and any other data protection or privacy law applicable to the Processing.
"Standard Contractual Clauses" or "SCCs" means the European Commission's standard contractual clauses for the transfer of personal data to third countries (Commission Decision (EU) 2021/914), and the corresponding UK addendum, as in effect from time to time.
Roles of the Parties
The parties acknowledge that, for Personal Data Processed under the Agreement: (a) Customer is the Controller (or, where Customer acts as a processor for a third party, the Processor); and (b) Ando is the Processor (or Sub-processor) acting on documented instructions from Customer.
Ando will Process Personal Data only for the purposes set out in the Agreement, this DPA, and any further written instructions from Customer that are consistent with the Agreement.
Subject Matter, Duration, Nature, and Purpose
Customer Instructions and Compliance
Ando will:
Process Personal Data only on documented instructions from Customer, including with regard to international transfers, unless required to do otherwise by applicable law (in which case Ando will inform Customer of that legal requirement before Processing unless prohibited by law).
Promptly inform Customer if, in Ando's opinion, an instruction infringes Applicable Data Protection Law.
Make available to Customer all information reasonably necessary to demonstrate compliance with this DPA.
Confidentiality
Ando ensures that personnel authorized to Process Personal Data are bound by confidentiality obligations (whether contractual or statutory) and are trained on the protection of Personal Data.
Security Measures
Ando has implemented and will maintain appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk, including:
Encryption of Personal Data in transit (TLS 1.2+) and at rest (AWS KMS-managed keys).
Tenant isolation enforced through row-level security policies in the Ando database and through scoped credentials per tenant.
Access controls based on least privilege, role-based access, secrets management via AWS Secrets Manager, and audit logging of administrative actions.
Network security including private VPC isolation of databases and stateful resources, bastion-based administrative access, and security-group restrictions.
Application security including peer code review, dependency vulnerability scanning, secure SDLC practices, and security review for material changes.
Vulnerability management and patching for operating systems, runtimes, and dependencies on a defined cadence.
Backup and disaster recovery of Customer Data, with point-in-time recovery enabled for production databases.
Incident detection through monitoring and error tracking (Sentry) and on-call response procedures.
Personnel security including background checks where permitted by law and onboarding security training.
A more detailed description of security measures is set out in Annex II.
Sub-processors
Customer authorizes Ando to engage Sub-processors as needed to provide the Services. Ando's current Sub-processors are listed at [URL of subprocessor list] ("Sub-processor List"). Ando will:
Maintain the Sub-processor List and update it before adding or replacing a Sub-processor.
Provide Customer with at least [30] days' prior notice of any new Sub-processor (e.g., via email, in-app notice, or subscription to the Sub-processor List).
Impose data protection obligations on each Sub-processor that are no less protective than those in this DPA.
Remain liable for the acts and omissions of its Sub-processors.
Customer may object to a new Sub-processor on reasonable data protection grounds within [15] days of notice. The parties will work in good faith to resolve the objection; if unresolved, Customer may terminate the affected portion of the Services and receive a pro-rata refund for unused pre-paid fees.
International Transfers
Where Personal Data subject to GDPR, UK GDPR, or Swiss FADP is transferred from the EEA, UK, or Switzerland to a country not deemed to provide an adequate level of data protection, the transfer will be governed by:
the EU SCCs (Module 2 or Module 3, as applicable), incorporated by reference into this DPA;
for transfers from the UK, the UK Addendum to the EU SCCs; and
for transfers from Switzerland, the SCCs as amended for Swiss FADP purposes.
The parties will complete the Annexes to the SCCs using the information in Annex I and Annex II of this DPA. Where Customer is itself acting as a processor for a third-party controller, the parties agree Module 3 applies.
Data Subject Rights
Taking into account the nature of the Processing, Ando will provide reasonable assistance, through appropriate technical and organizational measures, to enable Customer to fulfill its obligations to respond to requests from Data Subjects (access, correction, deletion, portability, restriction, or objection).
If a Data Subject contacts Ando directly with such a request, Ando will, unless legally prohibited, promptly notify Customer and not respond to the request itself except to direct the Data Subject to Customer.
Personal Data Breach
Ando will notify Customer without undue delay, and in any event within [72] hours, after becoming aware of a Personal Data Breach affecting Customer's Personal Data. Notification will include, to the extent known: the nature of the breach, categories and approximate volume of affected data and Data Subjects, likely consequences, and measures taken or proposed to address the breach and mitigate adverse effects. Ando will provide further updates as additional information becomes available.
Data Protection Impact Assessments
Ando will provide Customer with reasonable cooperation and assistance with data protection impact assessments and consultations with Supervisory Authorities, in each case in relation to the Services and to the extent required by Applicable Data Protection Law.
Deletion or Return of Personal Data
Upon termination or expiration of the Agreement, Ando will, at Customer's election, delete or return all Customer Data containing Personal Data within [30] days, except where retention is required by applicable law. Operational backups containing Personal Data age out on a [N]-day rolling cycle and are inaccessible for production use during that period.
Audit Rights
Ando will make available to Customer all information reasonably necessary to demonstrate compliance with this DPA. On reasonable prior written notice, and no more than once per twelve-month period (unless an audit is reasonably required following a Personal Data Breach), Customer or a mutually agreed independent auditor may audit Ando's compliance with this DPA, subject to confidentiality obligations and Ando's reasonable security, scheduling, and access restrictions.
Where Ando holds third-party certifications or audit reports (e.g., SOC 2, ISO 27001) that are sufficient to address the audit subject matter, Ando may provide those reports in lieu of an on-site audit.
CCPA / U.S. State Privacy Terms
Where the CCPA/CPRA or another U.S. state privacy law applies, Ando is acting as a "service provider" (CCPA) or "processor" (other state laws). Ando will not: (i) sell or share Personal Data; (ii) retain, use, or disclose Personal Data for any purpose other than for the business purposes specified in the Agreement; (iii) retain, use, or disclose Personal Data outside the direct business relationship between Ando and Customer; or (iv) combine Personal Data received from Customer with personal information received from other sources, except as permitted by applicable law. Ando will provide the same level of privacy protection as is required of Customer under applicable U.S. state privacy laws and will notify Customer if it can no longer meet its obligations.
Liability
Each party's liability under this DPA is subject to the limitations of liability set forth in the Agreement.
Order of Precedence
In the event of a conflict between this DPA and the Agreement, this DPA controls with respect to the Processing of Personal Data. In the event of a conflict between this DPA and the SCCs, the SCCs control.
Term; Survival
This DPA takes effect on the date the Agreement takes effect and continues for the duration of the Agreement and for as long as Ando Processes Personal Data on Customer's behalf. Provisions that by their nature should survive termination (including Sections 6, 10, 12, 13, 14, and 15) will survive.
Annex I — Description of Processing
Subject matter of Processing: Provision of the Services described in the Agreement, including labor scheduling, forecasting, attendance, reporting, notifications, and AI-assisted workflow features.
Duration of Processing: The duration of the Agreement, plus any post-termination period permitted under Section 12.
Nature and purpose of Processing: Collection, storage, retrieval, organization, transmission, display, deletion, and other Processing operations necessary to operate the Services.
Categories of Data Subjects:
Customer's employees, contractors, and managers ("Users")
Customer's administrative personnel
Other individuals whose Personal Data Customer chooses to submit through the Services
Categories of Personal Data:
Identification and contact data (name, preferred name, email, phone, mailing address)
Employment data (job role, department, jobsite, employment status, wage, schedule, attendance, tipped status)
Demographic data where provided (date of birth, gender, pronouns)
Sensitive Personal Data where provided by Customer (Social Security Number or equivalent national identifier)
Authentication and device data (Cognito identifiers, push notification tokens, device platform)
Geolocation data (clock-in/clock-out GPS coordinates where the User's device permits)
Operational and diagnostic data (IP address, browser/device identifiers, error logs, audit logs)
Communications metadata (notification delivery records)
Special category data: Generally none, except SSN-equivalent identifiers where provided by Customer. Ando treats SSN/equivalent identifiers as sensitive and applies field-level encryption and stricter access controls.
Frequency of Processing: Continuous, for the duration of the Agreement.
Retention period: As set forth in the Agreement, the Privacy Policy, and Section 12 of this DPA.
Annex II — Technical and Organizational Security Measures
[Lawyer should expand into a detailed checklist; the items in Section 6 of this DPA are the starting point. Typical structure: Access Control · Encryption · Pseudonymization · Confidentiality · Integrity · Availability · Resilience · Testing · Vendor Management · Incident Response · Personnel Security · Physical Security · Data Minimization · Logging and Monitoring · Backup and Recovery.]