DPA

Data Processing Addendum

Effective 1 January 2026. This DPA forms part of the Terms of Service for any Customer for whom TapReceipt processes personal data.

Subject matter and duration

TapReceipt processes personal data on behalf of the Customer for the purpose of providing the Service. Processing continues for the duration of the subscription plus the retention windows described below.

Nature and purpose of processing

Issuing, storing and serving digital receipts; sending transactional emails; providing the merchant dashboard; producing aggregated analytics for the Customer; meeting tax-record obligations on the Customer’s behalf where applicable.

Categories of data

  • Merchant contact details (name, email, role).
  • Billing details (entity name, VAT, address).
  • Receipt content (line items, totals, timestamps, terminal ID).
  • Operational telemetry (puck IDs, tap counts, error rates).

Data subjects

  • The Customer’s employees and authorised users of the dashboard and API.
  • Where receipts contain personal data identifying a shopper (e.g. name typed by the cashier), the data subjects also include those shoppers.

Security measures

  • SOC 2 Type II audited annually; report available on request under NDA.
  • Encryption in transit (TLS 1.2+) and at rest (AES-256, per-merchant keys).
  • Role-based access, hardware MFA for all engineers, no production access from personal devices.
  • Audit logging of every administrative action, retained 12 months.
  • Annual penetration test by a CREST-certified third party.

Sub-processors

TapReceipt engages the sub-processors listed below. We notify Customers at least 30 days before adding a new sub-processor; Customers may object on reasonable grounds.

International transfers

Personal data is hosted in the EU. Where a sub-processor is located outside the EEA, transfers are governed by the European Commission’s Standard Contractual Clauses (2021/914) supplemented by encryption and access-control measures.

Data subject requests

TapReceipt assists the Customer in responding to data subject requests by providing reasonable tools (export, deletion, rectification) within the dashboard and API. Where TapReceipt receives a request directly from a data subject, we forward it to the Customer without undue delay.

Breach notification

TapReceipt notifies the Customer within 48 hours of becoming aware of a personal data breach that affects the Customer’s data, including the nature of the breach, affected data, and mitigations.

Audits

The Customer may audit TapReceipt’s compliance with this DPA on reasonable notice and at the Customer’s cost, no more than once per calendar year. Our SOC 2 Type II report normally satisfies this right.

SUB-PROCESSORS

The current list

Amazon Web Services | Cloud hosting (compute, storage, networking) | EU (Frankfurt)
Cloudflare | CDN, DDoS protection, edge TLS termination | EU (multi)
Stripe | Payment processing for subscriptions | EU (Dublin) / US (SCCs)
Postmark | Transactional email delivery | EU (Dublin)
Sentry | Error tracking (no PII; scrubbed payloads) | EU (Frankfurt)
Plain | Customer support tooling | EU (Ireland)