Data Processing Addendum

FoodMenuChat Data Processing Addendum (DPA) Effective Date: November 7, 2025 Last updated: November 7, 2025 Company (Processor): ConnectoDigital LLC, New York, NY, USA Contact: support@foodmenuchat.com This Data Processing Addendum (“DPA”) forms part of the agreement between ConnectoDigital LLC (“Processor,” “we,” “us”) and the restaurant/business customer (“Controller,” “you”) governing your use of FoodMenuChat (the “Service”). This DPA applies to the extent we process Personal Data on your behalf as Processor. Related documents: Privacy Policy Terms and Conditions Sub-processors List Definitions “Personal Data” means information relating to an identified or identifiable natural person. “Processing” means any operation performed on Personal Data (e.g., collection, storage, disclosure, deletion). “Controller” means the entity that determines the purposes and means of Processing. “Processor” means the entity that processes Personal Data on behalf of the Controller. The terms “personal data,” “processing,” “controller,” and “processor” have the meanings given in applicable data protection laws, including GDPR where applicable. Roles and Scope 2.1 Controller (Restaurant/Business). You are the Controller of end-customer Personal Data collected through your FoodMenuChat menu/order experience, and any other Personal Data you submit to the Service as Controller. 2.2 Processor (ConnectoDigital LLC). We act as Processor when we process Personal Data on your behalf to provide and support the Service. 2.3 Our independent processing. We may process certain data as a Controller for our own business purposes (e.g., account administration, billing, fraud prevention). That processing is described in our Privacy Policy. Processing Instructions 3.1 Documented instructions. We will process Personal Data only on your documented instructions, including as necessary to provide the Service, as described in this DPA, the agreement/Terms, and your configuration and use of the Service. 3.2 Lawful instruction requirement. You represent that your instructions comply with applicable law. You are responsible for establishing a lawful basis for Processing and providing any required notices and disclosures to end-customers. 3.3 If instructions conflict with law. If we believe an instruction violates applicable law, we will notify you (unless prohibited by law). Details of Processing 4.1 Subject matter. Providing the FoodMenuChat Service: hosting digital menus, capturing order details, facilitating initiation of a starter message, operating and securing the platform, and providing support. 4.2 Duration. Processing continues for the term of your subscription and any additional period required to provide post-termination export/deletion as described in Section 10. 4.3 Categories of Data Subjects. • Restaurant admins/users (account users) • Restaurant end-customers (people placing orders or submitting details via your pages) 4.4 Categories of Personal Data (as configured by you). • End-customer data you choose to collect (e.g., name, phone, order items, notes) • Technical/log data (e.g., IP address, device/browser identifiers) where linkable to a person • Restaurant admin account details (e.g., name, email, role/permissions) 4.5 Nature and purpose of processing. • Hosting, transmitting, and displaying menu and order data • Creating and presenting order summaries and starter message flows • Securing, debugging, monitoring, and supporting the Service • Preventing fraud/abuse and enforcing platform integrity Processor Obligations 5.1 Confidentiality. We will ensure persons authorized to process Personal Data are bound by confidentiality obligations. 5.2 Security. We will implement appropriate technical and organizational measures to protect Personal Data, including measures described in Section 8. 5.3 Assistance with compliance. Considering the nature of processing and information available to us, we will reasonably assist you with: • responding to data subject requests (Section 9), and • conducting data protection impact assessments and consultations where required, to the extent applicable and reasonable. 5.4 Personal Data Breach notification. We will notify you without undue delay after becoming aware of a Personal Data Breach involving Personal Data processed on your behalf, and provide available information to support your compliance obligations. 5.5 No sale of Personal Data. We do not “sell” end-customer Personal Data processed on your behalf. 5.6 Deletion/return. At termination, we will handle return/deletion as described in Section 10, unless retention is required by law. Sub-processing 6.1 Authorization. You grant us a general authorization to engage Sub-processors to support delivery of the Service. 6.2 List and updates. Our current Sub-processors are listed at /page/privacy-policy-subprocessors. We will update this list as Sub-processors change. 6.3 Sub-processor obligations. We will impose data protection obligations on Sub-processors that are no less protective than this DPA for the relevant processing, including confidentiality and security obligations. 6.4 Responsibility. We remain responsible for Sub-processors’ performance of their obligations to the extent required by applicable law. International Transfers If Personal Data is transferred internationally, we will implement appropriate safeguards where required by law (for example, Standard Contractual Clauses and/or other legally recognized transfer mechanisms). Where needed, we will make available additional information about the transfer mechanism upon request. Security Measures (Summary) We maintain a security program appropriate to the nature of the Service and data processed, which may include: • Access controls (role-based access; least privilege) • Administrative safeguards (policies, training where appropriate, vendor controls) • Encryption in transit • Logging and monitoring • Backup and recovery processes • Separation/tenant isolation where applicable • Incident response procedures • MFA for administrative access (where supported/required internally) You are responsible for securing your own account credentials, endpoints, and any devices used to access the Service. Data Subject Requests 9.1 Requests received by you. You are responsible for responding to end-customer data subject requests. 9.2 Requests received by us. If we receive a data subject request regarding Personal Data processed on your behalf, we will, where appropriate, direct the requester to you and/or notify you, unless prohibited by law. 9.3 Assistance. We will provide reasonable assistance to help you fulfill requests, to the extent feasible within the Service and subject to security and legal constraints. Return, Export, and Deletion 10.1 Export window. During your subscription and for 15 days after termination, you may request an export by emailing support@foodmenuchat.com . Exports will be provided in a commercially reasonable format we are able to provide (e.g., CSV/JSON or database export) within a reasonable time. 10.2 Deletion. After the export window, we will delete or anonymize Personal Data processed on your behalf within a commercially reasonable period, unless retention is required by law or needed to resolve disputes, enforce agreements, or protect the Service. 10.3 System data. Certain security logs, derived analytics, or system-level records may be retained as necessary for security, compliance, and operational integrity, consistent with our Privacy Policy. Audits and Information 11.1 Information. Upon reasonable request, we will provide information necessary to demonstrate compliance with this DPA, to the extent we can do so without compromising security or exposing other customers’ confidential information. 11.2 Audit. Where required by applicable law, audits may be conducted by you or an independent auditor under reasonable conditions (advance notice, scope limits, confidentiality), no more than once annually unless a material incident requires more frequent review. Audits must not unreasonably interfere with operations. Liability and Precedence 12.1 Liability. Liability under this DPA is subject to the limitations and exclusions in the main agreement/Terms, unless applicable law requires otherwise. 12.2 Order of precedence. If there is a conflict between this DPA and the main agreement regarding Processing of Personal Data, this DPA controls for that subject matter. Contact Questions about this DPA: support@foodmenuchat.com