Overview
Guest It LTD ("Guest It", "we", "us") acts as a data processor on behalf of our B2B clients (the "data controller") when handling personal data through our platform. We offer a Data Processing Agreement (DPA) to all enterprise and venue clients in line with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
This page provides an overview of what our DPA covers. The full DPA document is available upon request and can be executed as part of your service agreement with Guest It.
What the DPA Covers
Our Data Processing Agreement addresses:
- The scope and purpose of data processing activities
- Obligations and rights of the data controller and data processor
- Technical and organisational security measures in place
- Sub-processor engagement and approval procedures
- Data breach notification procedures (within 72 hours)
- Data subject access request (DSAR) assistance
- Data retention and deletion policies
- Cross-border transfer safeguards (where applicable)
- Audit and compliance verification rights
Data Categories
Depending on which Guest It modules your venue uses, the categories of personal data processed may include:
- Guest data — names, email addresses, phone numbers, dietary preferences, and order history collected via QR chatbot or concierge app
- Staff data — names, contact details, bank details for payroll, GPS clock-in/out location, shift history, and performance ratings
- Manager and team member data — names, login credentials, and operational activity logs
- Survey respondent data — names, email addresses, and survey responses
Full details of the personal data we collect and how it is used are set out in our Privacy Policy.
Security Measures
Guest It maintains appropriate technical and organisational measures including:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
- Infrastructure hosted on AWS (EU-West region) with SOC 2 compliance
- Role-based access control and least-privilege access policies
- Regular security assessments and vulnerability monitoring
- Automated soft-deletion with configurable retention periods and hard-deletion after expiry
- Consent audit trail for all data processing consent events
Sub-processors
Guest It engages a limited number of sub-processors to deliver our services. Key sub-processors include:
- Amazon Web Services (AWS) — cloud infrastructure and data storage
- OpenAI — AI-powered analytics and chatbot functionality
- Twilio — SMS notifications and communication
- Stripe — payment processing (where applicable)
A complete and current list of sub-processors is included in the full DPA document. We will notify you of any changes to our sub-processor list in advance, giving you the opportunity to object.
Data Subject Rights
Guest It provides tooling to assist data controllers in responding to data subject requests, including:
- Right of access — data export functionality for responding to DSARs
- Right to erasure — soft-deletion with automated hard-deletion after the retention period
- Right to rectification — editable records across all platform modules
- Consent management — auditable consent records with version tracking
Requesting a DPA
To request a copy of our Data Processing Agreement or to discuss your data protection requirements, please contact us:
- Email: hello@guestit.co.uk
- Via the Contact Us page
We aim to provide the DPA document within 2 business days of your request. The DPA can be executed as a standalone agreement or incorporated into your existing service contract.