Overview
Guest It LTD ("Guest It", "we", "us") acts as a data processor on behalf of our B2B clients (the "data controller") when handling personal data through our platform. We offer a Data Processing Agreement (DPA) to all enterprise and venue clients in line with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
This page provides an overview of what our DPA covers. The full DPA document is available upon request and can be executed as part of your service agreement with Guest It.
What the DPA Covers
Our Data Processing Agreement addresses:
- The scope and purpose of data processing activities
- Obligations and rights of the data controller and data processor
- Technical and organisational security measures in place
- Sub-processor engagement and approval procedures
- Data breach notification procedures (within 72 hours)
- Data subject access request (DSAR) assistance
- Data retention and deletion policies
- Cross-border transfer safeguards (where applicable)
- Audit and compliance verification rights
Data Categories
Depending on which Guest It modules your venue uses, the categories of personal data processed may include:
- Guest data — names, email addresses, phone numbers, dietary preferences, and order history collected via QR chatbot or concierge app
- Staff data — names, contact details, bank details for payroll, GPS clock-in/out location, shift history, and performance ratings
- Manager and team member data — names, login credentials, and operational activity logs
- Survey respondent data — names, email addresses, and survey responses
Full details of the personal data we collect and how it is used are set out in our Privacy Policy.
Security Measures
Guest It maintains appropriate technical and organisational measures including:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
- Infrastructure hosted on AWS, with the UK (eu-west-2, London) as the primary region and the EU (eu-west-1, Ireland) used for cross-region backup. AWS itself is independently audited under SOC 1/2/3, ISO 27001 and other recognised frameworks.
- Role-based access control and least-privilege access policies
- Regular security assessments and vulnerability monitoring
- Automated soft-deletion with configurable retention periods and hard-deletion after expiry
- Consent audit trail for all data processing consent events
Sub-processors
Guest It engages a limited number of sub-processors to deliver our services. Key sub-processors include:
- Amazon Web Services (AWS) — cloud hosting, RDS PostgreSQL, S3 storage, ElastiCache (Redis), SES email delivery, CloudFront content delivery, Location Service. Production data is processed in the UK (eu-west-2, London), with cross-region backup snapshots in the EU (eu-west-1, Ireland).
- OpenAI — AI-powered analytics, summaries and chatbot inference. United States.
- Twilio — SMS and phone number verification. United States.
- Google Cloud — chatbot translation via Google Cloud Translate. United States.
- Microsoft 365 — internal mail, OneDrive and SharePoint. European Union.
- Sentry — application error monitoring. Region per Sentry account configuration.
- Expo — mobile push notifications and over-the-air updates. United States.
A complete and current list of sub-processors is included in the full DPA document. We will notify you of any changes to our sub-processor list in advance, giving you the opportunity to object.
Data Subject Rights
Guest It provides tooling to assist data controllers in responding to data subject requests, including:
- Right of access — data export functionality for responding to DSARs
- Right to erasure — soft-deletion with automated hard-deletion after the retention period
- Right to rectification — editable records across all platform modules
- Consent management — auditable consent records with version tracking
Requesting a DPA
To request a copy of our Data Processing Agreement or to discuss your data protection requirements, please contact us:
- Email: hello@guestit.co.uk
- Via the Contact Us page
We aim to provide the DPA document within 2 business days of your request. The DPA can be executed as a standalone agreement or incorporated into your existing service contract.