B2B draft
A working DPA framework for venues that use Hallify to process guest, staff, and operational records.
This document is a product-accurate draft prepared for lawyer review. It is not final legal advice, and the final legal entity, address, governing law, liability language, breach timelines, and regional notices must be confirmed before launch.
This draft DPA describes how Hallify expects to process personal data on behalf of venue customers when providing restaurant operations software.
It should be finalized by counsel and attached to signed customer agreements before production B2B rollout.
The venue is generally the controller for venue workspace data, including guest records, staff records, reservations, waitlists, operational notes, payroll-related configuration, and local compliance decisions.
Hallify is generally the processor for that workspace data and processes it according to the venue's instructions and the product's documented behavior.
Hallify processes workspace data to host the service, authenticate users, enforce roles, display operational modules, calculate analytics, create audit logs, provide support, prevent abuse, and maintain security.
The venue must ensure it has the right to submit personal data to Hallify and to instruct Hallify to process it.
Hallify's technical and organizational measures should include HTTPS, HttpOnly auth cookies, role-based access, audit logs, abuse throttling, database-backed records, operational monitoring, and restricted administrative access.
Additional production measures such as backup policy, access reviews, incident response, encryption commitments, and vulnerability management should be finalized before launch.
Hallify may use subprocessors for hosting, database storage, analytics, verification delivery, support, observability, and other service operations.
The public Subprocessors page should list active providers and any providers that remain to be confirmed before launch.
Hallify should help venues respond to access, correction, deletion, anonymization, export, objection, and restriction requests where the request relates to venue-controlled data.
Hallify may redirect requesters to the venue when the venue is the controller and Hallify cannot verify or decide the request independently.
At termination or upon valid instruction, Hallify should return, delete, or anonymize venue data where feasible and lawful.
Some records may need to be retained for security, audit integrity, financial reconciliation, legal obligations, dispute resolution, or backup lifecycle limits.
Counsel must finalize breach notice timelines, international transfer mechanisms, subprocessors objection process, liability allocation, audit rights, local law addenda, and signed agreement precedence.
This draft should not be used as a final DPA without legal review.
Questions or legal requests
Email hello@hallify.co and include the venue, account, or request context so Hallify can route the request correctly.
Active development
Hallify is moving quickly toward production readiness. You will see frequent improvements and new operational features appear as we harden the product with real restaurant workflows.
Free access right now
Open Hallify now, create or enter a venue workspace, and explore the complete operational flow that is already available.
No public launch pricing is active yet.