Data Processing Addendum (DPA)
Last Updated: June 25, 2026. Supplements each Baked In Terms of Service.
This Data Processing Addendum ("DPA") supplements the Baked In Terms of Service ("Agreement") entered into by and between Pinecrest Way Holdings LLC ("Processor") and the merchant entity utilizing the App ("Controller").
1. Scope and Authority
This DPA applies to all processing of personal data, transaction data, or consumer POS records accessed via platform APIs on behalf of the Controller through the use of the App. The parties agree that the merchant acts as the Data Controller, and the App provider acts strictly as the Data Processor.
2. Processing Instructions
Processor shall process data only on behalf of and in accordance with the documented instructions of the Controller, including configurations selected within the App UI to automate cash-discount or marked-up pricing catalog updates. Processor shall not use, retain, or disclose Controller data for any purpose outside the direct commercial relationship established by the Agreement, satisfying the "service provider" requirements of the California Consumer Privacy Act (CCPA) as amended by the CPRA.
3. Personnel Security
Processor ensures that all individuals authorized to process Controller data are subject to strict obligations of confidentiality and have undergone appropriate security training.
4. Sub-Processors
Controller grants generalized authorization for Processor to utilize third-party infrastructure providers (such as Stripe for billing processing or cloud hosting providers) to deliver the service. Processor remains liable for the performance of its sub-processors' data protection obligations.
5. Security Measures
Processor shall implement and maintain appropriate technical and organizational measures designed to protect Controller data against unauthorized access, accidental loss, alteration, or disclosure, commensurate with the risk profile of commercial point-of-sale transactional data.
6. Audit and Information Rights
Processor shall make available to Controller all information reasonably necessary to demonstrate compliance with this DPA and shall allow for and contribute to reasonable inquiries or data verification processes conducted by the Controller or a card-network compliance auditor.
7. Data Deletion upon Termination
Upon expiration or termination of the primary Agreement, Processor shall, at the choice of the Controller, delete or return all cached operational transaction or configuration data within thirty (30) days, unless applicable law or platform marketplace rules require continued retention.