1. Purpose and role of this document
This Data Processing Policy is intended to operate as a data-processing agreement for BeverageStack customer relationships unless a separately signed data-processing agreement applies. It applies when BeverageStack processes personal data on behalf of a customer in connection with the BeverageStack platform, onboarding, support, maintenance and related services.
This document should be read with the Privacy Policy, Security Policy, Terms of Use and any written customer agreement or order form.
2. Data-protection roles
| Processing context | Role |
|---|---|
| Customer workspace data entered or generated by authorised users | The customer is usually the controller under GDPR, or the business under applicable US privacy law. BeverageStack is usually the processor or service provider. |
| Website visitors, sales prospects, direct BeverageStack communications and platform administration records | BeverageStack is usually the controller or business responsible for its own processing. |
| Aggregated, de-identified or anonymised operational insights | BeverageStack may use such information for analytics, security, benchmarking, product improvement and service development, provided it does not identify a customer, user or individual. |
3. Processing instructions
BeverageStack will process customer personal data only on documented instructions from the customer, including through the customer agreement, platform configuration, authorised user activity, administrator settings, support requests and this policy. BeverageStack may also process data where required by law, in which case it will notify the customer unless legally prohibited.
If BeverageStack believes an instruction breaches applicable data-protection law, it may notify the customer and suspend the relevant processing where appropriate.
4. Processing details
| Item | Description |
|---|---|
| Subject matter | Provision, operation, support, improvement and security of BeverageStack and related business services. |
| Duration | For the term of the customer relationship and any post-termination period required for deletion, return, legal retention, audit, security or dispute purposes. |
| Nature of processing | Hosting, storage, retrieval, access control, transmission, analysis, support, troubleshooting, backup, deletion, reporting, audit logging and security monitoring. |
| Purpose | To deliver a connected operating workspace for beverage distribution, including inventory, batches, purchasing, sales orders, pricing, CRM, reporting, permissions and audit history. |
| Data subjects | Authorised users, customer personnel, supplier contacts, customer contacts, account contacts, business leads, warehouse or sales contacts and other individuals whose details are entered by the customer. |
| Personal data categories | Names, business contact details, roles, account ownership, customer or supplier references, communication notes, order/contact history, platform usage, audit logs and technical identifiers. |
| Sensitive data | Not intended. Customers must not submit special-category or highly sensitive personal data unless expressly agreed and legally supported. |
5. Confidentiality and personnel access
BeverageStack will ensure that personnel authorised to process customer personal data are subject to suitable confidentiality obligations and receive access only where needed for service delivery, security, support, administration or compliance. Access should be limited, role-based and reviewed as appropriate.
6. Sub-processors
- Sub-processors must be subject to written terms requiring appropriate data-protection and security obligations.
- BeverageStack will use reasonable diligence when selecting sub-processors.
- Where required, BeverageStack will make information about material sub-processors available to customers through the website, platform, agreement or another reasonable channel.
- Customers may object to a new sub-processor where applicable law or the relevant agreement gives them that right.
7. International transfers
Where customer personal data is transferred from the EU, EEA, UK or Switzerland to a country without an adequacy decision, BeverageStack will use appropriate transfer safeguards. These may include standard contractual clauses, UK transfer mechanisms, supplementary measures, transfer risk assessments and contractual restrictions on onward transfers.
8. Security measures
- role-based access controls and account permissions;
- authentication and session-security controls;
- audit logs for key platform activity;
- encryption in transit where supported;
- segregation of customer workspaces and controlled administrative access;
- backup, recovery and change-management procedures;
- security monitoring, vulnerability management and incident-response processes;
- confidentiality obligations and access review for personnel and service providers.
9. Assistance with rights and compliance
Taking account of the nature of processing and information available to BeverageStack, BeverageStack will provide reasonable assistance to customers with data-subject rights requests, security obligations, data-protection impact assessments, regulatory consultation and other processor-assistance obligations required by applicable law.
Where a rights request is received directly by BeverageStack for customer workspace data, BeverageStack may refer the request to the relevant customer unless legally required to act directly.
10. Personal data breach handling
BeverageStack will notify affected customers without undue delay after becoming aware of a personal data breach involving customer personal data, where required by applicable law. The notice will include available information about the nature of the breach, likely consequences, affected data, mitigation steps and recommended customer actions, subject to investigation status and legal restrictions.
Customers are responsible for determining whether regulator, data-subject, consumer, contractual or other notifications are required, unless a separate written agreement states otherwise.
11. Return, deletion and retention
Following termination or expiry of the customer relationship, BeverageStack will return, delete or anonymise customer personal data in accordance with the customer agreement, platform functionality and applicable law. Some records may be retained where required for legal, tax, accounting, security, audit, dispute-resolution or backup integrity purposes.
12. Audit and information rights
BeverageStack will make available reasonable information necessary to demonstrate compliance with processor obligations, subject to confidentiality, security, trade-secret protection and protection of other customers. Audits must be reasonable in scope, frequency and timing and must not compromise platform security or operational integrity.
13. US service-provider terms
- BeverageStack will not sell customer personal data.
- BeverageStack will not share customer personal data for cross-context behavioural advertising except as expressly instructed or permitted by the customer and law.
- BeverageStack will not combine customer personal data with personal data from other sources except where permitted for security, fraud prevention, service improvement, internal operations or other legally permitted service-provider purposes.
- BeverageStack will require relevant service providers to observe appropriate restrictions and security obligations.
14. Customer responsibilities
- ensure it has a lawful basis and necessary notices for personal data entered into BeverageStack;
- manage authorised users, roles, permissions and offboarding;
- avoid uploading prohibited, unnecessary, special-category or highly sensitive data;
- respond to privacy rights requests and regulatory enquiries relating to customer workspace data;
- review outputs, exports, reports and records for business accuracy and legal compliance;
- use BeverageStack in accordance with the Terms of Use, Security Policy and applicable law.
15. Order of precedence
If this Data Processing Policy conflicts with a signed data-processing agreement or customer agreement, the signed agreement will prevail for that customer. If there is no signed agreement, this policy governs data-processing terms to the extent permitted by law.
