Data Protection

Fleksa, Inc. Effective Date: December 2024 Last Updated: December 2024

1. Overview

Fleksa, Inc. is committed to protecting the data entrusted to us by our customers. This document describes our data protection practices, security measures, and compliance frameworks.

2. Data Categories

2.1 Customer Business Data

Restaurant information (name, location, hours)
Menu data and pricing
Operational settings and preferences

2.2 Transaction Data

Order information
Payment transaction records
Reservation details

2.3 End User Data

Customer contact information (for reservations/delivery)
Order history
Payment method identifiers (tokenized)

2.4 Employee Data

Staff account credentials
Access permissions
Activity logs

3. Data Processing

3.1 Lawful Basis

We process data based on:

Contract Performance: To provide our services
Legitimate Interest: To improve services and prevent fraud
Legal Obligation: To comply with laws and regulations
Consent: For optional services like marketing

3.2 Data Minimization

We collect only the data necessary to provide our services and retain it only as long as needed.

3.3 Purpose Limitation

Data is used only for the purposes disclosed in our Privacy Policy.

4. Security Measures

4.1 Technical Security

Encryption:

All data in transit encrypted via TLS 1.2+
Sensitive data at rest encrypted using AES-256
Payment card data handled by PCI-DSS compliant processors

Access Controls:

Role-based access control (RBAC)
Multi-factor authentication available
Regular access reviews

Infrastructure:

Cloud hosting with SOC 2 certified providers
Network segmentation and firewalls
DDoS protection

4.2 Operational Security

Monitoring:

24/7 system monitoring
Intrusion detection systems
Automated alerting for anomalies

Incident Response:

Documented incident response procedures
Regular drills and testing
Notification procedures for data breaches

4.3 Organizational Security

Personnel:

Background checks for employees with data access
Regular security awareness training
Confidentiality agreements

Vendors:

Security assessments for third-party vendors
Data processing agreements in place
Regular vendor reviews

5. Data Residency

5.1 Primary Storage

Customer data is primarily stored in data centers located in the United States.

5.2 Backup Locations

Backups may be stored in geographically distributed locations within the United States for disaster recovery purposes.

5.3 International Transfers

If data is transferred outside the US, we implement appropriate safeguards such as Standard Contractual Clauses.

6. Data Retention

Data Type	Retention Period	Basis
Account information	Duration of account + 90 days	Service provision
Transaction records	7 years	Legal/tax requirements
System logs	12 months	Security monitoring
Marketing data	Until opt-out	Consent

7. Subprocessors

We use the following categories of subprocessors:

Category	Purpose	Location
Cloud Infrastructure	Hosting and compute	United States
Payment Processing	Payment transactions	United States
Email Services	Transactional emails	United States
Analytics	Usage analytics	United States