Data Protection
Data protection practices and security measures at Fleksa, Inc.
Data Protection
Fleksa, Inc. Effective Date: December 2024 Last Updated: December 2024
1. Overview
Fleksa, Inc. is committed to protecting the data entrusted to us by our customers. This document describes our data protection practices, security measures, and compliance frameworks.
2. Data Categories
2.1 Customer Business Data
- Restaurant information (name, location, hours)
- Menu data and pricing
- Operational settings and preferences
2.2 Transaction Data
- Order information
- Payment transaction records
- Reservation details
2.3 End User Data
- Customer contact information (for reservations/delivery)
- Order history
- Payment method identifiers (tokenized)
2.4 Employee Data
- Staff account credentials
- Access permissions
- Activity logs
3. Data Processing
3.1 Lawful Basis
We process data based on:
- Contract Performance: To provide our services
- Legitimate Interest: To improve services and prevent fraud
- Legal Obligation: To comply with laws and regulations
- Consent: For optional services like marketing
3.2 Data Minimization
We collect only the data necessary to provide our services and retain it only as long as needed.
3.3 Purpose Limitation
Data is used only for the purposes disclosed in our Privacy Policy.
4. Security Measures
4.1 Technical Security
Encryption:
- All data in transit encrypted via TLS 1.2+
- Sensitive data at rest encrypted using AES-256
- Payment card data handled by PCI-DSS compliant processors
Access Controls:
- Role-based access control (RBAC)
- Multi-factor authentication available
- Regular access reviews
Infrastructure:
- Cloud hosting with SOC 2 certified providers
- Network segmentation and firewalls
- DDoS protection
4.2 Operational Security
Monitoring:
- 24/7 system monitoring
- Intrusion detection systems
- Automated alerting for anomalies
Incident Response:
- Documented incident response procedures
- Regular drills and testing
- Notification procedures for data breaches
4.3 Organizational Security
Personnel:
- Background checks for employees with data access
- Regular security awareness training
- Confidentiality agreements
Vendors:
- Security assessments for third-party vendors
- Data processing agreements in place
- Regular vendor reviews
5. Data Residency
5.1 Primary Storage
Customer data is primarily stored in data centers located in the United States.
5.2 Backup Locations
Backups may be stored in geographically distributed locations within the United States for disaster recovery purposes.
5.3 International Transfers
If data is transferred outside the US, we implement appropriate safeguards such as Standard Contractual Clauses.
6. Data Retention
| Data Type | Retention Period | Basis |
|---|---|---|
| Account information | Duration of account + 90 days | Service provision |
| Transaction records | 7 years | Legal/tax requirements |
| System logs | 12 months | Security monitoring |
| Marketing data | Until opt-out | Consent |
7. Subprocessors
A current, versioned list of subprocessors is maintained at /en/legal/us/subprocessors. Snapshot:
| Vendor | Purpose | Country |
|---|---|---|
| Vercel Inc. | Hosting, CDN, edge network | USA (EU region available) |
| Supabase Inc. | Database, auth, storage | USA / EU |
| Cloudflare Inc. | DNS, DDoS, WAF, CDN | Global |
| Stripe, Inc. | Payment processing | USA |
| Resend Inc. | Transactional & marketing email | USA |
| PostHog Inc. | Product analytics | USA / EU |
| Vercel AI Gateway | LLM routing | USA |
| Anthropic PBC | LLM (zero retention) | USA |
| OpenAI, LLC | LLM (zero retention) | USA |
| Google LLC | LLM (Gemini), Maps, GBP, Firebase Auth | USA |
| Langfuse GmbH | LLM tracing & observability | Germany |
| DataForSEO LLC | SEO data | USA / EU |
| Serper.dev | Search-result data | USA |
| Twilio Inc. | SMS / voice (when enabled) | USA |
| Sentry (Functional Software, Inc.) | Error monitoring | USA / EU |
We will provide at least 30 days' advance notice (via email and an updated subprocessor page) before engaging a new subprocessor that materially affects how customer personal data is processed.
8. Your Rights
8.1 Access
Request a copy of your personal data.
8.2 Portability
Receive your data in a structured, machine-readable format.
8.3 Rectification
Request correction of inaccurate data.
8.4 Erasure
Request deletion of your data (subject to legal requirements).
8.5 Restriction
Request limitation of processing in certain circumstances.
8.6 Objection
Object to processing based on legitimate interests.
9. Breach Notification
In the event of a data breach that poses a risk to your rights:
- We will notify affected customers within 72 hours
- We will provide details of the breach and remediation steps
- We will notify regulatory authorities as required
10. Compliance
10.1 Industry Standards
- PCI-DSS compliance for payment processing
- SOC 2 Type II certification (in progress)
- Regular third-party security audits
10.2 Privacy Laws
- California Consumer Privacy Act (CCPA/CPRA)
- Virginia Consumer Data Protection Act (VCDPA)
- Other applicable state privacy laws
11. Data Processing Agreement
A standard Data Processing Agreement (DPA) is available at /en/legal/us/dpa. The DPA includes:
- Roles (controller / processor) and scope of processing
- Security commitments (TOMs)
- Sub-processor terms (notification, objection rights)
- International transfer terms (EU SCCs, UK IDTA, Swiss FADP module) when applicable
- Audit rights and reporting
- Liability and indemnity flow-down
Enterprise customers requiring negotiated terms may contact sales@fleksa.com.
12. Contact
Data Protection Inquiries: Email: privacy@fleksa.com Phone: +1 512-777-0405
Fleksa, Inc. 10900 Research Blvd 160c 1059 Austin, TX 78759, USA