AITableFlow Data Processing Agreement
Effective Date: June 29, 2026
Last Updated: June 29, 2026
This Data Processing Agreement ("DPA") forms part of the agreement between AI TABLE FLOW LLC ("AITableFlow," "Processor," "Service Provider," "we," or "us") and the customer that has agreed to the AITableFlow Terms of Service ("Customer," "Controller," or "you") (together, the "Agreement") and governs AITableFlow's processing of Personal Data on Customer's behalf in connection with the Services.
AI TABLE FLOW LLC is an Illinois limited liability company (File No. 18300931).
1. Parties and Roles
For the personal data of Customer's guests and patrons processed through the Services ("Customer Personal Data"):
- Customer is the Controller (and, under the CCPA, the Business). Customer determines the purposes and means of processing.
- AITableFlow is the Processor (and, under the CCPA, the Service Provider). AITableFlow processes Customer Personal Data only on Customer's documented instructions and to provide the Services.
- Sub-processors are the third parties AITableFlow engages to help deliver the Services, listed in Annex 3.
To the extent AITableFlow processes information as a controller (for example, account, billing, and Site-visitor data), that processing is governed by the AITableFlow Privacy Policy, not this DPA.
2. Definitions
Capitalized terms not defined here have the meaning given in the Agreement. For this DPA:
- "Applicable Data Protection Law" means all privacy and data protection laws applicable to the processing, including the EU/UK General Data Protection Regulation ("GDPR") and the California Consumer Privacy Act as amended ("CCPA").
- "Personal Data," "Controller," "Processor," "Data Subject," "Processing," and "Personal Data Breach" have the meanings given under GDPR (or their equivalents under other Applicable Data Protection Law).
- "Business," "Service Provider," "Sale," "Share," and "Consumer" have the meanings given under the CCPA.
- "Standard Contractual Clauses" / "SCCs" means the clauses approved for international transfers of Personal Data, where applicable.
3. Processing on Documented Instructions
AITableFlow will process Customer Personal Data only:
- to provide, maintain, and support the Services;
- in accordance with Customer's documented instructions, including those in the Agreement and this DPA; and
- as otherwise required by law (in which case AITableFlow will, where legally permitted, notify Customer first).
AITableFlow will not process Customer Personal Data for any other purpose, and will not retain, use, or disclose it outside the direct business relationship or for any purpose other than the Services, except as permitted by Applicable Data Protection Law. The Details of Processing are set out in Annex 1.
4. Confidentiality
AITableFlow will ensure that persons authorized to process Customer Personal Data are bound by appropriate confidentiality obligations and process the data only as needed to perform the Services.
5. Security Measures
AITableFlow will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, taking into account the state of the art, the costs of implementation, and the nature and risk of the processing. Those measures are described in Annex 2.
6. Sub-Processors
- Authorization. Customer authorizes AITableFlow to engage the sub-processors listed in Annex 3 to process Customer Personal Data. This includes any reservation platform (e.g., SevenRooms, OpenTable, resOS) that Customer elects to integrate.
- Flow-down terms. AITableFlow will impose data protection obligations on each sub-processor that are substantially the same as those in this DPA, and remains responsible for each sub-processor's performance. Where Customer directly contracts a reservation platform, that platform also acts under Customer's own agreement with it.
- Changes and right to object. AITableFlow will provide notice (for example, by updating Annex 3 or its website) before adding or replacing a sub-processor. Customer may object on reasonable data-protection grounds within thirty (30) days of such notice; if the parties cannot resolve the objection, Customer may terminate the affected Services.
7. Assistance with Data-Subject Rights
Taking into account the nature of the processing, AITableFlow will provide reasonable assistance to enable Customer to respond to requests from Data Subjects (or Consumers) to exercise their rights of access, correction, deletion, restriction, portability, and objection (or opt-out). If AITableFlow receives such a request directly, it will, where permitted, promptly forward it to Customer and not respond except on Customer's instructions.
8. Personal Data Breach Notification
AITableFlow will notify Customer without undue delay, and in any case within seventy-two (72) hours of becoming aware of a Personal Data Breach affecting Customer Personal Data. The notice will describe, to the extent known, the nature of the breach, the categories and approximate number of Data Subjects and records affected, likely consequences, and the measures taken or proposed. AITableFlow will reasonably cooperate with Customer's investigation and remediation.
9. Audits
AITableFlow will make available information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by Customer or a mutually agreed independent auditor, on reasonable prior notice, no more than once per year (except where required by a regulator or following a Personal Data Breach), during business hours, and subject to confidentiality. AITableFlow may satisfy audit requests by providing relevant third-party certifications or reports where available.
10. International Transfers
Where Customer Personal Data is transferred from the EEA, UK, or Switzerland to a country without an adequacy decision, the parties will rely on an appropriate transfer mechanism, including the Standard Contractual Clauses, which are incorporated by reference where applicable. AITableFlow is primarily US-facing; international transfers are handled via Standard Contractual Clauses where applicable.
11. Deletion or Return on Termination
On termination or expiry of the Services, and at Customer's choice, AITableFlow will delete or return Customer Personal Data and delete existing copies, except to the extent retention is required by law. Deletion timelines are subject to backup-rotation cycles and sub-processor capabilities. AITableFlow will delete or return Customer Personal Data within thirty (30) days of termination or expiry of the Services, except to the extent retention is required by law.
12. CCPA Terms (Service Provider)
With respect to Customer Personal Data subject to the CCPA, AITableFlow acts as a Service Provider and certifies that it will not:
- Sell or Share Customer Personal Data;
- retain, use, or disclose Customer Personal Data for any purpose other than performing the Services, or outside the direct business relationship, or for a commercial purpose other than the Services; or
- combine Customer Personal Data with other data except as permitted by the CCPA.
AITableFlow will comply with applicable CCPA obligations and will notify Customer if it determines it can no longer meet its obligations as a Service Provider.
13. Liability and Order of Precedence
Each party's liability under this DPA is subject to the limitations and exclusions of liability in the Agreement. In the event of a conflict between this DPA and the Agreement regarding the processing of Customer Personal Data, this DPA controls; for international transfers, the SCCs (where applicable) control over this DPA.
Annex 1 — Details of Processing
- Subject matter: AITableFlow's provision of the AI front-of-house Services to Customer.
- Duration: For the term of the Agreement, plus any post-termination retention period in Section 11.
- Nature and purpose: Answering calls and web/social messages; recording and transcribing calls; capturing and (where integrated) booking reservations; handling to-go orders; requesting reviews; running guest win-back; and maintaining CRM records on Customer's behalf.
- Types of Personal Data: Names; phone numbers; email addresses; (where relevant) addresses; the content of communications (calls, SMS, web chat, social messages, email); call recordings and transcripts; reservation, party-size, seating, dietary/preference, to-go order, and guest-history details; and other data Customer provides or generates through the Services.
- Categories of Data Subjects: Customer's guests and patrons (e.g., diners contacting the restaurant), and Customer's personnel who use the Services.
- Special categories of data: Generally not intended to be processed; Customer should not submit special-category data through the Services. Note, however, that dietary/allergy preferences may be incidentally processed in the course of capturing reservations and to-go orders and may reveal health-related information; such data should be handled as potentially sensitive.
Annex 2 — Technical and Organizational Security Measures
AITableFlow maintains measures including, as applicable:
- Encryption of data in transit (TLS) and reliance on providers that encrypt data at rest.
- Access controls — role-based access, least privilege, and unique credentials; multi-factor authentication for administrative access where supported.
- Network and application security — use of reputable infrastructure (e.g., Cloudflare) for DDoS protection, firewalling, and CDN security.
- Secrets management — credentials stored in a secrets manager, not in code or chat.
- Logging and monitoring of administrative and processing activity.
- Sub-processor diligence — engaging established providers with their own security programs.
- Personnel — confidentiality obligations and need-to-know access.
- Incident response — procedures to detect, investigate, and report Personal Data Breaches.
- Data minimization and retention controls aligned with the Agreement.
Annex 3 — Approved Sub-Processors
| Sub-processor | Service / Purpose | Notes |
|---|---|---|
| HighLevel Inc. (GoHighLevel) — including its native AI voice and conversational features | CRM, marketing automation, AI agent platform, native AI voice/chat, data hosting | Core platform; AI voice/chat delivered via GoHighLevel's native AI |
| Twilio / LeadConnector | Telephony, call routing, SMS | |
| Stripe | Payment processing | |
| Cloudflare | Website hosting, CDN, security | |
| Resend | Transactional / notification email | |
| Google (Google Workspace) | Email and productivity | |
| Reservation platforms (per customer) — SevenRooms, OpenTable, resOS | Reservation capture and booking, where the Customer uses that platform | Engaged only when the Customer enables the integration |