Effective Date: June 16, 2026 | Gatheround LLC, Atlanta, Georgia

Data Processing Agreement

This Data Processing Agreement (“DPA”) is entered into between Gatheround LLC, a Georgia limited liability company (“Gatheround”, “Processor”), and the Customer identified in the associated Subscription Agreement (“Customer”, “Controller”). This DPA is incorporated into and forms part of the Subscription Agreement. In the event of conflict with respect to data processing matters, this DPA governs.

1. Definitions

2. Scope and Roles

Customer is the Controller of Personal Data submitted to the Service. Gatheround is the Processor, acting solely on Customer’s documented instructions. Gatheround’s processing of Aggregated Data is outside the scope of this DPA.

3. Customer Obligations

Customer warrants that:

  1. it has all necessary rights and consents to submit Personal Data;
  2. its instructions comply with Applicable Data Protection Law;
  3. it has provided required notices to Data Subjects;
  4. it maintains lawful privacy notices for individuals whose data is processed; and
  5. it will not submit Personal Data of individuals under 13 without appropriate consent, and will not use the Service to process special categories of sensitive personal data beyond what is necessary for catering management purposes.

4. Gatheround’s Obligations as Processor

4.1 Processing Instructions

Gatheround will process Personal Data only on Customer’s documented instructions except where required by law. Gatheround will notify Customer before legally required inconsistent processing to the extent permitted by law.

4.2 Confidentiality of Personnel

Personnel authorized to process Personal Data are subject to confidentiality obligations and have received data protection training.

4.3 Security Measures

Gatheround implements and maintains:

  1. TLS 1.2+ encryption in transit and industry-standard encryption at rest;
  2. role-based access controls;
  3. multi-factor authentication for all administrator accounts;
  4. automated daily backups with offsite redundancy;
  5. monitoring and logging of unauthorized access;
  6. periodic review of security controls; and
  7. a documented incident response process.

4.4 Assistance with Data Subject Rights

Gatheround will provide reasonable technical assistance for Data Subject requests (access, correction, deletion, restriction, portability) to the extent technically feasible. Customer is responsible for responding to Data Subjects.

4.5 Security Incident Notification

Gatheround will notify Customer within 72 hours of a confirmed Security Incident, including: (a) nature and scope; (b) categories and approximate number of Data Subjects affected; (c) likely consequences; and (d) measures taken. Notification does not constitute acknowledgment of fault.

4.6 Data Protection Impact Assessments

Upon written request and at Customer’s expense, Gatheround will provide information necessary for Customer to conduct a data protection impact assessment, to the extent within Gatheround’s control and not revealing confidential information of other customers.

4.7 Deletion or Return of Personal Data

Upon termination or written request, Gatheround will within 90 days either: (a) provide a complete export of Customer Data in CSV or JSON format, or (b) securely delete all Personal Data, except where required by law. Written certification of deletion is available upon request. This obligation does not apply to Aggregated Data.

5. Sub-processors

5.1 Authorized Sub-processors

Customer authorizes Gatheround to engage the following sub-processors:

5.2 Changes to Sub-processors

Gatheround will notify Customer at least 14 days before engaging new sub-processors. Customer may object on data protection grounds within 14 days. If unresolved within 30 days, Customer may terminate without penalty and receive a prorated refund.

5.3 Sub-processor Obligations

Gatheround imposes data protection obligations on sub-processors no less protective than this DPA and remains liable for their performance.

6. International Data Transfers

All Personal Data is stored and processed in the United States. Gatheround does not transfer Personal Data outside the US as part of standard service delivery. Customers with EU/EEA, UK, or similar data subjects should contact hello@gatheround.io before submitting such data.

7. California Consumer Privacy Act (CCPA / CPRA)

As a service provider, Gatheround will:

  1. process Personal Data only for specified purposes;
  2. not sell or share Personal Data;
  3. not retain, use, or disclose Personal Data outside the direct business relationship;
  4. not combine Customer Personal Data with data from other sources except as permitted by law;
  5. provide the same level of privacy protection required of businesses under CCPA/CPRA; and
  6. notify Customer if it can no longer meet these obligations.

Gatheround certifies it understands and will comply with these restrictions.

8. Audit Rights

Once per year, upon 30 days written notice and at Customer’s expense, Customer may request a written summary of Gatheround’s security practices. Gatheround may satisfy this through a summary report or third-party certification (e.g., SOC 2). On-site audits require prior written consent.

9. Liability

Liability under this DPA is subject to the limitations in the Subscription Agreement. The total aggregate cap applies once across all claims under both documents. Nothing limits liability for death or personal injury caused by negligence, fraud, or willful misconduct.

10. Term

This DPA is effective for the duration of the Subscription Agreement. Obligations survive until Personal Data is deleted or returned per Section 4.7.

11. Governing Law

Georgia law governs. Disputes resolved as provided in the Subscription Agreement, including mandatory arbitration and class action waiver.

12. Contact

Data protection inquiries:
Gatheround LLC
Attn: Data Protection
Atlanta, Georgia
Email: hello@gatheround.io

One more thing: the world works better when people are kind to each other. We built this platform for people who feed people — and there's something quietly beautiful about that. Be good to your clients, your staff, and your vendors. It matters more than the software.