Effective date: 23 May 2026  ·  Version: 2.0

This agreement is governed by, and is intended to comply with, the Personal Data Protection Law of the Sultanate of Oman (Royal Decree No. 6/2022) and its Executive Regulations.

Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Async Solution Services LLC ("Async Solution", "we", "us", or "our"), the operator of the oFatoura platform, and the subscribing restaurant ("you", the "Restaurant"). It governs the processing of personal data carried out by Async Solution on the Restaurant's behalf and applies whenever Async Solution acts as a processor under the Personal Data Protection Law (Royal Decree No. 6/2022) and its Executive Regulations (the "PDPL"), supervised by the Ministry of Transport, Communications and Information Technology ("MTCIT").

1. Definitions

  • Controller — the party that determines the purposes and means of processing personal data (here, the Restaurant for its customer and staff data).
  • Processor — the party that processes personal data on behalf of, and on the documented instructions of, the controller (here, Async Solution).
  • Sub-processor — any third party engaged by the processor to process personal data.
  • Personal data — any data relating to an identified or identifiable natural person.
  • Data subject — the natural person to whom personal data relates.

2. Roles of the parties

For personal data the Restaurant enters into the Service about its own customers and staff, the Restaurant is the controller and Async Solution is the processor. Async Solution processes such data only to provide the Service and on the Restaurant's documented instructions. Async Solution acts as a controller in respect of the Restaurant's own account, billing, and support data, as described in the Privacy Policy.

3. Scope and instructions

Async Solution processes personal data only on the Restaurant's documented instructions, including those given through normal use of the Service and configuration of its features, and as required by Omani law. If we believe an instruction breaches the PDPL, we will inform the Restaurant.

4. Categories of data subjects and data

  • Data subjects: the Restaurant's customers and staff.
  • Customer data: contact details (name, phone, email where provided), order history, reservations, and preferences.
  • Staff data: limited to shift open/close times, cash-handling entries, and role/permission settings. The platform does not hold wages, payroll, or formal attendance records.

5. Confidentiality

We ensure that persons authorised to process personal data are bound by appropriate confidentiality obligations and process the data only as instructed.

6. Security measures

We apply technical and organisational measures appropriate to the risk, consistent with our Privacy Policy, including:

  • Encryption of data in transit (TLS) and of stored credentials
  • Role-based access controls and least-privilege access
  • Audit logging of sensitive actions
  • Regular backups and recovery procedures
  • Restricted access to personal data on a need-to-know basis

7. Sub-processors

The Restaurant consents to our use of sub-processors to deliver the Service, including cloud hosting within Oman, licensed payment processors, and communication providers. We impose data-protection obligations on each sub-processor no less protective than this DPA and remain responsible for their performance. We will inform the Restaurant of intended changes to sub-processors so it may object on reasonable grounds.

8. Data location and transfers

Personal data processed under this DPA is hosted and stored on infrastructure located within the Sultanate of Oman. We do not transfer personal data outside Oman except where permitted under the PDPL and carried out with the safeguards it requires, including any approval required from MTCIT.

9. Assisting the controller

Taking into account the nature of the processing, we provide reasonable assistance to the Restaurant in responding to data-subject requests (such as access, correction, and deletion) within the 45-day PDPL response period, and in meeting its security and breach-notification obligations. Where we receive a request directly from a data subject relating to the Restaurant's data, we refer it to the Restaurant.

10. Personal data breach handling

On becoming aware of a personal data breach affecting the Restaurant's data, we notify the Restaurant without undue delay and, where feasible, within 72 hours, with the information the Restaurant needs to meet its own notification obligations to MTCIT and, where required, to affected data subjects.

11. Audit and cooperation

We make available information reasonably necessary to demonstrate compliance with this DPA and cooperate with reasonable audits, subject to confidentiality and to protecting the data of other customers.

12. Duration and termination

This DPA applies for as long as we process personal data on the Restaurant's behalf. On termination of the Service, we return or delete the Restaurant's personal data at its choice, subject to any retention required by Omani law (including tax, VAT, and accounting record-keeping).

13. Staff data and the Restaurant's employer obligations

Staff data in the platform is limited to shift/cash/role data as described in section 4. The Restaurant remains the employer and is solely responsible for its obligations under the Labour Law (Royal Decree No. 53/2023) and for the lawful processing of any employee data it holds outside the Service.

14. Liability

Liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service, except where such limitation is not permitted under Omani law.

15. Governing law

This DPA is governed by the laws of the Sultanate of Oman and disputes are subject to the competent courts of Muscat.

16. Contact us

For any question regarding this DPA, please contact:

Async Solution Services LLC (operator of oFatoura)
Commercial Registration No.: [to be completed]
Address: Office 202, Al-Qurrum 29, Muscat, Sultanate of Oman
Email: support@asyncsolution.com

This document is provided for transparency and does not constitute legal advice. It should be reviewed by qualified legal counsel before publication.