International Security - Attestation of Data Protection Impact Assessment (DPIA)


This document is an attestation of 365 Retail Markets' Data Protection Impact Assessment (DPIA) report. The full DPIA is protected by NDA, and can be requested by completing the form found at Data Protection Impact Assessment Report request.


General Information

  • Document Revision Date: April 29, 2024

  • Contact Information
  • Description of the services performed: 365 Retail Markets is a global leader in unattended retail technology. We provide one-of-a-kind solutions designed to maximize the performance of any retail environment. Our innovative products are found in break rooms, cafés, warehouses, dining halls, and transit locations all over the globe.

  • Describe the scope of the Processing
    • Facilitate financial transactions, typically for food service, vending, and convenience items

    • Verifying your identity and account

    • Protecting and defending our rights and properties, including intellectual property

    • Complying with laws and regulations that apply to us, as well as responding to requests from law enforcement or government authorities or as otherwise required by law

    • Improving your experience with our products and services

    • Undertaking or contemplating any merger, acquisition, reorganization, sale of assets or other business transaction

    • Understanding and improving our Systems, user experience, and customer relationships

    • Investigating, preventing, and protecting against fraud, security risks, threats to users and others

    • Enabling our business operations.


365 Retail Markets' Role in the Controller-Processor Relationship

As between the customer and 365 Retail Markets, for purposes of GDPR the customer is the controller, and 365 Retail Markets is the processor.


Data Retention

Users can request their data be deleted at any time by emailing or filling out the data protection officer contact form at

Retention by data classification is outlined below:

  • Biometric data: 1 year of account inactivity. Biometric data is not required to use the system.

  • Personal information: 5 years of account inactivity. A shorter retention period is not possible due to accounts often carrying a monetary stored value account balance.

  • Cancel images: 90 days. From some POS devices, if you cancel a purchase, we retain a screenshot of any canceled items along with a photograph of the user. We collect this information for the purpose of monitoring kiosk sites for theft and removal of unpaid products.

  • Computer vision images: Videos and images of transactions, which may incidentally include a person's likeness, including your face and hands, are deidentified after 30 days and cannot be reidentified.

  • All other transactional data: deleted after 3 years.


Countries for Processing

Data is processed in the country where the system is used and in the United States.


Data Protection Controls

The following security controls are in place to ensure the data is protected to the standards of the GDPR.



  • Identity and access to data and systems is restricted following the least privileged model through logical and physical access management processes and enforced policies.

  • Endpoint security systems are in place to protect the distributed network of endpoints.

  • Monitoring and alerting are used across the ecosystem to proactively identify and respond to incidents.

  • Secure development policies and procedures are in place to ensure secure development, testing, implementation, and change management for system components.

  • Regular security training is required for all employees, with tailored security training for those with elevated privileges to systems.

  • Cloud infrastructure security standards have been established for IPS/IDS, patching, secure templates, monitoring, and related controls.

  • Key vendors are onboarded and monitored through a Vendor Management Program.



  • Systems are proactively monitored for uptime and service disruptions to ensure service commitments.

  • Disaster recovery and business continuity plans have been established, and annual simulations are conducted on key systems.

  • Incident response plans are in place to ensure service disruptions are addressed in a consistent manner with the utmost urgency.

  • System maintenance is performed at regular intervals during off-peak hours to ensure systems run with optimal performance.

  • Infrastructure and data flow diagrams are reviewed annually to ensure critical systems are robust and resilient.



  • Data classifications have been established so that policies and processes are tailored to ensure maximum controls are in place for confidential data.

  • Security policies are in place to restrict access to confidential data.

  • Industry standard encryption technologies are used to protect data both in transit and at rest.

  • Access and privilege reviews are conducted at least quarterly to ensure data access is in line with policies and agreements.

  • System access onboarding is centrally controlled at the organizational level.



  • Annual PCI DSS and SOC2 audits are conducted.

  • Quarterly ASV scans and annual penetration tests are performed in compliance with PCI DSS and other industry standards.

  • Annual board sponsored audits are conducted following industry standard frameworks.

  • Security policies are reviewed and updated annually.

  • New and emerging legislation and regulations are monitored using industry leading law firms to ensure Systems are compliant.

  • Processes are in place to ensure System User rights as granted by global, federal, and state laws are respected.

  • Out of support endpoint upgrade programs are in place for Operators to ensure their assets are compliant.



Consumer facing policies can be found at

  • Notice: Consumers are presented with a Privacy Notice, and they must affirmatively accept the notice before creating an account in the System. The Privacy Notice references the Terms of Service.

  • Biometric Data Privacy Policy: Consumers who elect to add a biometric authentication method to their account must affirmatively accept a separate Biometric Data Privacy Policy.


Sale of Personal Information

Consumers have the right to opt-out of the sale of personal information at any time. Note that in the preceding twelve (12) months, we have not sold and will not sell any personal information to non-affiliated third parties. We also have not and will not sell the personal information of minors under 16 years of age to non-affiliated third parties.