POS Integration Checklist: 12 Things to Verify Before Signing in 2026
Practical checklist for POS integration with a Voice AI system. 12 points that often get missed in contracts and can cost you thousands of euros later. Six technical, six commercial, plus five anti-patterns from real contracts.
Andreas Juric is the founder of Stari Vuk AI Agency and has been building voice AI systems for restaurants across Croatia and DACH since 2023.
Technical checks (points 1-6)
Point 1 — integration direction: read-only or two-way. An AI that only reads the menu from the POS covers 80% of cases. Two-way integration (the AI sends orders directly into the POS) cuts manual entry to 0% and reduces errors below 2%. Point 2 — stock sync: webhook (instant) or polling (every 30 seconds). A webhook prevents orders for out-of-stock items. Point 3 — item mapping: who does it, and is it included in the package? The POS has "Margherita Pizza 32cm", the website says "Margherita large", and the AI must know they are the same item.
Point 4 — modifiers: can the AI offer "no cheese", "extra thin", "half veggie"? Every POS stores modifiers differently, so they must be mapped. Point 5 — fiscalization: who handles it, the POS or the AI? Correct answer: the POS. The AI only enters items; the POS fiscalizes per the legal process. No extra complexity for you. Point 6 — offline fallback: what happens if the POS crashes mid-call? The AI must have a local queue that waits and syncs once connectivity returns.
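The offline fallback from point 6, as an added sketch that is not code from this article or from any vendor: a durable local queue that replays orders once the POS is reachable again. The names `OrderQueue`, `FakePos` and `PosUnavailable` and the order ids are hypothetical, and the sketch assumes the POS connector deduplicates on an order id, so an order whose confirmation was lost is not entered twice on replay.

```python
import json
import sqlite3

class PosUnavailable(Exception):
    """Raised by a sender when the POS is unreachable or its reply is lost."""

class OrderQueue:
    """Durable FIFO of orders waiting for the POS (use a file path in production)."""
    def __init__(self, path=":memory:"):
        self.db = sqlite3.connect(path)
        with self.db:
            self.db.execute("CREATE TABLE IF NOT EXISTS pending "
                            "(seq INTEGER PRIMARY KEY, order_id TEXT UNIQUE, payload TEXT)")

    def enqueue(self, order_id, order):
        # order_id is the idempotency key; enqueueing the same id again is a no-op.
        with self.db:
            self.db.execute("INSERT OR IGNORE INTO pending (order_id, payload) "
                            "VALUES (?, ?)", (order_id, json.dumps(order)))

    def pending(self):
        return self.db.execute("SELECT COUNT(*) FROM pending").fetchone()[0]

    def flush(self, send):
        sent = 0
        rows = self.db.execute(
            "SELECT seq, order_id, payload FROM pending ORDER BY seq").fetchall()
        for seq, order_id, payload in rows:  # oldest first
            try:
                send(order_id, json.loads(payload))
            except PosUnavailable:
                break  # keep this order and all later ones for the next attempt
            with self.db:  # delete only after the POS confirmed the order
                self.db.execute("DELETE FROM pending WHERE seq = ?", (seq,))
            sent += 1
        return sent

class FakePos:
    """Constructed stand-in for a POS connector that deduplicates on order_id."""
    def __init__(self):
        self.online, self.drop_ack, self.orders = True, False, {}

    def send(self, order_id, order):
        if not self.online:
            raise PosUnavailable("POS offline")
        self.orders.setdefault(order_id, order)  # a replay creates no second order
        if self.drop_ack:  # order accepted, confirmation lost on the way back
            self.drop_ack = False
            raise PosUnavailable("ack lost")
```

When evaluating a vendor, the question this raises is whether their connector sends an idempotency key at all; without one, a lost confirmation turns into a duplicate order on replay.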
Commercial checks (points 7-12)
Point 7 — setup fee: is there a one-time charge. Standard integration with a ready connector is usually included in monthly pricing. A hidden setup fee of 1500-3000 EUR is a red flag. Point 8 — lock-in: how long are you bound. Monthly cancellation is the 2026 standard. Annual lock-in without an exit clause is a negotiation flag. Point 9 — data ownership: who owns reservation and transaction data. You, not the vendor. Verify this is explicitly in the contract, not implied.
Point 10 — volume-based billing: what happens if you exceed the limit? Per-call billing can escalate fast. A flat subscription with a defined buffer zone (e.g. 200 calls +10% buffer) is safer. Point 11 — uptime SLA: guaranteed uptime must be 99.5%+. What happens during a weekend outage in peak season? Compensation (credit-week or refund) must be explicit in the contract. Point 12 — GDPR DPA: Data Processing Agreement. EU server, ISO 27001 or SOC 2 certification, max 24 months data retention. Without a DPA, both parties are liable under GDPR Article 28.
Five contract traps often hidden in the fine print
First trap: vague language on data ownership — clauses granting the vendor a perpetual irrevocable license to your data. If you cannot edit that clause, do not sign. Second trap: high egress cost — how much it costs to export your data if you cancel. Industry standard is free in JSON/CSV/SQL format. PDF-only export is a red flag (vendor hostage situation).
Third trap: subprocessor clause — the vendor sends data to third parties (analytics, monitoring, cloud hosting). If the list is not exhaustive and fixed, you can have a GDPR problem without knowing. Fourth trap: automatic renewal with price increase — the contract auto-renews for 12 months and the price can rise 10-15%. The correct clause should cap at 5% annual increase with 60 days advance notice. Fifth trap: data deletion on cancellation — how long your data is retained after termination. Industry standard is 30-90 days, not 12+ months.
Quick assessment before signing
If 9 or more of the 12 technical and commercial points are answered satisfactorily, the contract is likely OK. If 6-8, negotiate on the rest before signing. Under 6, that is not a serious partner and you should look elsewhere. One additional check: ask for references from similar restaurants that have already implemented the system. A serious vendor has 5+ comparable clients they can name. Without references, that is a red light.
A practical example: for restaurants with local POS systems not on the ready-connector list, custom middleware typically costs 500-1500 EUR one-time and takes 2-4 weeks. A vendor who refuses middleware development or asks more than 3000 EUR for an average-complexity POS is worth walking away from. There is also the question: who does the item mapping in the POS? You (bad, time loss), the vendor one-off (OK), or the vendor continuously (best for growth).
What to verify in the contract: practical checklist
Five concrete clauses you must read before signing: (1) Service Level Agreement — minimum 99.5% uptime with compensation, (2) Data Processing Agreement — GDPR Article 28 compliant, EU server, list of subprocessors, (3) Data portability — export in JSON or CSV for free, not PDF-only, (4) Termination — monthly cancellation without penalty, data retention max 90 days after, (5) Pricing escalation — max 5% annual increase with 60 days advance notice.
Plus one practical check: ask to see their DPA text BEFORE signing the main contract. A serious vendor has a standard DPA on their website or sends it within 24 hours. A vendor that drags its feet or delays the DPA probably has no compliant document, which means your company carries the GDPR risk. Without a DPA, the penalty is up to 4% of global revenue or 20 million EUR (whichever is higher).
Frequently asked questions
Why do I need two-way POS integration?
One-way (menu read only) covers 80% of cases. Two-way lets the AI send orders directly into the POS and sync stock — cutting manual entry to 0% and reducing errors below 2%. For restaurants with 30+ reservations daily, the ROI difference is 200-500 EUR monthly in fewer errors and freed-up staff time.
Which POS systems are out-of-the-box supported?
Toast, Square, Lightspeed, Revel, Oracle MICROS, Orderbird (DACH), Gastrofix plus several regional European POS systems. For these, integration takes 2-7 days and requires no development on your side. For non-standard POS, custom middleware costs 500-1500 EUR one-time.
What are the red flags in a POS integration contract?
Five main ones: (1) vague data ownership with perpetual license to the vendor, (2) high egress cost or PDF-only export, (3) non-fixed subprocessor list, (4) automatic renewal with price increase over 5%, (5) data deletion over 90 days after cancellation. Refuse any of these five.
What about Croatian and DACH fiscal compliance?
Fiscalization runs in the POS, not the AI. The AI only enters items, the POS handles the legal fiscal process (TSE in Germany, RKSV in Austria, Fiscal Memorandum in Croatia). No extra complexity for you. That is an important reason why integration must be read-only or two-way with the POS as the master system.
What is the real cost of a GDPR-non-compliant POS integration?
Direct penalty up to 4% of global annual revenue or 20 million EUR (whichever is higher). Plus reputational damage and possible guest lawsuits. Realistically, for an average European restaurant, a data breach costs 25,000-100,000 EUR per incident, plus legal costs. That is why a DPA and ISO 27001 are not optional.
How do you negotiate better contract terms?
Three strong cards. First: show a serious competitor offer (even if technically worse). Second: agree to a 12-month contract in exchange for 15-20% discount and fixed pricing. Third: ask for a 30-90 day trial period with cancellation rights without penalty. Vendors who refuse all three usually do not have a strong position.
Restoran.team — INDI Monika Kunstek · Drašković 3 A-D, 42220 Novi Marof, Croatia · VAT: HR66987567542