Last updated: February 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service or other written or electronic agreement between Synkonic ("Processor," "we," "us," or "our") and the customer ("Controller," "you," or "your") for the use of the Synkonic platform and services (the "Agreement").
This DPA sets forth the terms and conditions under which the Processor processes Personal Data on behalf of the Controller in connection with the provision of the Service. This DPA is designed to ensure compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK Data Protection Act 2018, the California Consumer Privacy Act ("CCPA"), and other applicable data protection laws.
1. Definitions
For the purposes of this DPA, the following definitions apply:
- "Controller" means the entity that determines the purposes and means of processing Personal Data -- i.e., you, the customer.
- "Processor" means the entity that processes Personal Data on behalf of the Controller -- i.e., Synkonic.
- "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "Data Subject" means an identified or identifiable natural person whose Personal Data is processed under this DPA.
- "Personal Data" means any information relating to a Data Subject that is processed by the Processor in connection with the provision of the Service.
- "Processing" means any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, erasure, or destruction.
- "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
- "Standard Contractual Clauses" (SCCs) means the contractual clauses approved by the European Commission for the transfer of Personal Data to processors established in third countries.
2. Scope and Purpose
This DPA applies to the Processing of Personal Data by the Processor on behalf of the Controller in connection with the Synkonic backup and recovery service. The nature and purpose of Processing include:
- Automated backup of data from connected third-party SaaS platforms (including Zendesk, Dotloop, DocuSign, and Google Workspace)
- Storage of backup data in encrypted form within the Processor's infrastructure
- Point-in-time restore and data recovery operations as initiated by the Controller
- Search, export, and browsing of backup data through the Service interface
Categories of Data Subjects may include the Controller's customers, employees, contractors, partners, and any other individuals whose data is stored within the connected SaaS platforms. Categories of Personal Data may include names, email addresses, phone numbers, support ticket content, documents, transaction records, and other data present in the backed-up services.
The duration of Processing shall be for the term of the Agreement, plus any applicable data retention period as defined in the Agreement.
3. Obligations of the Processor
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law, in which case the Processor shall inform the Controller of that legal requirement before Processing (unless legally prohibited from doing so)
- Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including AES-256 encryption at rest, TLS 1.2+ encryption in transit, access controls, and regular security assessments
- Not engage another processor (Sub-processor) without prior specific or general written authorization of the Controller, as described in Section 4
- Assist the Controller in ensuring compliance with obligations relating to the security of Processing, notification of Data Breaches, data protection impact assessments, and prior consultation with supervisory authorities
- At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of services, and delete existing copies unless applicable law requires storage
- Make available to the Controller all information necessary to demonstrate compliance with obligations and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller
- Immediately inform the Controller if, in the Processor's opinion, an instruction from the Controller infringes applicable data protection laws
4. Sub-processors
The Controller provides general authorization for the Processor to engage Sub-processors, subject to the following conditions:
- The Processor shall maintain a current list of Sub-processors and make it available to the Controller upon request
- The Processor shall notify the Controller of any intended changes concerning the addition or replacement of Sub-processors at least 30 days in advance, giving the Controller the opportunity to object
- If the Controller reasonably objects to a new Sub-processor, the Processor shall use commercially reasonable efforts to make available to the Controller a change in the Service or recommend a commercially reasonable alternative. If no alternative is possible, either party may terminate the applicable Service with written notice
- The Processor shall impose contractual obligations on each Sub-processor that are no less protective than those set out in this DPA
- The Processor shall remain fully liable to the Controller for the performance of each Sub-processor's obligations
5. Data Subject Rights
The Processor shall assist the Controller in fulfilling its obligations to respond to requests from Data Subjects exercising their rights under applicable data protection laws, including rights of:
- Access to their Personal Data
- Rectification of inaccurate data
- Erasure of Personal Data ("right to be forgotten")
- Restriction of Processing
- Data portability
- Objection to Processing
If the Processor receives a request directly from a Data Subject, the Processor shall promptly notify the Controller and shall not respond to the request without the Controller's prior written authorization, unless legally required to do so.
The Processor shall provide the Controller with self-service tools within the Service to facilitate responses to Data Subject requests, including data export and deletion capabilities.
6. Data Breach Notification
The Processor shall notify the Controller of any Data Breach without undue delay and in any event within 48 hours of becoming aware of the breach. The notification shall include, to the extent available:
- A description of the nature of the Data Breach, including the categories and approximate number of Data Subjects affected and the categories and approximate number of Personal Data records affected
- The name and contact details of the Processor's data protection officer or other contact point
- A description of the likely consequences of the Data Breach
- A description of the measures taken or proposed to be taken to address the Data Breach, including measures to mitigate its possible adverse effects
The Processor shall cooperate with the Controller and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of each Data Breach. The Processor shall not inform any third party of a Data Breach without first obtaining the Controller's written consent, unless notification is required by applicable law.
7. Data Transfers
The Processor shall not transfer Personal Data outside the European Economic Area (EEA), the United Kingdom, or Switzerland without ensuring that adequate safeguards are in place in accordance with applicable data protection laws. Adequate safeguards may include:
- Standard Contractual Clauses (SCCs): The parties agree to enter into the SCCs approved by the European Commission (Commission Implementing Decision (EU) 2021/914) for transfers to countries not covered by an adequacy decision. The applicable module shall be Module Two (Controller to Processor)
- Adequacy Decisions: Transfers to countries that the European Commission has determined provide an adequate level of data protection
- Supplementary Measures: Where necessary, additional technical, organizational, or contractual measures shall be implemented to ensure that the level of protection of Personal Data is not undermined
The Processor shall provide the Controller with information regarding the transfer mechanisms in place upon request. The Controller may specify data residency requirements, and the Processor shall process and store Personal Data in accordance with such requirements where technically feasible.
8. Audit Rights
The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and applicable data protection laws. The Controller (or its appointed independent auditor) may conduct audits of the Processor's Processing activities, subject to the following conditions:
- The Controller shall provide at least 30 days' written notice of any audit, unless an audit is required due to a Data Breach or regulatory investigation
- Audits shall be conducted during normal business hours and shall not unreasonably interfere with the Processor's operations
- The Controller shall bear the costs of any audit, unless the audit reveals a material breach of this DPA by the Processor
- Audit results shall be treated as confidential information of the Processor
- Where available, the Processor may satisfy audit obligations by providing the Controller with copies of relevant third-party audit reports (such as SOC 2 Type II reports), certifications, or summaries
The Processor shall promptly remediate any non-compliance identified during an audit and shall provide the Controller with evidence of remediation.
9. Term and Termination
This DPA shall remain in effect for the duration of the Agreement and for as long as the Processor processes Personal Data on behalf of the Controller. Upon termination or expiration of the Agreement:
- The Processor shall, at the Controller's election, return or delete all Personal Data within 30 days of the effective date of termination, unless applicable law requires continued storage
- The Controller may request an export of all Personal Data in a structured, commonly used, and machine-readable format before deletion
- The Processor shall provide written confirmation of deletion upon the Controller's request
- Obligations under this DPA that by their nature should survive termination shall remain in effect, including confidentiality obligations, audit rights (for a reasonable period), and any obligations relating to Data Breaches that occurred during the term
10. Liability
Each party's liability under this DPA shall be subject to the limitations of liability set forth in the Agreement. Nothing in this DPA shall limit either party's liability with respect to any rights of Data Subjects under applicable data protection laws.
11. Governing Law
This DPA shall be governed by and construed in accordance with the governing law provisions of the Agreement, except where applicable data protection laws require otherwise. Where the GDPR applies, the provisions of this DPA shall be interpreted in accordance with the GDPR. Where there is a conflict between the Agreement and this DPA with respect to data protection matters, this DPA shall prevail.
12. Contact
For questions, concerns, or requests relating to this Data Processing Agreement, please contact us:
- DPA Inquiries: [email protected]
- Data Protection Officer: [email protected]
- Privacy Team: [email protected]
- Website: synkonic.com
This DPA is incorporated into and forms part of the Agreement between Synkonic and the Controller. By executing the Agreement or using the Service, the Controller acknowledges and agrees to this DPA. If a signed copy of this DPA is required, please contact [email protected] to request one.