Scope and incorporation
This Data Processing Agreement, or DPA, applies when it is incorporated into a signed agreement, order, statement of work, product subscription, pilot, managed services agreement, or other written contract between SynchrotronAI Inc. and a customer. It is a public reference for the data protection terms SynchrotronAI expects to use when processing personal data on behalf of business customers.
If a signed agreement includes different data processing terms, those signed terms control for the covered engagement. If there is a conflict between this DPA and an order, the order controls for project-specific processing details, provided the order does not reduce legally required data protection obligations.
Definitions
Customer Personal Data means personal data, personal information, or similar regulated information that SynchrotronAI processes on behalf of a customer under an applicable agreement. Processing means any operation performed on Customer Personal Data, including collection, use, storage, transmission, analysis, hosting, support, deletion, or disclosure.
Customer means the entity that signs an applicable agreement with SynchrotronAI. SynchrotronAI means SynchrotronAI Inc. Applicable Data Protection Laws means privacy, data protection, cybersecurity, breach notification, and similar laws that apply to the processing under the agreement.
Subprocessor means a third-party provider engaged by SynchrotronAI to process Customer Personal Data to provide the contracted services. Security Incident means a confirmed breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data processed by SynchrotronAI.
Roles
For Customer Personal Data processed under customer instructions, the customer is the controller, business, or equivalent decision-making party, and SynchrotronAI is the processor, service provider, contractor, or equivalent service party. If SynchrotronAI independently determines the purposes and means of processing for its own business operations, it acts as an independent controller for that limited processing.
Each party is responsible for complying with laws that apply to its role. Customer is responsible for having a lawful basis, notices, consents, rights processes, data minimization decisions, and authorization to provide Customer Personal Data to SynchrotronAI.
Customer instructions
SynchrotronAI will process Customer Personal Data only to provide the contracted products, services, hosting, support, managed services, security, billing, and related operations; to comply with customer instructions; to comply with applicable law; or as otherwise permitted by the agreement.
Customer instructions are documented in the signed agreement, order, statement of work, support request, product configuration, administrator action, approved integration, and reasonable written instructions consistent with the engagement. SynchrotronAI may notify Customer if it believes an instruction violates applicable law, third-party terms, or security requirements.
Customer obligations
Customer is responsible for the accuracy, quality, legality, and relevance of Customer Personal Data and for providing notices, obtaining consents, selecting lawful bases, responding to individuals, honoring opt-out signals, and ensuring that Customer's use of SynchrotronAI services complies with Applicable Data Protection Laws.
Customer must not provide sensitive or regulated data unless the applicable agreement authorizes that data and defines appropriate safeguards.
Confidentiality
SynchrotronAI will require personnel who access Customer Personal Data to be bound by confidentiality obligations or comparable professional duties. Access will be limited to personnel and providers who need access for the contracted purpose.
Security measures
SynchrotronAI will maintain administrative, technical, and organizational safeguards designed to protect Customer Personal Data from unauthorized access, destruction, loss, alteration, or disclosure. Measures may include access controls, least-privilege practices, cloud security controls, encryption where appropriate, logging, monitoring, secure development practices, vendor review, incident response, and backup or recovery controls appropriate to the engagement.
Security responsibilities may be shared with the customer depending on the deployment model. Customer remains responsible for customer-managed environments, identity providers, endpoint security, permissions, source data, instructions, administrator actions, and third-party systems not controlled by SynchrotronAI.
Personnel access
SynchrotronAI will limit personnel access to Customer Personal Data to individuals who need access to provide the services, support the engagement, secure systems, comply with law, or perform related business operations. Personnel with access must be subject to confidentiality obligations or comparable professional duties.
Subprocessors
Customer authorizes SynchrotronAI to use subprocessors to provide products, services, hosting, security, payments, CRM, support, cloud infrastructure, development, deployment, monitoring, and operations. The current core subprocessor list is available at Subprocessors.
SynchrotronAI will impose written obligations on subprocessors that are designed to protect Customer Personal Data consistent with this DPA and the services they provide. SynchrotronAI remains responsible for subprocessors' performance of their data protection obligations to the extent required by the applicable agreement and law.
Subprocessor changes and objections
SynchrotronAI may update subprocessors as its business, products, services, cloud providers, and customer architectures evolve. Customers with a signed DPA may object to a new subprocessor when they have a reasonable, documented data protection concern. If the parties cannot resolve the concern, the available remedy will be the one stated in the applicable agreement, which may include terminating the affected service.
Assistance
Taking into account the nature of processing and information available to SynchrotronAI, SynchrotronAI will provide reasonable assistance for data subject requests, security assessments, data protection impact assessments, regulatory inquiries, and customer compliance obligations when required by applicable law and the agreement.
SynchrotronAI may charge reasonable fees for assistance that is outside standard support, not caused by SynchrotronAI, or not required by the applicable agreement.
Data subject requests
If SynchrotronAI receives a request directly from an individual about Customer Personal Data, SynchrotronAI may redirect the request to Customer unless legally prohibited. Customer is responsible for responding to individuals when Customer acts as controller, business, or equivalent decision-maker.
Security incidents
SynchrotronAI will notify Customer without undue delay after confirming a security incident involving Customer Personal Data that requires notice under applicable law or the agreement. Notice may include available information about the nature of the incident, affected data, known impact, mitigation steps, and points of contact.
Customer is responsible for determining whether it must notify regulators, individuals, customers, partners, or other parties unless the signed agreement assigns that responsibility differently.
SynchrotronAI's notice of a Security Incident is not an admission of fault or liability. SynchrotronAI may delay or limit information when disclosure would compromise security, violate law, or impair an investigation.
Return and deletion
At the end of the applicable engagement, SynchrotronAI will return, delete, de-identify, aggregate, or archive Customer Personal Data according to the signed agreement, customer instructions, product functionality, legal obligations, backup practices, dispute needs, security requirements, and legitimate business recordkeeping requirements.
Backup, log, and archive copies may persist for a limited period until overwritten or deleted through normal retention cycles, provided they remain protected.
International transfers
SynchrotronAI is based in the United States and uses providers that may process data in the United States and other countries. If an engagement requires specific transfer safeguards, standard contractual clauses, regional processing, or data residency commitments, those terms must be included in the signed agreement or order.
Where the EU GDPR, UK GDPR, Swiss data protection law, or similar law requires transfer safeguards, the parties may incorporate appropriate standard contractual clauses, UK addendum terms, Swiss-specific terms, or other lawful transfer mechanisms into the applicable agreement.
Competent authority
Where a DPA exhibit requires a competent supervisory authority for EU, UK, or Swiss transfer terms, the parties should identify it in the signed agreement based on the customer's establishment, representative, data subjects, processing context, and applicable law.
U.S. state privacy commitments
Where SynchrotronAI processes Customer Personal Data as a service provider, contractor, processor, or similar role under U.S. state privacy laws, SynchrotronAI will not sell Customer Personal Data, share it for cross-context behavioral advertising, retain or use it outside the contracted business purpose, or combine it with other data except as permitted by applicable law and the agreement.
SynchrotronAI will notify Customer if it determines it can no longer meet its applicable service provider, contractor, or processor obligations.
Audits and information
SynchrotronAI will make reasonable information available to demonstrate compliance with this DPA when required by applicable law and the signed agreement. Audits must be scoped, scheduled, and conducted in a manner that protects security, confidentiality, other customers, and SynchrotronAI operations. Third-party certifications, reports, security summaries, questionnaires, or written responses may be used when appropriate.
On-site audits, penetration tests, source code review, customer access to production systems, or direct provider audits require prior written approval and may be denied or limited to protect security, confidentiality, availability, and third-party obligations.
Liability and order of precedence
The liability limits, exclusions, remedies, and dispute terms in the applicable signed agreement apply to this DPA unless legally prohibited. This DPA does not expand liability beyond the signed agreement unless required by applicable law.
Annex A: processing details
Subject matter: SynchrotronAI processing of Customer Personal Data to provide products, professional services, managed services, cloud engineering, integrations, automation, hosting, support, security, billing, and related operations.
Duration: the term of the applicable agreement plus any period required for deletion, backup retention, legal compliance, dispute resolution, security, or recordkeeping.
Nature and purpose: collection, organization, storage, hosting, transmission, analysis, transformation, enrichment, retrieval, consultation, support, troubleshooting, deletion, and other processing needed to provide the contracted engagement.
Data subjects: customer employees, contractors, administrators, users, prospects, customers, vendors, business contacts, and other people whose data is provided by Customer or processed through the engagement.
Data categories: contact details, business identifiers, account data, authentication metadata, workflow records, system metadata, documents, support communications, logs, usage data, integration records, and other data described in the applicable order.
Sensitive data: SynchrotronAI does not request sensitive data through public intake. Sensitive or regulated data should be processed only when the signed agreement and architecture specifically authorize it and define appropriate controls.
Annex B: technical and organizational measures
SynchrotronAI's measures may include least-privilege access, authentication controls, access reviews, encryption in transit, encryption at rest where supported by the platform, network and cloud security controls, monitoring, logging, backup practices, secure software development, dependency review, change management, incident response, confidentiality obligations, vendor management, and employee or contractor security expectations.
Specific measures may vary by product, project, cloud provider, customer environment, and written scope. Customer-specific security commitments should be documented in the applicable agreement.
Access control: role-based access where practical, limited administrative access, credential protection, access removal when no longer needed, and separation between customer environments when supported by the architecture.
Application security: code review, dependency review, testing, change tracking, secrets handling, input validation, authorization checks, and deployment review appropriate to the project.
Infrastructure security: provider-native controls, network configuration, logging, monitoring, backups, recovery planning, and configuration management appropriate to the selected cloud model.
Operational security: incident response, vendor review, support procedures, confidentiality expectations, recordkeeping, and customer escalation paths.
Annex C: subprocessors
The current core subprocessor list is published at Subprocessors. The exact provider set may vary by product, project, managed services scope, customer-selected cloud, integration, support model, and deployment architecture.
Contact
Questions about this DPA may be submitted through the workflow review intake or by email at [email protected].