Data Processing Addendum
Version 2026-04-20.1 · Effective 20 April 2026
1. Parties and scope
This Data Processing Addendum (“DPA”) forms part of the Terms of Service between Synaptico (“Processor”, “Synaptico”) and the Customer (“Controller”) and applies to any processing of personal data carried out by Synaptico on behalf of the Controller through the Service. It is concluded under Article 28(3) GDPR.
2. Subject matter, duration, nature and purpose
- Subject matter: provision of the Synaptico platform for AI-Act governance and related services.
- Duration: the term of the Terms of Service, plus any period during which return or deletion of Customer Data takes place.
- Nature and purpose: hosting, storing, processing, analysing and displaying Customer Data to deliver the Service; providing support; maintaining security and auditability.
3. Types of personal data and categories of data subjects
Processor processes the categories described in Annex I. These typically include names, job titles, business contact data and narrative text contained in documents the Controller uploads. The Controller represents that it will not upload special-category personal data (Article 9 GDPR) unless it has informed Synaptico in writing and obtained explicit agreement on the applicable safeguards.
4. Controller and processor obligations
The Controller warrants it has a valid legal basis for the processing it instructs Synaptico to carry out and that it has provided the transparency information required by Articles 13 and 14 GDPR to data subjects.
The Processor will: (a) process personal data only on documented instructions from the Controller, including those embodied in the Service; (b) ensure staff accessing personal data are under a duty of confidentiality; (c) implement the measures in Annex II; (d) assist the Controller with data-subject requests and DPIAs where required; (e) notify the Controller without undue delay (and in any event within 48 hours where feasible) after becoming aware of a personal-data breach affecting Customer Data.
5. Sub-processors
The Controller grants a general authorisation for the use of sub-processors. The current list is at [/legal/sub-processors — TBC]. We will give at least thirty (30) days’ prior notice of any intended change, during which the Controller may object on reasonable data-protection grounds. If the parties cannot agree, the Controller may terminate the affected part of the Service with a pro-rata refund for prepaid unused fees.
6. International transfers
Where personal data is transferred outside the EEA, the transfer is governed by the European Commission’s Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), module 3 (processor to sub-processor) or module 2 (controller to processor), as applicable, which are incorporated by reference. Synaptico will implement supplementary measures where a transfer-impact assessment indicates they are required.
7. Audits
On request and with reasonable notice, the Processor will provide the Controller with the information necessary to demonstrate compliance with Article 28 GDPR. The Controller may audit no more than once per calendar year (unless mandated by a supervisory authority), at its own cost, during business hours, under a non-disclosure agreement, and without disrupting the Service or other customers’ data.
8. Return and deletion
On termination, the Processor will, at the Controller’s choice, return or delete all Customer Data containing personal data, unless retention is required by Union or Member State law. Deletion will take place within ninety (90) days of termination unless the Controller requests a longer retention for its own audit purposes.
9. Liability
The limitations and exclusions of liability in the Terms of Service apply to claims under this DPA, except where Article 82 GDPR or other mandatory law precludes their application.
10. Order of precedence
In the event of any conflict between this DPA and the Terms of Service, this DPA prevails on matters of data protection. The Standard Contractual Clauses, when incorporated, prevail over both to the extent of any conflict.
Annex I — Processing details
- Categories of data subjects: Controller’s personnel and contractors; individuals referenced in documents the Controller uploads (e.g. employees, candidates, customers).
- Categories of personal data: identification and contact data; professional information; free-text narratives; technical identifiers (IP, user-agent); authentication data for platform users.
- Processing operations: collection, storage, retrieval, use, disclosure to sub-processors identified in the sub-processor list, erasure.
- Nature of processing: electronic, on hosted infrastructure within the EEA (primary) with limited transfers outside the EEA under SCCs where disclosed.
Annex II — Technical and organisational measures
- Encryption in transit (TLS 1.2+) and at rest for stored Customer Data and backups.
- Role-based access control with least-privilege defaults; MFA for administrative access.
- Segregation of production and non-production environments.
- Centralised audit logging and monitoring with alerting on anomalous access patterns.
- Backups with documented restore procedures, tested annually.
- Vulnerability management and periodic third-party penetration testing.
- Secure development lifecycle: code review, dependency scanning, secrets management.
- Incident-response plan with defined severity levels, escalation, and post-incident review.
- Confidentiality obligations and regular training for personnel.
- Physical security at our hosting providers’ data centres is managed by those providers under ISO 27001 / SOC 2 controls.