Syncally

Data Processing Agreement

Last Updated: January 24, 2026

GDPR Compliant

This Data Processing Agreement ("DPA") governs the processing of personal data by Syncally on behalf of our customers.

1. Definitions

This DPA forms part of the Terms of Service between Syncally ("Processor") and the Customer ("Controller").

  • Personal Data: Information relating to an identifiable natural person.
  • Subprocessor: A third-party data processor engaged by Syncally.
  • Security Breach: A breach of security leading to accidental or unlawful destruction, loss, alteration, or disclosure of personal data.

2. Processing Scope

2.1 Subject Matter

Processing of engineering data, including codebases, meeting transcripts, and tasks, to provide the Syncally platform services.

2.2 Nature and Purpose

Collection, storage, retrieval, and analysis of data via AI models to generate insights and improve engineering productivity.

2.3 Data Subjects

Customer's employees, contractors, and collaborators utilizing the platform.

3. Roles and Obligations

3.1 Controller (You)

  • Ensure lawful basis for processing.
  • Provide necessary notices to data subjects.
  • Do not upload sensitive data (health/biometric) without prior agreement.

3.2 Processor (Us)

  • Process data only on documented instructions.
  • Ensure persons authorized to process data are committed to confidentiality.
  • Assist Controller with Data Subject Rights requests.
  • Notify Controller of any Security Breach without undue delay (max 72h).

4. Sub-Processors

You authorize us to engage the following sub-processors to provide the Service:

| Sub-Processor | Service / Purpose | Location |
|---|---|---|
| Neon Database | Primary Database (PostgreSQL) | USA |
| Supabase | Object Storage | USA |
| OpenAI | LLM Processing & Embeddings | USA |
| Google Gemini | LLM Processing | USA |
| AssemblyAI | Audio Transcription | USA |
| Inngest | Background Job Processing | USA |
| Vercel | Hosting & Edge Functions | USA |
| Polar.sh | Payment Processing (Merchant of Record) | EU |
| Resend | Transactional Emails | USA |

We will notify you of any intended changes concerning the addition or replacement of other processors at least 30 days in advance via email.

5. Security Measures (TOMs)

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk:

  • Encryption: Data is encrypted in transit using TLS 1.3 and at rest using AES-256.
  • Access Control: Strict role-based access control (RBAC) and Multi-Factor Authentication (MFA) for all internal staff access.
  • Vulnerability Management: Regular security scans and dependency updates.
  • Physical Security: We rely on our cloud providers (Azure/AWS via Vercel/Neon) who maintain ISO 27001/SOC 2 certified data centers.
  • Disaster Recovery: Daily encrypted backups with 30-day retention and regular restoration testing.

6. International Transfers

  • Data Location: Primary processing occurs in the United States (Azure East US 2).
  • Safeguards: For transfers from the EEA/UK to countries not deemed adequate, we rely on the Standard Contractual Clauses (SCCs). By executing this DPA, the SCCs are incorporated by reference.

7. Data Retention & Deletion

  • During Term: Data is retained for as long as your account is active. Meeting audio is deleted 7 days after processing.
  • Termination: Upon termination of the Service, you may retrieve your data. All Personal Data will be deleted within 30 days of account deletion, except where required by law.
  • Backups: Backups are overwritten on a rolling 30-day basis.

8. Audits

You may audit our compliance with this DPA up to once per year. Such audits must be conducted during regular business hours, with at least 30 days' prior written notice, and without disrupting our business operations.

9. Contact

For privacy and security inquiries:

[email protected]