# Data Processing Addendum (DPA)

**Effective Date:** _____________________

**Between:**

- **Customer** ("Controller"): _________________________________
- **SynquoRum** ("Processor"): The operator of the SynquoRum service

This Data Processing Addendum ("**DPA**") is incorporated into and forms part of the Terms of Service (the "**Agreement**") between Customer and SynquoRum (collectively, the "**Parties**"). It governs the Processing of Personal Data by SynquoRum on behalf of Customer in connection with the SynquoRum service ("**Service**").

This DPA reflects the Parties' agreement on the terms required by Article 28 of Regulation (EU) 2016/679 ("**GDPR**") and equivalent provisions of the UK GDPR, the California Consumer Privacy Act / California Privacy Rights Act ("**CCPA/CPRA**"), the Personal Information Protection Act of Japan, and other applicable data protection laws.

In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to the subject matter herein.

---

## 1. Definitions

1.1 **"Personal Data"** means any information relating to an identified or identifiable natural person processed by SynquoRum on behalf of Customer in connection with the Service.

1.2 **"Process," "Processing," "Processed"** have the meanings given in the GDPR.

1.3 **"Subprocessor"** means any third party engaged by SynquoRum to Process Personal Data.

1.4 **"Data Subject"** means an identified or identifiable natural person to whom Personal Data relates.

1.5 **"Standard Contractual Clauses" or "SCCs"** means the clauses adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021.

1.6 Other capitalized terms have the meanings set forth in the Agreement or applicable law.

---

## 2. Scope and Roles

2.1 **Roles.** With respect to Personal Data Processed under the Agreement, Customer is the Controller and SynquoRum is the Processor. Customer determines the purposes and means of Processing.

2.2 **Customer's Compliance.** Customer represents and warrants that (a) it has obtained all necessary consents, provided required notices, and has a lawful basis for the Processing of Personal Data through the Service; (b) it is authorized to provide Personal Data to SynquoRum; and (c) instructions to SynquoRum are lawful.

2.3 **Subject Matter.** The subject matter of Processing is the operation of the SynquoRum multi-AI orchestration service.

2.4 **Duration.** The duration of Processing is the term of the Agreement, plus any retention period required by law.

2.5 **Nature and Purpose.** The nature and purpose of Processing are described in **Annex 1**.

2.6 **Categories of Data.** The categories of Personal Data Processed are described in **Annex 1**.

2.7 **Categories of Data Subjects.** The categories of Data Subjects are described in **Annex 1**.

---

## 3. Processor Obligations

SynquoRum shall, in its capacity as Processor:

3.1 **(a) Documented Instructions.** Process Personal Data only on documented instructions from Customer, including with regard to transfers of Personal Data to a third country, unless required to do so by Union or Member State law to which SynquoRum is subject. The Agreement (including this DPA) constitutes Customer's complete and final instructions.

3.2 **(b) Confidentiality.** Ensure that persons authorized to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

3.3 **(c) Security Measures.** Implement appropriate technical and organizational measures (TOMs) to ensure a level of security appropriate to the risk, as described in **Annex 2** (Technical and Organizational Measures), in compliance with GDPR Article 32.

3.4 **(d) Subprocessors.** Engage Subprocessors only with the prior general written authorization of Customer (granted by signing this DPA). The current list of authorized Subprocessors is set forth in **Annex 3**. SynquoRum shall:

  (i) inform Customer of any intended changes concerning the addition or replacement of Subprocessors at least 30 days in advance, giving Customer the opportunity to object;

  (ii) impose on each Subprocessor data protection obligations no less protective than those in this DPA;

  (iii) remain fully liable to Customer for the performance of each Subprocessor's obligations.

3.5 **(e) Data Subject Rights.** Taking into account the nature of the Processing, assist Customer by appropriate technical and organizational measures, insofar as possible, in fulfilling Customer's obligation to respond to requests from Data Subjects exercising their rights under Chapter III of the GDPR.

3.6 **(f) Security Incidents and DPIA Assistance.** Assist Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of Processing and the information available to SynquoRum. This includes:

  (i) **Security Incident Notification:** Notify Customer without undue delay, and in any event within **72 hours**, after becoming aware of a Personal Data Breach affecting Personal Data Processed under this DPA. The notification shall include, to the extent known: nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed to address the breach.

  (ii) **DPIA Support:** Provide reasonable cooperation and assistance with Customer's Data Protection Impact Assessments (DPIAs) and prior consultations with supervisory authorities.

3.7 **(g) Deletion or Return.** At Customer's choice, delete or return all Personal Data after the end of the provision of services relating to Processing, and delete existing copies unless Union or Member State law requires storage. Default behavior: SynquoRum permanently deletes Personal Data within 30 days of Agreement termination, except where retention is required by law (e.g., 7-year tax record retention under the Japanese Corporate Tax Act).

3.8 **(h) Audit Rights.** Make available to Customer all information necessary to demonstrate compliance with the obligations laid down in this DPA, and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer. SynquoRum may satisfy this obligation by providing copies of relevant SOC 2, ISO 27001, or equivalent third-party audit reports upon written request, no more than once per year (unless triggered by a Personal Data Breach or specific concern).

---

## 4. International Data Transfers

4.1 **Primary Storage Location.** Personal Data is primarily Processed in the **United States** (Vercel, Supabase, Sentry, Inngest, Stripe). Customer expressly authorizes such transfers as necessary for the provision of the Service.

4.2 **Transfers from EU/EEA, UK, and Switzerland.**

  (i) **SCCs:** SynquoRum and its Subprocessors rely on the **Standard Contractual Clauses (Module 2: Controller to Processor)** adopted by Commission Implementing Decision (EU) 2021/914, which are hereby incorporated by reference. Customer is the data exporter; SynquoRum is the data importer.

  (ii) **UK Addendum:** For transfers from the United Kingdom, the **UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses** (Version B1.0, 21 March 2022) is incorporated by reference.

  (iii) **Swiss Addendum:** For transfers from Switzerland, the SCCs are amended such that references to GDPR shall be deemed to include the Swiss Federal Act on Data Protection.

4.3 **EU-US Data Privacy Framework.** Where applicable, transfers may also rely on the **EU-US Data Privacy Framework (DPF)** (as adopted by Commission Implementing Decision (EU) 2023/1795).

4.4 **Transfer Impact Assessment.** SynquoRum has conducted a Transfer Impact Assessment (TIA) considering the legal environment of receiving jurisdictions (including FISA 702 and Executive Order 12333 in the US) and has implemented supplementary measures where necessary, including encryption in transit and at rest, strong access controls, and minimization of Personal Data transferred.

4.5 **Other Jurisdictions.** Transfers to or from jurisdictions other than EU/EEA/UK (e.g., to comply with PIPL, LGPD, PIPA, DPDP Act, POPIA, PDPA) are subject to applicable cross-border transfer requirements of the Customer's home jurisdiction.

---

## 5. Customer Personal Data Categories

The following categories of Personal Data may be Processed under this DPA. Customer shall use the Service only for the categories indicated.

| Category | Examples | Sensitivity |
|---|---|---|
| Identity / Account | Email, display name, locale, timezone | Standard |
| Authentication | Hashed passwords (bcrypt), OAuth IDs, session tokens | High |
| Content | Chat history, files, folders, notes, AI prompts and outputs | Variable (Customer-controlled) |
| Usage | Access logs, point usage, error logs | Standard |
| Billing | Stripe customer ID, plan type (no card data — handled by Stripe directly) | Standard |
| Consent Records | Terms / privacy version, IP, user agent at signup | Standard |

**Special Categories of Personal Data (GDPR Art. 9):** SynquoRum is **not designed** to Process special categories of data (health, biometric, genetic, sexual orientation, political opinions, etc.). Customer agrees not to submit such data to the Service unless the Parties execute a separate written agreement with additional safeguards.

---

## 6. Customer's Obligations

6.1 **Lawful Basis.** Customer shall ensure that it has a valid lawful basis for Processing all Personal Data submitted to the Service.

6.2 **Notice to Data Subjects.** Customer shall provide all required notices and obtain all required consents from Data Subjects.

6.3 **Compliance with Instructions.** Customer's instructions shall comply with applicable data protection laws. Customer shall not require SynquoRum to Process Personal Data in a manner that would violate applicable law.

6.4 **Sensitivity of Submitted Data.** Customer is solely responsible for the type of data it submits to the Service. Customer shall not submit special categories of Personal Data without the safeguards described in Section 5 above.

---

## 7. Liability and Indemnification

Each Party's liability under this DPA is subject to the liability provisions in the Agreement (including Section 20 of the Terms of Service). For clarity, the limitations of liability in the Agreement apply to each Party's aggregate liability under both the Agreement and this DPA.

---

## 8. Term and Termination

This DPA enters into effect upon execution and remains effective until the termination of the Agreement, except for provisions that, by their nature, survive termination (including Sections 3.7, 4, and 7).

---

## 9. Miscellaneous

9.1 **Order of Precedence.** In case of conflict between the Agreement and this DPA, this DPA prevails on data protection matters.

9.2 **Governing Law.** This DPA is governed by the law specified in the Agreement (Japanese law, with mandatory provisions of the Customer's jurisdiction prevailing where required by law).

9.3 **Severability.** If any provision is found to be unenforceable, the remaining provisions remain in effect.

9.4 **Amendments.** Amendments must be in writing and signed by authorized representatives of both Parties.

---

## Annex 1 — Description of Processing

**Subject matter and duration:** As specified in the Agreement.

**Nature and purpose of Processing:**
- Hosting and operating the SynquoRum multi-AI orchestration platform
- Authentication and session management
- Storing and displaying Customer Content (chats, files, folders)
- Relaying API requests from Customer to third-party AI services using Customer-provided API keys (BYOK model)
- Billing and payment processing
- Error monitoring and security incident response
- Customer support

**Categories of Data Subjects:**
- Customer's authorized end users
- Customer's employees / agents

**Categories of Personal Data:** As described in Section 5.

**Frequency:** Continuous, for the duration of the Agreement.

---

## Annex 2 — Technical and Organizational Measures (TOMs)

SynquoRum implements the following TOMs in accordance with GDPR Article 32:

### Technical Measures

- **Encryption in transit:** TLS 1.2+ for all communications
- **Encryption at rest:** AES-256-GCM for API keys; bcrypt for passwords; Supabase / Vercel infrastructure-level encryption for stored data
- **Access control:** Supabase Row Level Security (RLS); least-privilege principle for administrative access
- **Authentication:** Supabase Auth with OAuth (Google, GitHub) and PKCE; HttpOnly + Secure cookies; SameSite=Lax
- **Network security:** Cloudflare DDoS protection; Vercel Web Application Firewall; CSP, COOP, CORP headers
- **Vulnerability management:** Dependabot for dependency updates; Semgrep SAST and GitLeaks integrated into CI; weekly OWASP ZAP DAST scans
- **Monitoring:** Sentry for error tracking with PII scrubbing; comprehensive audit logging (audit_logs table) at SOC 2 grade
- **Resilience:** Vercel multi-region edge; Supabase point-in-time recovery; rolling backups (max 30 days)

### Organizational Measures

- **Role-based access control:** Personal Data access limited to necessary personnel
- **Personnel training:** Continuous data protection education (currently founder-only during beta)
- **Subprocessor management:** Annual review of subprocessor DPAs
- **Incident response plan:** Documented SOP for breach detection, containment, notification, and post-mortem
- **Data minimization:** Only data necessary for the Service is collected

### Data Recovery Capabilities

- Automated daily backups (rolling 30 days)
- Tested restore procedures (quarterly)
- Recovery Time Objective (RTO): 4 hours
- Recovery Point Objective (RPO): 24 hours

---

## Annex 3 — Authorized Subprocessors

The following Subprocessors are authorized as of the Effective Date:

| Subprocessor | Service | Location | Compliance |
|---|---|---|---|
| **Stripe, Inc.** | Payment processing, customer balance | United States (with EU presence via Stripe Payments Europe Ltd) | PCI DSS Level 1, GDPR DPA, SOC 1/2 Type 2 |
| **Vercel Inc.** | Hosting and edge network | United States | GDPR DPA, SOC 2 Type 2 |
| **Supabase Inc.** | Database, authentication, storage | United States (AWS us-east-1) | GDPR DPA, SOC 2 Type 2, HIPAA-eligible |
| **Functional Software, Inc. (Sentry)** | Error monitoring | United States | GDPR DPA, SOC 2 |
| **Inngest, Inc.** | Background jobs and webhook processing | United States | GDPR DPA, SOC 2 |
| **Cloudflare, Inc.** | DNS, CDN, email routing, DDoS protection | Global edge network | GDPR DPA, SOC 2 Type 2, ISO 27001 |

SynquoRum will provide at least 30 days' notice of any new Subprocessor addition, allowing Customer to object. Notice will be provided via email to Customer's designated contact.

---

## Signatures

**Customer:**

- Name: _________________________________
- Title: _________________________________
- Date: _________________________________
- Signature: _________________________________

**SynquoRum (Processor):**

- Name: _________________________________
- Title: _________________________________
- Date: _________________________________
- Signature: _________________________________

---

*This DPA template is version **1.0.0** (effective date matches the date of the Agreement). For questions about this DPA, please contact <support@synquorum.com>.*

*Last updated: May 15, 2026*

*This document is provided as a downloadable Markdown / PDF / DOCX template. Customers requiring electronic signatures may request DocuSign or equivalent processing.*
