Data Processing Addendum
The GDPR Art. 28 agreement that governs how Syncek processes personal data on your behalf.
Last updated: April 20, 2026
This Data Processing Addendum ("DPA") supplements the Terms of Service ("Agreement") between Syncek SL ("Syncek", "Processor") and you or the organization you represent ("Customer", "Controller"). It is accepted on a click-through basis when you accept the Terms: by entering into the Agreement you also enter into this DPA for any Customer Data that constitutes personal information under applicable data-protection law. A counter-signed PDF version is available on request at legal@syncek.com; the click-through and counter-signed versions are legally equivalent.
This DPA is drafted to satisfy Art. 28 of Regulation (EU) 2016/679 (GDPR), Art. 28 of the UK GDPR, and the Swiss Federal Act on Data Protection (FADP). In the event of any conflict between this DPA and the Agreement, this DPA prevails as to the processing of personal information.
1. Definitions
Capitalized terms not defined here have the meanings given in the Terms of Service. In addition:
- Applicable Data Protection Law means the GDPR, the UK GDPR, the Swiss FADP, Spanish Organic Law 3/2018 (LOPDGDD), and any other data-protection law applicable to a party's processing of personal information under the Agreement.
- Customer Personal Data means personal information (as defined by Applicable Data Protection Law) contained in Customer Data and processed by Syncek on Customer's behalf under the Agreement.
- Data Subject, Controller, Processor, Sub-processor, Personal Data Breach, and Supervisory Authority have the meanings given in Art. 4 GDPR.
- EU SCCs means the Standard Contractual Clauses approved by Commission Implementing Decision (EU) 2021/914.
- UK IDTA means the UK International Data Transfer Addendum to the EU SCCs, issued by the UK Information Commissioner under s.119A of the UK Data Protection Act 2018.
2. Roles and scope
For Customer Personal Data processed under the Agreement, Customer is the Controller and Syncek is the Processor. Customer determines the purposes and means of processing and remains responsible for its lawful basis, notice, and data-subject rights toward the individuals whose data it uploads.
3. Duration, nature, purpose, and categories of data
- Duration. This DPA applies for the duration of the Agreement plus any period during which Syncek retains Customer Personal Data under Section 9.
- Nature and purpose of processing. Hosting, storing, organizing, structuring, retrieving, consulting, adapting, transmitting, backing up, and deleting Customer Personal Data in order to provide the Service (a CRM platform) to Customer.
- Categories of Data Subjects. Customer's contacts, leads, prospects, customers, vendors, partners, employees, and any other individuals whose information Customer uploads to a Syncek workspace; and Customer's own personnel (workspace members).
- Categories of Customer Personal Data. Names, email addresses, phone numbers, postal addresses, employer, job title, deal/pipeline information, activity and communication logs, notes, uploaded files, and any custom fields Customer configures. Customer is contractually prohibited from uploading special-category data (Art. 9 GDPR), U.S. PHI, PCI card numbers beyond Stripe's scope, or children's data (see the Acceptable Use Policy).
4. Syncek's obligations as Processor (Art. 28(3) GDPR)
- Documented instructions. Syncek processes Customer Personal Data only on Customer's documented instructions, including those set out in the Agreement, configuration of the Service, and written follow-up instructions — unless required to do otherwise by EU or Member State law, in which case Syncek will inform Customer of that legal requirement before processing, unless prohibited by law.
- Confidentiality. Syncek ensures that persons authorized to process Customer Personal Data are bound by confidentiality obligations.
- Security. Syncek implements the technical and organizational measures described in Annex II (Section 12 below) to ensure a level of security appropriate to the risk (Art. 32 GDPR).
- Sub-processors. See Section 5.
- Assistance with Data Subject rights. Taking into account the nature of the processing, Syncek assists Customer by providing features that enable Customer to respond to data-subject requests (access, rectification, erasure, restriction, portability, objection) — principally, export and deletion tools within the Service. Where a feature is not sufficient, Syncek will assist by other reasonable means upon written request.
- Assistance with DPIAs and Supervisory Authority consultations. Upon request, Syncek will assist Customer in meeting its obligations under Arts. 32–36 GDPR, taking into account the information available to Syncek.
- Breach notification. Syncek will notify Customer without undue delay and, where feasible, within forty-eight (48) hours after becoming aware of a Personal Data Breach affecting Customer Personal Data, providing the information reasonably necessary for Customer to meet its own notification duties under Arts. 33–34 GDPR.
- Deletion or return. Upon termination of the Agreement, Syncek will delete Customer Personal Data from production systems promptly and from routine backups within thirty (30) days, unless EU or Member State law requires continued storage. Customer may export its data from the Service before deletion.
- Audit. Syncek will make available to Customer information necessary to demonstrate compliance with Art. 28 GDPR. On reasonable prior written request and no more than once per year (save in the event of a confirmed Personal Data Breach), Customer or an independent auditor mandated by Customer may audit Syncek's compliance; Syncek may satisfy the audit right by providing then-current third-party audit reports or security questionnaires.
5. Sub-processors (Art. 28(2)–(4) GDPR)
Customer provides a general written authorization for Syncek to engage the sub-processors listed on our Sub-processors page, together with any additional sub-processors Syncek notifies under this Section.
Before engaging a new or replacing an existing sub-processor, Syncek will update the sub-processors list and provide at least thirty (30) days' advance notice. Customer may object on reasonable grounds related to data protection by written notice to legal@syncek.com within that 30-day window. If the parties cannot agree on a resolution, Customer may terminate the affected Service on written notice, and Syncek will refund any prepaid fees for services not yet rendered in the terminated portion.
Syncek imposes on each sub-processor data-protection obligations equivalent in substance to those in this DPA and remains liable for the acts and omissions of its sub-processors as if they were its own.
6. International data transfers (Chapter V GDPR)
Customer Personal Data is primarily stored in the European Union. Where transfers to third countries are required to provide the Service:
- EU-US Data Privacy Framework. Where the recipient is certified under the EU-US DPF, the transfer is made in reliance on the Commission's adequacy decision of 10 July 2023.
- EU SCCs. Where the DPF is unavailable and the recipient is outside the EEA or a country with an adequacy decision, the parties hereby enter into Module Two (Controller-to-Processor) of the EU SCCs, which is incorporated into this DPA by reference and completed as follows: (i) Clause 7 (docking clause) is included; (ii) Clause 9 option 2 (general authorization) applies with a 30-day change-notice period; (iii) Clause 11 option: no independent dispute-resolution body is designated; (iv) Clause 17 governing law: Spain; (v) Clause 18 forum: courts of Valencia, Spain; (vi) Annex I.A lists the parties (Customer as data exporter, Syncek as data importer); (vii) Annex I.B references Section 3 of this DPA; (viii) Annex I.C identifies the competent Supervisory Authority (AEPD); (ix) Annex II references Section 12 of this DPA; (x) Annex III references the sub-processors list on our Sub-processors page.
- UK IDTA. For transfers subject to the UK GDPR, the parties enter into the UK IDTA, which modifies the EU SCCs as necessary to comply with UK law.
- Swiss FADP. For transfers subject to Swiss law, references to the GDPR in the EU SCCs are read as references to the FADP, the competent authority is the FDPIC, and the clauses protect Swiss residents' rights.
- Supplementary measures. TLS in transit, encryption at rest, strict role-based access control, audit logging, and transfer-impact assessments where required.
7. Data subject requests
If Syncek receives a request from a Data Subject concerning Customer Personal Data, we will without undue delay inform the Data Subject that Customer is the Controller and will refer the request to Customer, unless Applicable Data Protection Law prohibits such referral.
8. Customer obligations
Customer warrants and undertakes that:
- it has established, and will maintain throughout the duration of the Agreement, a lawful basis for the processing of Customer Personal Data under Art. 6 GDPR (and, if applicable, Arts. 9–10 GDPR);
- it has provided the transparency information required by Arts. 13–14 GDPR to Data Subjects;
- its instructions to Syncek will at all times comply with Applicable Data Protection Law; and
- it will not upload Customer Personal Data that the Service is not authorized to process under the Agreement or the Acceptable Use Policy.
9. Return and deletion
During the Agreement, Customer can at any time export Customer Personal Data or delete workspace objects using in-product tools. Upon termination or expiry of the Agreement, Syncek will delete Customer Personal Data from production systems within a reasonable period (typically within thirty (30) days) and from routine backups within a further thirty (30) days, unless Union or Member State law requires continued storage, in which case Syncek will isolate and protect the data pending deletion.
10. Liability
Each party's liability under this DPA is subject to the aggregate limitation of liability set out in the Agreement. Nothing in this DPA limits liabilities that cannot be excluded under Applicable Data Protection Law, including liability of either party to Data Subjects under Art. 82 GDPR.
11. Governing law; order of precedence; termination
This DPA is governed by the law of Spain. The courts of Valencia, Spain have exclusive jurisdiction, subject to the consumer carve-out in the Terms of Service. In the event of conflict between this DPA and the EU SCCs, the EU SCCs prevail; in the event of conflict between this DPA and the Agreement, this DPA prevails as to the processing of personal information. This DPA terminates automatically upon termination of the Agreement, without prejudice to obligations that by their nature survive.
12. Annex II — Technical and organizational measures (Art. 32 GDPR)
- Encryption. TLS 1.2 or higher for data in transit; AES-256 or equivalent for data at rest. Sensitive customer secrets (API credentials, integration tokens) are encrypted at the application layer using a key-management service.
- Access control. Role-based access for Syncek personnel with least-privilege defaults, multi-factor authentication, and centralized identity.
- Confidentiality of personnel. All personnel bound by written confidentiality obligations; access granted on a need-to-know basis and revoked on role change or termination.
- Data segregation. Logical segregation of customer workspaces at the application layer; row-level tenancy enforced by workspace identifiers on every query.
- Vulnerability management. Automated dependency and code scanners; patching prioritized by severity; penetration testing cadence published on our Security page.
- Logging and monitoring. Security and audit logs collected and retained with integrity protections; alerting for anomalous access or authentication.
- Backup and recovery. Regular automated backups; documented recovery procedures; backup retention limited to thirty (30) days in rolling production backups.
- Incident response. Formal incident-response plan with roles, escalation paths, and 48-hour breach-notification target to Customer.
- Physical security. Provided by our cloud and colocation vendors; certifications (e.g., ISO 27001, SOC 2) documented by each vendor.
- Organizational measures. Privacy-by-design in feature planning; periodic training for personnel who process Customer Personal Data; written policies on access control, cryptography, and secure development.
13. Contact
For questions about this DPA, or to request a counter-signed copy, contact legal@syncek.com.