Synchronise AI
PrivacySub-processorsCookieTermsLogin
Legal

Data Processing Addendum.

This Addendum (“DPA”) governs how Synchronise AI processes the customer data you connect, where we act as your processor. It forms part of, and is incorporated into, our Terms of Service. A countersigned copy for your records is available on request.

v2026.07 · effective 2 July 2026← Back to Privacy Policy
01

Roles & scope

In short

This DPA applies when we process customer data on your behalf. You're the controller; we're the processor.

For the connected source data and the outputs derived from it, you are the controller (or processor for your own customers) and Synchronise AIis the processor (a “service provider” under US law). For account, billing, and product-usage data, Synchronise AI is the controller, governed by the Privacy Policy. Capitalised terms not defined here have the meaning given in the Terms.

02

Details of processing

In short

What we process, why, for how long, and whose data — the particulars required by GDPR Article 28.

  • Subject matter & duration: processing of connected customer data for the term of your subscription, until deletion.
  • Nature & purpose: reading product signal in memory to generate cited insights, themes, and outputs, including via agents you configure.
  • Types of data: the content of the sources you connect (events, tickets, threads, issues, pages, docs, recordings) and the personal data they may contain.
  • Categories of data subjects: your users, customers, and team members as represented in those sources.

We process customer data only on your documented instructions — including those given through the product — unless required by law.

03

Confidentiality & security

In short

We keep customer data confidential and apply the technical and organisational measures in Annex A.

Personnel authorised to process customer data are bound by confidentiality. We maintain the technical and organisational measures set out in Annex A — including per-table row-level isolation, encryption in transit and at rest by our infrastructure providers, and least-privilege access. We do not maintain a parallel datastore mirroring your connected sources; workspace data is held in Tokyo, Japan.

04

Sub-processors

In short

You authorise the sub-processors we list, and we tell you before adding a new one that handles customer data.

You provide general authorisation for Synchronise AI to engage the sub-processors listed on the Sub-processors page. We impose data-protection obligations on each that are no less protective than this DPA, and we remain responsible for their performance. We will notify workspace admins before a new sub-processor handling customer data takes effect. You may object on reasonable data-protection grounds within 30 days; if we cannot accommodate the objection, you may terminate the affected service.

05

International transfers

In short

Cross-border transfers rely on Standard Contractual Clauses or the UK IDTA.

Where processing involves transferring personal data out of the UK or EEA to a country without an adequacy decision, the EU Standard Contractual Clauses are incorporated into this DPA and apply on their Module Two (controller-to-processor) terms, and Module Three (processor-to-processor) for onward transfers to our sub-processors, with Synchronise AI as data importer. The UK International Data Transfer Addendum applies to UK data and the Swiss addendum to Swiss data.

06

Assistance with data-subject requests

In short

We help you respond to access, deletion, and correction requests from data subjects.

Taking into account the nature of the processing, we assist you with appropriate measures to fulfil your obligation to respond to data-subject requests, and to meet your security, breach, and impact-assessment obligations under applicable law. Most requests can be actioned directly in-app; for the rest, email gautham@synchronise.ai.

07

Personal data breach

In short

We notify you without undue delay after becoming aware of a breach affecting your data.

We notify you without undue delay after becoming aware of a personal data breach affecting customer data, with the information you reasonably need to meet your own notification obligations. Report suspected incidents to gautham@synchronise.ai with the subject incident.

08

Deletion & return

In short

On termination we delete or return customer data; live data immediately, backups within 30 days.

On termination, or on your request, we delete or return customer data within a commercially reasonable period and delete existing copies, except where we are required by law to retain it. Live workspace data is removed immediately by cascade; residual copies in routine backups are overwritten on our database provider's standard cycle, consistent with the retention schedule in the Privacy Policy.

09

Audit & information

In short

We demonstrate compliance through this DPA, sub-processor attestations, and a security questionnaire; on-site audits are available under tight conditions.

We make available the information reasonably necessary to demonstrate compliance with this DPA — principally this document, the sub-processor attestations referenced here, and our responses to a reasonable security questionnaire. If that is insufficient for a regulator or a documented compliance obligation, you may request an on-site audit on reasonable prior notice, no more than once a year, during business hours, subject to confidentiality and at your cost. We may rely on independent third-party reports where available.

10

US state privacy laws

In short

For US customers we act as a “service provider” and never sell or share your data.

Where the California Consumer Privacy Act (as amended by the CPRA) or a comparable US state law applies, Synchronise AIacts as a “service provider” (or processor) and processes customer data only to provide the service under this DPA and the Terms. We do not “sell” or “share” customer data for cross-context behavioural advertising, do not retain, use, or disclose it outside that direct business relationship, and do not combine it with personal information from other sources except as permitted by law.

11

Liability

In short

Liability under this DPA is governed by the limitation of liability in the Terms.

Each party's liability arising out of or related to this DPA, whether in contract, tort, or otherwise, is subject to the exclusions and limitations of liability in the Terms of Service. This DPA does not create a separate or additional liability cap.

12

General

In short

This DPA is part of the Terms; if they conflict on data protection, this DPA wins. A signed copy is available on request.

This DPA is incorporated into and forms part of the Terms of Service. To the extent of any conflict on the subject of personal-data processing, this DPA prevails. For a countersigned copy, or to raise a data-protection question, email gautham@synchronise.ai.

Annex A

Technical & organisational measures

We maintain the measures below, in part through our infrastructure providers (see Sub-processors). They are appropriate to the risk and evolve as the product matures.

  • Access control & tenant isolation — PostgreSQL row-level security on every table, per-workspace policies, least-privilege service access, and OAuth/SSO sign-in.
  • Encryption — TLS in transit and AES-256 at rest, provided by our database and hosting providers.
  • Credential handling — third-party OAuth tokens held by our connection broker, not by us; application secrets in managed secret stores.
  • Application & network security — HMAC-signed internal endpoints, rate limiting, and scoped, short-lived tool sessions for agents.
  • Data minimisation — no parallel mirror of connected sources; we persist chat history, working files, outputs, and uploads, not bulk source records.
  • Availability & recovery — managed Postgres with routine backups by our database provider.
  • Sub-processor management — flow-down obligations and advance notice of changes.
  • Personnel — confidentiality obligations for everyone with access.
Related documents
  • Privacy PolicyWhat we collect, why, and your rights.
  • Sub-processorsThe services that help run Synchronise AI.
  • Cookie NoticeWhat we set in your browser and why.
  • Terms of ServiceThe agreement that governs use of the product.

Synchronise AI · ABN 68 960 446 366 · Gautham Srinivas, founder · Tokyo, Japan data residency. Questions and requests: gautham@synchronise.ai.

© Synchronise AI. This page supersedes any prior version. We email workspace admins before material changes take effect.