Data Processing Agreement
Last updated: April 2026
1. Introduction
This Data Processing Agreement ("DPA") forms part of the agreement between Synchronise ("Processor", "we", "us") and the customer ("Controller", "you") for the provision of alignment monitoring services.
This DPA applies to the processing of personal data by Synchronise on behalf of the Controller in connection with the Services, as defined in our Terms of Service.
2. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person.
- Processing: Any operation performed on Personal Data, including collection, storage, retrieval, and deletion.
- Sub-processor: Any third party engaged by Synchronise to process Personal Data on behalf of the Controller.
- Data Subject: The individual to whom Personal Data relates.
3. Scope of Processing
Synchronise processes the following categories of Personal Data:
- User identifiers (names, email addresses) from connected sources
- Ticket assignee information from Jira
- Document author information from Notion, Confluence, or Google Docs
- Message sender information from Slack (when connected)
Read-only access: Synchronise operates with read-only permissions. We do not modify, delete, or write data to your connected sources.
4. Data Security
Synchronise implements appropriate technical and organizational measures to protect Personal Data, including:
- Encryption of data at rest using AES-256
- Encryption of data in transit using TLS 1.3
- Access controls and authentication requirements
- Regular security assessments and penetration testing
- Incident response procedures
5. Sub-processors
Synchronise uses the following sub-processors:
| Provider | Purpose | Location |
|---|---|---|
| Vercel | Hosting & CDN | US, EU |
| Supabase | Database & Auth | US, EU |
| Anthropic | AI Processing | US |
We will notify you of any changes to sub-processors with at least 30 days' notice.
6. Data Retention
Personal Data is retained only for as long as necessary to provide the Services. Upon termination of your account:
- All Personal Data is deleted within 30 days
- Backups are purged within 90 days
- You may request immediate deletion at any time
7. Data Subject Rights
Synchronise will assist you in responding to requests from Data Subjects to exercise their rights under applicable data protection laws, including:
- Right of access
- Right to rectification
- Right to erasure ("right to be forgotten")
- Right to restriction of processing
- Right to data portability
8. Data Breach Notification
In the event of a Personal Data breach, Synchronise will notify you without undue delay and in any event within 72 hours of becoming aware of the breach. The notification will include the nature of the breach, categories of data affected, and measures taken to address the breach.
9. International Transfers
Where Personal Data is transferred outside the European Economic Area, Synchronise ensures appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission.
10. AI & Machine Learning
Synchronise uses AI to analyze alignment between your sources. Important commitments:
- No training on your data: Your data is never used to train AI models
- Ephemeral processing: AI analysis is performed in real-time and not stored beyond the immediate operation
- No cross-customer learning: Insights from your data are never shared or applied to other customers
11. Audit Rights
Upon reasonable notice, you may audit Synchronise's compliance with this DPA. Synchronise will provide access to relevant documentation, including security certifications, audit reports, and compliance records.
12. Contact
For questions about this DPA or to exercise any rights, contact us at privacy@synchronise.ai.