Updated: April 15, 2026
This Data Processing Addendum (“DPA”) forms part of the Synthelio Terms of Service (the “Terms”) between Synthelio Group sp. z o.o. (“Synthelio”) and the Customer. By accepting the Terms, the Customer accepts this DPA on behalf of itself and any affiliates whose personal data is processed via the Services. No separate signature is required. In the event of a conflict between this DPA and the Terms with respect to the processing of personal data, this DPA prevails.
1.1. This DPA applies whenever Synthelio processes personal data on behalf of the Customer in connection with the Services. Capitalized terms not defined here have the meanings given in the Terms.
1.2. The Customer is the “Controller” and Synthelio is the “Processor” for personal data processed under the Terms, as those terms are defined in Regulation (EU) 2016/679 (the “GDPR”).
1.3. This DPA reflects the requirements of Article 28 of the GDPR and other applicable data protection laws (“Applicable Data Protection Laws”), including the Polish Personal Data Protection Act of 10 May 2018.
• “Controller,” “Processor,” “Data Subject,” “Personal Data,” “Processing,” “Personal Data Breach,” and “Supervisory Authority” have the meanings in Article 4 of the GDPR.
• “Customer Personal Data” means Personal Data within Customer Data (as defined in the Terms) that Synthelio processes on behalf of the Customer.
• “Sub-processor” means any third party engaged by Synthelio to process Customer Personal Data on its behalf.
• “SCCs” means the Standard Contractual Clauses set out in Commission Implementing Decision (EU) 2021/914, Module Two (Controller-to-Processor).
3.1. Synthelio shall process Customer Personal Data only on documented instructions from the Customer, including with regard to transfers to a third country, unless required to do otherwise by EU or Member State law. In such a case, Synthelio shall inform the Customer of that legal requirement before processing, unless the law prohibits this on important grounds of public interest.
3.2. The Terms, this DPA, the Customer’s account configuration, and the Customer’s reasonable use of the Services constitute the Customer’s complete and final documented instructions. Any additional instructions must be agreed in writing.
3.3. The details of the processing (categories of Data Subjects, categories of Personal Data, nature and purpose of processing, and retention) are set out in Annex I.
3.4. Synthelio shall promptly inform the Customer if, in its opinion, an instruction infringes Applicable Data Protection Laws.
Synthelio shall ensure that persons authorized to process Customer Personal Data are bound by confidentiality obligations (whether by contract or statute) and have received appropriate training on their data protection responsibilities.
5.1. Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risks to Data Subjects, Synthelio shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. The measures in place are described in Annex II.
5.2. Synthelio shall regularly test, assess, and evaluate the effectiveness of these measures and shall update them as appropriate.
6.1. The Customer grants Synthelio general authorization to engage the Sub-processors listed in Annex III.
6.2. Synthelio shall give the Customer at least thirty (30) days’ prior written notice (by email to the Customer’s designated billing or administrative contact, or by in-product notice) of any intended addition or replacement of Sub-processors. The Customer may object on reasonable data protection grounds by notifying Synthelio in writing within the notice period. If the parties cannot resolve the objection in good faith, the Customer may terminate the affected portion of the Services without penalty, with a pro-rated refund of any prepaid Fees for the unused portion.
6.3. Synthelio shall impose on each Sub-processor, by written contract, data protection obligations equivalent to those in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organizational measures so that processing meets the requirements of the GDPR.
6.4. Synthelio remains fully liable to the Customer for the performance of each Sub-processor’s obligations.
7.1. Taking into account the nature of the processing, Synthelio shall assist the Customer by appropriate technical and organizational measures, insofar as possible, in fulfilling the Customer’s obligations to respond to requests from Data Subjects under Chapter III of the GDPR (access, rectification, erasure, restriction, portability, and objection). To the extent the Services allow the Customer to perform such actions directly, the Customer is responsible for doing so.
7.2. If Synthelio receives a Data Subject request directly, it shall not respond except to confirm receipt and direct the Data Subject to the Customer, and shall forward the request to the Customer without undue delay.
Synthelio shall assist the Customer in ensuring compliance with its obligations under Articles 32 to 36 of the GDPR (security, breach notification, data protection impact assessments, and prior consultation), taking into account the nature of the processing and the information available to Synthelio.
9.1. Synthelio shall notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data.
9.2. The notification shall, to the extent possible, include:
(a) a description of the nature of the breach, including, where possible, the categories and approximate number of Data Subjects and Personal Data records concerned;
(b) the name and contact details of Synthelio’s data protection contact;
(c) the likely consequences of the breach; and
(d) the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects.
9.3. Where it is not possible to provide all information at once, it may be provided in phases without further undue delay.
10.1. Upon termination or expiry of the Terms, Synthelio shall, at the Customer’s choice, delete or return Customer Personal Data and delete existing copies, unless EU or Member State law requires retention.
10.2. The Customer may make this choice via the export functionality of the Services or by written notice within thirty (30) days of termination. Absent such choice, Synthelio shall delete Customer Personal Data within ninety (90) days of termination, subject to retention required by law or routine backup cycles, during which the data remains subject to this DPA.
11.1. Synthelio shall make available to the Customer information reasonably necessary to demonstrate compliance with this DPA and Article 28 of the GDPR.
11.2. Synthelio shall allow for and contribute to audits by the Customer or an auditor mandated by the Customer. To the extent reasonable, audit rights may be satisfied by Synthelio providing third-party audit reports, certifications (such as ISO 27001 or SOC 2 where available), or written responses to a security questionnaire.
11.3. On-site audits, if required, shall be conducted no more than once per calendar year (except where required by a Supervisory Authority or following a confirmed Personal Data Breach), on at least thirty (30) days’ prior written notice, during normal business hours, and in a manner that does not unreasonably interfere with Synthelio’s operations. The Customer bears all costs of any audit unless material non-compliance is identified.
12.1. The parties acknowledge that processing under this DPA involves the transfer of Customer Personal Data outside the European Economic Area (“EEA”), in particular to Sub-processors located in the United States.
12.2. For any such transfer that does not benefit from an adequacy decision, the parties incorporate by reference the SCCs (Commission Implementing Decision (EU) 2021/914), Module Two (Controller-to-Processor), as set out in Annex IV.
12.3. For purposes of the SCCs:
• the Customer is the “data exporter” and Synthelio is the “data importer”;
• Clause 7 (docking clause) is included;
• under Clause 9, Option 2 (general written authorization) is selected, with the notice period in Section 6.2 above;
• under Clause 11, the optional independent dispute resolution language is not included;
• under Clause 17, the SCCs are governed by the laws of the Republic of Poland;
• under Clause 18, the courts of Warsaw, Poland have exclusive jurisdiction; and
• Annexes I, II, and III to the SCCs are populated by Annexes I, II, and III of this DPA, respectively.
12.4. Synthelio shall conduct, and assist the Customer in conducting, transfer impact assessments where required, and shall implement supplementary measures as appropriate.
Liability under this DPA is subject to the limitations and exclusions set out in the Terms, except for liability that cannot be limited under Applicable Data Protection Laws, including liability to Data Subjects under Article 82 of the GDPR.
This DPA takes effect when the Customer accepts the Terms and remains in effect for the duration of the Terms. Provisions that by their nature should survive, including Section 10 (Return and Deletion), Section 11 (Audits), and Section 13 (Liability), shall survive termination.
This DPA is governed by the laws of the Republic of Poland. The courts of Warsaw, Poland have exclusive jurisdiction, without prejudice to Data Subject rights under Clause 18 of the SCCs.
ANNEX I – DETAILS OF PROCESSING
Data Exporter (Controller): The Customer, as identified during account registration. Contact for data protection matters: the email address designated as the Customer’s primary or billing contact, or such other contact as the Customer specifies in writing to Synthelio.
Data Importer (Processor): Synthelio Group sp. z o.o., Postępu 10/140, 02-676 Warszawa, Poland. Contact for data protection matters: privacy@synthelio.com.
Categories of Data Subjects:
• Employees, contractors, and other personnel of the Customer (Authorized Users).
• Employees, contractors, and personnel of the Customer’s own customers and business contacts whose data is uploaded into or synchronized with the Services.
• End-users and prospects managed by the Customer via integrations with third-party CRM platforms.
Categories of Personal Data:
• Identification and contact data: name, business email, business phone, job title, employer.
• Professional data: role, skills, certifications, work history, project assignment information.
• Account and authentication data: user IDs, hashed passwords (where applicable), SSO identifiers, session tokens.
• Usage and operational data: login timestamps, IP addresses, device and browser information, in-app activity logs, audit trails.
• Customer relationship data synchronized from third-party integrations (Salesforce, HubSpot, Pipedrive, Microsoft Dynamics): contact records, communication history, deal/opportunity data.
• Support and communication data: support tickets, chat transcripts, attachments submitted by users.
Special Categories of Personal Data:
None are intended to be processed. The Customer shall not upload special categories of personal data (Article 9 GDPR) or data relating to criminal convictions and offences (Article 10 GDPR) into the Services unless expressly agreed in writing with Synthelio.
Frequency of the Transfer:
Continuous, for the duration of the Terms.
Nature of the Processing:
Collection, storage, organization, structuring, retrieval, consultation, use, transmission, alignment or combination, and erasure, as required to provide the Services.
Purpose of the Processing:
To enable the Customer to use the Synthelio platform for IT outsourcing and staff augmentation operations, including resource management, CRM integration, reporting, and related functionality.
Period of Retention:
For the duration of the Terms, plus any period under Section 10 of this DPA or as required by law.
Competent Supervisory Authority:
The President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych) of the Republic of Poland, or such other supervisory authority as may be designated under Clause 13 of the SCCs.
ANNEX II – TECHNICAL AND ORGANIZATIONAL MEASURES
Synthelio implements and maintains the following technical and organizational measures to ensure the security of Customer Personal Data:
• Role-based access control (RBAC) with the principle of least privilege.
• Mandatory multi-factor authentication (MFA) for administrative access to production systems.
• Single sign-on (SSO) via Google and Microsoft for end-user authentication where configured by the Customer.
• Quarterly access reviews; revocation upon personnel changes within five (5) business days.
• Personal Data encrypted in transit using TLS 1.2 or higher.
• Personal Data encrypted at rest using AES-256 or equivalent.
• Cryptographic keys managed via the key management services of the underlying cloud infrastructure provider, with restricted access.
• Production environment hosted on Supabase (built on AWS) and Amazon Web Services, both certified to ISO 27001 and SOC 2.
• Logical separation of production, staging, and development environments.
• Network firewalls, security groups, and VPC isolation.
• Intrusion detection and continuous monitoring.
• Documented change management for production deployments.
• Regular vulnerability scanning of application and infrastructure components.
• Timely patching of critical security vulnerabilities.
• Centralized logging and audit trails of administrative actions.
• Confidentiality obligations imposed on all personnel via employment or contractor agreements.
• Mandatory data protection and security awareness training upon onboarding and annually thereafter.
• Background checks where permitted by law and proportionate to the role.
• Automated, encrypted backups with defined retention.
• Documented disaster recovery procedures, with recovery objectives proportionate to the Services.
• Periodic testing of backup restoration.
• Documented incident response procedures, including a Personal Data Breach response plan.
• Designated personnel responsible for incident handling.
• Post-incident review and remediation tracking.
• Selection of Sub-processors based on data protection and security due diligence.
• Written agreements imposing equivalent data protection obligations.
• Ongoing monitoring of Sub-processor compliance.
• Collection limited to data necessary for the purposes set out in Annex I.
• Pseudonymization and aggregation applied where technically feasible.
ANNEX III – LIST OF SUB-PROCESSORS
The Customer authorizes Synthelio to engage the following Sub-processors:

Sub-processor | Purpose / Service | Processing Location | Transfer Mechanism
--- | --- | --- | ---
Supabase, Inc. | Application database, authentication, and backend infrastructure | United States (AWS us-east-1) | EU SCCs (Module 2)
Amazon Web Services, Inc. | Cloud infrastructure and transactional email (SES) | United States and European Union | EU SCCs (Module 2); AWS DPA
Atlassian Pty Ltd / Atlassian, Inc. | Customer support ticketing and service desk (Jira Service Management) | Global (Atlassian Cloud regions) | EU SCCs (Module 2); Atlassian DPA
HubSpot, Inc. | CRM for support and account communications | United States | EU SCCs (Module 2); HubSpot DPA
Webflow, Inc. | Marketing website hosting (limited Personal Data via forms) | United States | EU SCCs (Module 2); Webflow DPA
Google LLC | Website analytics (Google Analytics 4) | United States and European Union | EU SCCs (Module 2); EU-US DPF (where Google is certified)

Note on integrations: Third-party platforms connected by the Customer (Salesforce, HubSpot, Pipedrive, Microsoft Dynamics) and identity providers used by the Customer (Google Workspace, Microsoft Entra ID) are not Sub-processors of Synthelio; they are independent providers engaged directly by the Customer.
Updates: This list will be updated by amendment to this DPA. Any addition or replacement of a Sub-processor will be notified to the Customer in accordance with Section 6.2.
ANNEX IV – STANDARD CONTRACTUAL CLAUSES
The EU Standard Contractual Clauses for the transfer of personal data to third countries (Commission Implementing Decision (EU) 2021/914, Module Two: Controller-to-Processor) are incorporated by reference on the terms set out in Section 12 of this DPA.
Full text: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj
By accepting the Terms, the Customer confirms it has read, understood, and agreed to be bound by the SCCs as so incorporated. Annexes I, II, and III of the SCCs are populated by Annexes I, II, and III of this DPA, and the optional Clauses are configured as set out in Section 12.3.
[End of Data Processing Addendum]