
Data Processing Addendum

Last updated: June 20, 2026 · v0.1-draft

Draft — pending legal review

This document is a placeholder. SyntrixOne, Inc. has not yet executed final terms. Customers in a closed beta should refer to the signed mutual beta agreement provided by SyntrixOne for binding terms.

This Data Processing Addendum (the “DPA”) forms part of the Terms of Service or other written or electronic agreement (the “Agreement”) between SyntrixOne, Inc. (“SyntrixOne,” the “Processor”) and the customer identified in the Agreement (the “Customer,” the “Controller”) governing the processing of Personal Data on behalf of the Controller. Capitalized terms not defined here have the meanings given in the GDPR (Regulation (EU) 2016/679) and the UK GDPR.

1. Introduction & Scope

This DPA applies when SyntrixOne processes Personal Data on behalf of the Customer in connection with the Service. In the event of a conflict between this DPA and the Agreement, this DPA prevails with respect to data protection matters. This DPA incorporates the Standard Contractual Clauses (Commission Decision 2021/914) where applicable, with modules selected per the data flow.

2. Definitions

  • “Personal Data”, “Controller”, “Processor”, “Data Subject”, “Processing”: as defined in GDPR Art. 4.
  • “Customer Personal Data”: Personal Data contained in Customer Data and processed by SyntrixOne on Customer’s behalf.
  • “Subprocessor”: a third party engaged by SyntrixOne to process Customer Personal Data.
  • “Data Protection Laws”: GDPR, UK GDPR, the Swiss FADP, the CCPA/CPRA, and other applicable privacy laws.

3. Roles & Responsibilities

Customer is the Controller and SyntrixOne is the Processor of Customer Personal Data. Each party shall comply with its respective obligations under Data Protection Laws. Customer warrants that it has a lawful basis for the processing it instructs SyntrixOne to perform and has obtained all necessary notices and consents from Data Subjects.

4. Processing Details

SyntrixOne will (i) process Customer Personal Data only on documented instructions from Customer (including through Customer’s use of the Service); (ii) ensure persons authorized to process the data are bound by confidentiality; (iii) implement appropriate technical and organizational measures (see Annex II); (iv) assist the Controller with DSR responses, DPIAs, and notifications to authorities/data subjects; and (v) delete or return Customer Personal Data at the end of the provision of services.

5. Subprocessors

Customer authorizes SyntrixOne to engage the Subprocessors listed in Annex III. SyntrixOne will give at least 30 days’ notice (via in-product banner or email) of any intended additions or replacements. Customer may reasonably object on data-protection grounds within 30 days; the parties will work in good faith to resolve the objection. If no resolution is reached, Customer may terminate the affected Service with a refund of pre-paid, unused fees.

6. Security Measures

SyntrixOne implements the measures described in Annex II. These include encryption in transit and at rest, least-privilege access, MFA for staff, immutable audit logs, network segregation, secrets management, a documented incident-response plan, and ongoing employee security training. Annex II may be updated to reflect improvements; SyntrixOne will not materially reduce the level of security.

7. Personal Data Breach

SyntrixOne will notify Customer without undue delay (and in any case within 72 hours of becoming aware) of any confirmed Personal Data Breach involving Customer Personal Data. The notification will include the nature of the breach, categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed.

8. Data Subject Requests

SyntrixOne will provide self-service tools (export, delete, anonymize) to enable Customer to fulfil Data Subject requests. To the extent Customer cannot do so via the Service, SyntrixOne will assist Customer on a reasonable basis at no additional cost.

9. International Transfers

Where Customer Personal Data is transferred outside the EEA/UK/Switzerland, the parties incorporate the EU SCCs (2021/914) Module Two and the UK International Data Transfer Addendum. Annex I provides the SCC Annex 1 details (parties, transfer subject matter, frequency). Annex II provides the SCC Annex 2 (security measures).

10. Audits

Upon Customer’s written request (no more than once per 12 months and subject to confidentiality), SyntrixOne will provide reasonable information necessary to demonstrate compliance with Article 28 GDPR, including its most recent third-party audit reports (e.g., SOC 2). On-site audits are permitted only where SyntrixOne’s responses are insufficient, subject to a mutually agreed scope and cost-bearing by Customer.

11. Term & Termination

This DPA remains in force as long as SyntrixOne processes Customer Personal Data. Upon termination of the Agreement, SyntrixOne will return or delete Customer Personal Data within 30 days, except where retention is required by law (in which case SyntrixOne continues to protect it).

12. Liability

Each party’s liability under this DPA is subject to the limitations of liability in the Agreement. Nothing in this DPA excludes liability that cannot be excluded under Data Protection Laws.

Annex I — Processing Details

A. List of parties

Data exporter (Controller): the Customer entity identified in the Agreement.

Data importer (Processor): SyntrixOne, Inc.

B. Description of transfer

  • Categories of data subjects: Customer’s employees, contractors, end-customers, prospects, and website visitors who interact with the Service.
  • Categories of personal data: contact details (name, email, phone), identifiers (account ID, IP), conversation content, attachments, ticket and CRM data, AI-generated outputs.
  • Special categories: none expected (Customer is instructed not to upload health, biometric, or other sensitive data without prior written agreement).
  • Frequency of transfer: continuous, for the duration of the Service.
  • Nature of processing: hosting, transmission, AI inference, indexing, search, analytics, retention.
  • Purpose of processing: provision of the Service.
  • Retention period: per Customer settings; default = duration of subscription + 30 days.

C. Competent supervisory authority

The Customer’s lead supervisory authority under GDPR or the Information Commissioner’s Office (UK).

Annex II — Security Measures

  • Encryption: TLS 1.2+ in transit; AES-256 at rest for primary data stores.
  • Access control: least privilege, role-based access, MFA for staff, hardware-bound SSH keys.
  • Tenant isolation: per-workspace logical isolation in shared infrastructure; option for dedicated infrastructure on Enterprise plans.
  • Logging & monitoring: immutable audit log, alerting on anomalous activity, 18-month retention.
  • Vulnerability management: automated dependency scanning, periodic penetration tests, public security disclosure program at security@syntrixone.com.
  • Business continuity: automated backups, documented RPO/RTO, annual recovery exercise.
  • Personnel: background checks where lawful; security training at onboarding and annually.

Annex III — Subprocessors

The current list is also published at /legal/subprocessors (forthcoming).

  • AWS / GCP — infrastructure hosting (US, EU regions per Customer choice on Enterprise).
  • MongoDB Atlas — managed database.
  • Stripe, Inc. — payment processing.
  • Resend — transactional email delivery.
  • Twilio — SMS/voice/WhatsApp (subject to Customer enablement).
  • OpenAI, Anthropic, Google — AI inference (zero-retention agreements where available; customer data is not used for model training).
