Legal template — draft. Review by qualified counsel before use. This is not legal advice.

Data Processing Agreement

Version 2026-04-15 · Synapsrix B.V.

[Registered address — Utrecht, Netherlands — KvK number]

1. Definitions

Terms not defined herein shall have the meaning ascribed to them in Regulation (EU) 2016/679 (GDPR). "Customer" means the legal entity entering into a subscription with Synapsrix B.V. "Processor" means Synapsrix B.V. "Personal Data" means personal data processed by Processor on behalf of Customer under this Agreement and the Main Agreement. "Main Agreement" means the applicable order form, online terms, or other agreement governing Customer's subscription to the AIComply service.

2. Subject matter and duration

Processor processes Personal Data on Customer's behalf solely for the purpose of providing the AIComply service as described in the Main Agreement. This DPA remains in effect for the duration of the Main Agreement and until return or deletion of Personal Data is complete.

3. Nature and purpose of processing

Storage, access, organization, retrieval, and erasure of Personal Data as necessary to provide:
- AI system inventory management
- Risk classification under EU Regulation 2024/1689 (AI Act)
- Technical documentation generation
- Compliance dashboards and reporting
- Audit log maintenance

4. Categories of data subjects

Customer's employees, contractors, and other natural persons whose data is processed by Customer's AI systems and captured within AIComply (as metadata only — AIComply does not ingest the underlying personal data processed by Customer's AI systems).

5. Categories of Personal Data

- Customer account data: names, email addresses, job titles of authorized users
- AI system metadata: names, descriptions, intended purposes, vendor information
- Risk classification decisions: responses to wizard questions, assigned risk levels
- Technical documentation: text content authored by Customer's users
- Audit log: actor email, action type, IP address, user agent, timestamps
- Billing contact information (processed via Stripe — see sub-processors)

6. Obligations of Processor

Processor shall: (a) process Personal Data only on documented instructions from Customer, unless Union or Member State law requires otherwise; (b) ensure persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation; (c) take measures required pursuant to Article 32 GDPR (see Annex II — Technical and Organizational Measures); (d) assist Customer in responding to data subject rights requests (access, rectification, erasure, portability, objection) within reasonable timeframes; (e) make available information necessary to demonstrate compliance with Article 28 GDPR and allow for audits as described in this DPA; (f) notify Customer without undue delay after becoming aware of a personal data breach; (g) return or delete Personal Data upon termination of services per Customer's choice, subject to legal retention obligations.

7. Sub-processing

Processor is authorized to engage sub-processors listed at the Sub-processors page on the Synapsrix website. Processor shall give Customer at least 30 days advance notice of any intended change to the list, during which Customer may object on reasonable grounds relating to data protection. Where Customer objects and Processor cannot use an alternative, either party may terminate the affected part of the Main Agreement.

8. International transfers

Personal Data is processed in the European Economic Area by default. Where a sub-processor processes data outside the EEA, Processor shall ensure adequate safeguards per Articles 44–49 GDPR, including EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) where applicable.

9. Data subject rights assistance

Upon Customer request, Processor will assist with fulfilling data subject rights at no additional charge within reasonable limits. Self-service data export and deletion are available to individual users via the AIComply application under Settings → Privacy.

10. Security

Processor implements and maintains technical and organizational measures described in Annex II. These include, at a minimum: encryption in transit (TLS 1.2+) and at rest, access control via role-based permissions and MFA where applicable, audit logging, security testing, incident response procedures, and sub-processor due diligence.

11. Data breach notification

Processor shall notify Customer of any personal data breach affecting Customer's data without undue delay and in any event within 48 hours of becoming aware, where feasible. Notification shall include the nature of the breach, categories and approximate numbers of data subjects and records concerned, likely consequences, and measures taken or proposed.

12. Audits

Customer has the right to audit Processor's compliance once per contract year, subject to 30 days advance written notice. Audits shall be conducted at Customer's expense and shall not unduly disrupt Processor's operations. Processor may satisfy audit obligations by providing third-party certifications (e.g. ISO 27001) or completed standard questionnaires (CAIQ, SIG) where appropriate.

13. Return and deletion of data

Upon termination, Processor shall: (a) at Customer's written request within 30 days, make Personal Data available for export where technically feasible; (b) delete all copies of Personal Data within 90 days of termination, except where retention is required by law (e.g. audit log entries retained where a legal obligation applies, proportionately and as documented).

14. Liability and indemnification

Liability under this DPA is governed by the Main Agreement. Nothing in this DPA is intended to limit either party's liability where such limitation is prohibited by applicable law.

15. Governing law

This DPA is governed by the laws of the Netherlands. Disputes shall be resolved in the competent courts of Utrecht, Netherlands, without prejudice to mandatory rules.

Annex I — Parties

Controller: Customer (as identified in the executed signature page)
Processor: Synapsrix B.V., Utrecht, Netherlands, [KvK]
Contact: [email protected]

Annex II — Technical and Organizational Measures (TOM)

1. Access control
- SSO/MFA for admin access where supported
- Role-based access control within the product
- Principle of least privilege enforced via Postgres RLS

2. Encryption
- TLS 1.2+ in transit
- AES-256 at rest (managed database + object storage)
- Secrets managed via secure environment configuration

3. Data segregation
- Multi-tenant isolation via Row-Level Security
- Service-role access limited to authorized server-side code paths

4. Audit logging
- Tamper-evident hash chain (SHA-256)
- Extended retention for regulatory compliance where required
- Periodic integrity verification

5. Sub-processor management
- Due diligence on vendors
- SOC 2 / ISO 27001 or equivalent where applicable
- 30-day advance customer notice for material sub-processor changes

6. Business continuity
- Automated backups via managed infrastructure
- Documented recovery objectives
- Documented incident response plan

7. Personnel
- Confidentiality obligations
- Access limited to personnel with a need to know

8. Incident response
- Timely notification commitment as set out in this DPA
- Documented runbook
- Customer communication via agreed channels

Annex III — Sub-processors

The current list is maintained on the Synapsrix website Sub-processors page and is updated from that source.

Signature

Customer (Controller)
Name: _________________________
Title: ________________________
Date: _________________________
Signature: ____________________

Synapsrix B.V. (Processor)
Name: [Mehmet — Director]
Title: Director
Date: _________________________
Signature: ____________________