dpa.md

Data Processing Agreement

Last updated: 2026-06-13. This page is the customer-facing version of the Synsmarts Data Processing Agreement ("DPA") under GDPR Article 28. The signed, full-form DPA — including Annex 1 (Technical and Organizational Measures), Annex 3 (Standard Contractual Clauses) with all elections completed, Annex 4 (Processing Activities), and the executed signature page — is available on request to dpo@synsmarts.ai and is the document that governs once countersigned. This DPA is incorporated into the Synsmarts Terms of Service.

Parties

Processor: Synthetic Smarts, Inc. d/b/a Synsmarts, a Delaware corporation, with its registered office at 251 Little Falls Drive, Wilmington, DE 19808, USA and its principal place of business at 2 Park Avenue, 20th Floor, New York, NY 10016, USA.
Controller: the tenant — the customer entity that uses the Synsmarts managed hosting platform under the ToS.

You determine the purposes and means of processing personal data through your use of the platform. We process personal data on your behalf to provide, secure, and support the Services.

1. Definitions

Terms used in this DPA have the meanings given in GDPR Article 4: Personal Data, Processing, Data Subject, Personal Data Breach, Supervisory Authority. "DPF" means the EU-US Data Privacy Framework. "SCCs" means the Standard Contractual Clauses adopted by EU Commission Implementing Decision 2021/914.

2. Subject Matter, Nature, and Purpose of Processing

Subject matter. Processing of Personal Data in connection with our provision of the managed WordPress and Magento hosting platform to you.

Nature. Storage, retrieval, transmission, and deletion of Personal Data as part of application hosting; backup and disaster recovery; email relay; payment data transit; workspace access; AI-powered diagnostic analysis (when you enable it); and operations reasonably necessary to provide the Services on your documented instructions.

Duration. For the duration of the ToS. Sections 9 (Deletion/Return) and 14 (Survival) continue after termination.

Types of Personal Data: end-customer identifiers (name, email, address, phone, account credentials); transaction data (order history, payment tokens, amounts — never raw card numbers); technical data (IP, browser metadata, session tokens, cookies); application data (everything in your MySQL, Redis, S3, workspace); telemetry (request traces, slow query logs, PHP error traces, application source code — only when AI diagnostics are enabled).

Categories of Data Subjects: your end customers (shoppers, site visitors, registered users); your employees and contractors whose data is stored in the application.

3. Controller Instructions (Art 28(3)(a))

We process Personal Data only on your documented instructions. The ToS and this DPA are your initial instructions. Additional instructions may be issued through the platform API, dashboard, CLI, or MCP interface; we maintain an audit log of each (timestamp, authenticated identity, action, affected resources) as your evidential record. Automated instructions you authorize (including those issued by AI agents via MCP on your behalf) are your responsibility.

If we believe an instruction infringes data-protection law, we will notify you in writing and suspend the relevant processing until you confirm or modify the instruction. If we are required by EU or Member State law to process beyond your instructions, we will inform you of the requirement (unless the law forbids notification).

4. Confidentiality (Art 28(3)(b))

Everyone authorized to process Personal Data on our side is bound to confidentiality. This obligation survives termination.

4a. Records of Processing (Art 30(2))

We maintain Article 30(2) processor-side records of all categories of processing carried out on your behalf and make them available to supervisory authorities on request.

4b. Data-Protection Contacts

RoleContact
Processor DPOTo be designated before any controller Personal Data is processed (Art 37(1)(b)), within 30 days of DPA execution. Interim contact: dpo@synsmarts.ai.
Processor EU RepresentativeTo be designated in Ireland before any controller Personal Data is processed (Art 27(1)), within 30 days of DPA execution.
Processor privacy contactprivacy@synsmarts.ai
Controller DPOAs provided by you

5. Security of Processing (Art 28(3)(c))

We implement the technical and organizational measures listed in Annex 1 of the signed DPA. Highlights: per-tenant Kubernetes namespace isolation with default-deny NetworkPolicy; per-tenant AWS KMS keys (multi-region); TLS 1.2+ on all external paths; Vector PII/PAN redaction before ClickHouse storage; per-tenant ChunkHound code index isolation; four-tier testing; Trivy container scanning at build; Falco eBPF runtime detection; quarterly ASV external scanning; annual penetration testing; PCI audit trail (12 months retention).

We may update security measures from time to time provided the change does not materially decrease overall protection. "Material" changes (reduction in encryption scope or strength, change in data location or jurisdiction, new third-party access to Personal Data, modification of retention periods, removal of an existing control, or change in certification status) require at least 14 days' prior notice.

5a. Break-Glass Access

For active incident resolution, authorized Synsmarts SREs may access your environment under the following conditions: access limited to incident resolution (not routine operations); time-bounded (4 hours max per session, extension requires re-auth and documented justification); MFA via Keycloak; full ClickHouse audit log of identity, timestamp, commands, and data categories accessed; notification to you within 24 hours of access including incident, duration, data categories accessed, and actions taken; no Personal Data extracted outside your environment except as strictly necessary for diagnosis (extracted data deleted within 72 hours of incident closure); post-incident justification within 48 hours stored in our audit trail.

6. Sub-Processors (Art 28(2), 28(4))

You authorize the sub-processors listed at /tos/sub-processors. We impose data-protection obligations on each sub-processor at least as protective as this DPA, and we remain liable to you for each sub-processor's performance.

Notification of changes. We will notify you at least 30 days before adding or replacing a sub-processor that processes your Personal Data. Notification includes the sub-processor's name, location, processing description, and security baseline. Notifications are published on the sub-processor register page with RSS/email subscription.

Objection. You may object within 30 days of notification by providing written data-protection-related reasons. On a valid objection: we will not engage the objected sub-processor for your Personal Data; we will make reasonable efforts to provide an alternative arrangement (routing around, alternative sub-processor, or service modification); if no alternative is feasible, either party may terminate the affected services on 30 days' written notice without penalty to you.

Cloudflare dual role. Cloudflare acts as our sub-processor for CDN/WAF traffic relay (governed by this DPA and Module 3 SCCs) AND as an independent controller for its own threat intelligence (DDoS Botnet Threat Feed, Bot Management ML, Cloudforce One). Its independent-controller processing is outside this DPA and is governed by Cloudflare's own privacy policy. You acknowledge this dual role.

7. Data Subject Rights Assistance (Art 28(3)(e))

We will assist you in responding to Data Subject requests under Chapter III GDPR (Arts 15–22) by appropriate technical and organizational measures, including:

RightCapabilityMechanism
Access (Art 15)Export of all controller dataAPI endpoint, CLI command, dashboard export
Rectification (Art 16)Direct database accessMySQL, dashboard, API
Erasure (Art 17)Multi-store deletionTemporal workflow: ClickHouse DELETE + MySQL + S3 + Redis + workspace + backup expiry (37-day SLA: 7 days live + 30 days backup)
Restriction (Art 18)Processing-restricted flag15-minute propagation across downstream systems
Portability (Art 20)Machine-readable exportJSON / CSV via API
Objection to diagnostics (Art 21)Disable AI diagnosticscode_diagnosis_enabled toggle, immediate

If a Data Subject contacts us directly we will redirect them to you and notify you, and will not respond directly without your instruction. Response timeline: within 5 business days for standard assistance requests, up to 10 for complex multi-system requests.

8. Breach, Security, and DPIA Assistance (Art 28(3)(f))

Breach notification. We will notify you of a Personal Data Breach without undue delay, and in any event within 24 hours of becoming aware. "Awareness" means the point where we identify an incident reasonably suspected to involve Personal Data — initial notification with incomplete information is preferred over delayed notification with complete information. Initial notification includes nature of the breach (categories and approximate number of Data Subjects and records affected), our data-protection contact, likely consequences, and measures taken or proposed. Further information follows in phases as it becomes available.

Breach assistance. We assist you with investigation and mitigation, fulfilling your Art 33/34 obligations, communicating with affected Data Subjects, and documenting the breach.

DPIA assistance (Art 35). We provide technical descriptions, security-measure documentation (Annex 1), risk-assessment input, and a DPIA template pre-populated for your environment. For AI diagnostics specifically: documentation of diagnostic processing operations, data flows between Synsmarts, ClickHouse, ChunkHound, and Anthropic, the redaction pipeline description, and Anthropic's processing and deletion practices. You must conduct a DPIA before enabling AI diagnostics; the platform requires a checkbox confirmation before the toggle becomes available.

9. Deletion and Return of Data (Art 28(3)(g))

On termination, at your written election within 30 days: (a) we return all Personal Data in a machine-readable format (JSON, CSV, SQL dump, S3 export) and delete all copies, or (b) we delete all Personal Data and certify deletion in writing. No election within 30 days: we delete.

Scope. Deletion covers MySQL, Redis, S3 media, workspace files, ClickHouse telemetry (ALTER TABLE DELETE), Temporal workflow history, ChunkHound code index, diagnostic findings, transparency logs.

Timeline. Live data: within 7 days of instruction. Backup expiry: within 30 days (backups auto-expire on the standard rolling schedule). Total maximum erasure SLA: 37 days. S3 object versions: cryptographic erasure via deletion of the per-tenant KMS key within the 37-day window — consistent with EDPB Recommendations 01/2020 (supplementary measure: encryption with controller-held keys) and NIST SP 800-88 Rev. 1.

Backup-window proportionality. The 30-day backup retention is the minimum necessary for disaster recovery (weekly XtraBackup fulls require 30-day retention for ≥4 cycles; binlog shipping provides 14-day PITR coverage contingent on base-snapshot availability). During this window your Personal Data in backups is not actively processed for any purpose other than maintaining backup integrity and automated retention; is not accessible to any person or system other than the automated retention lifecycle; and is not restored to production unless you request it.

Certification. On completion (including backup expiry), we provide written certification of what was deleted, the KMS key ID scheduled for deletion (AWS KMS 30-day scheduling window), affected S3 buckets and EBS snapshots, and per-system deletion completion dates.

Legal hold exception. Deletion is deferred for Personal Data subject to an active legal hold or required by law, and we will inform you of any such exception.

10. Audit and Inspection (Art 28(3)(h))

We make available all information necessary to demonstrate compliance with Article 28 and this DPA. You (or a mandated independent auditor bound by confidentiality) may conduct audits and inspections, including physical inspections of facilities. Audits during normal business hours with at least 30 days' prior written notice; we may charge reasonable fees for audit support time exceeding 8 hours per calendar year. For credible data breach, regulatory investigation, or supervisory-authority inquiry affecting your Personal Data, you may request an expedited audit with 48 hours' notice (no fee threshold). We may satisfy audit requests by providing third-party audit reports (SOC 2, PCI-DSS ROC/AOC, ISO 27001) where they address the scope; you retain the right to conduct your own audit if third-party reports do not adequately address specific concerns.

11. International Transfers

Personal Data may be transferred to the United States. Transfer mechanisms:

Sub-processor transfers. Sub-processors receiving Personal Data in third countries have appropriate transfer mechanisms (DPF self-certification, SCCs Module 3, or equivalent). See the Transfer Impact Assessment for per-sub-processor analysis.

Transfer Impact Assessment summary. US surveillance laws (FISA 702, EO 12333, CLOUD Act) permit government access to data held by US electronic-communications service providers. EO 14086 (October 2022) introduced necessity, proportionality, and independent redress safeguards that underpin the DPF adequacy decision. EDPB Recommendations 01/2020 (Use Case 6) note that no effective technical supplementary measure prevents government access when the processor needs cleartext data access. DPF adequacy is the primary resolution. Supplementary measures: code-specific redaction pipeline, Vector PII/PAN redaction before storage, per-tenant encryption with per-tenant KMS keys (multi-region), ClickHouse row-level security, strict RBAC, cryptographic erasure. Residual risk: if DPF is invalidated, SCCs plus the supplementary measures above may be insufficient for cleartext hosting per EDPB guidance — this is documented as an accepted risk with ongoing monitoring of La Quadrature du Net v. Commission (Case T-553/23).

Post-DPF contingency. If DPF is invalidated and the updated TIA concludes SCCs with supplementary measures do not provide adequate protection for cleartext hosting: we will notify affected controllers within 14 days; offer EU-localized processing alternatives within 90 days where technically feasible; suspend transfers of new Personal Data if EU localization is not feasible; and you may terminate without penalty if adequate protection cannot be restored within 90 days of DPF invalidation.

12. Processor as Controller

We act as independent controller for certain platform-operation activities: platform security logging; post-deletion backup retention; email-deliverability monitoring; payment security logging; SSH access auditing; container image scanning; abuse and fraud detection; incident response; deletion audit records. For these activities we determine purposes and means, maintain separate ROPA entries, identify our own lawful basis (primarily Art 6(1)(f) legitimate interest), and fulfill our own controller obligations independently of this DPA. Audit logs carry a processing_role tag distinguishing processor-role from controller-role entries. Data subject requests received by you about these activities should be redirected to privacy@synsmarts.ai.

13. AI Diagnostics — Specific Provisions

When you enable code_diagnosis_enabled, we analyze your telemetry (request traces, slow query logs, error traces) and source code to diagnose performance issues, transmitting redacted data to the sub-processor Anthropic for AI inference.

Your obligations. By enabling, you: acknowledge that end-customer telemetry (IP addresses, URLs, query parameters) will be analyzed; confirm an appropriate lawful basis; confirm compatibility with the original purpose of collection; conduct a DPIA under Article 35 before enabling (the toggle is gated on a checkbox confirmation); accept responsibility for Art 13/14 transparency to your end customers.

Our safeguards. Code-specific redaction pipeline (truffleHog, gitleaks, detect-secrets + AST-aware parsing) before transmission. Vector PII/PAN redaction on telemetry before ClickHouse storage. Anthropic configured with zero post-inference retention and zero training use (contractual). Per-tenant ChunkHound code index isolation. Transparency logs (summaries by default; full post-redaction payloads on request with MFA step-up; 30-day retention). Confidence thresholds suppress low-confidence findings. Quarterly redaction-effectiveness testing. A redaction failure that results in unredacted PII transmitted to Anthropic is classified as a Personal Data Breach under §8 and notified within 24 hours.

Disablement. You may disable at any time. Disablement immediately stops diagnostic processing; existing findings are retained per the retention schedule unless you request erasure; Anthropic deletes post-inference data per its zero-retention commitment; transparency log export is available showing what was transmitted before disablement.

Anthropic terms-change trigger. If Anthropic modifies its terms, DPA, or privacy policy to reintroduce post-inference retention, we will notify you within 14 days, suspend AI diagnostic processing until you re-confirm enablement with knowledge of the changed terms, and reassess the Anthropic role classification. You may disable and request deletion of any data affected.

14. General

Governing law. This DPA is governed by the laws of the EU Member State in which you are established. If you are not established in an EU Member State, this DPA is governed by the laws of Ireland.

Survival. Sections 4 (Confidentiality), 9 (Deletion/Return), 10 (Audit), and this section survive termination.

Precedence. In the event of a conflict between this DPA and the ToS, this DPA prevails to the extent the conflict relates to the processing of Personal Data.

Amendments. Amendments require written agreement of both parties, except that we may update Annex 1 (security measures) and Annex 2 (sub-processor register) per §5 and §6 respectively.

Annexes (in the Signed DPA)

Contact

Data protection: dpo@synsmarts.ai
Privacy questions: privacy@synsmarts.ai
To execute the signed full-form DPA: dpo@synsmarts.ai

← back to terms of service