1. Introduction
This Data Processing Addendum ("DPA") forms part of the agreement between the Customer ("you", "Controller") and 22 Apps, Inc., doing business as SyncSuite ("SyncSuite", "Processor"), in connection with the Customer's use of the SyncSuite Platform (the "Agreement", as set out in the Terms of Service).
This DPA applies to the extent SyncSuite processes Personal Data on behalf of the Customer within the scope of the GDPR, the UK GDPR, the Swiss FADP, Canada's PIPEDA / PIPA, U.S. state privacy laws, or any equivalent law. Where this DPA conflicts with the Terms of Service in respect of personal-data processing, this DPA controls.
2. Definitions
- "Controller", "Processor", "Data Subject", "Personal Data", "Processing", "Sub-Processor" have the meanings given to them in the GDPR (or the equivalent term under another applicable law).
- "Customer Personal Data" means Personal Data processed by SyncSuite on the Customer's behalf within the Customer's Workspace and Sub-Accounts.
- "Standard Contractual Clauses" or "SCCs" means the Module 2 (Controller-to-Processor) clauses adopted by the European Commission in Implementing Decision (EU) 2021/914 of 4 June 2021, with the UK International Data Transfer Addendum where required.
- "TOMs" means the Technical and Organizational Measures set out in Annex 3.
3. Roles & Scope
For Customer Personal Data, the Customer is the Controller and SyncSuite is the Processor. AI Agents that the Customer configures inside its Workspace act on the Customer's behalf as part of the Processor's services; if the Customer enables third-party AI providers under its own credentials, those providers operate as Sub-Processors that the Customer has chosen and authorized.
SyncSuite processes Customer Personal Data only on the Controller's documented instructions, including those given through configuration of the Platform, except as required by applicable law. Where SyncSuite is required by law to process beyond the Controller's instructions, SyncSuite will inform the Controller of that legal requirement before processing, unless the law prohibits such notice on important public-interest grounds.
4. Subject Matter, Duration, Nature & Purpose
- Subject matter: provision of the SyncSuite Platform.
- Duration: for the duration of the Customer's subscription, plus the post-termination retention window described in Section 11.
- Nature and purpose: hosting and processing Customer Personal Data so the Customer can run its CRM, AI agents, communications, payments, and websites on the Platform.
- Categories of Personal Data and Data Subjects: see Annex 1.
5. Customer Obligations & Prohibited Data Categories
The Customer warrants that: (i) it has all necessary rights, consents, and lawful bases to provide Customer Personal Data to SyncSuite for processing under this DPA; (ii) its instructions to SyncSuite (including those expressed through Platform configuration and AI Agent prompts) comply with applicable law; and (iii) it has provided required notices to its Data Subjects.
Prohibited data categories. The Platform is a general-purpose CRM, AI agent, and hosting service and is not designed, certified, or authorized for processing the following categories of data:
- Protected Health Information (PHI) as defined under the U.S. Health Insurance Portability and Accountability Act (HIPAA) or its implementing regulations. SyncSuite does not sign Business Associate Agreements (BAAs), is not a HIPAA Business Associate, and the Platform may not be used to receive, store, transmit, or otherwise process PHI. If you are a covered entity or business associate under HIPAA, you must use a HIPAA-compliant alternative for any workflow that touches PHI.
- Payment card data (full PAN, magnetic-stripe data, CVV / CVV2, or PIN) outside the Stripe Connect flow operated through our integration. Stripe handles cards directly; SyncSuite does not store card numbers.
- Children's personal data within the meaning of COPPA (U.S., under 13) or the GDPR's higher local age of digital consent (under 16 in some jurisdictions) without an appropriate written agreement with SyncSuite and verifiable parental consent obtained by the Customer.
- Government-classified, export-controlled, or national-security-restricted data.
- Special-category data within the meaning of GDPR Article 9 (racial / ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data for unique identification, health data, sex-life or sexual-orientation data) and equivalent sensitive-data definitions under U.S. state laws and Canadian privacy law, except where the Customer has performed and documented a Data Protection Impact Assessment, has a clear lawful basis (typically explicit consent), and has notified SyncSuite in writing.
If you submit prohibited data to the Platform, we may - in addition to our remedies under the Terms of Service - delete or quarantine the affected data, suspend the affected feature, or terminate your account. SyncSuite is not liable for any loss, regulatory consequence, or third-party claim arising from a Customer's submission of prohibited data.
6. Confidentiality
SyncSuite ensures that personnel authorized to access Customer Personal Data are bound by appropriate confidentiality obligations and have received privacy and security training proportional to their role.
7. Security (Technical and Organizational Measures)
SyncSuite implements and maintains the TOMs described in Annex 3. The Customer acknowledges that the TOMs are subject to technical progress and may be updated, provided that the level of security is not materially reduced.
8. Sub-Processors
The Customer provides a general written authorization for SyncSuite to engage Sub-Processors, listed in Annex 2. SyncSuite will:
- Impose data-protection obligations on each Sub-Processor that are no less protective than those in this DPA.
- Remain liable for the acts and omissions of its Sub-Processors as if they were its own.
- Provide the Customer with reasonable advance notice of any intended addition or replacement of a Sub-Processor - typically at least 14 days where practical - by updating the Annex on the Platform or our website. For urgent vendor migrations, security responses, or other time-sensitive changes, SyncSuite may add a Sub-Processor immediately and update the Annex shortly afterward.
- If the Customer reasonably objects to the change on legitimate data-protection grounds within 14 days of being informed, the Customer may, as its sole remedy, terminate the affected portion of the Service and receive a pro-rata refund of pre-paid fees for unused service.
9. International Transfers
Customer Personal Data is hosted in Germany on Hetzner Cloud's Falkenstein facilities. Where Customer Personal Data is transferred from the EEA, the UK, or Switzerland to a country that has not received an adequacy decision (for example, where a Sub-Processor operates from the United States), the transfer is governed by the Standard Contractual Clauses Module 2 (Controller-to-Processor), incorporated by reference into this DPA. For transfers from the United Kingdom, the UK International Data Transfer Addendum (or, at the Customer's option, the UK IDTA standalone form) applies. For transfers from Switzerland, the SCCs are interpreted with the additional clarifications issued by the Swiss FDPIC.
For purposes of the SCCs:
- Module: Module 2 (Controller-to-Processor).
- Docking clause: the optional docking clause does not apply.
- Clause 9 (Sub-Processors): Option 2 - general written authorization, with 14 days' notice (subject to the urgency carve-out described in Section 8 of this DPA).
- Clause 11 (Redress): the optional language regarding independent dispute-resolution bodies does not apply.
- Clause 17 (Governing law): Ireland.
- Clause 18 (Forum): Ireland.
- Annex I.A (Parties): the Customer (data exporter) and SyncSuite (data importer), with contact details from the Customer's account record and [email protected] respectively.
- Annex I.B (Description): as set out in Annex 1.
- Annex I.C (Competent supervisory authority): the Irish Data Protection Commission, except where another EU supervisory authority has competence.
- Annex II (Technical and Organizational Measures): as set out in Annex 3.
- Annex III (Sub-Processors): as set out in Annex 2.
A signed copy of the SCCs is available upon request to [email protected].
10. Data Subject Requests
Taking into account the nature of the processing, SyncSuite will assist the Controller by appropriate technical and organizational measures, insofar as possible, to fulfill the Controller's obligation to respond to requests from Data Subjects exercising their rights. If a request is made directly to SyncSuite, we will not respond to it on behalf of the Controller and will instead refer the requester to the Controller (except where required by law).
11. Return / Deletion
On termination of the Agreement, the Customer has 30 days to export Customer Personal Data through the Platform's export tools or by request. After that window, SyncSuite will delete or anonymize Customer Personal Data, except where retention is required by applicable law (for example, billing and tax records). Backups containing Customer Personal Data are aged out on the schedules described in Annex 3.
12. Personal Data Breach Notification
SyncSuite will notify the Controller without undue delay and in any event within 72 hours of becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will include, to the extent then known, the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach. SyncSuite will cooperate reasonably with the Controller's investigation and notification obligations.
13. Audit
SyncSuite will make available to the Controller all information necessary to demonstrate compliance with this DPA. The Customer's audit right is satisfied primarily through the provision of third-party reports, security questionnaires, and other written documentation. On reasonable prior written notice and not more than once per year (except where a Personal Data Breach has occurred or where required by a supervisory authority), the Customer (or an independent auditor it appoints, who must be subject to confidentiality obligations and not a competitor of SyncSuite) may conduct an on-site audit during normal business hours, at its own expense and without disrupting SyncSuite's operations or the security of other customers' data.
14. Records of Processing Activities
SyncSuite maintains a Record of Processing Activities ("RoPA") consistent with GDPR Article 30(2) covering the Personal Data SyncSuite processes as Processor on behalf of its Customers. SyncSuite will make the relevant portions of its RoPA available to a competent supervisory authority on lawful request, and will provide a Customer-facing summary on reasonable written request to [email protected] for the Customer's own Article 30(1) compliance.
15. Liability
Each party's liability arising out of or related to this DPA is subject to the limitations of liability set out in the Agreement. Nothing in the Agreement or this DPA limits liability that cannot be excluded or limited under applicable law (for example, statutory liability to Data Subjects).
16. Order of Precedence; Governing Law
In the event of a conflict between this DPA, the Terms of Service, and any Order Form, the order of precedence with respect to personal-data matters is: (1) this DPA; (2) the SCCs (where they apply); (3) the Terms of Service; (4) the Order Form. This DPA is governed by the law of British Columbia, Canada, except that Clauses of the SCCs that mandate Irish (or other EU member state) law for SCC-related disputes will apply as written.
Annex 1 - Description of Processing
A. Subject matter and duration
Provision of the SyncSuite Platform, for the duration of the Customer's subscription plus the 30-day post-termination retention window.
B. Nature and purpose
Hosting, storage, transmission, retrieval, AI inference, communications routing, and analytics necessary to deliver the Platform.
C. Categories of Data Subjects
- The Customer's authorized users (employees, contractors).
- The Customer's contacts, leads, customers, and prospects.
- The Customer's communication recipients (SMS / MMS, voice, email).
- For Agency Customers: their Sub-Account holders and their Sub-Account end-users.
D. Categories of Personal Data
- Identity and contact data (name, email, phone number, business name, address).
- Account credentials (hashed passwords, session tokens, MFA factors).
- Communications content (SMS / MMS / voice / email message bodies, transcripts, attachments).
- CRM data the Customer chooses to store (custom fields, deal pipelines, tags, notes, calendar events).
- OAuth tokens for connected social platforms (Instagram, TikTok, X / Twitter, LinkedIn, Facebook, YouTube, Pinterest, Reddit, Bluesky, Telegram, Discord, Google Business, WhatsApp).
- Usage telemetry (IP address, browser, device, feature usage, audit logs).
- Billing metadata (payment method tokens via Stripe, last four digits, billing address - full card numbers are not stored by SyncSuite).
- AI prompts and AI outputs.
- Files and media uploaded by the Customer.
E. Frequency
Continuous, for the duration of the Agreement.
F. Retention
30 days post-termination for Customer Workspace data; longer for billing and legal records as described in the Privacy Policy.
Annex 2 - Sub-Processors
SyncSuite engages the following Sub-Processors. The list is current as of the "Last modified" date at the top of this DPA; the most recent version is published at syncsuite.co/dpa#annex-2.
Infrastructure and core services
- Hetzner Online GmbH - primary compute and database hosting. Location: Falkenstein, Germany (EU).
- Cloudflare, Inc. - CDN, edge cache, R2 object storage (backups), custom-domain proxy (including Cloudflare for SaaS), and Cloudflare Web Analytics on the marketing site (cookieless; auto-excluded for visitors located in the EEA, UK, and Switzerland). Location: United States, with global edge points of presence; relies on the EU-U.S. Data Privacy Framework and the SCCs.
- Stripe, Inc. - payment processing for SyncSuite subscriptions and Stripe Connect for end-Customer payments on Pro and Agency plans. Location: United States; SCCs / EU-U.S. DPF.
Communications
- Twilio Inc. - SMS / MMS (A2P 10DLC), voice calling, and brand/campaign registration. Location: United States; SCCs / EU-U.S. DPF.
- Twilio SendGrid - transactional and Customer-initiated email delivery. Location: United States; SCCs / EU-U.S. DPF.
- Zernio - multi-platform social-media integrations (OAuth, posting, scheduling, comments, direct messages, analytics, ads) for the 13 connected platforms (Instagram, TikTok, X / Twitter, LinkedIn, Facebook, YouTube, Pinterest, Reddit, Bluesky, Telegram, Discord, Google Business, WhatsApp). Location: United States; SCCs.
AI model providers
SyncSuite routes AI inference through a model-abstraction layer that may dispatch a request to any of the providers below depending on the model the Customer (or AI Agent) selects, the routing layer's availability and load-balancing, and any model-specific capability the request requires. Customer Personal Data sent to these providers is processed transiently to generate a response and is contractually excluded from being used to train the providers' foundation models.
- Anthropic, PBC - large-language-model inference (Claude family). Location: United States; SCCs / EU-U.S. DPF.
- OpenAI, L.L.C. - large-language-model inference (GPT family). Location: United States; SCCs / EU-U.S. DPF.
- Google LLC - large-language-model inference (Gemini family) via the Google Cloud Vertex AI endpoint. Location: United States, with EU regional endpoints where available; SCCs / EU-U.S. DPF.
- xAI, LLC - large-language-model inference (Grok family). Location: United States; SCCs.
We may add, replace, or remove AI providers as the model landscape evolves. Where reasonably practical, SyncSuite will provide advance notice (typically at least 14 days) before adding or replacing a Sub-Processor. For urgent vendor migrations, security responses, capacity events, or other time-sensitive changes, SyncSuite may make the change immediately and update this Annex shortly afterward.
Annex 3 - Technical and Organizational Measures
SyncSuite implements and maintains the following measures:
A. Encryption
- TLS 1.2 or higher in transit using Let's Encrypt and Cloudflare-issued certificates.
- AES-256-GCM at-rest encryption for sensitive in-database fields (Stripe Connect OAuth tokens, third-party API keys, account secrets) using a per-environment master key.
- Backup files (source-tarball backups daily; continuous database backups via CloudNativePG for Pro / Agency) are written to private Cloudflare R2 buckets and protected by private-bucket access control. Access to R2 buckets is authenticated and logged.
B. Tenant isolation
- Each Workspace runs in an isolated Kubernetes namespace.
- Free-tier static workloads run inside gVisor sandboxes for additional kernel-level isolation.
- Network policies restrict cross-tenant traffic.
C. Access control
- Role-based access control on Customer-facing accounts and on the Platform's internal admin tooling.
- Principle-of-least-privilege for production access.
- Audit logging on administrative actions.
D. Resilience and backups
- Daily code backups (Free, Pro, Agency).
- Continuous database backups (Pro, Agency) with point-in-time recovery via the CloudNativePG operator's Barman Cloud integration to R2.
- Backups are best-effort, as described in the Terms of Service; the Customer is responsible for maintaining its own external backups for data it cannot afford to lose.
E. Vulnerability and incident management
- Dependency monitoring and timely patching.
- Container image scanning during build.
- Documented incident-response procedure with the 72-hour breach-notification commitment in Section 12.
F. Personnel
- Background checks where permitted by law.
- Confidentiality and acceptable-use obligations.
- Security and privacy training appropriate to role.
G. Certifications
SyncSuite does not currently hold SOC 2 or ISO 27001 certification. We will update this Annex if and when a certification is achieved.
Contact
DPO / privacy contact: Matthew McGregor - [email protected].