This Data Processing Agreement (“DPA”) forms part of, and is incorporated by reference into, the Syntharra Terms of Service between Syntharra Limited (“Syntharra”) and the client (“Client”). It governs the processing of personal data carried out by Syntharra on Client’s behalf in the course of providing the service. In the event of conflict between the Terms of Service and this DPA in relation to personal data processing, this DPA prevails.
1. Definitions
Terms used in this DPA have the meanings given to them in the EU General Data Protection Regulation 2016/679 (“GDPR”), the UK GDPR, the California Consumer Privacy Act as amended by the California Privacy Rights Act (collectively “CCPA”), or other applicable data-protection law, as the context requires. “Personal Data” means any information relating to an identified or identifiable natural person that Syntharra processes on Client’s behalf. “Processing” has the meaning given in GDPR Article 4(2).
2. Role of the parties
With respect to the Personal Data processed under this DPA, Client is the controller and Syntharra is the processor. Where the law of a particular jurisdiction characterises either party differently (for example, as joint controllers in respect of the decision to make a particular contact), each party will comply with its obligations under that characterisation.
For the purposes of the CCPA, Syntharra acts as Client’s “service provider” (or “contractor” where applicable) within the meaning of Cal. Civ. Code § 1798.140. Syntharra is prohibited from selling Personal Data, sharing it for cross-context behavioural advertising, retaining or using it for any purpose other than the business purposes specified in this DPA, or combining it with data from other sources outside of providing the service.
3. Scope and instructions
Syntharra processes Personal Data only on Client’s documented instructions, the most current of which are set out in the Terms of Service, this DPA, and the configuration choices made by Client through the dashboard. Syntharra will inform Client if, in its opinion, an instruction infringes applicable data-protection law and may decline to act on that instruction. Syntharra will not transfer Personal Data to any country or international organisation other than as permitted under Section 7.
4. Confidentiality
Syntharra ensures that personnel authorised to access Personal Data are bound by confidentiality undertakings, whether by contract, statute, or professional duty, and are trained on the requirements of this DPA.
5. Security measures (Annex II summary)
Syntharra implements the technical and organisational measures set out in Annex II to this DPA, which include at minimum: TLS 1.2+ encryption in transit; encryption at rest for Personal Data stores; application-layer encryption of OAuth tokens; Row Level Security policies in the production database; documented access-control procedures limiting production access to authorised personnel; audit logging of administrative access and consent events (with a separate immutable consent-event log being deployed); periodic review of access; secure software development practices including code review and dependency vulnerability scanning; documented incident response procedures.
6. Sub-processors
Client gives Syntharra general written authorisation to engage sub-processors in accordance with this Section. The current list of sub-processors is published and maintained at /legal/subprocessors.
Before engaging any new sub-processor, Syntharra will: (i) give Client at least 14 days’ written notice by email; (ii) update the published list; and (iii) impose on the sub-processor data-protection obligations no less protective than those set out in this DPA. Client may object to a new sub-processor in writing within the notice period. If the parties cannot resolve the objection within a reasonable period, Client may terminate the affected portion of the service without penalty and Syntharra will refund any pre-paid amounts allocable to that period (Syntharra does not currently charge pre-paid amounts but this clause is included for completeness).
Syntharra remains liable to Client for the acts and omissions of its sub-processors to the same extent Syntharra would be liable if performing the relevant act or omission itself, subject to the limitations of liability in the Terms of Service.
7. International data transfers
To the extent processing involves a transfer of Personal Data to a country outside the European Economic Area, the United Kingdom, or another jurisdiction whose laws apply, the transfer is made under: (i) an adequacy decision under GDPR Article 45 or the equivalent under UK GDPR or other applicable law; (ii) the EU-US Data Privacy Framework (with UK extension where applicable) where the receiving organisation is actively self-certified; or (iii) the European Commission’s Standard Contractual Clauses (Decision 2021/914), Module 2 (controller to processor) or Module 3 (processor to processor), as appropriate, supplemented where necessary by the UK International Data Transfer Addendum or the Swiss FDPIC’s approved clauses.
The Standard Contractual Clauses are deemed incorporated into this DPA by reference, with the parties identified as set out in Annex I, the security measures as set out in Annex II, the sub-processors as set out at /legal/subprocessors, and Ireland as the supervisory authority. Syntharra carries out a Transfer Impact Assessment for each US sub-processor in line with EDPB Recommendations 01/2020.
8. Assistance to Client
Taking into account the nature of the processing and the information available to Syntharra, Syntharra will assist Client by appropriate technical and organisational measures in fulfilling Client’s obligations under GDPR Articles 32 to 36, including:
- responding to data-subject requests received by Syntharra and addressed to Client;
- conducting data-protection impact assessments where required;
- prior consultation with supervisory authorities where required; and
- notifications of personal data breaches under Articles 33 and 34.
Syntharra may charge a reasonable fee for assistance that is exceptional in scope and materially outside the ordinary course of providing the service. Routine cooperation is provided at no charge.
9. Personal data breach notification
Syntharra will notify Client without undue delay and in any event within 48 hours of becoming aware of a personal data breach affecting Personal Data processed under this DPA. The notification will, to the extent then known, include:
- the nature of the breach, categories and approximate number of affected data subjects and records;
- the likely consequences;
- measures taken or proposed to address the breach and to mitigate its possible adverse effects;
- a contact point for further information.
Where the full information is not available within 48 hours, Syntharra will provide it progressively as it becomes available. Syntharra will reasonably cooperate with Client in any required notification to supervisory authorities or to affected data subjects.
10. Audit and inspection
Syntharra will make available to Client all information reasonably necessary to demonstrate compliance with this DPA. Client may, no more than once per 12 months and on at least 30 days’ written notice, request an audit of Syntharra’s compliance with this DPA. Audits will be conducted at Client’s expense, during business hours, in a manner that does not unreasonably interfere with Syntharra’s operations, and subject to confidentiality obligations no less protective than those in the Terms of Service. Syntharra may satisfy this obligation by providing the results of relevant third-party audit reports (for example, SOC 2 reports if and when available) in lieu of an on-site audit. Where Client’s supervisory authority requires an on-site audit, the parties will cooperate to enable it.
11. Return and deletion of data
On termination of the service or on Client’s written request, Syntharra will, at Client’s option, return all Personal Data to Client in a structured, machine-readable format or delete it, except to the extent retention is required by applicable law (such as records required for tax, audit, or the defence of statutory claims as described in the Privacy Policy). Syntharra will provide written confirmation of deletion on request.
12. Liability
The limitation of liability set out in the Terms of Service applies to claims under this DPA, except where applicable data-protection law requires otherwise. Nothing in this DPA limits a data subject’s rights against either party under applicable law.
13. Order of precedence
In the event of conflict between this DPA and any other agreement between the parties in relation to the processing of Personal Data, this DPA prevails.
Annex I — Parties and processing details
Data exporter: the Client identified in the Terms of Service, acting as controller. Data importer: Syntharra Limited, an Irish company, acting as processor.
Categories of data subjects: Client’s invoice recipients; persons named in or associated with Client’s invoices.
Categories of Personal Data: name, business name, telephone number, email address, postal address, invoice number, invoice amount, invoice date, due date, payment status, call recordings and transcripts of communications between Syntharra and the data subject.
Sensitive data: voice recordings are treated as sensitive personal information under the CCPA and as personal data that may include biometric identifiers under the GDPR; Syntharra processes them with the additional safeguards described in the Privacy Policy.
Frequency: continuous, in line with the schedule chosen by Client in the dashboard.
Nature and purpose: to enable AI-assisted invoice follow-up by voice and SMS, payment processing, and service improvement, as described in the Privacy Policy.
Retention: as set out in Section 6 of the Privacy Policy.
Subject matter and duration: for the duration of the Terms of Service and any retention period required by law thereafter.
Annex II — Technical and organisational measures
- Access control to systems: SSO and multi-factor authentication for production access; role-based access controls.
- Access control to data: Row Level Security policies; least-privilege database roles; audit logs of administrative access.
- Transmission control: TLS 1.2 or higher for all data in transit; certificate pinning where appropriate.
- Encryption at rest: AES-256 at the database layer; application-layer encryption of OAuth tokens and Personal Data fields classed as sensitive.
- Input control: logging of OAuth grants, ToS acceptance events, and data modifications affecting Personal Data.
- Order control: sub-processors are engaged in writing with terms no less protective than this DPA.
- Availability control: backups of Personal Data with retention and tested restoration; documented incident response.
- Separation control: logical separation of clients’ data by tenant identifier; segregation of production and non-production environments.
- Personnel: confidentiality undertakings; training on data-protection requirements; access withdrawn promptly on role change or departure.
Annex III — Sub-processors
The current authoritative list of sub-processors authorised under this DPA is published and maintained at /legal/subprocessors. The list at that URL is incorporated into this DPA by reference. Changes are made in accordance with Section 6.