DATA PROCESSING AGREEMENT
Version 2.0
Effective Date: February 23, 2026
TABLE OF CONTENTS
Definitions and Scope
Processing of Personal Data
Data Subject Rights
Data Protection and Security
International Data Transfers
Term and Termination
Liability and Indemnification
Governing Law
Schedule A: Categories of Personal Data
Schedule B: Authorized Sub-processors
Schedule C: Technical and Organizational Measures
Schedule D: Standard Contractual Clauses
DEFINITIONS AND SCOPE
This Data Processing Agreement ("Agreement") is entered into between Syntari AI, Inc. ("Company" or "Processor") and the Customer ("Controller").
1.1 Definitions
● Personal Data: Any information relating to an identified or identifiable natural person.
● Processing: Any operation performed on Personal Data including collection, recording, organization, structuring, storage, adaptation, retrieval, use, disclosure, and deletion.
● Data Subject: The individual to whom Personal Data relates.
● Sub-processor: Any legal entity engaged by the Processor to process Personal Data on behalf of the Controller.
● AI Subprocessor: Third-party AI service providers including but not limited to Anthropic, OpenAI, and Google.
● Incident: Any suspected or confirmed breach of security or loss of Personal Data.
1.2 Scope
This Agreement applies to processing of Personal Data as described in the Service Agreement and attached Schedules.
PROCESSING OF PERSONAL DATA
2.1 Lawful Basis and Purpose
The Processor shall process Personal Data only:
● On documented instructions from the Controller;
● For purposes specified in the Service Agreement;
● In accordance with GDPR, CCPA, and applicable data protection laws.
2.2 Processing Instructions
The Controller acknowledges that the Processor processes Personal Data solely on the Controller's documented instructions. Changes must be provided in writing and approved by both parties.
2.3 Duration of Processing
The Processor shall process Personal Data for the duration of the Service Agreement and thereafter as required by law.
DATA SUBJECT RIGHTS
3.1 Right to Access
The Processor shall, at the Controller's request and within 10 business days, provide reasonable assistance to enable data subjects to exercise their right to access their Personal Data.
3.2 Right to Correction and Deletion
The Processor shall provide reasonable assistance to enable data subjects to exercise their rights to correction, deletion, and restriction of processing.
3.3 Portability
The Processor shall assist the Controller in enabling data subjects to exercise their right to data portability in machine-readable format.
3.4 No Automated Decision Making
The Processor shall not engage in automated decision making producing legal effects without the Controller's explicit authorization.
DATA PROTECTION AND SECURITY
4.1 Confidentiality
The Processor ensures that all persons authorized to process Personal Data are committed to confidentiality or are under an appropriate legal obligation of confidentiality.
4.2 Data Security Measures
The Processor implements appropriate technical and organizational measures as detailed in Schedule C:
● Encryption of data in transit and at rest
● Access controls and authentication mechanisms
● Regular security assessments and vulnerability testing
● Employee training and awareness programs
● Incident response procedures
4.3 Encryption and Access Controls
All Personal Data is encrypted using AES-256 or equivalent. Access is restricted to authorized personnel with multi-factor authentication required.
4.4 Sub-processing and AI Subprocessors
4.4.1 Authorization and Notification
The Processor may engage Sub-processors, including AI providers listed in Schedule B. The Controller has the right to object within 30 days of written notice.
4.4.2 AI Subprocessor Requirements
All AI Subprocessors must:
● Execute DPAs aligned with GDPR and applicable laws
● Provide technical and organizational measures equivalent to this Agreement
● Provide transparency regarding data processing locations and purposes
● Submit to audits and compliance verification
4.4.3 Incorporated Subprocessor DPAs
The DPAs of all AI providers listed in Schedule B are incorporated by reference and made binding terms of this Agreement. The Processor shall ensure that the Controller has access to these agreements upon request.
4.4.4 30-Day Advance Notification
The Processor shall provide 30 days' advance written notice prior to adding, removing, or materially changing any Sub-processor engagement. This notice shall include the Sub-processor's location, purpose, and safeguards.
4.5 Data Breach Notification
Upon becoming aware of an Incident, the Processor shall:
● Immediately assess the nature and scope of the breach
● Notify the Controller without undue delay
● Provide all information for regulatory notification obligations
4.6 Security Incident Response (48-Hour Notification Standard)
4.6.1 Notification Timeline
The Processor shall notify the Controller of any Security Incident within 48 hours of discovery. This aligns with industry best practices and Anthropic's DPA requirements.
4.6.2 Incident Report Contents
All incident notifications shall include:
● Description of the incident and affected systems
● Categories and approximate number of affected data subjects
● Likely consequences of the incident
● Measures taken or proposed to address and mitigate harm
● Name and contact of the Data Protection Officer
4.6.3 Cooperation with Authorities
The Processor shall reasonably cooperate with the Controller and regulatory authorities in investigating and responding to Incidents.
4.7 Data Retention and Deletion
The Processor shall delete or return Personal Data upon termination unless retained as required by law. A certificate of deletion shall be provided upon request.
4.8 Processor Certification
The Processor maintains SOC 2 Type II and ISO 27001 certifications. Current certificates are available upon request.
4.9 Audit Rights
4.9.1 General Audit Rights
The Controller has the right to audit the Processor's compliance with this Agreement. Audits may be conducted:
● Upon 15 business days' written notice
● No more than once per calendar year unless triggered by a suspected Incident
● During normal business hours
4.9.2 Third-Party Audits
The Controller may engage independent auditors, provided the auditor executes a confidentiality agreement.
4.9.3 AI Subprocessor Audits
Audits of AI Subprocessors shall be conducted via:
● Review of SOC 2 Type II and ISO 27001 reports
● Review of provider security documentation
● On-site audits, subject to provider approval
4.10 AI-Specific Data Processing
4.10.1 Permitted Uses
Customer Personal Data may be processed through AI features exclusively for providing the contracted services. No other use is permitted.
4.10.2 Model Training Prohibition
The Processor and all AI Subprocessors commit that:
● Customer Personal Data will NOT be used to train, fine-tune, or improve any machine learning models (for paid tiers)
● This restriction applies regardless of the AI provider's other policies
● The Controller shall receive written confirmation from all AI providers
4.10.3 Prompt and Output Handling
● Prompts: Deleted immediately after processing, maximum 24-hour retention
● Outputs: Retained according to Customer's specified retention settings
● Metadata: AI providers may retain limited metadata for abuse monitoring only
4.10.4 Abuse Monitoring Retention
AI providers may retain limited data for 30 days to monitor for abuse, fraud, and illegal activity. This data is separate from prompt/output data.
4.10.5 AI Provider Transparency
The Processor shall ensure AI Subprocessors provide:
● Quarterly reports on data handling practices
● Incident notification aligned with Section 4.6
● Documentation of technical safeguards
4.11 Data Subject Rights Coordination
4.11.1 Scope of Data Subject Requests
Data Subject Access Requests (DSARs) shall include data held by the Processor and all Sub-processors, including AI providers.
4.11.2 Coordination Procedures
The Processor shall:
● Acknowledge receipt of DSARs within 5 business days
● Coordinate with AI Subprocessors to retrieve data within 10 business days
● Provide consolidated response to the Controller within 30 calendar days
● Ensure deletions are executed across all systems and subprocessors
4.11.3 Subprocessor Cooperation
All Sub-processors shall cooperate fully with DSARs without charging additional fees for reasonable requests.
INTERNATIONAL DATA TRANSFERS
5.1 EU-US Data Privacy Framework
To the extent Personal Data originates from the EU or UK, the Processor relies on the EU-US Data Privacy Framework and UK Extension for lawful international transfer. The Processor is certified under both frameworks.
5.2 Standard Contractual Clauses
For transfers not covered by adequacy decisions, the Processor incorporates Standard Contractual Clauses by reference (Schedule D). These clauses apply to EEA, UK, and other jurisdictions requiring safeguards.
5.3 Subprocessor Transfers
All Sub-processors, including AI providers, are contractually bound to equivalent transfer mechanisms. The Processor ensures appropriate safeguards for all onward transfers.
5.4 Transfer Impact Assessments
The Processor shall conduct Transfer Impact Assessments as required by law and provide documentation upon request.
TERM AND TERMINATION
6.1 Effective Date
This Agreement is effective as of February 23, 2026, and continues for the duration of the Service Agreement.
6.2 Termination
Upon termination or expiration of the Service Agreement, the Processor shall, at the Controller's election:
● Delete all Personal Data within 30 days
● Return all Personal Data in a structured, commonly used, machine-readable format
6.3 Post-Termination Obligations
Confidentiality, security, and audit obligations survive termination for the period required by law.
LIABILITY AND INDEMNIFICATION
7.1 Processor Liability
The Processor is liable for damages caused by failure to comply with obligations under this Agreement, subject to Service Agreement limitations.
7.2 Indemnification
The Processor shall indemnify and hold harmless the Controller from third-party claims arising from the Processor's violation of applicable data protection law.
7.3 Subprocessor Liability
The Processor shall ensure all Sub-processors provide equivalent liability and indemnification obligations.
GOVERNING LAW
This Agreement shall be governed by and construed in accordance with the laws of the jurisdiction in which the Controller is located, with applicable data protection laws (GDPR, CCPA, etc.) taking precedence.
SCHEDULE A: CATEGORIES OF PERSONAL DATA
The following categories of Personal Data may be processed by the Processor:
● Identification Data: Name, email address, phone number, user ID, IP address
● Profile Data: Job title, department, organization, role, preferences
● Usage Data: Login frequency, feature usage, session duration, interactions
● Communication Data: Messages, chat histories, collaboration records
● Document Data: Files, documents, and content uploaded or created
● Technical Data: Device information, browser type, operating system, system logs
● Behavioral Data: Service engagement patterns, feature adoption, analytics
● Transaction Data: Subscription details, payment information (tokenized)
● AI-Processed Data: Text, documents, or content input to AI features
Specific categories processed depend on services subscribed to and are detailed in the Service Agreement.
SCHEDULE B: AUTHORIZED SUB-PROCESSORS
The following Sub-processors are authorized to process Personal Data on behalf of the Controller. All are bound by Data Processing Agreements incorporating this Agreement's requirements.
Sub-processor Name | Location | Purpose | Safeguards
Anthropic Claude API | USA (San Francisco, CA) | AI processing, text analysis, content generation | SOC 2, ISO 27001, DPA with Data Privacy Framework
OpenAI | USA (San Francisco, CA) | AI processing, embeddings, language model inference | SOC 2, ISO 27001, DPA with SCCs
Google Gemini API | USA (Multiple locations) | AI processing, multimodal AI inference | SOC 2, ISO 27001, Google Cloud DPA
AWS (Infrastructure Provider) | USA, EU (Regional selection) | Data storage, compute resources, backup and DR | SOC 2 Type II, ISO 27001, DPA with DPF
SendGrid (Email Services) | USA (Denver, CO) | Transactional email delivery and logging | SOC 2, ISO 27001, DPA compliance
All AI Sub-processors are contractually bound to:
● Maintain DPAs aligned with this Agreement
● Prohibit use of Customer Personal Data for model training (paid tiers)
● Delete prompts within 24 hours except for abuse monitoring (30-day retention)
● Provide SOC 2 Type II reports annually
● Notify Processor of data breaches within 48 hours
● Cooperate with audit requests and data subject inquiries
The Processor shall provide 30 days' notice before adding or removing Sub-processors.
SCHEDULE C: TECHNICAL AND ORGANIZATIONAL MEASURES
The Processor implements the following technical and organizational measures to ensure appropriate security:
Technical Measures
● Encryption: AES-256 encryption for data at rest; TLS 1.2+ for data in transit
● Access Controls: RBAC, principle of least privilege, multi-factor authentication
● Authentication: Strong password policies, SSO integration, session management
● Monitoring: Real-time security monitoring, intrusion detection, log analysis
● Vulnerability Management: Penetration testing, vulnerability scanning, patch management
● Network Security: Firewalls, DDoS protection, network segmentation
● Backup and Recovery: Daily automated backups, geographic redundancy, recovery procedures
Organizational Measures
● Personnel Training: Annual GDPR and data protection training
● Access Management: Background checks for employees with data access
● Confidentiality Agreements: All personnel sign confidentiality agreements
● Incident Response: Documented procedures with regular drills
● Data Protection Officer: Appointed DPO available (dpo@syntari.ai)
● Audit Trails: Comprehensive logging of all data access and modifications
● Vendor Management: Sub-processors undergo security assessment
AI-Specific Security Measures
● Prompt Isolation: Prompts processed in isolated, ephemeral environments
● No Cross-Contamination: Data from different customers never mixed
● Metadata Filtering: PII metadata stripped from AI logs
● Output Validation: Outputs reviewed for accidental data leakage
● Continuous Monitoring: AI provider abuse monitoring for 30 days
Certification and Compliance
● SOC 2 Type II: Annual audit by independent auditors
● ISO 27001: Certified information security management system
● GDPR Compliance: Certified by external data protection counsel
● Regular Assessments: Third-party security assessments every 12 months
SCHEDULE D: STANDARD CONTRACTUAL CLAUSES
This Schedule incorporates the Standard Contractual Clauses ("SCCs") as mechanisms for lawful international data transfers.
D.1 Scope
The SCCs apply to transfers of Personal Data from the EEA, the United Kingdom, or any other jurisdiction requiring additional safeguards to locations outside that jurisdiction.
D.2 Module Selection
The Processor and Controller are parties to Controller-to-Processor transfers subject to Module 2 of the Standard Contractual Clauses (C2P).
D.3 Incorporated Clauses
The following Standard Contractual Clauses are incorporated by reference:
● Clause 1: Purpose and Duration
● Clause 2: Processing Details
● Clause 3: Sub-processing
● Clause 4: Assistance with Rights
● Clause 5: Assistance with Obligations
● Clause 6: Deletion or Return
● Clause 7: Audit Rights
● Clause 8: Data Subject Rights
● Clause 9: International Transfers
● Clause 10: Processor Sub-Contractor Liability
Complete text available at: https://ec.europa.eu/commission/presscorner/detail/en/ip_21_2847
D.4 Data Protection Framework Certification
The Processor is certified under the EU-US Data Privacy Framework and the UK Extension, which provide an alternative adequacy mechanism for covered transfers.
D.5 Adequacy Assessment
The Processor has conducted a transfer impact assessment concluding that:
● US law provides adequate safeguards through legal and contractual protections
● The Data Privacy Framework provides robust rights and remedies
● Technical and organizational measures provide defense against mass surveillance
D.6 Subprocessor Transfers
All Sub-processors engage in equivalent transfer mechanisms:
● Standard Contractual Clauses (Module 2 or Module 3)
● Data Privacy Framework Certification
● Binding Corporate Rules
● Adequacy Decisions
D.7 Remedies and Enforcement
Data subjects retain all rights under the SCCs and may pursue claims against the Processor in the jurisdiction where the data subject is located or where the Processor is established.
EXECUTION
This Data Processing Agreement is executed as of February 23, 2026.
FOR SYNTARI AI, INC.:
Authorized Representative
Title: _____________________
Date: _____________________
FOR CUSTOMER:
Authorized Representative
Title: _____________________
Date: _____________________
