Data Processing Agreement
Background
This Data Processing Agreement ("DPA") is entered into between Synvara Technologies, LLC ("Synvara," "Processor") and the enterprise client executing a Master Services Agreement or Statement of Work with Synvara ("Controller" or "Client").
This DPA governs Synvara's processing of personal data on behalf of the Controller in connection with the delivery of PulseArch, PulsrOS, Pulsaris, and related professional services. It is incorporated by reference into the applicable MSA.
This DPA reflects the requirements of the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA) as amended by CPRA, and other applicable data protection laws.
Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined by applicable data protection law.
- "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
- "Controller" means the entity that determines the purposes and means of processing Personal Data — here, the Client.
- "Processor" means the entity that processes Personal Data on behalf of the Controller — here, Synvara.
- "Sub-processor" means any third party engaged by Synvara to process Personal Data in the delivery of Services.
- "Data Subject" means the natural person to whom the Personal Data relates.
- "Standard Contractual Clauses" (SCCs) means the European Commission's approved clauses for international data transfers (Decision 2021/914).
Scope & Roles
This DPA applies where Synvara processes Personal Data in the course of delivering contracted Services to Client. The Client acts as Controller of Personal Data it submits to Synvara's systems. Synvara acts as Processor and processes such data only as directed by the Client.
Where Synvara processes data for its own purposes (e.g., account management, invoicing), Synvara acts as an independent Controller, governed by the Privacy Policy.
Processing Instructions
Synvara will process Personal Data only on documented instructions from the Controller. Synvara will:
- Not process Personal Data for any purpose beyond what is necessary to deliver the contracted Services
- Not disclose Personal Data to third parties except as authorized by this DPA or required by applicable law
- Inform the Controller if, in Synvara's opinion, an instruction infringes applicable data protection law — before proceeding
- Ensure that personnel authorized to process Personal Data are bound by appropriate confidentiality obligations
Security Measures
Synvara implements technical and organizational measures appropriate to the risk of processing, including:
- Encryption in transit: All data transmitted uses TLS 1.2 or higher
- Encryption at rest: Personal Data stored in Synvara-managed cloud environments is encrypted at rest using AES-256 or equivalent
- Access controls: Access restricted via Zero Trust identity verification; least-privilege principles enforced
- Network security: Cloudflare WAF, DDoS mitigation, and rate limiting protect the perimeter
- Incident response: Documented incident response plan with defined escalation and notification procedures
- Vendor management: Sub-processors subject to security assessments and contractual obligations equivalent to this DPA
Sub-processors
Synvara will provide 30 days' advance notice of material changes to sub-processors to allow the Controller to object.
| Sub-processor | Purpose | Location |
|---|---|---|
| Cloudflare, Inc. | CDN, edge compute, DDoS mitigation, Zero Trust access | United States / Global Edge |
| Twilio SendGrid | Transactional email delivery for contact forms and notifications | United States |
| Supabase, Inc. | Database and authentication services for portal features (where applicable) | United States |
Data Subject Rights
Synvara will assist the Controller in fulfilling Data Subject rights requests (access, correction, deletion, portability, objection, restriction) by:
- Promptly forwarding any Data Subject requests received that pertain to Personal Data controlled by the Client
- Providing technical assistance reasonably required to fulfill requests within commercially reasonable timeframes
- Not responding to Data Subject requests on behalf of the Controller without written authorization
Breach Notification
Synvara will notify the Controller without undue delay — and in any event within 72 hours — of becoming aware of a Personal Data breach. The notification will include, to the extent known:
- A description of the nature of the breach and the categories and approximate number of records affected
- The likely consequences of the breach
- Measures taken or proposed to address and mitigate the breach
Notification is made to the designated security contact in the applicable MSA, or to security@synvara.ai.
International Transfers
Where Personal Data originating from the EEA, UK, or Switzerland is processed under this DPA, transfers are governed by:
- EU Standard Contractual Clauses (Module 2 — Controller to Processor) as approved by European Commission Decision 2021/914
- UK International Data Transfer Addendum (IDTA) for transfers from the United Kingdom, where applicable
For sovereign cloud or air-gapped deployments, data residency commitments specified in the applicable SOW take precedence.
Audits & Assessments
Synvara will make available to the Controller all information reasonably necessary to demonstrate compliance, and will support audits subject to:
- Reasonable advance notice of at least 30 days
- Audit scope limited to Personal Data and systems relevant to this DPA
- Execution of a confidentiality agreement by the auditor
- Audit costs borne by the Controller unless a material deficiency is identified
Synvara may satisfy audit requests by providing third-party attestations, penetration test summaries, or SOC 2 reports where available.
Deletion & Return
Upon termination or expiration, or upon written request, Synvara will at the Controller's election:
- Return a complete copy of all Personal Data in a structured, machine-readable format; and/or
- Delete all Personal Data from Synvara systems, including backup copies, within 60 days
Synvara may retain Personal Data where required by applicable law, isolated from active processing and deleted when legally permissible.
Annex — Processing Details
| Element | Detail |
|---|---|
| Subject-matter | Delivery of PulseArch, PulsrOS, Pulsaris, and associated professional services |
| Duration | Term of the applicable MSA or SOW, plus any post-termination retention period required by law |
| Nature of processing | Storage, retrieval, transmission, analysis, and deletion of Personal Data as required to deliver contracted Services |
| Purpose | AI orchestration, system fabric operation, enterprise intelligence services, support, and communications |
| Categories of Personal Data | As specified per deployment: names, email addresses, professional identifiers, authentication credentials, and data submitted by authorized end-users |
| Categories of Data Subjects | Controller's employees, contractors, and authorized end-users of Synvara-powered systems |
| Special categories | Not anticipated. Client must notify Synvara in writing before submitting special category data. |
Execute This DPA
This DPA is incorporated into the applicable Master Services Agreement. To formally execute this DPA as a standalone document or to initiate an MSA negotiation, contact Synvara's legal team to receive a countersigned copy or to request a custom DPA tailored to your jurisdiction and deployment architecture.
Email: legal@synvara.ai · Reference: "DPA Execution Request"
Alternatively, submit the request via the contact form, selecting "General Inquiry."