When we build AI agents, integrations, or websites that handle your customers' personal data, Synelo Studio acts as a processor for you (the controller) under GDPR Article 28. This page sets out the binding processing terms; the Statement of Work (SOW) supplements them with project-specific scope.
1. Scope and roles
Synelo Studio processes personal data on your documented instructions to deliver the services described in the SOW (e.g. ingest customer enquiries, run AI inference on them, return a response). You remain the controller of that data.
2. Categories of data and data subjects
Project-specific. Typically:
- Categories of data: contact details, message content, transactional metadata.
- Categories of data subjects: your customers, leads, employees as relevant.
- Special-category data (Art 9): not processed unless explicitly named in the SOW.
3. Processor obligations (Art 28(3))
- Process only on your documented instructions, including international transfers.
- Ensure people authorised to process the data are bound by confidentiality.
- Implement appropriate technical and organisational measures (TOMs — see §5).
- Engage sub-processors only with your prior written authorisation (general authorisation is given for the list in §6, with 14 days' notice of any change, per Art 28(2)).
- Assist you in responding to data-subject requests and DPIAs as far as possible given the nature of the processing.
- Notify you without undue delay, and in any case within 48 hours, of becoming aware of a personal-data breach, so that you can meet your own 72-hour notification deadline to the supervisory authority under Art 33.
- Delete or return all personal data at the end of the engagement, at your choice, unless retention is required by law.
- Make available all information necessary to demonstrate compliance and allow for, and contribute to, audits and inspections by you or an auditor you mandate (annually, or after a breach).
4. International transfers
Where personal data is transferred outside the EEA, the transfer is covered by the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), Module 3 (processor to processor), for our sub-processor chain. Supplementary measures include encryption in transit, encryption at rest, and a contractual zero-retention commitment from the AI inference provider.
5. Technical and organisational measures (TOMs)
- TLS 1.2+ in transit; encryption at rest at every storage layer.
- Least-privilege access; HMAC-signed admin sessions; SameSite=Strict cookies.
- Secrets stored only in managed secret stores (Vercel / Supabase); never in source.
- Logged access; rate-limited public endpoints.
- Regular dependency vulnerability scanning; security advisories tracked.
- Backups encrypted; restore tested quarterly.
- Sub-processor security reviewed before engagement.
6. Authorised sub-processors
| Sub-processor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Vercel Inc. | Hosting / CDN | USA + EU edge | Module 3 |
| Supabase Inc. | Database (Postgres) | EU (Frankfurt) | n/a (data hosted in the EEA) |
| Resend, Inc. | Transactional email | USA | Module 3 |
| Anthropic PBC | AI inference (Claude API) | USA | Module 3 + zero retention |
| Stripe Payments Europe Ltd. | Payments | Ireland / USA | Module 3 |
| Cloudflare Inc. | Turnstile (CAPTCHA) | USA / global | Module 3 |
| Google LLC | GTM / GA4 (consent-gated only) | USA | Module 3 |
We will notify you 14 days in advance of any change to this list. You may object within that period; if no agreement is reached, you may terminate the affected services.
7. Liability
Liability under this DPA is governed by the limitation-of-liability clause in the SOW or our Terms of Service, except where GDPR Article 82 mandates a different allocation.
8. Term
This DPA is effective for the duration of the engagement and survives termination until all personal data has been deleted or returned per §3.
9. Signing
For project engagements requiring a countersigned DPA on paper, email legal@synelostudio.com — we will return a PDF based on this template within 48 hours.