1. Scope, parties, and role allocation
This Data Processing Addendum (DPA) is incorporated into the Synphoria Terms of Service and any applicable order form unless a signed data-processing agreement replaces it. The customer is the controller for personal data it decides to enter, configure, import, or manage in Synphoria. SYNPHORIAAI sp. z o.o. acts as processor for that customer personal data and processes it only to provide, secure, support, and administer the Service. Synphoria may remain an independent controller for its own account, billing, security, legal, analytics, and product-safety processing described in the Privacy Policy.
2. Article 28 processing details
For GDPR Article 28 purposes, the subject matter is Synphoria's provision of company, clinic, recruitment, partner, support, and related software services. The duration is the term of the applicable account, order, or agreement plus any retention period required for export, deletion, backup expiry, legal compliance, audit, security, or dispute handling. The nature of processing may include collection, hosting, storage, organization, retrieval, transmission, analysis, generation, access control, support, security review, deletion, and return. The purpose is to operate Synphoria for the customer's authorized users and configured workflows.
3. Data subjects and personal data categories
- Data subjects may include customer administrators, employees, invited users, candidates, clinic users or patients where enabled, specialists, partner or reseller contacts, support contacts, and other people whose data the customer lawfully submits.
- Personal data may include identity, contact, account, workspace membership, department, role, calendar, HR, clinic, recruitment, support, billing, usage, integration, security, audit, and communication metadata.
- Special-category data is processed only where the customer enables or submits it through an appropriate Synphoria surface and has the required notice, consent, legal basis, and contractual authority.
4. Documented instructions
Synphoria processes customer personal data only on the customer's documented instructions, including the Terms, this DPA, order forms, configuration choices, authorized user actions, support requests, and lawful written instructions. If Synphoria believes an instruction infringes applicable data-protection law, it will inform the customer unless legally prohibited from doing so. The customer remains responsible for controller notices, legal bases, permissions, data accuracy, role assignments, and the lawfulness of submitted data.
5. Confidentiality and authorized personnel
Synphoria restricts access to customer personal data to personnel, contractors, and service providers who need it for authorized service operation, support, security, legal, or compliance purposes and who are bound by confidentiality or equivalent professional duties. Access is role-based and limited by the privacy boundaries described in the Privacy Policy, Data Safety & Security Statement, and product-specific controls.
6. Security measures
Synphoria applies appropriate technical and organizational measures under GDPR Article 32, taking account of the processing context, risk, implementation cost, and state of the art. Measures may include encryption in transit, supported at-rest protections, private-content key controls where implemented, access control, audit logging, tenant separation, backup and restore controls, vulnerability management, incident response, and secure development practices. No online service can guarantee absolute security.
7. Sub-processors
The customer gives general authorization for Synphoria to use sub-processors needed to provide the Service. Current vendor categories and links are maintained in the Data Safety & Security Statement, including hosting, database, storage, AI/model, voice, email, payment, SMS/phone, security, logging, Slack, Microsoft Teams, and operational providers. Synphoria remains responsible for sub-processor processing performed under its instructions and will impose data-protection obligations appropriate to the processing. Material sub-processor changes are handled through the applicable notice, objection, workaround, termination, or order-form process.
8. International transfers
Where customer personal data is transferred outside the EEA, UK, or another restricted-transfer jurisdiction, Synphoria uses the transfer mechanism applicable to the relevant provider and flow where required. That may include an adequacy decision, European Commission Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914, the UK International Data Transfer Agreement (UK IDTA), the UK Addendum to the EU SCCs, transfer risk assessments, and supplementary technical, contractual, or organizational controls. The Privacy Policy and Data Safety & Security Statement identify current provider categories and transfer references.
9. Assistance with controller duties
Taking into account the nature of processing and information available to Synphoria, Synphoria will provide reasonable assistance for data-subject requests, security of processing, personal-data breach handling, data protection impact assessments, prior consultations, and other controller obligations required by GDPR Articles 28, 32, 33, 34, 35, and 36. The customer remains responsible for deciding how to respond to data-subject requests and regulator communications unless a signed agreement assigns a different responsibility.
10. Personal data breach
Synphoria will notify the customer without undue delay after becoming aware of a personal data breach affecting customer personal data processed by Synphoria as processor. The notice will include information reasonably available to Synphoria to help the customer meet its legal duties. Synphoria may update the notice as investigation facts develop. A breach notice is not an admission of fault or liability.
11. Return, deletion, and retention
At the end of the applicable service relationship, Synphoria will return or delete customer personal data according to the Service functionality, order form, written instructions, and applicable law. Some backups, security logs, audit records, billing records, legal records, abuse-prevention records, and deletion metadata may remain for limited retention periods where required for integrity, security, legal compliance, or dispute handling. Deletion can remove or revoke private content, projections, and retrieval eligibility while preserving legally required metadata.
12. Audits and information
Synphoria will make available information reasonably necessary to demonstrate compliance with this DPA and GDPR Article 28 processor obligations. Audits should normally be satisfied through documentation, security materials, questionnaires, third-party reports where available, or a controlled review process agreed in writing. Audits must not compromise other tenants, private user content, source code, trade secrets, credentials, infrastructure secrets, security controls, or service availability.
Privacy contact: contact@synphoria.app | security@synphoria.app