Data Processing Addendum

"Personal Data", "Data Subject", "Processing", "Controller", and "Processor" have the meanings given in the GDPR. "Sub-processor" means any third party engaged by Provider to process Personal Data.

Customer is the Controller (or processor on behalf of its own controllers) of Customer Data. Provider is the Processor and will process Personal Data only (a) to deliver the Service, (b) on documented instructions from Customer (these Terms and the DPA constitute such instructions), and (c) as required by applicable law.

• Subject matter: processing of Personal Data necessary to provide the SYNQ CRM platform.
• Duration: term of the subscription plus the export window described in the Terms.
• Nature: hosting, transmission, storage, organization, retrieval, deletion, and analytics related to Service operation.
• Purpose: provision of CRM, campaign, communications, contracting, invoicing, and client portal features.
• Categories of Data Subjects: Customer's employees and contractors; Customer's clients and their staff; journalists, contacts, and other individuals Customer chooses to include.
• Categories of Personal Data: name, contact details, employer/role, communications metadata, files Customer uploads. Customer must not upload special-category data unless necessary and lawful.

Customer authorizes Provider to engage Sub-processors. A current list is available on request. Provider will: (a) impose data protection terms substantially equivalent to this DPA on each Sub-processor; (b) remain liable for Sub-processor performance; and (c) provide reasonable prior notice of new Sub-processors so Customer may object on reasonable data protection grounds.

Where Personal Data is transferred from the EEA, UK, or Switzerland to a country without an adequacy decision, the parties incorporate by reference the European Commission Standard Contractual Clauses (Module Two — Controller to Processor; or Module Three — Processor to Processor, as applicable) and the UK International Data Transfer Addendum. Provider will implement supplementary measures including encryption in transit (TLS 1.2+) and at rest, access logging, role-based access, and challenge of unlawful government requests.

Provider will implement and maintain appropriate technical and organizational measures including: encryption in transit and at rest; row-level security and least-privilege access; audit logging; secret management; separation of environments; incident response procedures; vendor security review; and personnel confidentiality obligations.

Provider will, taking into account the nature of processing, assist Customer by appropriate technical and organizational measures to fulfill Customer's obligations to respond to Data Subject requests and to comply with Articles 32–36 GDPR (security, breach notification, impact assessments, prior consultation).

Provider will notify Customer without undue delay (and where feasible within 72 hours) after becoming aware of a Personal Data breach affecting Customer Data, providing the information reasonably required for Customer to meet its own notification obligations.

Provider will make available information necessary to demonstrate compliance, including third-party audit reports where available. On-site audits are limited to once per 12-month period, with 30 days' prior written notice, conducted during business hours, at Customer's expense, and subject to confidentiality.

Upon termination, Provider will, at Customer's option, return or delete Personal Data within 30 days (the export window), subject to legal retention obligations and de-identified backups that cycle out in the ordinary course.

To the extent Provider processes Personal Information of California residents on behalf of Customer, Provider acts as a "service provider" and will not (a) sell or share Personal Information; (b) retain, use, or disclose it for any purpose other than the business purposes specified in the Agreement; or (c) combine it with Personal Information from other sources except as permitted by the CCPA. Provider certifies it understands and will comply with these restrictions.

In case of conflict, the order of precedence is: SCCs (where incorporated) → this DPA → the Terms of Service.