Data Processing Agreement
Effective Date: May 10, 2026 · Version 1.0
1. Background and Scope
This Data Processing Agreement ("DPA") supplements the agreement under which SalesSynq ("SalesSynq" or "Processor") provides services to the customer ("Customer" or "Controller") (the "Service Agreement"). It governs the processing of Customer Personal Data by SalesSynq on behalf of Customer in connection with the Service.
This DPA is intended to satisfy Article 28 of Regulation (EU) 2016/679 ("GDPR") and the corresponding provisions of the United Kingdom General Data Protection Regulation ("UK GDPR") and the California Consumer Privacy Act / California Privacy Rights Act ("CCPA/CPRA") where applicable. Where the Service involves a transfer of Personal Data from the European Economic Area ("EEA"), the United Kingdom or Switzerland to a country not benefitting from an adequacy decision, the EU Standard Contractual Clauses (Module Two: controller to processor) of Commission Implementing Decision (EU) 2021/914 (the "EU SCCs") apply, completed by Annex I, II and III of this DPA.
2. Definitions
Capitalised terms used but not defined in this DPA have the meaning given in the Service Agreement or the GDPR. In addition:
- Customer Personal Data means Personal Data within Customer Data that SalesSynq Processes on behalf of Customer in connection with the Service.
- Customer Data means data that Customer or its end users submit to or generate through the Service.
- Sub-processor means a third party engaged by SalesSynq to Process Customer Personal Data on its behalf in connection with the Service.
- Personal Data Breach has the meaning given in Article 4(12) GDPR.
3. Roles and Scope of Processing
- Roles. The parties acknowledge that, with respect to Customer Personal Data, Customer is the "controller" and SalesSynq is the "processor". Where a Customer end user is themselves a controller (for example, where Customer's tenant uses the Service to process its own customer data), Customer warrants that it has authority to instruct SalesSynq on that data.
- Subject matter and duration. The subject matter of the Processing is the provision of the Service. The Processing continues for the term of the Service Agreement and any subsequent retention period required by law.
- Nature and purpose of Processing. SalesSynq Processes Customer Personal Data to provide the Service: data ingestion, semantic enrichment, scoring, alerting, reporting, support, billing and security.
- Categories of data subjects. Customer's employees and contractors who use the Service; Customer's prospects, customers and contacts whose data is ingested by the Service.
- Categories of Personal Data. Identifiers (name, email, phone, role, employer); business communications (email content, chat content, meeting notes); CRM records (deal value, stage, ownership, history); telemetry of how the Service is used.
- Special Categories. Customer warrants that it will not knowingly submit special-category Personal Data (Article 9 GDPR) to the Service; SalesSynq does not solicit such data.
4. Processor Obligations
- Documented instructions. SalesSynq Processes Customer Personal Data only on documented instructions from Customer, which include the Service Agreement, this DPA, and Customer's configuration of the Service. SalesSynq will inform Customer if, in its opinion, an instruction infringes applicable data protection law.
- Confidentiality. SalesSynq ensures that personnel authorised to Process Customer Personal Data are bound by confidentiality obligations.
- Security. SalesSynq implements the technical and organisational measures described in Annex II to protect Customer Personal Data against unauthorised or unlawful processing, accidental loss, destruction or damage.
- Sub-processors. Customer authorises SalesSynq to engage Sub-processors as set out in Annex III and in /trust/subprocessors. SalesSynq imposes data protection obligations on each Sub-processor at least equivalent to those in this DPA and remains responsible for their performance. SalesSynq notifies Customer of any intended addition or replacement of a Sub-processor with at least 30 days' notice; Customer may object on reasonable grounds during that period.
- Data subject rights. SalesSynq makes available functionality within the Service to enable Customer to fulfil its obligations to respond to data subject requests under Articles 15–22 GDPR. Where SalesSynq receives a data subject request relating to Customer Personal Data directly, it will (without responding substantively itself) inform the data subject to contact Customer and notify Customer.
- Assistance. SalesSynq assists Customer, taking into account the nature of the Processing and the information available, in fulfilling its obligations under Articles 32–36 GDPR (security, breach notification, data protection impact assessment, prior consultation).
- Personal Data Breach. SalesSynq notifies Customer without undue delay and in any event within 72 hours of becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will include, to the extent known, the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address it.
- Deletion or return. Upon termination of the Service Agreement, SalesSynq deletes or returns all live Customer Personal Data within 30 days, save where retention is required by applicable law. Backup copies of Customer Personal Data are not targeted for erasure inside the immutable encrypted snapshots; they expire as the snapshots roll off the standard cycle (up to 6 months for the monthly tier) and are not used to restore an offboarded tenant. The full retention cycle is set out in the Privacy Policy.
- No training on Customer Data. SalesSynq does not use Customer Personal Data to train, fine-tune or otherwise improve any third-party or proprietary AI / machine-learning model.
5. Audits
SalesSynq makes available to Customer all information reasonably necessary to demonstrate compliance with Article 28 GDPR. SalesSynq supports Customer's audit rights through:
- this DPA, the Privacy Policy, and the public Security and AI Disclosure pages;
- the executive summary of SalesSynq's most recent third-party penetration test (under NDA);
- a written response to Customer's reasonable security questionnaire (e.g. SIG-Lite, CAIQ-Lite); and
- where applicable, the most recent SOC 2 / ISO 27001 attestation reports as they are obtained (under NDA).
If Customer reasonably believes the above does not provide sufficient information, Customer may, at its own cost and no more than once per twelve-month period, conduct an on-site audit on at least 30 days' written notice and during business hours, subject to commercially reasonable confidentiality and security restrictions.
6. International Data Transfers
Where the Processing involves a transfer of Customer Personal Data from the EEA, the United Kingdom or Switzerland to a third country, the EU SCCs (Module Two: controller to processor) are incorporated into this DPA by reference. The annexes to the EU SCCs are completed as follows:
- EU SCC Annex I.A — List of Parties: see Annex I below.
- EU SCC Annex I.B — Description of Transfer: see Annex I below.
- EU SCC Annex I.C — Competent Supervisory Authority: the supervisory authority of the EEA Member State in which the data exporter is established.
- EU SCC Annex II — Technical and Organisational Measures: see Annex II below.
- EU SCC Annex III — List of Sub-processors: see Annex III and /trust/subprocessors.
For transfers from the United Kingdom, the parties incorporate the UK International Data Transfer Addendum to the EU SCCs (issued by the Information Commissioner under section 119A of the Data Protection Act 2018). For Swiss transfers, references to the GDPR are read as references to the Swiss Federal Act on Data Protection (FADP).
7. CCPA / CPRA
Where Customer is a "business" under the CCPA/CPRA, SalesSynq acts as a "service provider." SalesSynq does not (i) sell or share Customer Personal Data, (ii) retain, use or disclose Customer Personal Data for any purpose other than the specific purposes set out in the Service Agreement and this DPA, or (iii) combine Customer Personal Data with personal information received from any other source, except as permitted by the CCPA/CPRA regulations.
8. Order of Precedence
In the event of any conflict, the order of precedence is: (1) the EU SCCs (where they apply), (2) this DPA, (3) the Service Agreement. Nothing in this DPA limits any data subject's right under the EU SCCs.
Annex I — Parties and Description of Transfer
A. List of Parties
Data exporter (controller): Customer, as identified in the Service Agreement.
Data importer (processor): SalesSynq, contactable at privacy@salesynq.com; legal entity and registered address as identified in the Service Agreement and the Privacy Policy.
B. Description of Transfer
| Categories of data subjects | Customer's employees and contractors; Customer's prospects, customers and contacts whose data is ingested by the Service. |
| Categories of Personal Data | Identifiers (name, email, phone, role, employer); business communications (email, chat, meeting notes); CRM records; usage telemetry. |
| Special-category data | None solicited or expected. |
| Frequency of transfer | Continuous, for the duration of the Service Agreement. |
| Nature of processing | Ingestion, storage, semantic enrichment, scoring, alerting, reporting, support, billing, security. |
| Purpose of transfer | Provision of the Service to Customer. |
| Retention period | For the term of the Service Agreement plus 30 days, subject to backup cycle and legal-hold extensions; see Privacy Policy § 6. |
| Transfers to Sub-processors | As listed in Annex III and updated at /trust/subprocessors. |
C. Competent Supervisory Authority
The supervisory authority of the EEA Member State in which the data exporter is established, or where the data exporter is not established in the EEA, the supervisory authority of the EEA Member State in which the data exporter's representative under Article 27 GDPR is established.
Annex II — Technical and Organisational Measures
SalesSynq implements the following technical and organisational measures. Detailed evidence is available under NDA.
1. Pseudonymisation and encryption of personal data
- Field-level encryption using AES-256-GCM with HMAC-SHA256 integrity (RFC 5116) for sensitive Customer Data fields, with versioned encryption keys.
- TLS 1.2+ for all public web and API traffic; HSTS preload with 2-year max-age; strict CSP, X-Frame-Options, X-Content-Type-Options and Referrer-Policy headers.
- Internal service-to-service traffic is mutually authenticated (mTLS) in production.
- Pseudonymisation of common PII categories (emails, phones, IBANs, payment card numbers, IP addresses) before transmission to LLM Sub-processors.
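The pseudonymisation step in the last bullet, shown as an added, stand-alone illustration that is not SalesSynq's own code: the PII categories named above (emails, phones, IBANs, card numbers, IP addresses) are replaced with keyed, tenant-scoped tokens before a prompt leaves the tenant boundary, and the token table is used to re-identify the model's reply afterwards. The tenant key, the regular expressions and the sample sentence are all constructed assumptions; a card-number candidate is only tokenised as a card if it passes the Luhn check, otherwise it falls through to the phone pass.

```python
"""Pseudonymise common PII categories before a prompt is sent to an LLM Sub-processor.

Added illustration for Annex II section 1 (not SalesSynq's own code). Everything
here is hypothetical: the tenant key is a constructed constant, the categories
follow the list in the text, and the LLM client itself is out of scope.
"""
from __future__ import annotations

import hashlib
import hmac
import re

# Constructed per-tenant key (hypothetical); a real deployment would fetch it
# from a key store so tokens are stable within a tenant and differ across tenants.
TENANT_KEY = b"constructed-tenant-key-0001"

# Pass order matters: EMAIL first (may contain digits), IBAN before CARD (long
# digit runs), IP before PHONE (a dotted quad also looks like a phone number).
PATTERNS = [
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("IBAN", re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]{4}){2,7}(?:\s?[A-Z0-9]{1,4})?\b")),
    ("CARD", re.compile(r"\b\d(?:[ -]?\d){12,18}\b")),
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("PHONE", re.compile(r"(?<!\w)\+?\d(?:[\s().-]?\d){7,14}(?!\w)")),
]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects digit runs that are not plausible card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _token(category: str, value: str) -> str:
    # Keyed and deterministic: the same value maps to the same token within a
    # tenant, but the token reveals nothing about the value without the key.
    mac = hmac.new(TENANT_KEY, f"{category}:{value}".encode(), hashlib.sha256)
    return f"<{category}_{mac.hexdigest()[:8]}>"


def pseudonymise(text: str) -> tuple[str, dict[str, str]]:
    """Return (redacted text, token -> original map kept inside the tenant boundary)."""
    mapping: dict[str, str] = {}

    def replace(category: str):
        def sub(m: re.Match) -> str:
            value = m.group(0)
            if category == "CARD" and not luhn_ok(re.sub(r"\D", "", value)):
                return value  # not a card number; a later pass may still classify it
            token = _token(category, value)
            mapping[token] = value
            return token
        return sub

    for category, pattern in PATTERNS:
        text = pattern.sub(replace(category), text)
    return text, mapping


def reidentify(text: str, mapping: dict[str, str]) -> str:
    """Restore originals in the model reply; runs only inside the tenant boundary."""
    for token, value in mapping.items():
        text = text.replace(token, value)
    return text


# Constructed sample prompt fragment (not real data).
SAMPLE = ("Hi Ana (ana.lopez@example.com, +49 151 2345 6789) paid with "
          "4111 1111 1111 1111 from DE89 3704 0044 0532 0130 00 via 203.0.113.42.")

if __name__ == "__main__":
    redacted, table = pseudonymise(SAMPLE)
    print(redacted)
    print("round trip ok:", reidentify(redacted, table) == SAMPLE)
```

The token table never leaves the process that built it; only the redacted string is sent to the provider, and the same redacted string is what a response cache should be keyed on.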
2. Confidentiality, integrity, availability, resilience
- OAuth 2.0 / OpenID Connect SSO (Google, Microsoft); password-based authentication is disabled by default.
- Authentication: OAuth 2.0 / OIDC SSO via Google or Microsoft (which carry the Customer's own MFA), and native TOTP-based MFA with self-service enrolment, recovery codes, and configurable hard-enforcement for password sign-in. The session token carries an "mfa" claim when a second factor was verified, available for risk-based handler annotations.
- Fine-grained authorisation via OpenFGA; tenant-scoped checks at every repository call, enforced by an aspect that rejects any cross-tenant query.
- Redis-backed sliding-window rate limiting (10 req/60s on auth endpoints).
- Append-only audit log with periodic chain sealing; 365-day default retention.
- Sentry PII filtering enabled; sensitive HTTP request body fields masked in logs.
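The "append-only audit log with periodic chain sealing" bullet above, as an added illustration (not SalesSynq's own implementation): each entry's hash commits to the previous entry, so an edited, reordered or removed record breaks the chain, and a periodic seal over the head hash detects a chain that was rewritten wholesale after the seal was taken. The sealing key is a constructed constant standing in for a KMS- or HSM-held key or an external timestamp; the events are constructed sample data.

```python
"""Append-only audit log with a hash chain and periodic sealing.

Added illustration for Annex II section 2 (not SalesSynq's own code). The
sealing key is a constructed constant standing in for a KMS- or HSM-held key;
in production a seal would be an external signature or timestamp over the head.
"""
from __future__ import annotations

import hashlib
import hmac
import json

SEAL_KEY = b"constructed-seal-key"  # hypothetical
GENESIS = "0" * 64


def _entry_hash(prev_hash: str, body: dict) -> str:
    # Canonical JSON so every verifier hashes exactly the same bytes.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


class AuditLog:
    def __init__(self) -> None:
        self.entries: list[dict] = []
        self.seals: list[dict] = []

    def append(self, tenant: str, actor: str, action: str, ts: int) -> str:
        """Append one event; its hash commits to every earlier entry."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "ts": ts, "tenant": tenant,
                "actor": actor, "action": action, "prev": prev}
        entry = dict(body, hash=_entry_hash(prev, body))
        self.entries.append(entry)
        return entry["hash"]

    def seal(self) -> dict:
        """Periodic seal: a keyed commitment to the current head of the chain."""
        head = self.entries[-1]["hash"] if self.entries else GENESIS
        seal = {"upto": len(self.entries) - 1, "head": head,
                "mac": hmac.new(SEAL_KEY, head.encode(), hashlib.sha256).hexdigest()}
        self.seals.append(seal)
        return seal


def verify(entries: list, seals: list) -> tuple[bool, int | None]:
    """Recompute the chain and check each seal; returns (True, None) or (False, index)."""
    prev = GENESIS
    for i, e in enumerate(entries):
        body = {k: v for k, v in e.items() if k != "hash"}
        if e.get("prev") != prev or _entry_hash(prev, body) != e.get("hash"):
            return False, i                 # edited or reordered entry
        prev = e["hash"]
    for s in seals:
        if s["upto"] >= len(entries):
            return False, s["upto"]         # tail truncated below a seal
        expected = hmac.new(SEAL_KEY, s["head"].encode(), hashlib.sha256).hexdigest()
        if entries[s["upto"]]["hash"] != s["head"] or not hmac.compare_digest(s["mac"], expected):
            return False, s["upto"]         # chain rewritten after sealing
    return True, None


def build_sample_log() -> AuditLog:
    """Constructed events (not real data): two entries, a seal, one more entry."""
    log = AuditLog()
    log.append("tenant-a", "alice", "login", 1_700_000_000)
    log.append("tenant-a", "alice", "export_report", 1_700_000_060)
    log.seal()
    log.append("tenant-a", "bob", "change_role", 1_700_000_120)
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    print("intact:", verify(sample.entries, sample.seals))
```

Retention (the 365-day default) is then a matter of which sealed segments are kept; a segment can be dropped whole without breaking verification of the segments that remain, as long as each kept segment starts from a sealed head.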
3. Restoration of availability and access
- Encrypted backups (Restic) with 7 daily / 4 weekly / 6 monthly snapshots.
- Weekly automated restore drill; documented incident-response procedure.
4. Regular testing of effectiveness
- CodeQL static application security testing on every pull request.
- OWASP Dependency-Check on every pull request and on a daily schedule (CVSS ≥ 7 fails the build).
- Gitleaks secret scanning in pre-commit hooks.
- Annual third-party penetration test (executive summary available under NDA once delivered).
5. AI / LLM-specific measures
- Customer Data is never used to train, fine-tune or improve any third-party or proprietary AI / ML model.
- Each LLM provider's "do not use my data for training" toggle is applied at the production-org level. We have applied for OpenAI Zero-Data-Retention and will apply for the equivalent at any future LLM Sub-processor before it processes Customer Data.
- Each LLM call carries a tenant-scoped pseudonymous identifier so providers' abuse-monitoring systems do not co-mingle customers.
- LLM response cache uses a TTL of at most one hour; cache keys are derived from a redacted prompt.
- Customer-facing scoring is produced by deterministic rule-based logic; LLM output is suggested text and falls back to deterministic logic on parse failure.
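The cache and fallback rules in the last two bullets, as an added illustration that is not SalesSynq's own code: the cache key is derived only from the already-redacted prompt (plus tenant and model identifiers), the TTL is capped at one hour regardless of configuration, and the customer-facing score comes from a rule while the model's text is accepted only if it parses, otherwise a rule-based sentence is used. The scoring rule, the clock, the deal record and the sample replies are all constructed assumptions.

```python
"""TTL-bounded LLM response cache keyed on the redacted prompt, with a
deterministic fallback when the model reply cannot be parsed.

Added illustration for Annex II section 5 (not SalesSynq's own code). The
deal-scoring rule, the cache clock and the sample replies are all constructed.
"""
from __future__ import annotations

import hashlib
import json
import time

MAX_TTL_SECONDS = 3600  # Annex II: at most one hour


def cache_key(tenant_id: str, model: str, redacted_prompt: str) -> str:
    """Key derived only from the redacted prompt, so raw PII never reaches the cache."""
    material = json.dumps([tenant_id, model, redacted_prompt]).encode()
    return hashlib.sha256(material).hexdigest()


class TtlCache:
    def __init__(self, ttl: int = MAX_TTL_SECONDS, clock=time.time) -> None:
        self.ttl = min(ttl, MAX_TTL_SECONDS)   # configuration cannot raise the cap
        self.clock = clock                      # injectable for deterministic tests
        self._store: dict[str, tuple[float, str]] = {}

    def get(self, key: str) -> str | None:
        hit = self._store.get(key)
        if hit is None:
            return None
        expires_at, value = hit
        if self.clock() >= expires_at:
            del self._store[key]                # expired entries are evicted on read
            return None
        return value

    def put(self, key: str, value: str) -> None:
        self._store[key] = (self.clock() + self.ttl, value)


def deterministic_score(deal: dict) -> int:
    """Constructed rule: the customer-facing score never depends on the LLM."""
    score = 0
    if deal.get("stage") == "negotiation":
        score += 40
    if deal.get("value", 0) >= 50_000:
        score += 30
    if deal.get("days_since_contact", 99) <= 7:
        score += 30
    return score


def suggested_text(raw_reply: str, deal: dict) -> tuple[str, str]:
    """Parse the model reply; on any parse failure fall back to a rule-based sentence.

    Returns (text, source) where source is "llm" or "rules".
    """
    try:
        parsed = json.loads(raw_reply)          # JSONDecodeError is a ValueError
        text = parsed["summary"]                # KeyError / TypeError on bad shape
        if not isinstance(text, str) or not text.strip():
            raise ValueError("empty summary")
        return text.strip(), "llm"
    except (ValueError, KeyError, TypeError):
        stage = deal.get("stage", "unknown")
        return f"Deal in stage {stage}; score {deterministic_score(deal)}.", "rules"


if __name__ == "__main__":
    deal = {"stage": "negotiation", "value": 60_000, "days_since_contact": 3}
    print(deterministic_score(deal))
    print(suggested_text('{"summary": "Close this week."}', deal))
    print(suggested_text("not json at all", deal))
```

Because the key is built from the redacted prompt, two tenants whose prompts redact to the same string still get different keys through the tenant identifier, which keeps cached model output from crossing tenant boundaries.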
6. Personnel
- Personnel with access to Customer Personal Data are subject to confidentiality obligations as a condition of engagement.
- Access is provisioned on a least-privilege basis and reviewed at least annually.
Annex III — Sub-processors
The current list of Sub-processors is published and kept up to date at /trust/subprocessors. SalesSynq notifies Customer of any intended addition or replacement of a Sub-processor with at least 30 days' notice; Customer may object on reasonable grounds during that period.
The list is also reproduced below for convenience. The version on the public page prevails in the event of any inconsistency.
See /trust/subprocessors for the current registry of Sub-processors, including each entity, processing activity, location of processing, and category of data processed.
Contact and Execution
For questions about this DPA, including requests for a counter-signed copy, contact privacy@salesynq.com.
Customers may request a counter-signed copy of this DPA at no charge. Where Customer requires modifications, SalesSynq will engage in good faith to agree commercially reasonable variations.