SYNTHESIS AI

Data Processing Agreement

Last updated: January 1, 2025

🔒 GDPR-Compliant DPA for BYOK Services

This Data Processing Agreement ("DPA") forms part of the Terms of Service between SC MYG MEDIA SRL ("Processor" or "Synthesis AI") and you ("Controller" or "Customer") when you use your own API keys to process data through our platform.

1. Definitions

  • Controller: You, the customer who determines the purposes and means of processing personal data
  • Processor: SC MYG MEDIA SRL (Synthesis AI), who processes personal data on behalf of the Controller
  • Data Subject: An identifiable natural person whose personal data is processed
  • Personal Data: Any information relating to an identified or identifiable natural person
  • Processing: Any operation performed on personal data, including collection, storage, use, and deletion
  • Sub-processor: Any third party engaged by the Processor to process personal data
  • API Provider: Third-party AI services (OpenAI, Anthropic, etc.) that you connect to using your API keys

2. Scope and Application

2.1 Applicability

This DPA applies when:

  • You use Synthesis AI's platform with your own API keys (BYOK model)
  • Personal data is processed through our platform
  • Either party is established in the European Union or processes EU residents' data

2.2 Relationship to Terms of Service

This DPA supplements and forms an integral part of the Terms of Service. In case of conflict regarding data protection matters, this DPA prevails.

3. Roles and Responsibilities

3.1 Your Role as Controller

When using your own API keys, you:

  • Determine the purposes and means of processing
  • Ensure lawful basis for processing
  • Maintain direct relationships with API providers
  • Are responsible for data sent to AI providers
  • Must comply with API providers' terms and policies

3.2 Our Role as Processor

We act as a processor by:

  • Facilitating technical connections to API providers
  • Providing the platform interface
  • Storing encrypted API keys locally in your browser
  • Processing data only on your documented instructions
  • Not accessing or using your API keys for our purposes

4. Processing Instructions

4.1 Documented Instructions

We will process personal data only on your documented instructions, including:

  • Instructions provided through the platform interface
  • API calls you initiate
  • Configuration settings you specify
  • This DPA and the Terms of Service

4.2 Instruction Limitations

We will inform you if:

  • Your instructions violate GDPR or EU/Member State laws
  • We are legally required to process data beyond your instructions
  • Technical limitations prevent following specific instructions

5. Security Measures

5.1 Technical Measures

  • Encryption: AES-256 for stored API keys, TLS 1.3 for data in transit
  • Access Control: Multi-factor authentication, role-based permissions
  • Data Isolation: Logical separation between customer environments
  • Monitoring: 24/7 security monitoring and intrusion detection
  • Backup: Regular encrypted backups with secure retention

5.2 Organizational Measures

  • Confidentiality: All personnel sign confidentiality agreements
  • Training: Regular data protection and security training
  • Access Limitation: Access on a need-to-know basis only
  • Incident Response: Documented procedures for security incidents
  • Vendor Management: Security assessment of sub-processors

6. Sub-processors

6.1 Authorized Sub-processors

You consent to our use of the following sub-processors:

  • Amazon Web Services (AWS): Cloud infrastructure (EU regions)
  • Cloudflare: CDN and DDoS protection
  • Stripe: Payment processing (PCI-DSS compliant)
  • SendGrid: Transactional email services

6.2 API Providers Clarification

Important: API providers (OpenAI, Anthropic, etc.) are NOT our sub-processors. They are separate data controllers with whom you have direct relationships when using your API keys.

6.3 New Sub-processors

We will:

  • Notify you 30 days before engaging new sub-processors
  • Provide opportunity to object to new sub-processors
  • Ensure sub-processors comply with equivalent obligations
  • Remain fully liable for sub-processor performance

7. Data Subject Rights

7.1 Assistance with Requests

We will assist you in responding to data subject requests by:

  • Providing tools to export data
  • Enabling data deletion capabilities
  • Supporting data correction features
  • Facilitating data portability
  • Implementing access restrictions when requested

7.2 Technical Capabilities

Our platform provides:

  • Self-service data export functionality
  • API key deletion mechanisms
  • Cache clearing options
  • Audit logs for data access
  • Consent management tools

8. Data Breach Notification

8.1 Processor Obligations

In case of a personal data breach, we will:

  • Notify you without undue delay upon discovery
  • Provide details about the nature and scope of the breach
  • Share information about affected data and data subjects
  • Describe measures taken to address the breach
  • Cooperate in breach investigations and remediation

8.2 Communication Protocol

Breach notifications will be sent to your registered email address and through platform notifications within 24 hours of discovery.

9. International Transfers

9.1 Transfer Mechanisms

For transfers outside the EEA, we rely on:

  • EU-US Data Privacy Framework (where applicable)
  • Standard Contractual Clauses (Module 2: Controller to Processor)
  • Adequacy decisions by the European Commission
  • Your explicit consent for specific transfers

9.2 Transfer Safeguards

We ensure appropriate safeguards through:

  • Contractual obligations with recipients
  • Technical security measures
  • Regular assessment of recipient country laws
  • Supplementary measures where necessary

10. Audits and Compliance

10.1 Audit Rights

You have the right to:

  • Request information about our processing activities
  • Review our security certifications and audit reports
  • Conduct audits with 30 days' written notice
  • Use independent third-party auditors (under NDA)

10.2 Compliance Demonstration

We demonstrate compliance through:

  • Annual security assessments
  • SOC 2 Type II reports (available on request)
  • ISO 27001 certification (in progress)
  • Regular penetration testing results
  • Data protection impact assessments

11. Data Retention and Deletion

11.1 Retention Period

We retain data only as long as necessary:

  • API keys: Session-based only (deleted on logout)
  • Cached responses: Maximum 24 hours
  • Audit logs: 90 days for security purposes
  • Account data: Duration of service + 30 days

11.2 Deletion Upon Termination

Upon termination of services, we will:

  • Delete or return all personal data within 30 days
  • Delete existing copies unless legally required to retain
  • Provide certification of deletion upon request
  • Ensure sub-processors also delete data

12. Liability and Indemnification

12.1 Limitation of Liability

Our liability is limited as specified in the Terms of Service, except for:

  • Damages resulting from willful misconduct or gross negligence
  • Breach of confidentiality obligations
  • Violations of data protection laws due to our actions

12.2 Indemnification

Each party indemnifies the other against claims arising from:

  • Their own violation of applicable data protection laws
  • Processing beyond the scope of instructions
  • Failure to comply with this DPA

13. Term and Termination

13.1 Duration

This DPA remains in effect for the duration of the Terms of Service and any processing of personal data thereunder.

13.2 Survival

Obligations regarding confidentiality, data deletion, and liability survive termination.

14. Governing Law and Jurisdiction

This DPA is governed by the laws of Romania and the courts of Romania have exclusive jurisdiction, without prejudice to specific GDPR provisions on jurisdiction.

15. Contact Information

Data Controller (You): As provided in your account

Data Processor:

SC MYG MEDIA SRL
Bulevardul GEORGE ENESCU, Nr. 23
Bloc G45, Scara B, Ap. 6
Judet Suceava, Romania

DPO Email: dpo@synthesis-ai.com

Security Contact: security@synthesis-ai.com

Agreement Acceptance

By using Synthesis AI with your API keys, you acknowledge that you have read, understood, and agree to be bound by this Data Processing Agreement.
