Last updated January 1, 2026

Data Processing Addendum (DPA)

This DPA forms part of the customer agreement and governs the processing of personal data by SynerMatrix on behalf of the customer.

Capitalized terms not defined here have the meanings in the customer agreement.

Roles and Scope

The customer acts as controller and SynerMatrix acts as processor with respect to personal data.

Processing is limited to the services and documented instructions provided by the customer.

Categories of data, data subjects, and processing purposes are described in the order form or statement of work.

SynerMatrix will not process personal data beyond documented instructions.

SynerMatrix ensures personnel are bound by confidentiality obligations.

Security measures include access control, encryption, monitoring, and incident response procedures.

SynerMatrix may engage subprocessors to deliver services and will maintain a list of subprocessors.

Subprocessors are bound by contractual obligations consistent with this DPA.

SynerMatrix will assist with data subject requests where required and as reasonably feasible.

Requests must be verified and documented by the customer.

SynerMatrix will notify customers of security incidents without undue delay.

Incident response procedures align with the customer agreement and applicable law.

Upon termination, SynerMatrix will return or delete personal data as specified in the customer agreement.

Retention periods are documented and aligned to service requirements.

AI features process data only within customer-defined boundaries and instructions.

Prompts and outputs may be logged for security and audit purposes under the customer's retention policies.

SynerMatrix does not use customer data to train AI models unless explicitly agreed in writing.