SynapBridge
Back to synapbridge.com

Data Processing Addendum

Last updated July 14, 2026

This DPA supplements the Terms of Service where SynapBridge processes personal data on behalf of a customer subject to the GDPR, UK GDPR, CCPA, or an equivalent regime. It reflects the operating practices already in place; the definitive counter-signed version is available from legal@synapbridge.com for procurement.

Note. This page reflects the operating practices SynapBridge follows today. Enterprise customers who require a counter-signed Master Services Agreement or a bespoke Data Processing Addendum for procurement or audit review can email legal@synapbridge.com.

1. Roles

You are the controller of the personal data you send through the service. SynapBridge acts as your processor under Article 28 GDPR / equivalent. Downstream model providers (OpenAI, Anthropic, Google, Microsoft, AWS Bedrock, etc.) you elect to connect are separate independent processors under their own terms.

2. Subject-matter and duration

We process personal data as necessary to render the SynapBridge platform (routing AI calls, enforcing your policies, storing audit logs, billing), for the duration of your subscription, and for the retention windows specified in the Privacy Policy.

3. Categories of data and data subjects

Any personal data contained in prompts you send, in responses from downstream models, in embeddings or memory-graph nodes derived from either, or in account/usage/operational records. Data subjects: your employees, users, and anyone identifiable inside the content you send.

4. Subprocessors

Current sub-processors are maintained at synapbridge.com/sub-processors (Amazon Web Services, Stripe, WorkOS, Amazon Cognito, Amazon Simple Email Service, Cloudflare) with the corporate address, processing purpose, data location, and cross-border transfer mechanism for each.

We give admins at least 30 days' notice of a new or replaced sub-processor via email; you may object and terminate the affected workspace for that reason.

5. Cross-border transfers

We rely on the Standard Contractual Clauses (module 2 or 3 as applicable), the UK IDTA, and adequacy findings where they apply. Business and Enterprise workspaces may pin storage to a specific region (see Privacy Policy §4).

6. Security

TLS 1.2+ in transit, AES-256 at rest under AWS KMS with tenant-scoped keys where applicable, mandatory MFA on every human account, least-privilege IAM, per-tenant secret vaulting, audit trail of every model call. Full control mapping (SOC 2 Type II) available under NDA.

7. Personal-data breach

We notify you without undue delay and within 72 hours of confirming a personal-data breach affecting your workspace. Notifications go to the admin email on file plus privacy@synapbridge.com for updates.

8. Assistance

We assist you with DSARs (access, portability, erasure, restriction, objection) via Settings → Data self-serve, and for anything beyond that via privacy@synapbridge.com. We assist with DPIAs and prior consultations on request.

9. Return and deletion

On termination you can export all personal data from Settings → Export until the read-only window closes (default 30 days). After that we permanently delete personal data from primary and backup systems within 35 days.

10. Audits

Once per 12 months (unless a specific incident warrants more) we make our SOC 2 Type II report, penetration test summary, and control inventory available to you under NDA. On-site audit rights are available for Enterprise customers under a mutually agreed scope.

11. Contact

Elevayt Ventures LLC · SynapBridge · legal@synapbridge.com