Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the agreement between the customer ("Controller") and Synqc ("Processor") for the use of the Synqc service. It governs the processing of personal data carried out by Synqc on behalf of the Controller, in accordance with Article 28 of the EU General Data Protection Regulation ("GDPR").
1. Definitions
"Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) GDPR.
"Processing" means any operation performed on Personal Data, as defined in Article 4(2) GDPR.
"Data Subject" means a natural person whose Personal Data is processed under this DPA — primarily the Controller's HubSpot contacts.
"Sub-processor" means any third party engaged by Synqc to process Personal Data on behalf of the Controller.
2. Subject Matter and Purpose
Synqc processes Personal Data solely to provide the Controller with its conversion-tracking service: receiving CRM events from HubSpot, enriching and hashing the relevant contact properties, and delivering the resulting conversion signals to Meta Conversions API on behalf of the Controller.
Synqc shall not process Personal Data for any purpose other than those documented in this DPA and in the Controller's written instructions.
3. Categories of Data and Data Subjects
Data subjects: HubSpot contacts belonging to the Controller.
Categories of personal data processed:
- Contact identifiers: email address, phone number (both transmitted only as SHA-256 hashes)
- Name components: first name, last name (transmitted only as SHA-256 hashes)
- Location data: city, state, zip/postal code, country (transmitted only as SHA-256 hashes)
- Date of birth (transmitted only as a SHA-256 hash)
- Behavioural and commercial data: lifecycle stage, lead score, deal amount, form submission events
- Technical metadata: event timestamps, HubSpot object IDs
All directly identifying fields (email, phone, name, location, date of birth) are irreversibly hashed using SHA-256 before leaving Synqc's infrastructure. Raw PII is never stored by Synqc beyond the duration of a single request.
4. Obligations of Synqc (Processor)
4.1 Processing on Instructions Only
Synqc shall process Personal Data only on documented instructions from the Controller. The Controller's instructions are set out in this DPA and in the service configuration. If Synqc is required by applicable law to process Personal Data in a manner inconsistent with the Controller's instructions, Synqc shall inform the Controller before such processing takes place.
4.2 Confidentiality
Synqc ensures that all personnel authorised to process Personal Data are bound by appropriate confidentiality obligations.
4.3 Security (Article 32 GDPR)
Synqc implements and maintains appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include:
- SHA-256 hashing of all directly identifying personal data before external transmission
- TLS 1.2 or higher for all data in transit
- AES-256 encryption at rest (Cloudflare infrastructure)
- HMAC-SHA256 verification of all incoming HubSpot webhooks
- HttpOnly, Secure, SameSite=Strict session cookies and CSRF protection
- Rate limiting and bot-score filtering on all sensitive endpoints
- Scoped API tokens with least-privilege access
- Error monitoring with PII scrubbing before log transmission
4.4 Sub-processors
The Controller provides general authorisation for Synqc to engage Sub-processors. Synqc shall inform the Controller of any intended changes to Sub-processors and give the Controller the opportunity to object. The current list of Sub-processors is:
| Sub-processor | Country | Purpose |
|---|---|---|
| Cloudflare, Inc. | United States | Infrastructure, compute, KV storage, Queues |
| Meta Platforms, Inc. | United States | Recipient of conversion signals (CAPI) |
| Sentry, Inc. | United States | Error monitoring (PII scrubbed before transmission) |
| Resend, Inc. | United States | Transactional email (login links, deletion confirmations) |
Each Sub-processor is bound by data protection obligations at least equivalent to those in this DPA.
4.5 Assistance with Data Subject Rights
Synqc shall assist the Controller in fulfilling its obligations to respond to Data Subject requests concerning access, rectification, erasure, restriction, portability, and objection. Assistance will be provided within 5 business days of a written request.
4.6 Security Incident Notification
Synqc shall notify the Controller of a confirmed personal data breach without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach. Notification shall include, to the extent available: the nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed.
4.7 Data Protection Impact Assessments
Synqc shall provide reasonable assistance to the Controller in carrying out data protection impact assessments and prior consultations with supervisory authorities where required under Articles 35 and 36 GDPR.
4.8 Deletion and Return of Data
Upon termination of the service or upon request, Synqc shall delete all Personal Data within 30 days. The Controller may request written confirmation of deletion. Synqc may retain audit logs in anonymised form for up to 13 months where required by law.
4.9 Audit Rights
Synqc shall make available to the Controller all information necessary to demonstrate compliance with this DPA and shall allow for audits or inspections conducted by the Controller or an auditor mandated by the Controller, at reasonable notice and at the Controller's cost.
5. Obligations of the Controller
The Controller warrants that it has a lawful basis for processing and sharing the Personal Data with Synqc, that it has provided appropriate notices to Data Subjects, and that it complies with all applicable data protection laws.
6. International Data Transfers
All Sub-processors listed above are located in the United States. Personal Data transferred to the United States is governed by the Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision 2021/914), Module 3 (Processor-to-Processor), which are incorporated by reference into this DPA. The Controller, as exporter, and Synqc, as importer (or Synqc as exporter and each Sub-processor as importer), are the parties to the relevant SCC modules.
7. Duration
This DPA is effective for the duration of the service agreement and terminates automatically upon its expiry or termination, subject to the deletion obligations in Section 4.8.
8. Governing Law
This DPA is governed by the laws of Sweden, without prejudice to the rights of Data Subjects under applicable EU data protection law.
9. Contact
Questions regarding this DPA should be directed to: legal@synqc.io