Data Processing Agreement
The legal package Syncanix signs with every customer that processes EU personal data — a DPA, the European Commission Standard Contractual Clauses (Module Two), a UK ICO IDTA addendum, a Swiss FADP rider, and regional addenda for the MENA jurisdictions. The text below is the canonical scope; bilaterally-signed versions ship via admin@syncanix.com after EU privacy counsel sign-off.
Contract package documents
- Data Processing Agreement (DPA). Bilateral processor-side terms governing Syncanix's handling of customer personal data under GDPR Article 28. Defines processing purposes, data categories, sub-processors, security measures, and breach-notification SLAs.
- Standard Contractual Clauses (SCCs) — Module Two. European Commission Implementing Decision 2021/914, Module Two (processor-to-processor). Governs transfers of personal data outside the EEA to sub-processors operating from third countries.
- UK ICO International Data Transfer Addendum (IDTA). Addendum extending SCCs Module Two to cover transfers of UK personal data, per the UK ICO's published template.
- Swiss FADP rider. Bridge rider extending the SCCs to cover transfers of personal data subject to the Swiss Federal Act on Data Protection (FADP), as required by the FDPIC's guidance.
- Regional addenda. Lightweight addenda for UAE PDPL, KSA PDPL (Saudi), Israel Privacy Protection Law + Amendment 13, Egypt Law 151/2020, and other MENA jurisdictions when a customer's deployment triggers them.
DPA scope (Article 28 obligations)
The DPA captures every obligation GDPR Article 28(3) imposes on a processor:
- Instructions only (Art. 28 § 3(a)). Syncanix processes customer personal data only on documented customer instructions, including transfers to third countries.
- Confidentiality (Art. 28 § 3(b)). Every Syncanix employee or contractor with access to customer personal data is bound by a confidentiality obligation.
- Security (Art. 28 § 3(c) + Art. 32). Encryption at rest via AWS KMS, encryption in transit via TLS 1.3, least-privilege IAM, and the controls documented on the security page →.
- Sub-processor engagement (Art. 28 § 2 + § 4). Customer prior-authorisation for sub-processor changes; 30-day change-notice policy on the subprocessor page →; the same Article 28 obligations are flowed down to every sub-processor.
- Assist with rights requests (Art. 28 § 3(e)). Syncanix assists customers with DSARs (Articles 15–22, covering access, rectification, erasure, restriction, portability, and objection) within the 24-hour acknowledgement / 30-day fulfilment SLA.
- Breach notification (Art. 33). Notification to the customer within 24 hours of confirmation of a personal-data breach affecting their data. The customer (controller) retains the obligation to notify supervisory authorities and data subjects.
- Audit cooperation (Art. 28 § 3(h)). Annual audit window and on-demand evidence (SOC 2 reports, ISO 27001 certificate when available) to substantiate processor obligations.
- Deletion / return (Art. 28 § 3(g)). On termination, customer personal data is returned or deleted per the customer's instruction within 30 days, with all backup copies purged within a further 90 days. A short soft-delete buffer is preserved per Article 17 (Erasure) to recover from accidental requests.
Standard Contractual Clauses
Cross-border transfers from the EEA to a sub-processor in a third country (United States, Canada, etc.) are governed by SCCs Module Two — the European Commission's processor-to-processor template (Implementing Decision 2021/914, in force since 27 June 2021). The annexes documenting the data categories, processing purposes, and security measures are populated per sub-processor as listed on the subprocessor page →. The customer signs the SCCs as the data exporter; Syncanix signs as the data importer.
UK ICO IDTA addendum
For transfers of UK personal data, the SCCs alone are not sufficient post-Brexit. The UK ICO's International Data Transfer Addendum (IDTA), published 21 March 2022, extends the SCCs into a UK-data-protection-law-compatible instrument. Syncanix's addendum is the ICO's published template populated with the same annexes as the SCCs.
Swiss FADP rider
The Federal Act on Data Protection (FADP, revised version effective 1 September 2023) governs Swiss personal data. Syncanix's Swiss rider is a thin bridge — it replaces "European Union" with "Switzerland" in the relevant SCCs sections, adopts the FDPIC (Federal Data Protection and Information Commissioner) as the supervisory authority, and incorporates Swiss-law-specific data subject rights.
Regional addenda
MENA jurisdictions impose their own processor-side contract requirements, addressed by lightweight regional addenda triggered by the customer's deployment:
- UAE PDPL (Federal Decree-Law 45/2021 + DIFC DP Law 5/2020 + ADGM). Consent-centric; cross-border transfers need adequacy or contract.
- Saudi PDPL. Full enforcement since 14 Sep 2024. 72-hour breach notice to SDAIA. Cross-border transfers need SDAIA approval. Local representative required when revenue thresholds trigger.
- Israel Privacy Protection Law + Amendment 13 (effective 15 Aug 2025). GDPR-aligned; expanded "personal info" definition; mandatory Privacy Protection Officer; fines up to 5% turnover.
- Egypt Law 151/2020. Cross-border transfer licence + consent default.
- Qatar Law 13/2016 PDPPL. Consent + notification regime.
- Bahrain PDPL 30/2018. Registration of controllers; consent.
- Oman Royal Decree 6/2022 PDPL. Cross-border transfer licence.
- Jordan PDPL 24/2023. Conditional DPO; data subject rights.
Counsel review
The DPA template, SCCs Module Two, UK IDTA addendum, Swiss FADP rider, and regional addenda are reviewed by EU privacy counsel before each commercial release. Sign-off is captured in docs/legal/counsel-sign-off.md with the counsel's name, review date, and scope. Counsel review is a launch-blocking gate. Until counsel has signed off, working copies of the contract package are shared bilaterally on request via admin@syncanix.com.
How to request the package
- Email admin@syncanix.com with your legal entity name, the deployment jurisdiction(s), and which addenda you need (UK, Swiss, KSA, UAE, Israel, etc.).
- Syncanix returns the working copy within 2 business days, populated with the annexes for the sub-processors that apply to your deployment.
- Negotiation and counter-signature take place by email or via a DocuSign / Adobe-Sign workflow at the customer's preference.
- Once counsel sign-off lands, this page links the signed published templates directly here as .pdf downloads.
Related
- Subprocessor list → — the entities the SCCs annexes reference.
- Security overview → — the Article 32 measures captured in the DPA.
- Privacy notice → — Article 28 § 3(a) instruction-of-controller scope.
- Compliance status → — SOC 2 / ISO 27001 evidence that substantiates Article 32.
Contact
- DPA / SCCs / addendum requests + GDPR escalation: admin@syncanix.com.
- Procurement, vendor questionnaires, and general trust questions: admin@syncanix.com.