Data Processing Agreement

Last updated: June 2026

This agreement governs how Sinthetix processes personal data on behalf of its clients, in compliance with GDPR and applicable data protection laws.

1. Definitions

"Controller" means the client who determines the purposes and means of processing personal data.

"Processor" means Sinthetix (Sinthetik Industries), which processes personal data on behalf of the Controller.

"Personal Data" has the meaning given in the GDPR (EU) 2016/679 and/or applicable national data protection laws.

"Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.

2. Scope and Purpose

This Data Processing Agreement ("DPA") applies where Sinthetix processes Personal Data on behalf of a client in connection with AI engineering, automation, or software development services.

Sinthetix processes Personal Data only to the extent necessary to deliver the agreed services and only on documented instructions from the Controller.

3. Processor Obligations

Sinthetix will: (a) process Personal Data only on the Controller's documented instructions; (b) ensure that personnel authorised to process Personal Data have committed to confidentiality; (c) implement appropriate technical and organisational measures as described in our Security page; (d) not engage a sub-processor without the Controller's prior written consent; (e) assist the Controller in responding to data subject rights requests; (f) delete or return all Personal Data upon termination of services.

4. Sub-processors

Sinthetix currently uses the following sub-processors in the delivery of services:

Supabase (Supabase Inc.) — database and authentication infrastructure, hosted in the United States.

Stripe (Stripe Inc.) — payment processing, hosted in the United States.

AWS (Amazon Web Services) — cloud compute and storage, regions as specified in the applicable SOW.

Sinthetix will notify the Controller of any intended changes to this list at least 14 days in advance, giving the Controller the opportunity to object.

5. International Transfers

Where Personal Data is transferred outside the European Economic Area (EEA) or the United Kingdom, Sinthetix will ensure such transfer is covered by an appropriate safeguard (e.g., Standard Contractual Clauses, adequacy decision, or equivalent mechanism).

6. Security

Sinthetix implements and maintains the technical and organisational security measures described at sinthetix.com/legal/security. These include TLS encryption in transit, encryption at rest, row-level access controls, and restricted credential management.

7. Data Subject Rights

Sinthetix will, to the extent technically feasible, assist the Controller in fulfilling data subject rights requests (access, rectification, erasure, restriction, portability, objection) within the timeframes required by applicable law.

8. Data Breach Notification

Sinthetix will notify the Controller without undue delay (and no later than 72 hours after becoming aware) of any confirmed Personal Data breach affecting Controller data, including sufficient information for the Controller to meet its own notification obligations.

9. Governing Law

This DPA is governed by the laws of the Commonwealth of Virginia. To the extent EU GDPR applies, the parties agree to apply the Standard Contractual Clauses (SCCs) as published by the European Commission.

10. Contact

To execute a signed DPA or for data protection enquiries: sales@sinthetix.com · Sinthetik Industries · Virginia, USA
