Last Updated: March 2026
This Data Processing Addendum ("DPA") forms part of the Terms of Service (the "Agreement") entered into between Synckony Pty Ltd (ABN [to be inserted]) ("Synckony", "we", "us") and you ("Customer", "you") that incorporates this DPA by reference. This DPA governs the processing of Personal Data by Synckony in providing the Service (as defined in the Agreement).
This DPA does not apply to Personal Data once transferred from the Service to a Third-Party Service (as defined in the Agreement), as your agreement with that Third-Party Service will instead govern.
In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing of Personal Data.
1. Definitions
1.1. "Applicable Data Protection Law" means all applicable laws and regulations relating to the processing of Personal Data and privacy, including without limitation: (a) the Australian Privacy Act 1988 (Cth) ("Australian Privacy Act") and the Australian Privacy Principles ("APPs"); (b) the General Data Protection Regulation (EU) 2016/679 ("GDPR"); (c) the Data Protection Act 2018 and the UK GDPR as saved into United Kingdom law by virtue of Section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 ("UK GDPR"); (d) the Swiss Federal Act on Data Protection ("Swiss FADP"); (e) the Brazilian Lei Geral de Proteção de Dados ("LGPD"); (f) the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA"); (g) the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, the Utah Consumer Privacy Act, and other applicable U.S. state privacy laws; and (h) any other applicable data protection or privacy law, in each case as amended, superseded, or replaced from time to time.
1.2. "Australian Data" means Personal Data that is subject to the protection of the Australian Privacy Act.
1.3. "Connected Platform" means the third-party ecommerce platform to which Customer connects a store via the Service (currently Maropost Commerce Cloud / Neto).
1.4. "Controller", "Processor", "Data Subject", "Processing" (and "Process"), and "Supervisory Authority" each have the meaning given to them in Applicable Data Protection Law, as appropriate.
1.5. "Controller to Processor SCCs" means Module Two (transfer controller to processor) of the European Commission Implementing Decision (EU) 2021/914, as updated or replaced from time to time.
1.6. "Customer Content" has the meaning given in the Agreement.
1.7. "Data Privacy Framework" means the EU-US Data Privacy Framework, the Swiss-US Data Privacy Framework, and the UK Extension to the EU-US Data Privacy Framework self-certification programmes (as applicable) operated by the U.S. Department of Commerce, as may be amended, superseded, or replaced from time to time.
1.8. "Europe" means the European Union, the European Economic Area and/or their member states, Switzerland, and the United Kingdom.
1.9. "European Data" means Personal Data that is subject to the protection of European Data Protection Laws.
1.10. "European Data Protection Laws" means (a) the GDPR; (b) the UK GDPR; and (c) the Swiss FADP; in each case as may be amended, superseded, or replaced from time to time.
1.11. "Personal Data" means (a) personal data, personal information, or personally identifiable information (as defined under Applicable Data Protection Law) that is subject to Applicable Data Protection Law and (b) that is contained within Customer Content, for which Customer authorises Synckony to collect and process on Customer's behalf in connection with Synckony's provision of the Service under the Agreement.
1.12. "Processor to Processor SCCs" means Module Three (transfer processor to processor) of the European Commission Implementing Decision (EU) 2021/914, as updated or replaced from time to time.
1.13. "Security Incident" means a confirmed breach of security of the Service or Synckony's systems used to process Personal Data leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data processed by Synckony. Security Incidents do not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful login attempts, pings, port scans, denial-of-service attacks, or other network attacks on firewalls or networked systems.
1.14. "Sensitive Information" means any Personal Data (a) revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; (b) that is genetic data, biometric data processed for the purposes of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation; (c) relating to criminal convictions and offences; and (d) any other form of Personal Data that is afforded enhanced protection under Applicable Data Protection Law.
1.15. "Shadow State" means the fingerprint-based record maintained by Synckony consisting exclusively of cryptographic hashes (xxHash64 fingerprints) used for change detection, which does not contain the underlying Personal Data itself.
1.16. "Subprocessor" means any third party engaged by Synckony to process Personal Data on behalf of Customer in connection with the Service.
1.17. "Subprocessor List" means the list of Synckony's Subprocessors as published at [synckony.com/legal/subprocessors].
1.18. "UK Addendum" means the template Addendum B.1.0 issued by the UK's Information Commissioner's Office and laid before Parliament in accordance with s119A of the Data Protection Act 2018 of the UK on 2 February 2022, and in force from 21 March 2022, as updated or replaced from time to time.
2. Description of Processing
2.1. Categories of Data Subjects. As set out in Schedule 1 (Details of Processing).
2.2. Types of Personal Data. As set out in Schedule 1 (Details of Processing).
2.3. Subject-Matter and Nature of Processing. The subject-matter of processing of Personal Data by Synckony is the provision of the Service to Customer that involves processing of Personal Data. Synckony polls the Connected Platform API on Customer's behalf, detects changes in resource data via fingerprint comparison, and delivers webhook notifications containing changed resource data to Customer's configured endpoints and Third-Party Services.
2.4. Purpose of Processing. Personal Data will be processed by Synckony for the purposes of: (a) providing the Service, including polling, change detection, webhook delivery, and integration execution; (b) maintaining the Shadow State for change detection purposes; (c) temporary storage of webhook payloads for retry delivery (up to 72 hours); (d) providing related support and maintaining the Service; and (e) as otherwise described in the Agreement.
2.5. Duration of Processing. Personal Data will be processed for the duration of the Agreement, subject to Section 16 of this DPA.
3. Roles of the Parties
3.1. Customer is the Controller (or, where Customer is itself a Processor acting on behalf of another Controller, the Processor passing down relevant processing instructions to Synckony). Synckony is the Processor (or Sub-processor, as applicable) acting on Customer's documented instructions.
3.2. Customer acknowledges that Synckony is an independent Controller when carrying out activities not related solely to Synckony's processing of Personal Data on Customer's behalf (such as Synckony's management of its website analytics, customer accounts, billing, and marketing activities).
4. Processing Requirements
4.1. Synckony will process Personal Data in its capacity as Processor: (a) for the purpose of providing and supporting the Service in accordance with the Agreement, this DPA, and any other documented lawful instructions from Customer; (b) to develop, enhance, and improve the Service as provided by the Agreement; and (c) as otherwise required by applicable law. Synckony will at all times comply with Applicable Data Protection Law in processing Personal Data under the Agreement.
4.2. In case Synckony cannot process Personal Data in accordance with Customer's instructions due to a legal requirement under any applicable law, Synckony shall (a) promptly notify Customer in writing (including by email) of such legal requirement before carrying out the relevant processing, to the extent permitted by applicable law, and (b) cease all processing (other than merely storing and maintaining the security of the affected Personal Data) until Customer provides new instructions.
4.3. Notwithstanding anything to the contrary in the Agreement, where required by Applicable Data Protection Law, Synckony shall not: (a) retain, use, or disclose Personal Data other than as provided for in the Agreement or as needed to perform the Service; (b) "sell" or "share" Personal Data (as those terms are defined by the CCPA); (c) process Personal Data except as necessary for the business purposes specified in the Agreement or this DPA; or (d) retain, use, disclose, or otherwise process Personal Data outside of the direct business relationship with Customer and not combine Personal Data with personal information that it receives from other sources, except as permitted under the CCPA.
4.4. Customer Responsibilities. Customer is solely responsible for: (a) the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data; (b) complying with all necessary transparency and lawfulness requirements under Applicable Data Protection Law for the collection and use of Personal Data, including obtaining any necessary consents and authorisations; (c) ensuring Customer has the right to transfer, or provide access to, Personal Data to Synckony for processing in accordance with the terms of the Agreement (including this DPA); and (d) ensuring that Customer's instructions to Synckony regarding the processing of Personal Data comply with applicable laws, including Applicable Data Protection Law.
4.5. Security Adequacy. Customer is responsible for independently determining whether the data security provided by the Service adequately meets Customer's obligations under Applicable Data Protection Law. Customer acknowledges that it is solely responsible for certain configurations and design decisions for the Service (including polling frequencies, webhook endpoints, and Integration selections) and for implementing those configurations in a secure manner.
4.6. No Sensitive Information. Customer acknowledges that the Service is not intended or designed for the processing of Sensitive Information, and Customer agrees not to provide any Sensitive Information through the Service. Synckony shall have no liability for any Sensitive Information processed through the Service in violation of this section.
5. Shadow State and Data Minimisation
5.1. Synckony maintains a Shadow State consisting exclusively of xxHash64 fingerprints derived from Customer's Connected Platform resource data. The Shadow State stores only: tenant identifier, resource type, resource identifier, content hash, and timestamp of last observation. No underlying Personal Data is stored in the Shadow State.
5.2. Full resource data (which may contain Personal Data) flows through the Service transiently for the purposes of: (a) computing fingerprints for change detection; (b) constructing webhook payloads for delivery to Customer's configured endpoints; and (c) temporary storage in the retry buffer for up to 72 hours in the event of delivery failure.
5.3. Synckony does not persistently store full resource data beyond the 72-hour retry window. Once a webhook payload is successfully delivered or the retry window expires, the full resource data is deleted from Synckony's systems.
6. Security
6.1. Synckony shall implement and maintain throughout the term of the Agreement reasonable and appropriate technical and organisational measures designed to protect Personal Data against unauthorised or accidental access, loss, alteration, disclosure, or destruction, as further described in Schedule 2 (Technical and Organisational Measures).
6.2. Synckony will take appropriate steps to ensure compliance with the Technical and Organisational Measures by its employees, agents, contractors, and Subprocessors to the extent applicable to their scope of performance, including ensuring that all persons authorised to process Personal Data have agreed to appropriate confidentiality obligations.
6.3. Customer acknowledges that the Security Measures are subject to technical progress and development and that Synckony may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the material degradation of the overall security of the Service.
7. Security Incident
7.1. If Synckony becomes aware of a Security Incident, Synckony will: (a) notify Customer without undue delay, and not later than 72 hours after Synckony confirms the Security Incident; and (b) make reasonable efforts to identify the cause of the Security Incident, mitigate the effects, and remediate the cause to the extent within Synckony's reasonable control.
7.2. Upon Customer's request and taking into account the nature of the applicable processing, Synckony will assist by providing, when available, information reasonably necessary for Customer to meet its Security Incident notification obligations under Applicable Data Protection Law.
7.3. Customer acknowledges that Synckony providing notification of a Security Incident is not an acknowledgement of fault or liability.
8. Confidentiality
Synckony will ensure that its personnel authorised to process Personal Data are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
9. Data Subject Requests
9.1. Customer is responsible for handling any requests or complaints from Data Subjects with respect to their Personal Data processed by Synckony under this DPA.
9.2. If Synckony receives a request from a Data Subject in relation to the Data Subject's Personal Data processed under Customer's Service account, Synckony will notify Customer and advise the Data Subject to submit the request to Customer, and Customer will be responsible for responding to any such request.
9.3. Taking into account the nature of the processing, Synckony will provide reasonable assistance to Customer in fulfilling Customer's obligation to respond to Data Subject requests, to the extent Customer is unable to address such requests through the Service's existing functionality.
10. Data Protection Impact Assessments
Where required by Applicable Data Protection Law, Synckony will provide reasonable assistance to Customer with conducting any legally required data protection impact assessments with respect to the processing of Personal Data by Synckony (including, where necessary, subsequent consultation with a Supervisory Authority with jurisdiction over such processing), taking into account the nature of processing and the information available to Synckony.
11. Audits
11.1. To the extent necessary and required by Applicable Data Protection Law, Customer may, at Customer's sole expense, conduct a reasonable audit pursuant to a mutually agreed-upon audit plan with Synckony that is consistent with the requirements of this Section 11.
11.2. Customer may exercise such audit right: (a) to the extent Synckony's provision of third-party audit reports (e.g., SOC 2 reports, when available) does not provide sufficient information to verify Synckony's compliance with this DPA; and (b) where required by Applicable Data Protection Law or a relevant government authority.
11.3. Each such audit must: (a) be conducted by Customer or through a third-party auditor on Customer's behalf that will enter into a confidentiality agreement with Synckony; (b) be limited in scope to matters reasonably required to assess Synckony's compliance with this DPA and Applicable Data Protection Law; (c) occur no more than once annually (unless required under Applicable Data Protection Law); (d) cover only processing facilities directly controlled by Synckony; (e) restrict findings to Customer's Personal Data only; and (f) treat any results as confidential information to the fullest extent permitted by Applicable Data Protection Law.
11.4. Synckony shall make available its privacy and security policies and other such information necessary to demonstrate compliance with the obligations set forth in this DPA.
12. Subprocessors
12.1. General Authorisation. Customer provides general authorisation for Synckony to engage Subprocessors in accordance with this Section 12 and approves Synckony's use of the Subprocessors listed on the Subprocessor List as at the date of the Agreement.
12.2. Subprocessor Obligations. Synckony will enter into a written agreement with each Subprocessor imposing data protection obligations substantially the same as those set out in this DPA. Synckony will be liable for the acts and omissions of its Subprocessors undertaken in connection with Synckony's performance under this DPA to the same extent Synckony would be liable if performing the Services directly.
12.3. Subprocessor List. Synckony will maintain a current list of its Subprocessors, including their functions and locations, as specified on the Subprocessor List.
12.4. Notification of Changes. Synckony may update the Subprocessor List from time to time. In the event that Synckony updates the Subprocessor List, Synckony will provide fourteen (14) days' advance written notice (which may be via email, a posting on the Synckony website, or notification through the Synckony dashboard).
12.5. Objection to New Subprocessors. In the event that Customer does not wish to consent to the use of an additional Subprocessor, Customer may notify Synckony that it does not consent within fourteen (14) days of Synckony's advance written notice, based on reasonable data protection concerns. In such case, the parties will discuss such concerns in good faith.
12.6. Resolution. If the parties are unable to reach a mutually agreeable resolution to Customer's objection to a new Subprocessor, Customer, as its sole and exclusive remedy, may terminate the affected portion of the Service for convenience, and Synckony will refund any pre-paid unused fees for the terminated portion of the applicable Subscription Term.
13. International Data Transfers
13.1. Authorisation. In connection with the performance of the Agreement, Customer authorises Synckony to transfer Personal Data internationally. Customer acknowledges that Personal Data may be transferred to and processed by Synckony and its Subprocessors in Australia, the United States, and other jurisdictions where Synckony and its Subprocessors have operations. Whenever Personal Data is transferred outside its country of origin, each party will ensure such transfers are made in compliance with the requirements of Applicable Data Protection Law.
13.2. Transfers from Australia. Where Synckony transfers Australian Data outside Australia, Synckony will comply with Australian Privacy Principle 8 and take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to the information.
13.3. Transfers from Europe. To the extent that Synckony receives European Data, Synckony will comply with the following transfer mechanisms:
(a) Standard Contractual Clauses. The applicable Standard Contractual Clauses are incorporated by reference and form a part of this DPA as follows: (i) the Controller to Processor SCCs if the restricted transfer is subject to the GDPR and Synckony is acting as Customer's Processor; (ii) the Processor to Processor SCCs if the restricted transfer is subject to the GDPR and Synckony is acting as Customer's Sub-processor; (iii) in Clause 7 of the SCCs, the optional docking clause will apply; (iv) in Clause 9 of the SCCs, Option 2 will apply, and the time period for prior notice of Subprocessor changes shall be fourteen (14) days as set out in Section 12.4 of this DPA; (v) in Clause 11 of the SCCs, the optional language shall not apply; (vi) in Clause 17 of the SCCs, Option 1 will apply, and the SCCs will be governed by the laws of Ireland; (vii) in Clause 18(b) of the SCCs, disputes shall be resolved before the courts of Dublin, Ireland; (viii) Annex I of the SCCs is completed with the information in Schedule 1 of this DPA; (ix) Annex II of the SCCs is completed with the information in Schedule 2 of this DPA.
(b) UK Addendum. If the restricted transfer is subject to the UK GDPR, the UK Addendum shall apply. For the purposes of the UK Addendum: (i) the information required for Table 1 is contained in Schedule 1 of this DPA, and the start date shall be the commencement of the Service; (ii) in relation to Table 2, the version of the EU Clauses to which the UK Addendum applies is the Controller to Processor SCCs (or Processor to Processor SCCs, as applicable); (iii) in relation to Table 3, the list of parties and description of transfer are as set out in Schedule 1, and technical and organisational measures are as set out in Schedule 2; and (iv) in relation to Table 4, neither party will be entitled to terminate the UK Addendum in accordance with clause 19 of Part 2 of the UK Addendum.
(c) Swiss Transfers. If the restricted transfer consists of Personal Data originating from Switzerland, the SCCs shall apply with the following modifications: (i) "FDPIC" means the Swiss Federal Data Protection and Information Commissioner; (ii) the term "EU Member State" must not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland); and (iii) the FDPIC shall act as the "competent Supervisory Authority".
13.4. Transfers of Brazilian Data. If the restricted transfer is subject to the LGPD, the Standard Contractual Clauses set forth in Resolution CD/ANPD No. 19/2024 shall apply.
14. U.S. State Privacy Laws
14.1. Where Synckony processes Personal Data subject to U.S. Data Protection Laws, Synckony shall: (a) not sell or share (as defined under applicable U.S. Data Protection Laws) Personal Data; (b) not retain, use, or disclose Personal Data for any purpose other than the business purposes specified in the Agreement and this DPA; (c) not retain, use, or disclose Personal Data outside of the direct business relationship with Customer; and (d) not combine Personal Data with personal information received from or on behalf of another person, except as permitted by applicable U.S. Data Protection Laws.
14.2. Synckony certifies that it understands and will comply with the restrictions set out in Section 14.1.
15. Aggregated and De-Identified Data
Synckony may collect and use aggregated and de-identified data derived from Customer's use of the Service for the purposes of improving the Service, generating analytics, and producing industry benchmarks. Such data will be de-identified in accordance with Applicable Data Protection Law and will not identify Customer or any individual Data Subject.
16. Data Retention and Deletion
16.1. Upon expiration or termination of the Agreement, Synckony will: (a) cease processing Personal Data on Customer's behalf; and (b) within thirty (30) days of termination, provide Customer with the ability to export or retrieve Customer's configuration data from the Service.
16.2. Following the thirty (30) day export period, Synckony will delete Personal Data in its possession or control, including any cached webhook payloads in the retry buffer, except to the extent Synckony is required by applicable law to retain copies of Personal Data, in which case Synckony will isolate and protect the Personal Data from any further processing except to the extent required by applicable law.
16.3. Shadow State data (xxHash64 fingerprints) will be deleted within thirty (30) days following termination. As the Shadow State contains only cryptographic hashes and no underlying Personal Data, its retention does not constitute continued processing of Personal Data.
16.4. This DPA remains in effect until the later of: (a) the expiration or termination of the Agreement; and (b) the deletion of all Personal Data in accordance with this Section 16.
17. Liability
Each party's liability arising out of or related to this DPA (including the SCCs) shall be subject to the exclusions and limitations of liability set out in the Agreement.
18. General
18.1. This DPA, together with the Agreement, constitutes the entire agreement between the parties with respect to the processing of Personal Data in connection with the Service.
18.2. Synckony may amend this DPA from time to time. Material changes will be communicated at least thirty (30) days prior to taking effect. Customer's continued use of the Service after the effective date of any amendment constitutes acceptance.
18.3. If any provision of this DPA is held to be invalid, illegal, or unenforceable, the remaining provisions shall remain in full force and effect.
Schedule 1: Details of Processing
A. List of Parties
Data Exporter (Customer):
Name, address, contact details, and activities as provided in Customer's Account registration.
Role: Controller (or Processor on behalf of another Controller).
Data Importer (Synckony):
Synckony Pty Ltd
Email: [email protected]
Role: Processor (or Sub-processor).
B. Description of Transfer
Categories of Data Subjects:
Data Subjects include Customer's end users, customers, and other individuals whose Personal Data is contained within Customer's Connected Platform store data. This may include: online shoppers, wholesale buyers, account holders, email subscribers, loyalty programme members, and individuals who have submitted orders, enquiries, or reviews through Customer's Connected Platform store.
Categories of Personal Data:
Personal Data processed through the Service may include, depending on Customer's Connected Platform configuration and the resource types Customer elects to monitor:
- Contact information: names, email addresses, phone numbers, billing and shipping addresses
- Transaction data: order details, order history, payment method types (not payment card numbers), purchase amounts, currency
- Account data: customer account identifiers, account creation dates, customer group classifications
- Product interaction data: cart contents, wishlist items, product reviews, RMA/return requests
- Communication preferences: marketing opt-in status, newsletter subscription status
- Technical identifiers: IP addresses (where collected by the Connected Platform), browser user agent strings
Sensitive Information: None. The Service is not intended for processing Sensitive Information.
Frequency of Transfer: Continuous, based on Customer's configured polling frequency (ranging from every 2 minutes to every 60 minutes per resource type).
Nature and Purpose of Processing: Synckony polls Customer's Connected Platform API, computes fingerprints of resource records, detects changes by comparing fingerprints against the Shadow State, and delivers webhook notifications containing changed resource data to Customer's configured endpoints and Third-Party Services. Personal Data flows transiently through the Service for change detection, payload construction, and delivery. Full resource data is not persistently stored beyond a 72-hour retry buffer.
Retention Period: Personal Data in transit is retained only for the duration of webhook delivery (immediate delivery or up to 72 hours in the retry buffer). Shadow State fingerprints (which do not contain Personal Data) are retained for the duration of the Agreement plus thirty (30) days.
C. Competent Supervisory Authority
The competent Supervisory Authority shall be determined in accordance with Applicable Data Protection Law. For Australian Data, the relevant authority is the Office of the Australian Information Commissioner (OAIC).
Schedule 2: Technical and Organisational Measures
Synckony implements and maintains the following technical and organisational measures to protect Personal Data.
1. Access Controls
- Access to production systems is restricted to authorised personnel with a documented need-to-know.
- User access controls address timely provisioning and de-provisioning of accounts.
- Multi-factor authentication is required for all personnel accessing production infrastructure.
- Role-based access control (RBAC) is implemented across all systems.
2. Encryption
- All data in transit is encrypted using TLS 1.2 or higher.
- Connected Platform API keys provided by Customers are encrypted at rest using AES-256 encryption.
- Database storage (Turso/libSQL) is encrypted at rest.
- Redis cache (Upstash) connections use TLS encryption.
3. Infrastructure Security
- The Service is hosted on Railway, which provides managed container infrastructure with automatic security patching.
- The database layer (Turso) is a distributed SQLite platform with edge replication and encrypted storage.
- The caching layer (Upstash Redis) provides serverless Redis with TLS encryption and SOC 2 Type II certification.
- DNS and CDN services (Cloudflare) provide DDoS mitigation, WAF protection, and SSL/TLS management.
4. Authentication and Authorisation
- Customer authentication is managed through Clerk, which provides secure session management, multi-factor authentication support, and OAuth 2.0 flows.
- Webhook endpoints receive HMAC-SHA256 signed payloads, enabling recipients to verify authenticity.
- API authentication uses bearer tokens with scoped permissions.
5. Monitoring and Logging
- Application logging is provided through Axiom with structured log ingestion and retention.
- Error tracking and alerting is provided through Sentry with real-time exception monitoring.
- Uptime monitoring is provided through BetterStack with alerting and incident management.
- Logs are retained for a minimum of thirty (30) days for operational and security purposes.
6. Data Minimisation
- The Shadow State stores only xxHash64 fingerprints (8-byte hashes), not the underlying resource data.
- Full resource data flows transiently and is not persistently stored beyond the 72-hour retry buffer.
- Connected Platform API credentials are configured with minimal required permissions (typically READ-only).
- Polling operates within a self-imposed rate limit of 200 requests per minute per store (40% of the Connected Platform's 500 req/min limit).
7. Incident Response
- Synckony maintains an incident response process for identifying, containing, and remediating security incidents.
- Security incident notifications are provided to affected Customers within 72 hours of confirmation.
- Post-incident reviews are conducted to identify root causes and implement preventive measures.
8. Personnel Security
- All personnel with access to Personal Data are subject to confidentiality obligations.
- Security awareness practices are maintained for personnel handling Customer data.
- Access is revoked promptly upon personnel role changes or termination.
9. Business Continuity
- The Service architecture uses distributed infrastructure with automatic failover capabilities.
- Database backups are maintained with point-in-time recovery capabilities.
- Synckony maintains uptime targets as published on the Synckony status page.
10. Vendor Management
- Subprocessors are evaluated for security and privacy practices before engagement.
- Subprocessors are required to maintain data protection obligations consistent with this DPA.
- The Subprocessor List is maintained and updated with advance notice to Customers.
Schedule 3: Subprocessors
The following Subprocessors are authorised to process Personal Data as at the date of this DPA. The current list is maintained at [synckony.com/legal/subprocessors].
| Subprocessor | Purpose | Location | Data Processed |
|---|---|---|---|
| Railway | Application hosting and compute | United States | Customer Content in transit, Shadow State data, configuration data |
| Turso (Chiselstrike) | Database storage (libSQL/SQLite) | Edge locations (US primary) | Shadow State fingerprints, tenant configuration, encrypted API keys |
| Upstash | Redis caching, job queue, rate limiting | United States | Temporary polling state, webhook delivery queue, rate limit counters |
| Clerk | Customer authentication and session management | United States | Account Information (names, email addresses, authentication credentials) |
| Stripe | Payment processing and billing | United States | Billing information (names, email addresses, payment method tokens) |
| Cloudflare | CDN, DNS, DDoS protection, SSL/TLS | Global edge network | Network traffic metadata, IP addresses |
| Axiom | Application logging and analytics | United States | Structured application logs (may include resource identifiers, error context) |
| Sentry | Error tracking and monitoring | United States | Error reports (may include request context, stack traces with resource identifiers) |
| BetterStack | Uptime monitoring and incident management | United States / EU | Uptime check responses, incident metadata |