Data Processing Addendum
This Data Processing Addendum (“DPA”) forms part of the Terms of Service between Synthfy LLC and you.
1. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person processed by Synthfy on your behalf
- Processing: Any operation performed on Personal Data, including collection, recording, storage, alteration, retrieval, disclosure, or deletion
- Sub-processor: Any third party engaged by Synthfy to process Personal Data on your behalf
2. Scope & Roles
- Data Controller: You (the Customer) determine the purposes and means of processing Personal Data
- Data Processor: Synthfy LLC processes Personal Data on your behalf as necessary to provide the Service
This DPA applies to all Personal Data processed by Synthfy in connection with your use of the Service, including call recordings, caller information, and SMS data.
3. Data Processing Obligations
Synthfy shall: process Personal Data only on your documented instructions; ensure authorized personnel have committed to confidentiality; implement appropriate technical and organizational security measures; assist you in responding to data subject requests; make available all information necessary to demonstrate compliance; and notify you of any Personal Data breach without undue delay (within 72 hours).
4. Sub-processors
You authorize Synthfy to engage the following sub-processors:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Google LLC | Secure computational hosting, primary cloud environment, and conversational AI model inference services. | United States |
| Railway | Primary web application hosting, user dashboard containers, and secure database storage. | United States |
| SignalWire | Enterprise telecommunications carrier services, voice telephony routing, and secure SMS messaging transit. | United States |
| Postmark | Automated billing confirmation transmission, system notifications, and transaction email delivery. | United States |
| PayPal | Secure PCI-compliant customer payment processing, subscription transaction handling, and billing services. | United States |
| Cloudflare | Domain name resolution, edge security protection, DDoS mitigation, and global CDN caching services. | United States |
Synthfy will notify you before adding or replacing sub-processors.
5. Security Measures
- TLS 1.2/1.3 in transit, AES-256 at rest, AES-256-GCM for OAuth tokens
- Role-based access controls, SSH key-based authentication
- Automated threat detection and logging
- Daily encrypted backups with tested restore procedures
- HMAC-signed webhook verification between high-speed AI engine and secure user dashboard servers
- Incident response procedures with 72-hour notification
6. Data Transfers
All data is processed and stored within the United States. If data transfers outside the US become necessary, Synthfy will notify you in advance.
7. Data Subject Rights
Synthfy will assist you in fulfilling data subject requests (access, rectification, deletion, data portability, objection) within 30 days.
8. Data Retention & Deletion
Upon termination of your account, Synthfy will delete or return all Personal Data within 30 days, delete existing copies unless legally required to retain, and provide written certification of deletion upon request.
9. HIPAA Notice
Synthfy is not HIPAA-certified and does not offer Business Associate Agreements (BAAs). This DPA does not constitute a BAA. Do not use Synthfy to process Protected Health Information (PHI). Synthfy is intended for administrative, non-clinical business communications only.
10. Contact
- Email: [email protected]