GDPR Compliance
1. Introduction
TOV «Sinaptic AI» (“Sinaptic”) is fully committed to compliance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”). As a Ukrainian company operating within the Diia.City framework and serving clients across the European Economic Area, we have implemented comprehensive technical and organizational measures to ensure that personal data is processed lawfully, fairly, and transparently.
This document describes our GDPR compliance framework, including our roles as data controller and processor, our Data Processing Agreement provisions, sub-processor management, cross-border transfer mechanisms, data subject rights procedures, breach notification protocols, and Data Protection Officer appointment.
2. Sinaptic as Data Controller and Data Processor
2.1 Data Controller Role
Sinaptic acts as a data controller when we determine the purposes and means of processing personal data. This includes processing related to:
- Our website visitors’ data (analytics, contact form submissions, cookie data).
- Prospective customer data collected through marketing activities, events, and sales outreach.
- Customer account information required for service provisioning and billing.
- Employee and contractor personal data (governed by separate internal policies).
2.2 Data Processor Role
Sinaptic acts as a data processor when we process personal data on behalf of our enterprise clients through our products:
- Browser DLP: When monitoring and classifying data within a client’s browser environment, personal data such as employee browsing metadata and content classifications are processed on the client’s behalf.
- Sinaptic AI Intent Firewall®: Action verification logs may contain references to personal data depending on the nature of the AI agent actions being verified.
- Sinaptic® DROID+: Deployed agents may interact with or process personal data as part of the client’s business processes.
In the processor role, Sinaptic processes personal data exclusively in accordance with the client’s documented instructions and the terms of the applicable Data Processing Agreement.
3. Data Processing Agreement (DPA) Provisions
Sinaptic enters into a Data Processing Agreement with every client for whom we act as a data processor, in compliance with Article 28 of the GDPR. Our standard DPA includes the following provisions:
- Subject Matter and Duration: Clear definition of the nature, purpose, and duration of processing, the types of personal data processed, and the categories of data subjects.
- Processing Instructions: Sinaptic processes personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organization.
- Confidentiality: All Sinaptic personnel authorized to process personal data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Security Measures: Implementation of appropriate technical and organizational measures as required by Article 32, including encryption, pseudonymization, access controls, and regular testing.
- Sub-processing: Sinaptic shall not engage another processor without prior specific or general written authorization of the controller. Where general authorization is given, Sinaptic informs the controller of any intended changes.
- Assistance with Data Subject Rights: Sinaptic assists the controller in responding to requests from data subjects exercising their rights under the GDPR.
- Breach Notification: Sinaptic notifies the controller without undue delay after becoming aware of a personal data breach.
- Data Return and Deletion: Upon termination of the DPA, Sinaptic deletes or returns all personal data to the controller, at the controller’s choice, and deletes existing copies unless Union or Member State law requires storage.
- Audit Rights: Sinaptic makes available to the controller all information necessary to demonstrate compliance and allows for and contributes to audits, including inspections, conducted by the controller or an auditor mandated by the controller.
4. Sub-Processors
Sinaptic engages a limited number of sub-processors to support the delivery of our Services. Each sub-processor is:
- Subject to a written agreement imposing data protection obligations no less protective than those in our DPA with the controller.
- Assessed for GDPR compliance, including verification of appropriate technical and organizational security measures, prior to engagement.
- Monitored on an ongoing basis for continued compliance with their contractual and legal obligations.
We maintain a current list of sub-processors that records, for each sub-processor, its name, location, and a description of its processing activities. This list is provided to clients upon execution of the DPA and updated whenever changes occur.
Clients who have opted for change notifications under our DPA will receive at least 30 days’ advance notice before a new sub-processor begins processing personal data, along with a reasonable opportunity to object.
5. Cross-Border Data Transfers
Sinaptic is headquartered in Kyiv, Ukraine. While Ukraine has not yet received a general adequacy decision from the European Commission under Article 45 of the GDPR, our participation in the Diia.City program reflects Ukraine’s commitment to aligning its regulatory framework with EU standards. We employ the following transfer mechanisms to ensure lawful cross-border data transfers:
5.1 Standard Contractual Clauses
For transfers of personal data from the EEA to Ukraine, we implement the Standard Contractual Clauses (SCCs) adopted by the European Commission under Implementing Decision (EU) 2021/914. We execute the appropriate modules depending on the transfer scenario (controller-to-processor or processor-to-processor).
5.2 Transfer Impact Assessment
In accordance with the guidance from the European Data Protection Board (EDPB), we have conducted a Transfer Impact Assessment (TIA) evaluating the legal framework for government access to personal data in Ukraine. This assessment considers:
- Ukrainian legislation on surveillance and law enforcement access.
- Judicial oversight mechanisms and procedural safeguards.
- The practical experience of Sinaptic with government access requests (to date, none received).
- The nature of the data being transferred and the potential impact on data subjects.
5.3 Supplementary Technical Measures
We implement supplementary technical measures to ensure effective protection of personal data transferred internationally, including:
- Encryption in transit and at rest using industry-standard algorithms.
- Pseudonymization and anonymization where feasible.
- Strict access controls limiting access to personal data to authorized personnel on a need-to-know basis.
- Technical architecture that minimizes the personal data that leaves the EEA.
6. Data Subject Rights
Sinaptic has established procedures to facilitate the exercise of data subject rights under Chapter III of the GDPR:
- Right of Access (Art. 15): Data subjects may request access to their personal data. We verify the identity of the requester and provide the requested information within 30 days.
- Right to Rectification (Art. 16): Requests for correction of inaccurate data are processed within 30 days.
- Right to Erasure (Art. 17): Erasure requests are honored where applicable, subject to legal retention requirements.
- Right to Restriction (Art. 18): Processing may be restricted upon request while accuracy disputes are resolved.
- Right to Data Portability (Art. 20): Personal data is provided in structured, machine-readable format upon request.
- Right to Object (Art. 21): Objections to processing based on legitimate interest are assessed and acted upon promptly.
When Sinaptic acts as a data processor, data subject requests received by Sinaptic are promptly forwarded to the relevant controller, and Sinaptic assists the controller in fulfilling such requests in accordance with the DPA.
To exercise your rights, contact us at hello@sinaptic.ai.
7. Personal Data Breach Notification
Sinaptic has implemented a comprehensive breach detection, assessment, and notification process in compliance with Articles 33 and 34 of the GDPR.
7.1 Notification to Supervisory Authority
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, Sinaptic (as data controller) will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Where notification is not made within 72 hours, the notification will be accompanied by reasons for the delay.
7.2 Notification to Data Subjects
Where a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, Sinaptic will communicate the breach to the affected data subjects without undue delay, describing the nature of the breach, the likely consequences, and the measures taken or proposed to address it.
7.3 Notification to Controllers (Processor Role)
When acting as a data processor, Sinaptic will notify the relevant controller without undue delay after becoming aware of a personal data breach affecting the controller’s data. This notification will include:
- A description of the nature of the breach, including where possible the categories and approximate number of data subjects and records concerned.
- The name and contact details of the DPO or other contact point for further information.
- A description of the likely consequences of the breach.
- A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects.
7.4 Breach Register
Sinaptic maintains a register of all personal data breaches, including the facts relating to the breach, its effects, and the remedial action taken. This register is available for inspection by supervisory authorities upon request.
8. Data Protection Officer
Sinaptic has appointed a Data Protection Officer (DPO) in accordance with Article 37 of the GDPR. The DPO:
- Informs and advises Sinaptic and its employees on their obligations under the GDPR and other applicable data protection laws.
- Monitors compliance with the GDPR, other Union or Member State data protection provisions, and Sinaptic’s data protection policies.
- Provides advice on Data Protection Impact Assessments (DPIAs) and monitors their performance.
- Serves as the contact point for data subjects and the supervisory authority.
- Reports directly to the highest level of management within Sinaptic.
9. Records of Processing Activities
In compliance with Article 30 of the GDPR, Sinaptic maintains comprehensive records of processing activities, both as a data controller and as a data processor. These records include the purposes of processing, categories of data subjects and personal data, categories of recipients, information on international transfers, envisaged retention periods, and a general description of technical and organizational security measures. These records are maintained in written (electronic) form and are made available to supervisory authorities upon request.
10. Data Protection Impact Assessments
Sinaptic conducts Data Protection Impact Assessments (DPIAs) in accordance with Article 35 of the GDPR for any type of processing that is likely to result in a high risk to the rights and freedoms of natural persons, particularly where it involves the use of new technologies, automated decision-making, or large-scale processing of personal data. DPIAs are conducted before the commencement of such processing and are reviewed whenever there is a material change in the nature, scope, context, or purposes of processing.
Request Compliance Information
For questions about our GDPR compliance, to request a copy of our DPA, or to exercise your data protection rights, please contact us at hello@sinaptic.ai.