Skip to content
SStaySynq
← Home

Data Processing Agreement

Last updated:

This DPA forms part of the StaySynq Terms of Service and reflects the parties' agreement on the processing of personal data under GDPR, UK GDPR, and equivalent laws.

1. Roles

Customer is the data controller. StaySynq is the data processor. StaySynq processes personal data only on documented instructions from Customer, except where required by applicable law.

2. Scope of processing

Subject matter: provision of the StaySynq platform.

Duration: the subscription term plus the data retention period set out in the Privacy Policy.

Nature: hosting, storage, processing, and transmission of personal data to operate the platform.

Data subjects: Customer's employees, guests, prospects, and other business contacts.

3. StaySynq obligations

StaySynq will:

  • Process personal data only per Customer's documented instructions.
  • Ensure personnel are bound by confidentiality.
  • Implement appropriate technical and organizational measures (Annex II).
  • Assist Customer with data subject requests, DPIAs, and authority consultations.
  • Notify Customer without undue delay of personal data breaches.
  • Delete or return personal data at the end of the subscription term.
  • Make available the information necessary to demonstrate compliance and submit to audits.

4. Sub-processors

Customer authorizes StaySynq to engage sub-processors. We maintain a current list at staysynq.com/legal/subprocessors. We will notify Customer at least 30 days before adding a new sub-processor; Customer may object on reasonable data protection grounds.

5. International transfers

Where personal data is transferred outside the EEA, UK, or other restricted region, the transfer relies on the European Commission's Standard Contractual Clauses, the UK IDTA, or another approved mechanism, as appropriate.

6. Annex II — Security measures

StaySynq implements the following measures (non-exhaustive): encryption in transit (TLS 1.3) and at rest (AES-256); SOC 2 Type II and ISO 27001 controls; least-privilege access with SSO/MFA; centralized audit logging; quarterly penetration tests; segregated tenant data; documented incident response; secure SDLC with code review and dependency scanning; physical security at hosting providers; ongoing security training.

7. Execution

This DPA takes effect on the start of the subscription term. To request a signed copy or negotiate amendments, email legal@staysynq.com.

Related
Privacy PolicyTerms of ServiceSecurity