Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Synergia360 Ltd and each Customer. It sets out the terms on which Synergia360 processes personal data on behalf of the Customer, in accordance with Article 28 of UK GDPR and the Data Protection Act 2018. By using the Platform, the Customer agrees to this DPA.
1. Parties and Definitions
In this DPA:
- "Controller" means the Customer, being the entity that determines the purposes and means of processing personal data.
- "Processor" means Synergia360 Ltd (Company No. 13495021), which processes personal data on behalf of the Controller.
- "Data Subject" means the individual to whom personal data relates.
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined in UK GDPR.
- "Processing" has the meaning given in UK GDPR.
- "Sub-processor" means any third party engaged by Synergia360 to process personal data in the course of providing the Platform.
- "UK GDPR" means the UK General Data Protection Regulation, as retained in UK law by the European Union (Withdrawal) Act 2018, together with the Data Protection Act 2018.
2. Scope and Role
This DPA applies to all personal data processed by Synergia360 as Processor on behalf of the Controller in connection with the provision of the Synergia360 Platform. The subject matter, nature, purpose, and duration of processing, together with the types of personal data and categories of data subjects involved, are set out in Schedule 1.
For the avoidance of doubt, where Synergia360 processes personal data for its own purposes as a data controller (for example, the personal data of the Customer's Authorised Users for account management and billing), that processing is governed by the Synergia360 Privacy Policy and not by this DPA.
3. Processor Obligations
Synergia360, as Processor, shall:
3.1 Instructions
Process personal data only on documented instructions from the Controller, unless required to do so by applicable law. Where Synergia360 is required to process data by law, it will inform the Controller before processing (unless prohibited from doing so). If Synergia360 believes an instruction would infringe UK GDPR, it will notify the Controller.
3.2 Confidentiality
Ensure that all persons authorised to process the personal data are subject to appropriate confidentiality obligations, whether by contract or professional duty.
3.3 Security
Implement and maintain the technical and organisational security measures set out in Schedule 2 of this DPA, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity to the rights and freedoms of natural persons.
3.4 Sub-processors
Not engage any new Sub-processor without first notifying the Controller, in accordance with section 5 of this DPA.
3.5 Data subject rights
Provide reasonable assistance to the Controller to respond to requests from Data Subjects exercising their rights under UK GDPR, in accordance with section 9 of this DPA.
3.6 Assistance with compliance
Assist the Controller in ensuring compliance with its obligations under Articles 32–36 UK GDPR (security of processing, breach notification, data protection impact assessments, and prior consultation with the supervisory authority), taking into account the nature of the processing and the information available to Synergia360.
3.7 Deletion or return
At the Controller's choice, delete or return all personal data to the Controller after the end of the provision of services relating to processing, and delete existing copies unless applicable law requires retention, in accordance with section 11 of this DPA.
3.8 Audit cooperation
Make available to the Controller all information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits and inspections conducted by the Controller or a mandated auditor, subject to section 10.
4. Controller Obligations
The Controller represents and warrants that:
- It has all necessary rights, consents, and lawful bases to upload and instruct Synergia360 to process the personal data;
- The personal data has been collected and disclosed to Synergia360 in compliance with applicable data protection laws;
- It will comply with its obligations as Controller under UK GDPR, including providing required privacy notices to Data Subjects;
- Its instructions to Synergia360 will not cause Synergia360 to violate any applicable law.
5. Sub-processors
5.1 General authorisation
The Controller provides general authorisation for Synergia360 to engage Sub-processors as set out in Schedule 3. Synergia360 shall ensure that each Sub-processor is bound by contractual obligations equivalent to those imposed on Synergia360 under this DPA.
5.2 Changes to Sub-processors
Synergia360 will provide at least 14 days' advance written notice (by email to the Controller's registered account address) before engaging any new Sub-processor or making material changes to existing Sub-processors that may affect the security or privacy of personal data. The Controller may object to such changes within 14 days of notice on reasonable data protection grounds. If the parties cannot resolve the objection, the Controller may terminate the applicable services on written notice.
5.3 Responsibility for Sub-processors
Synergia360 remains fully liable to the Controller for the acts and omissions of its Sub-processors to the same extent as if Synergia360 had performed those acts or omissions directly.
6. International Data Transfers
Synergia360 will not transfer personal data to a country outside the UK or EEA unless:
- The transfer is to a country that benefits from a UK adequacy regulation;
- Appropriate safeguards are in place, such as UK International Data Transfer Agreements (IDTAs) or UK Addenda to EU Standard Contractual Clauses; or
- Another exception under UK GDPR Chapter V applies.
Details of international transfers and the applicable safeguards for each Sub-processor are included in Schedule 3.
7. Technical and Organisational Security Measures
Synergia360 implements the security measures described in Schedule 2, which address:
- Pseudonymisation and encryption of personal data;
- Ongoing confidentiality, integrity, availability, and resilience of processing systems;
- Ability to restore availability and access to personal data in the event of a physical or technical incident;
- Regular testing, assessing, and evaluating the effectiveness of technical and organisational measures.
8. Personal Data Breach Notification
8.1 Notification to Controller
Synergia360 will notify the Controller without undue delay, and in any event within 48 hours of becoming aware, of any personal data breach affecting personal data processed under this DPA. Notification will be sent to the Controller's registered account email address.
8.2 Content of notification
The initial notification will include, to the extent then known:
- A description of the nature of the breach, including the categories and approximate number of data subjects and records affected;
- The name and contact details of the Synergia360 data protection contact;
- A description of the likely consequences of the breach;
- The measures taken or proposed to address the breach, including mitigation measures.
Where complete information is not available at the time of initial notification, Synergia360 will provide further information as it becomes available.
8.3 Controller's notification obligations
The Controller is responsible for notifying the ICO and affected Data Subjects where required by UK GDPR (Articles 33 and 34). Synergia360's 48-hour notification is provided to enable the Controller to comply with its 72-hour notification obligation to the ICO under Article 33 UK GDPR. Synergia360 will cooperate reasonably with the Controller in connection with any such notifications.
9. Assistance with Data Subject Rights
Synergia360 will, upon the Controller's written request, provide commercially reasonable assistance to help the Controller fulfil its obligations to respond to requests from Data Subjects exercising rights under UK GDPR (including rights of access, rectification, erasure, restriction, portability, and objection). Synergia360 will forward any requests received directly from Data Subjects to the Controller without undue delay and in any event within five business days of receipt.
10. Audit Rights
Synergia360 will provide, on reasonable written request from the Controller (at least 30 days' notice), the following to demonstrate compliance with this DPA:
- Copies of relevant policies, procedures, and certifications;
- Responses to information security questionnaires;
- Third-party audit reports (such as SOC 2 or ISO 27001 if applicable and available).
Where the Controller requires an on-site audit, this may be conducted no more than once per calendar year, on reasonable notice and during normal business hours, subject to execution of an appropriate confidentiality agreement. The Controller shall bear the costs of any audit it requests.
11. Deletion on Termination
Following termination of the Agreement, or on written request from the Controller, Synergia360 will:
- Retain Customer Data for a period of 30 days to enable the Controller to export or retrieve its data;
- After the 30-day period (or immediately on the Controller's written instruction if shorter), securely and permanently delete all Customer Data from Synergia360's live systems;
- Use commercially reasonable efforts to procure the deletion of Customer Data from Sub-processor systems within 90 days;
- On request, provide the Controller with written confirmation of deletion.
Synergia360 may retain Customer Data beyond the 30-day period solely where required by applicable law (for example, HMRC record-keeping obligations), and will notify the Controller of such retention and the legal basis.
12. Liability
Each party's liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service. In the event of a conflict between this DPA and the Terms of Service regarding liability, the Terms of Service shall prevail, except to the extent that applicable data protection law requires otherwise.
13. Governing Law
This DPA is governed by the laws of England and Wales. Any disputes arising under this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.
Schedule 1 — Details of Processing
Schedule 1 to the Data Processing Agreement
Subject matter
The provision of the Synergia360 multi-tenant SaaS e-commerce analytics and management platform.
Nature and purpose of processing
Synergia360 processes personal data to deliver the following Platform features on behalf of the Controller:
- Aggregation and display of order data from connected e-commerce channels (Amazon, Shopify, eBay, Etsy, TikTok Shop, OnBuy, and others)
- Inventory management, stock allocation, and warehouse management
- Shipping label generation and carrier integration (Royal Mail, DPD, Evri, and others)
- Sales and analytics reporting
- Customer communication and notification workflows
- AI-assisted demand forecasting and anomaly detection
Duration of processing
For the duration of the Agreement, plus any retention period required under section 11 of this DPA or applicable law.
Types of personal data processed
- End-customer names, email addresses, phone numbers, and delivery addresses
- Order identifiers, basket contents, purchase history, and transaction values
- IP addresses and device identifiers (where collected by the Controller's channels)
- Returns, refund, and complaint data
- Warehouse staff names and system access logs (where applicable)
Categories of data subjects
- The Controller's end-customers (buyers on connected marketplaces and storefronts)
- The Controller's employees or contractors who use the Platform
Special category data
The Platform is not designed or intended for the processing of special category data (as defined in Art. 9 UK GDPR). The Controller must not upload or process special category data through the Platform without prior written agreement from Synergia360.
Schedule 2 — Technical and Organisational Security Measures
Schedule 2 to the Data Processing Agreement
Infrastructure security
- All production infrastructure hosted on Microsoft Azure (UK South, with secondary replication to West Europe)
- Azure Virtual Network with private endpoints; no direct public internet access to databases or internal services
- All data encrypted at rest using AES-256 (Azure-managed keys)
- All data encrypted in transit using TLS 1.2 or higher
- Azure Key Vault for secrets management; no plaintext credentials stored in code, configuration files, or databases
Access control
- Role-based access control (RBAC) enforced at application and infrastructure level
- Principle of least privilege applied to all service accounts and human operators
- Multi-factor authentication (MFA) required for all internal system access
- Regular review and revocation of access rights for leavers
- Row-level security on the database for tenant isolation
Data integrity and availability
- Azure SQL with automated geo-redundant backups; point-in-time restore up to 35 days
- Azure Blob Storage with locally redundant storage (LRS) and soft-delete enabled
- Target uptime of 99.9% per calendar month (excluding scheduled maintenance)
- Incident response runbooks maintained and tested at least annually
Application security
- Comprehensive audit logging of all material data access and changes, retained for 12 months
- Input validation and output encoding applied throughout the application
- Dependency vulnerability scanning in CI/CD pipeline
- Annual penetration testing by an independent security firm
- Security incident response procedure with 48-hour breach notification to Controller
Organisational measures
- Data protection training for all personnel with access to personal data
- Data Protection Policy, Acceptable Use Policy, and Incident Response Policy maintained internally
- Vendor due diligence process for all Sub-processors
- Privacy by design principles applied to new features and system changes
Schedule 3 — Approved Sub-processors
Schedule 3 to the Data Processing Agreement
The following Sub-processors are approved as at the effective date of this DPA. Synergia360 will notify the Controller of any changes in accordance with section 5.2 of this DPA.
| Sub-processor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Microsoft Azure | Cloud infrastructure hosting, compute, SQL database, blob storage, communication services | UK (primary: UK South); EU (secondary: West Europe) | UK adequacy (EU/EEA) / IDTA where applicable |
| Stripe, Inc. | Payment processing and subscription billing | United States (EU & UK data residency options) | UK IDTA / SCCs with UK Addendum |
| Plausible Analytics | Website analytics (marketing site only — no personal data or cookies) | European Union (Germany) | UK adequacy |
| Flagsmith | Feature flag management (self-hosted on Synergia360 Azure infrastructure) | UK South (Azure) | N/A (self-hosted) |
For requests to sign a negotiated DPA or to obtain copies of sub-processor agreements, please contact legal@synergia360.app.