Skip to main content
Last updated: July 11, 2026 This Data Processing Agreement (“DPA”) supplements the SynapsAI Cloud Terms of Use (“Terms”) and forms a binding contractual agreement between SynapsAI Technologies Inc. (“SynapsAI”) and the corporate or institutional customer utilizing our high-performance infrastructure services (the “Client”). This DPA applies automatically when and to the extent that Client-submitted input data streams, files, or model payloads contain “Personal Data” regulated by the European Union General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) or the UK Data Protection Act 2018. No separate signature is required — acceptance is incorporated through account registration and platform use as described in Terms of Use, Section 13.

1. Scope, Definitions, and Roles

  • Definitions: Terms such as “Personal Data”, “Processing”, “Data Controller”, “Data Processor”, and “Data Subject” carry the meanings defined in Article 4 of the GDPR.
  • Roles of the Parties: The parties explicitly acknowledge and agree that with respect to the processing of inference payloads, customer files, and real-time inputs, the Client acts as the Data Controller (with sole determination over the purpose and legality of processing) and SynapsAI acts strictly as the Data Processor executing compute workloads under the automated, software-driven instructions of the Client.

2. Scope and Nature of Processing

  • Subject Matter: The provision of raw high-performance compute nodes, execution runtimes, and caching infrastructure for processing machine learning model instances.
  • Duration of Processing: The duration of this DPA corresponds strictly with the active lifetime of the Client’s account workspace and active compute containers.
  • Nature and Purpose: SynapsAI processes data exclusively to compile, initialize, and execute the open-weights or custom machine learning models designated by the Client, facilitating high-throughput inference requests.
  • Data Categories & Data Subjects: The specific categories of personal data and data subjects are determined entirely and dynamically by the Client via the input prompt strings, datasets, audio clips, or video files they transmit to the service.

3. Obligations of the Data Processor (SynapsAI)

SynapsAI covenants and agrees to handle all Client Personal Data strictly under the following operational guidelines:
  • Processing Instructions: SynapsAI shall process Personal Data exclusively in accordance with the documented, programmatic instructions of the Client (including requests submitted via APIs, management UIs, or configuration files). SynapsAI will not utilize, monitor, or review Client data for model training, algorithmic profiling, commercial resale, or any secondary non-contractual objective.
  • Personnel Confidentiality: SynapsAI ensures that its operational engineers, system administrators, or subprocessors authorized to manage structural components are bound by appropriate confidentiality obligations.
  • Zero-Retention Processing Operations: As set forth in our Data Policy, text inference payloads are held exclusively in transient volatile memory (RAM/VRAM). Audio/video preprocessing temporary files are isolated in ephemeral directories and programmatically erased directly upon execution. Generated video assets are maintained in memory for a maximum window of 10 minutes prior to purge.
  • Subprocessor Control & Notification: The Client grants SynapsAI a general written authorization to engage upstream infrastructure providers (“Subprocessors”) to operate the platform. A current list — including Nebius (AI cloud compute), Cloudflare (network edge), Better Stack (incident management and monitoring), and Stripe (payment infrastructure) — is published at Subprocessors. SynapsAI shall impose strict data protection obligations upon all engaged Subprocessors that are no less restrictive than those defined in this agreement. SynapsAI will update the public subprocessor list when adding or replacing a subprocessor that materially affects personal data processing; enterprise Clients may object as provided in a separate written agreement.

4. Technical and Organizational Security Controls

SynapsAI shall maintain robust structural controls engineered to isolate customer tenant operations and negate data access vulnerabilities, including:
  • Process Isolation: Segmenting multi-tenant execution stacks strictly at the operating system process layer, enforced via strict kernel resource boundaries (Linux cgroups) and specialized sandboxing routing.
  • Network Encryption: Requiring TLS-encrypted network layers for all inbound customer API endpoint interactions and service routing paths.
  • API Credential Verification: Restricting internal tenant cluster access strictly through cryptographic API secret keys maintained and managed exclusively by the Client.

5. Security Incident Notification

If SynapsAI verifies a structural security incident resulting in the accidental, unauthorized, or unlawful alteration, loss, disclosure, or compromise of Client Personal Data traversing our infrastructure networks, SynapsAI shall:
  • Transmit a formal written notice to the Client’s registered administrative email without undue delay, and no later than 72 hours post-verification.
  • Supply a comprehensive summary detailing the structural nature of the incident, estimated data volumes affected, and immediate programmatic mitigation metrics enacted.
  • Actively cooperate with the Client’s regulatory reporting obligations to national Supervisory Authorities.

6. Audit Rights and Regulatory Cooperation

  • Data Subject Rights Assistance: Taking into account the transient, short-lived nature of our zero-retention processing model, SynapsAI shall provide reasonable, automated interface tools enabling the Client to comply with data subject extraction, correction, or deletion inquiries.
  • Compliance Documentation: Upon reasonable written request from an enterprise Client subject to this DPA, SynapsAI shall make available documentation reasonably necessary to demonstrate compliance with this DPA — such as summaries of security controls, subprocessors, and data-handling practices. SynapsAI is not obligated to provide proprietary architectural diagrams, source code, or third-party audit reports unless separately agreed in writing.

7. Cross-Border Data Transfers & International Data Addendum

Because SynapsAI Cloud infrastructure relies on specialized North American datacenter routing zones, the parties incorporate the European Commission Standard Contractual Clauses (SCCs) (Module 2: Controller-to-Processor) into this DPA by reference where required for international transfers of Personal Data. The execution of the Terms of Use and this DPA satisfies the execution requirements for the SCCs. For UK data transfers, the parties incorporate the UK International Data Transfer Addendum (IDTA) where applicable.

8. Governing Law

This DPA is governed by and construed in alignment with the specific judicial mechanisms governing the overarching Terms of Use, except where explicitly overridden by mandatory provisions of the GDPR or applicable national data protection frameworks.