Last updated: 16 July 2026
This Data Processing Agreement (“DPA”) forms part of the Terms of Service (the “Terms”) between the customer organization (the “Controller”) and DUMA DIGITAL SOLUTIONS S.R.L. (the “Processor”) for the use of SYNCDATE at syncdate.app (the “Service”). It applies where the Processor processes personal data on the Controller’s behalf and is incorporated into the Terms by reference; no signature is required, though a countersigned copy can be provided on request.
Terms not defined here have the meaning given in the Terms. “GDPR” means Regulation (EU) 2016/679 and, where applicable, the UK GDPR as it forms part of the law of the United Kingdom.
Parties and roles
- Controller: the customer Organization (as defined in the Terms).
- Processor: DUMA DIGITAL SOLUTIONS S.R.L., a company incorporated in Romania with registered office at Strada Verzişori nr. 6, Ap./Boxa 118, Sector 4, 030167 Bucureşti, Romania. CUI: 51430401 · VAT ID: RO51430401. (The entity named in the live Terms of Service and Privacy Policy.)
Where the Organization is itself a processor for its own customers, the Processor acts as a subprocessor and these terms apply on a back-to-back basis.
1. Subject matter and duration
The Processor processes personal data on behalf of the Controller as necessary to provide the SYNCDATE calendar synchronization service, for the duration of the service relationship plus the deletion periods described in Section 8.
2. Nature and purpose of processing
Reading calendar data from calendar accounts connected by the Controller’s Members, transforming it per the Members’ sync configurations (including privacy settings such as busy-only), and writing it to target calendar accounts; and operating, securing, and supporting the Service.
3. Categories of data subjects
- Members of the Controller’s Organization (users of the Service).
- Third parties whose personal data appears in calendar events (attendees, organizers, and contact details in event bodies).
4. Categories of personal data
- Account data: name, email address, and authentication identifiers.
- OAuth tokens for connected calendar accounts (encrypted at rest — see Annex II).
- Calendar event data: titles, times, locations, descriptions, and attendee lists — to the extent the Member’s sync configuration copies them (busy-only configurations copy availability windows without event details).
- Service logs and sync metadata (event identifiers, timestamps, and error records).
No special categories of data are required by the Service; incidental special-category data may appear inside calendar event content controlled by the data subjects.
5. Controller instructions and lawfulness
a) The Processor processes personal data only on the documented instructions of the Controller. The service configuration made by the Controller and its Members (including which calendars to connect, sync direction, and privacy settings), this DPA, and the Terms constitute the Controller’s complete and final instructions. Additional or different instructions must be agreed in writing.
b) The Controller warrants that it has a lawful basis and all necessary authority, consents, and notices to have the personal data processed as directed — including the data of its Members and of third parties who appear in calendar events.
c) The Processor informs the Controller if, in its opinion, an instruction infringes the GDPR or other applicable data-protection law (Art. 28(3), final paragraph).
6. Processor obligations (Art. 28(3))
The Processor shall:
a) process personal data only on documented instructions from the Controller (as defined in Section 5), including with regard to international transfers, unless required by EU or Member State law, in which case it informs the Controller unless that law prohibits it;
b) ensure persons authorised to process the data are bound by confidentiality;
c) implement the technical and organisational measures set out in Annex II;
d) engage subprocessors only in accordance with Section 7;
e) assist the Controller by appropriate technical and organisational measures, insofar as possible, in responding to data-subject requests (Arts. 12–23), taking into account the nature of processing;
f) assist the Controller in ensuring compliance with its Art. 32–36 obligations (security, breach notification, data protection impact assessments, and prior consultation), taking into account the nature of processing and the information available to the Processor;
g) notify the Controller without undue delay after becoming aware of a personal data breach affecting the Controller’s data, with the information reasonably available, to support the Controller’s obligation to notify its supervisory authority without undue delay and, where feasible, within 72 hours (Art. 33);
h) at the end of the services, delete or return the personal data in accordance with Section 8;
i) make available information necessary to demonstrate compliance with Art. 28 and allow for and contribute to audits in accordance with Section 10.
7. Subprocessors
General authorisation. The Controller grants a general authorisation for the Processor to engage subprocessors. The current subprocessor list is set out in Annex III. The Processor will give the Controller at least 30 days’ prior notice of intended additions or replacements, by updating the published list and notifying the Organization’s billing/admin contact by email. The Controller may object on reasonable data-protection grounds within that notice period; the parties will then work in good faith to resolve the objection, and failing resolution the Controller may terminate the affected services as its sole remedy.
The Processor imposes on each subprocessor data-protection obligations no less protective than those in this DPA and remains liable to the Controller for the subprocessor’s performance of those obligations.
Calendar providers the Members connect (Google, Microsoft, CalDAV hosts, and iCal feed publishers) are not subprocessors — they are services the Controller and its Members independently contract with and direct SYNCDATE to exchange data with, acting as independent controllers or processors under their own terms. The same applies to AI clients the Member connects via the MCP endpoint.
8. International transfers
Primary processing and storage occur on infrastructure located in the EU — the Processor’s hosting subprocessor (Hetzner) operates the application and databases in EU data centres (Germany — Nuremberg/Falkenstein; Finland — Helsinki), which are ISO/IEC 27001:2022 certified.
Where a subprocessor processes personal data outside the EEA (see Annex III — the US-based subprocessors Cloudflare, Stripe, Postmark, Backblaze, AWS, and Google Analytics), each transfer is safeguarded by an appropriate Art. 46 mechanism. Each of these subprocessors relies on the EU Standard Contractual Clauses (EC Implementing Decision 2021/914) and, where applicable, an active EU–US Data Privacy Framework self-certification, as recorded in Annex III.
9. Deletion and return
On termination of the services, or on deletion of a Member’s account, the Processor deletes the associated personal data from production systems. Account deletion is a hard delete of the user’s records; a PII-free audit tombstone is retained to record that deletion occurred. Synced copies previously written into third-party calendars remain under the Controller’s or Members’ own calendar accounts and are not within the Processor’s control after deletion. Off-site database backups (gzip-compressed database dumps held in a private, access-restricted US object-storage bucket) roll off on the backup retention schedule (currently 90 days), after which the data is no longer recoverable. On request before deletion, the Processor returns the personal data in a structured, commonly used format.
10. Audits
The Processor makes available documentation (this DPA, the security overview, and the subprocessor list) sufficient to demonstrate compliance with Art. 28. Audits beyond documentation review are limited to once per 12 months, on reasonable prior written notice, during business hours, without access to other customers’ data or to the Processor’s confidential information, and at the Controller’s cost — save where a supervisory authority requires otherwise.
11. US state privacy laws (for US customers)
Where US state privacy laws apply (e.g. the California CCPA/CPRA), the Processor acts as a “service provider” or “processor” and not as a “third party”: it does not sell or share the Controller’s personal data, does not retain, use, or disclose it for any purpose other than providing the service (or as permitted by law), and does not combine it with data from other sources except as permitted. The parties certify their understanding of these restrictions.
12. Liability, precedence, and governing law
a) Each party’s liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms; this DPA does not increase either party’s aggregate liability.
b) In the event of a conflict between this DPA and the Terms on the subject of the processing of personal data, this DPA prevails.
c) This DPA is governed by the laws of England and Wales, and the courts of England and Wales have exclusive jurisdiction, consistent with the Terms. This choice of forum does not affect the application of mandatory EU or UK data-protection law to the processing described here. A person who is not a party to this DPA has no right under the Contracts (Rights of Third Parties) Act 1999 to enforce any of its terms.
Annex I — Processing details
| Item | Detail |
|---|---|
| Subject matter | Provision of the SYNCDATE calendar synchronization service (Section 1). |
| Duration | The duration of the service relationship plus the deletion periods in Section 8. |
| Nature and purpose | Reading, transforming, and writing calendar data per Member sync configurations; operating, securing, and supporting the Service (Section 2). |
| Categories of data subjects | Members of the Controller’s Organization; third parties appearing in calendar events (Section 3). |
| Categories of personal data | Account data; OAuth tokens; calendar event data; service logs and sync metadata (Section 4). |
| Special-category data | Not required; may appear incidentally in event content controlled by data subjects (Section 4). |
Annex II — Technical and organisational measures
- Encryption at rest: OAuth tokens for connected calendar accounts are encrypted at rest using AES-256-GCM. The encryption key is held only in the application environment and is never included in a database dump.
- Encryption in transit: TLS for data in transit, terminated at the Processor’s CDN/edge subprocessor (Cloudflare).
- Access control: least-privilege operator access to production systems; authentication and access management for administrative access.
- Backups: off-site database backups are gzip-compressed database dumps held in a private, access-restricted US object-storage bucket with defined retention (currently 90 days). These backups rely on the storage provider’s storage-level protections and are not additionally client-side encrypted; because the AES-256-GCM key is not included in the dump, encrypted OAuth tokens remain encrypted within a backup.
- Logging: structured audit logging with correlation IDs to support security and troubleshooting.
- Environment separation: production and development environments are separated.
Annex III — Subprocessors
Calendar providers and AI clients the Member connects are not subprocessors (see Section 7).
| Subprocessor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Hetzner Online GmbH | Hosting, database, and CMS infrastructure | EU (Germany — Nuremberg/Falkenstein; Finland — Helsinki); ISO/IEC 27001:2022 certified | Data stays in the EU/EEA — no transfer mechanism required |
| Cloudflare, Inc. | DNS, CDN, TLS termination, and web application firewall | US | EU Standard Contractual Clauses + EU–US Data Privacy Framework |
| Stripe (Stripe Payments Europe, Ltd. / Stripe, Inc.) | Payments, billing, and tax | EU / US | EU Standard Contractual Clauses + EU–US Data Privacy Framework |
| Postmark (AC PM LLC / ActiveCampaign) | Transactional email | US | EU Standard Contractual Clauses + EU–US Data Privacy Framework |
| Backblaze, Inc. | Off-site database backups (private US B2 bucket, 90-day retention) | US | EU Standard Contractual Clauses + EU–US Data Privacy Framework |
| Amazon Web Services (Lambda, us-east-1) | Conditional US-egress proxy for geo-blocked iCal feeds only; off by default | US | EU Standard Contractual Clauses + EU–US Data Privacy Framework |
| Google (Google Analytics / GA4) | Product and usage analytics | US | EU Standard Contractual Clauses / EU–US Data Privacy Framework |
| Contentsquare (ContentSquare SAS) | Session recording and heatmaps | EU (France) | Data stays in the EU/EEA — no transfer mechanism required |
Contact
DUMA DIGITAL SOLUTIONS S.R.L.
Strada Verzişori nr. 6, Ap./Boxa 118, Sector 4, 030167 Bucureşti, Romania
CUI 51430401 · VAT ID RO51430401
Email: info@syncdate.app (general) or support@syncdate.app (support)