Last updated: June 3, 2026
This Data Processing Agreement ("DPA") forms part of the agreement between Synter, LLC, with offices at 525 Third St., Suite 200, Lake Oswego, OR 97034, USA ("Synter", the "Processor") and the customer entity that has entered into the Agreement ("Customer", the "Controller"), and reflects the parties' agreement with regard to the Processing of Personal Data under the Agreement.
To execute this DPA, or to request a signed copy, contact privacy@synterai.com. The current sub-processor list is published at /legal/subprocessors.
"GDPR" means Regulation (EU) 2016/679, including as incorporated into United Kingdom law (the "UK GDPR") where applicable. "Personal Data", "Processing", "Controller", "Processor", "Data Subject", "Personal Data Breach", and "Supervisory Authority" have the meanings given in the GDPR. "Customer Personal Data" means Personal Data Processed by Synter on behalf of Customer in connection with the Services, as described in Annex 1. "Standard Contractual Clauses" or "SCCs" means the clauses adopted by the European Commission in Implementing Decision (EU) 2021/914.
With respect to Customer Personal Data, Customer is the Controller (or a Processor acting on behalf of a third-party Controller) and Synter is the Processor. Customer is responsible for the lawfulness of the Personal Data it makes available to Synter, including lawful basis, notices, and any required consents (including consents for cookies, advertising identifiers, and the Synter Pixel on Customer's properties). This DPA does not apply to Personal Data that Synter Processes as an independent Controller (e.g., account registration and billing contacts), which is governed by Synter's Privacy Policy.
Synter Processes Customer Personal Data only on Customer's documented instructions, including with regard to international transfers, unless required by applicable law (in which case Synter informs Customer unless prohibited). Instructions are documented in the Agreement, this DPA, and Customer's configuration of and interaction with the Services. Synter will inform Customer if, in its opinion, an instruction infringes applicable data protection law.
Persons authorized to Process Customer Personal Data are bound by confidentiality obligations and Process Customer Personal Data only as necessary to provide the Services.
Synter implements and maintains appropriate technical and organizational measures as described in Annex 2, in accordance with Article 32 GDPR, and may update them provided the overall level of protection is not materially reduced.
Customer provides general written authorization for the sub-processors listed at /legal/subprocessors (Annex 3). Synter provides at least 14 days' notice before a new sub-processor Processes Customer Personal Data. Customer may object on reasonable, documented data protection grounds; if unresolved, Customer may terminate the affected Services with a pro-rata refund of prepaid fees. Synter imposes materially equivalent data protection obligations on each sub-processor and remains fully liable for their performance.
Synter assists Customer, insofar as possible, in fulfilling Customer's obligations to respond to Data Subject requests. Requests received directly by Synter are forwarded promptly to Customer.
Synter notifies Customer without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data, with the information reasonably required for Customer to meet its obligations under Articles 33 and 34 GDPR. Information may be provided in phases.
Synter provides reasonable assistance with data protection impact assessments and prior consultations with Supervisory Authorities, to the extent they relate to the Services.
On termination, at Customer's choice, Synter deletes or returns Customer Personal Data (absent a legal retention requirement). Default deletion is within 30 days of termination; backups are deleted in the ordinary rotation, not exceeding 90 days.
Synter makes available information reasonably necessary to demonstrate Article 28 compliance, including available audit reports and responses to written security questionnaires (at most once per 12-month period, except after a breach or where required by a Supervisory Authority). Where that is insufficient, Customer or an independent auditor may audit on at least 30 days' written notice, at most once per 12-month period, under reasonable scope and confidentiality terms.
Synter and its sub-processors Process Personal Data in the United States and other countries outside the EEA/UK. For EEA transfers without an adequacy decision, the parties enter into the SCCs, Module Two (Controller to Processor), incorporated by reference and completed by Annexes 1-3 (Clause 7 included; Clause 9(a) Option 2 with the notice period in Section 6; Clause 17/18: Ireland). The UK Addendum and Swiss adaptation apply to UK and Swiss transfers respectively. Synter is not currently certified under the EU-U.S. Data Privacy Framework; the SCCs are the operative transfer mechanism.
Liability is subject to the limitations in the Agreement except where prohibited by law. In case of conflict, the SCCs prevail over this DPA, which prevails over the Agreement. The DPA remains in force for as long as Synter Processes Customer Personal Data.
Subject matter: provision of the Synter advertising platform (cross-platform campaign management, attribution and analytics, hosted landing pages, audience tools, AI-agent-assisted operations). Data Subjects: visitors to Customer's websites and Synter-hosted landing pages; recipients of Customer's advertising, including contacts in lists Customer uploads or syncs; Customer's leads and end customers; Customer's authorized users. Personal Data: online identifiers (cookie IDs, advertising IDs, click IDs, IP addresses, user-agent data); contact data in Customer-supplied audiences (typically hashed before transmission to ad platforms); lead form submissions; engagement and conversion events; account user names and business contact details. Special categories: none intended; Customer agrees not to submit Art. 9 data. Duration and retention: the term of the Agreement plus the deletion periods in Section 10.
The current list is maintained at /legal/subprocessors.
Questions, executed copies, and signature requests: privacy@synterai.com.