Last updated: March 24, 2026
This Data Processing Agreement ("DPA") forms part of the agreement between Synthfy LLC ("Processor," "we," "us") and the customer ("Controller," "you") for the provision of AI phone answering and automation services ("Services").
1. Definitions
"Personal Data" means any information relating to an identified or identifiable natural person processed in connection with the Services.
"Processing" means any operation performed on Personal Data, including collection, recording, storage, retrieval, use, disclosure, or deletion.
"Sub-Processor" means any third party engaged by Synthfy to process Personal Data on behalf of the Controller.
"Data Subject" means the identified or identifiable person to whom Personal Data relates.
"Data Breach" means any unauthorized access, disclosure, alteration, or destruction of Personal Data.
2. Scope of Processing
Synthfy processes Personal Data solely to provide the Services agreed upon, including:
- Receiving and handling inbound phone calls via AI
- Generating AI transcripts and call summaries
- Storing call recordings and metadata
- Scheduling appointments via calendar integrations
- Sending automated SMS and email follow-up communications
- Processing lead capture and CRM data
3. Roles and Responsibilities
The Controller determines the purposes and means of processing Personal Data. The Processor processes Personal Data only on documented instructions from the Controller, unless required to do so by applicable law. In such a case, the Processor shall inform the Controller of that legal requirement before processing.
4. Processing Instructions
Synthfy shall process Personal Data only in accordance with the Controller's documented instructions. If Synthfy believes an instruction from the Controller infringes applicable data protection laws, Synthfy shall promptly notify the Controller and may suspend the relevant processing until the Controller issues revised instructions.
5. Confidentiality
Synthfy ensures that all personnel authorized to process Personal Data have committed to binding confidentiality obligations. Access to Personal Data is restricted to authorized personnel on a need-to-know basis, and all access is logged and monitored.
6. Security Measures
Synthfy implements appropriate technical and organizational measures to protect Personal Data, including:
- AES-256 encryption for data at rest
- TLS 1.2+ encryption for data in transit
- Multi-factor authentication for all system access
- Role-based access controls
- Regular security assessments and penetration testing
- Automated threat detection and monitoring
- Secure data backup and disaster recovery procedures
7. Sub-Processors
Synthfy may engage Sub-Processors to assist in providing the Services. Synthfy shall maintain a current list of Sub-Processors and notify the Controller of any intended changes, providing the Controller a reasonable opportunity to object. Synthfy ensures that all Sub-Processors are bound by data protection obligations no less protective than those set forth in this DPA.
8. Data Subject Rights
Synthfy shall assist the Controller in responding to requests from Data Subjects exercising their rights under applicable data protection laws, including:
- Right of access to Personal Data
- Right to rectification of inaccurate data
- Right to erasure ("right to be forgotten")
- Right to data portability
- Right to restrict processing
- Right to object to processing
Synthfy will respond to Controller requests regarding Data Subject rights within 15 business days.
9. Data Breach Notification
In the event of a Personal Data breach, Synthfy shall notify the Controller without undue delay and no later than 48 hours after becoming aware of the breach. The notification shall include the nature and scope of the breach, categories and approximate number of affected Data Subjects, likely consequences of the breach, and measures taken or proposed to address and mitigate the breach.
10. Data Transfers
If Personal Data is transferred outside the originating jurisdiction, Synthfy shall ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) for transfers from the EEA and UK, and compliance with all applicable cross-border data transfer requirements.
11. Audit Rights
The Controller may audit Synthfy's compliance with this DPA upon reasonable written notice. Synthfy shall make available all information necessary to demonstrate compliance and shall allow for and contribute to audits and inspections conducted by the Controller or an authorized auditor. Audits shall be conducted during normal business hours with at least 30 days advance notice.
12. Data Retention and Deletion
Upon termination of the Services or upon the Controller's written request, Synthfy shall delete or return all Personal Data within 30 days, unless retention is required by applicable law. Call recordings and transcripts are retained for a default period of 90 days unless otherwise configured by the Controller.
13. Term and Termination
This DPA shall remain in effect for the duration of the Service Agreement between the parties. The data protection obligations contained in this DPA shall survive termination of the Service Agreement to the extent necessary for the continued protection of Personal Data.
14. Governing Law
This DPA shall be governed by the laws of the State of Texas, without regard to conflict of law principles, except where mandatory data protection laws of another jurisdiction apply to the processing activities.
15. Contact Us
Synthfy LLC
Email: legal@synthfy.us
Support: hello@synthfy.us
Phone: (713) 766-9062
Website: synthfy.us