Data Processing Agreement

Effective Date: 2025-06-18

Parties:

This Data Processing Agreement (“Agreement”) is entered into between:

Controller:
The entity that accepts the Terms of Service and identifies itself during sign-up

Processor:
Pantzar Trading AB, Kyrkogatan 16B, 852 31 Sundsvall, Sweden, [email protected]


1. Purpose, Nature & Duration

Data Subjects. The Personal Data concern the following categories of data subjects:
- existing and prospective customers of the Controller,
- employees and other representatives of the Controller, and
- website visitors and end-users whose interactions are recorded in the Controller’s CRM.

Special Categories. The Controller shall not transmit, and Synqc shall not intentionally process, any “special category” data under Art. 9 GDPR (e.g. health, biometric, religious data). Transmission of such data requires a separate, written agreement.

This Clause 1 shall be read together with Annex I-B (Description of Processing), which sets out the nature, purpose and duration of the Processing.


2. Instructions & Compliance

Synqc shall process Personal Data only on documented instructions from Controller, including with regard to third-country transfers. If Synqc believes an instruction infringes applicable law it will promptly inform Controller.


3. Data Categories

Synqc will process the categories of Personal Data described in Annex I-B (Categories of Data).  


4. Confidentiality

Synqc shall ensure that persons authorised to process the Personal Data are bound by confidentiality agreements and receive GDPR-aware security training.


5. Sub-processing

Synqc shall impose on each Sub-processor data-protection obligations that are no less protective than those set out in this Agreement and the SCCs, including the obligation to implement appropriate technical and organisational measures and to allow Controller (directly or via Synqc) to conduct audits under identical conditions.

Synqc shall give Controller at least five (5) business days’ prior written notice of any intended addition or replacement of a Sub-processor. Controller may reasonably object in writing within that period; in such case the Parties will discuss in good faith. If the Parties cannot reach agreement, Controller may terminate the affected Services without penalty.

The current list of authorised Sub-processors, their locations and safeguards is set out in Annex III (Authorised Sub-processors). Security measures are described in Annex II (Technical and Organisational Measures), which forms part of the SCC.


6. Security

Synqc implements the technical and organisational measures described in Annex II (TOMs), which forms part of the Standard Contractual Clauses.

Synqc keeps internal records of all processing activities carried out on behalf of Controller in accordance with Article 30 §2 GDPR and will provide a copy to Controller on request.


7. Assistance

Synqc shall, to the extent legally permitted, promptly notify Controller if it receives a request from a Data Subject exercising rights under Chapter III GDPR, and shall provide reasonable assistance in fulfilling such requests.

Synqc will assist Controller considering the nature of processing; where requests are manifestly unfounded/excessive, Synqc may charge reasonable costs.

Upon Controller’s written request, Synqc shall provide assistance required for Controller to carry out data-protection-impact assessments and, where relevant, consultations with a Supervisory Authority, in each case solely in relation to the Services and to the extent such assistance is not otherwise reasonably available to Controller.


8. Personal-Data Breach

In the event of a personal data breach, Synqc will notify the Customer without undue delay and, where feasible, within 72 hours after becoming aware, including relevant details to support legal obligations and mitigation.

Contact Point. All security or breach-related notices shall be sent to [email protected].  Synqc may also notify Controller’s designated security contact as provided in the Admin Console.


9. Deletion & Return

Upon termination of the Master Services Agreement, the Controller may elect to

(a) have all Personal Data returned in a commonly-used machine-readable format or
(b) have Synqc delete the Personal Data.

Synqc will comply with the Controller’s election within 30 days and will certify deletion in writing. Backup media are overwritten within 90 days unless Union or Member-State law requires longer retention.


10. Audit & Certifications

Synqc will make available SOC 2 Type II or ISO 27001 reports yearly; on-site audits are limited to once per 12 months with 30-day notice. In addition, Synqc shall make available to Controller all information reasonably necessary to demonstrate compliance with this DPA and Article 28 GDPR, including completed industry-standard security questionnaires (e.g., CAIQ) upon request.


11. International Transfers

Transfers rely on EU SCC 2021/914 Module 2 and, for UK data, the UK Addendum. Processor and sub-processors enter into the SCC; Annex I/II/III form part of this Agreement.

The Parties agree that Annex I, II and III to this DPA constitute the Appendix to the 2021 Standard Contractual Clauses (Module 2) and, where relevant, the UK International Data Transfer Addendum; Synqc is authorised to sign the SCCs on behalf of its listed Sub-processors.


12. Liability & Precedence

Each party’s aggregate liability under this DPA is limited as set out in the Master Services Agreement. If there is a conflict between this DPA and any other agreement, this DPA prevails.


13. Governing Law and Jurisdiction
 
This Agreement shall be governed by, and construed in accordance with, the laws of Sweden. Any dispute arising out of or in connection with this Agreement shall be submitted to the exclusive jurisdiction of the courts of Stockholm, Sweden, without prejudice to the mandatory rights of Data Subjects under GDPR.


This DPA is deemed accepted by the Customer upon agreeing to the Terms of Service. Synqc will maintain an auditable log of each Customer’s acceptance of this DPA, including version identifier and timestamp, for the term of the Services and twelve (12) months thereafter.


ANNEXES


ANNEX I — Details of Processing / Data Transfer

A. List of Parties

Data Exporter (Controller)
- Identity: The Customer that signs up for Synqc.
- Contact: Provided by Customer at DPA signature.
- Role & Activities: Uses Synqc to forward selected HubSpot CRM data to Meta’s Conversions API.

Data Importer (Processor)
- Identity: Synqc — Erik Pantzar, Sole Proprietor, Org-no 559428-0926, Kyrkogatan 16B, 852 31 Sundsvall, Sweden.
- Contact: [email protected] / +46 76 130 9198
- Role & Activities: Receives HubSpot webhooks, hashes personal data, transmits it to Meta CAPI, stores minimal metadata for logs and dashboards.

B. Description of Processing

Subject-matter & duration:
Continuous API service; processing lasts for the subscription term plus 30 days for graceful shutdown.

Nature & purpose:
- Receive webhook events from HubSpot.
- Hash or transform personal identifiers.
- Send events to Meta CAPI.
- Provide dashboards, logs, and configuration back to the Customer.

Categories of personal data:
Unless otherwise noted, Synqc receives these identifiers in cleartext, hashes them with SHA-256 immediately upon receipt, and does not store or forward the raw values.

Direct contact identifiers (hashed)
• E-mail address • Phone number • First & last name • ZIP/postcode • City • State/region • Country • Date of birth

Lifecycle & status fields
• lifecyclestage • hs_lead_status • hs_pipeline

Engagement / behavioural metrics
• Page views (hs_analytics_num_page_views) • Sessions (hs_analytics_num_visits) • Form-submission count (num_conversion_events) • Event revenue (hs_analytics_revenue)

Timing metrics
• first_conversion_date • recent_conversion_date • first_deal_created_date • days_to_close • hs_time_to_move_from_lead_to_customer • closedate

Commercial & value data
• Deal amount (recent_deal_amount) • Deal currency (deal_currency) • predicted_ltv

Score & ranking fields
• hs_score (lead score) • hs_engagement_score

Company & demographic context
• industry • company_size • numemployees • annualrevenue • jobtitle • original_source • notes_last_contacted

Derived or optional commerce fields (only if present in HubSpot and mapped)
• Product SKU, name, type • Quantity • Order/Contact ID (used as order_id) • content_ids, content_name, content_type, num_items, value, currency

Technical event metadata
• IP address and User-Agent contained in inbound HubSpot webhook requests (forwarded to Meta CAPI as client_ip_address / client_user_agent) • Event timestamp & unique event ID

Customer-selected HubSpot properties
Any additional contact, deal or company property that the Customer maps in the “Custom-Data Mapping” step.

Administrator account data (Controller personnel) – stored by Synqc for contract administration, not forwarded to Meta
• Full name • Business e-mail • Company name

Special-category data (Art 9 GDPR):
The Service is not designed to handle special-category data. Transmission of such data is prohibited without a separate written agreement.

Data subjects:
Individuals stored as contacts in the Customer’s HubSpot portal (prospects, leads, customers).

Frequency of transfer:
Event-driven, typically within one minute of a change in HubSpot.

Retention schedule:
- Raw personal data: never stored.
- Hashed identifiers & event metadata: auto-deleted 30 days after receipt.
- OAuth tokens and configuration: deleted 30 days after account closure.

Competent supervisory authority:
Integritetsskyddsmyndigheten (IMY), Sweden.


ANNEX II — Technical and Organisational Measures

Encryption
- TLS 1.2+ for all traffic in transit.
- Cloudflare Workers KV encrypts data at rest (AES-256).
- Raw PII is never persisted; only SHA-256 hashes are stored temporarily.

Access control
- Single-user account protected by FIDO2 token + TOTP fallback.
- Cloudflare API tokens scoped to Edit Workers / Read KV / Secrets Store only.
- Production secrets injected via Cloudflare environment variables; never committed to repo.

Confidentiality & least privilege
- No subcontractors with interactive access.
- Sentry error payloads scrubbed (sendDefaultPii:false).
- Debug logging gated behind DEBUGGING env var (default false).

Integrity & availability
- Automatic Cloudflare edge KV replication (≥3 regions).
- Daily Worker-script backups via GitHub Actions.
- Incident Response Plan v2025-06-18 (table-top tested annually).

Data deletion & portability
- “/data-deletion” endpoint deletes all KV records and OAuth tokens for a user within 24 h.
- Users can export event logs via self-service dashboard (CSV).

Pen-testing & monitoring
- Dependency scanning with npm audit on every CI run.
- Cloudflare Observability enabled for Worker traces & custom metrics.
- External penetration test when (a) Synqc processes > 100 000 contact records, or (b) 12 months have passed since launch (whichever is earlier).


ANNEX III — Authorised Sub-processors

1. Cloudflare, Inc. — 101 Townsend St, San Francisco CA 94107, USA
- Edge compute platform and KV storage where the Synqc Worker runs.
- Processing locations: Cloudflare POPs worldwide, including EU.
- Safeguard: Standard Contractual Clauses (Processor-to-Processor, Module 3).

2. Sentry GmbH — Kreuznacher Str. 61, 60486 Frankfurt am Main, Germany
- Error and performance monitoring (receives only hashed IDs and non-PII stack traces).
- Processing location: Germany (Frankfurt data centre).
- Safeguard: Intra-EU transfer — no additional clauses required.

Synqc will notify the Customer at least 5 business days in advance before adding or replacing a sub-processor.


ANNEX IV — Governing Law & Jurisdiction

(EU Standard Contractual Clauses 2021/914 — Module 2, Clauses 17-18)

Clause 17   (Governing law – option 1 selected)
The Clauses and this DPA are governed by the laws of Sweden.

Clause 18   (Choice of forum and jurisdiction)
The Parties agree that any dispute arising from the Clauses shall be submitted to the courts of Stockholm, Sweden, and they irrevocably submit to the exclusive jurisdiction of those courts.


Version: 2025-06-18  •  Last editor: Erik Pantzar