Last updated: March 10, 2026
Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the agreement between the Customer ("Controller", "You") and syn Development Inc. ("Processor", "Company", "We", "Us") for the provision of the syn.bike service ("Service"), as described in the Terms and Conditions (the "Agreement").
This DPA applies where the Customer acts as a data controller with respect to Personal Data processed through the Service — for example, a business using Syn to manage data on behalf of its own users, employees, or clients. Where the Company processes Personal Data for which it is the data controller (such as an individual user's own account data), the processing is governed by the Privacy Policy and this DPA does not apply.
This DPA is entered into to reflect the parties' agreement with regard to the processing of Personal Data by the Processor on behalf of the Controller, in accordance with the requirements of Data Protection Laws.
In the event of a conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing of Personal Data.
Definitions
Capitalized terms not defined in this DPA have the meanings given to them in the Agreement. In addition:
"Data Protection Laws" means all applicable legislation relating to data protection and privacy, including (i) the General Data Protection Regulation (EU) 2016/679 ("GDPR"), (ii) the UK General Data Protection Regulation as defined by the Data Protection Act 2018 ("UK GDPR"), (iii) the Swiss Federal Act on Data Protection ("FADP"), and (iv) any national implementing legislation, as amended, replaced, or superseded from time to time.
"Controller" means the entity that determines the purposes and means of the processing of Personal Data, as identified above.
"Processor" means syn Development Inc., which processes Personal Data on behalf of the Controller.
"Personal Data" means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller in connection with the Service.
"Processing" means any operation or set of operations performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
"Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
"Sub-Processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, as approved by the European Commission in Implementing Decision (EU) 2021/914 of 4 June 2021 (including, where the Processor transfers Personal Data to a Sub-Processor, the processor-to-processor module), and any successor clauses adopted by the European Commission.
"Supervisory Authority" means an independent public authority established by an EU or EEA member state, or the UK Information Commissioner's Office, as applicable.
Scope and Roles
Roles of the Parties
The Controller is the data controller with respect to Personal Data processed through the Service. The Processor processes Personal Data solely on behalf of the Controller and in accordance with the Controller's documented instructions.
The Processor may also act as an independent data controller for data it processes for its own legitimate purposes, as described in the Privacy Policy. This DPA does not apply to such independent controller processing, which includes:
- Account management (creating and managing the Controller's account, authentication)
- Billing and payment processing (invoicing, transaction records, tax compliance)
- Service improvement (aggregated, anonymized usage analytics via Umami)
- Platform reliability (error monitoring via Sentry, security monitoring)
- Communications initiated by the Processor (service announcements, policy updates)
Certain service providers and tools used for the Processor's independent controller purposes (specifically Sentry for error monitoring and the self-hosted Umami instance for analytics) may incidentally process Personal Data that also relates to the Controller's users, for example an error log that captures a user's IP address or identifier. The providers involved (or, for self-hosted tools such as Umami, the infrastructure Sub-Processor that hosts them) are listed in Annex III and are subject to the Sub-Processor obligations in this DPA to the extent they process Personal Data on the Controller's behalf. Where the same provider processes data solely for the Processor's independent purposes (e.g., aggregated platform-wide error rates or anonymized analytics), that processing falls outside this DPA but remains subject to the security and confidentiality obligations below.
For the avoidance of doubt, where any independent controller activity involves Personal Data that is also processed on the Controller's behalf, the Processor shall apply the security, confidentiality, and breach notification obligations of this DPA to such data regardless of the legal basis for processing.
Scope of Processing
This DPA applies to all Personal Data that the Processor processes on behalf of the Controller in connection with the provision of the Service.
Details of Processing
Subject Matter
The provision of the syn.bike cloud-based bike suspension and linkage design platform, as described in the Agreement.
Duration
The duration of the processing is the term of the Agreement, plus any period required for data deletion or return as specified in this DPA.
Nature and Purpose of Processing
The Processor processes Personal Data as necessary to provide the Service to the Controller, including: hosting and storing Controller's data, authenticating users, enabling collaboration via team features, processing payments, sending transactional communications, and monitoring for errors and security incidents.
Categories of Data Subjects
- Controller's employees, consultants, contractors, and agents who are Authorized Users of the Service
- Any other individuals whose Personal Data is submitted to the Service by the Controller or its Authorized Users
Types of Personal Data
- Identifiers: name, email address, phone number (optional), profile image (optional)
- Account data: authentication credentials, account preferences and settings
- Content data: bike and spring design objects and associated data created using the Service
- Billing data: billing address, transaction history (for paid accounts; sensitive payment card data is processed directly by Stripe and never accessed by the Processor)
- Usage data: IP address, browser type, pages visited, timestamps
- Team data: team membership, role assignments
Obligations of the Processor
Processing Instructions
The Processor shall process Personal Data only on the Controller's documented instructions, including with regard to transfers of Personal Data to a third country, unless required to do so by applicable law. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such notification on important grounds of public interest.
The Processor shall immediately inform the Controller if, in the Processor's opinion, an instruction from the Controller infringes Data Protection Laws.
The Agreement (including this DPA), and the Controller's use and configuration of the Service, constitute the Controller's complete and final documented instructions to the Processor for the processing of Personal Data. Any additional or alternative instructions must be agreed upon separately in writing.
Confidentiality
The Processor shall ensure that all persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
Security
The Processor shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. These measures include, as appropriate:
- Encryption of Personal Data in transit (TLS) and at rest
- Measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services
- Commercially reasonable measures to restore the availability of and access to Personal Data in a timely manner in the event of a physical or technical incident
- A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures
The Processor shall take reasonable steps to ensure that only authorized personnel have access to Personal Data, and that such access is limited to what is necessary for the performance of their duties.
Sub-Processors
The Controller provides general written authorization for the Processor to engage Sub-Processors to assist in the provision of the Service. The current list of Sub-Processors is set out in Annex III and in the Privacy Policy.
The Processor shall impose on each Sub-Processor, by way of a written contract, data protection obligations no less protective than those set out in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organizational measures such that the processing will meet the requirements of Data Protection Laws.
The Processor shall provide the Controller with at least thirty (30) days' prior written notice by email (to the address associated with the Controller's Account) before engaging any new Sub-Processor or replacing an existing Sub-Processor. The notice shall include the name of the Sub-Processor, the nature of the processing, and the location of processing.
The Controller may object to any new or replacement Sub-Processor on reasonable data protection grounds by notifying the Processor in writing within thirty (30) days of receiving the notice. The parties shall discuss the objection in good faith. If the parties are unable to resolve the objection within a further thirty (30) days, the Controller may terminate the Agreement by providing written notice, without prejudice to any fees due for the period prior to termination.
The Processor shall remain fully liable to the Controller for the performance of each Sub-Processor's obligations.
Assistance with Data Subject Rights
Taking into account the nature of the processing, the Processor shall assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Controller's obligations to respond to requests from Data Subjects exercising their rights under Data Protection Laws, including the rights of access, rectification, erasure, restriction, portability, and objection.
The Processor shall promptly notify the Controller if the Processor receives a request from a Data Subject in respect of Personal Data processed on behalf of the Controller. The Processor shall not respond to such a request directly unless authorized to do so by the Controller or required by applicable law.
Personal Data Breach Notification
The Processor shall notify the Controller of any Personal Data Breach without undue delay and no later than forty-eight (48) hours after becoming aware of it.
The notification shall include, to the extent reasonably available:
- A description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and Personal Data records affected
- The name and contact details of the Processor's contact point for further information
- A description of the likely consequences of the Personal Data Breach
- A description of the measures taken or proposed to be taken to address the Personal Data Breach, including measures to mitigate its possible adverse effects
Where it is not possible to provide all information at the same time, the information may be provided in phases without undue further delay.
The Processor shall take commercially reasonable actions to preserve forensic evidence, contain the breach, and mitigate its effects.
The Processor shall cooperate with and assist the Controller in relation to any investigation, mitigation, and remediation of the Personal Data Breach, and in meeting any obligations the Controller may have to notify Supervisory Authorities and Data Subjects under Data Protection Laws.
Data Protection Impact Assessments
The Processor shall provide reasonable assistance to the Controller with any data protection impact assessments and prior consultations with Supervisory Authorities that the Controller reasonably considers to be required under Data Protection Laws, in each case solely in relation to the processing of Personal Data under this DPA and taking into account the nature of the processing and the information available to the Processor. The Processor shall make available relevant documentation about its processing activities at no additional charge. Where assistance requires effort materially beyond providing existing documentation (such as bespoke analysis or participation in consultations), the Controller shall bear the Processor's reasonable costs, agreed in advance.
Records of Processing
The Processor shall maintain a record of all categories of processing activities carried out on behalf of the Controller, as required by Article 30(2) of the GDPR. Such records shall be made available to the Controller or the relevant Supervisory Authority upon request.
Audit Rights
The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations laid down in this DPA and in Article 28 of the GDPR.
The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to the following conditions:
- The Controller shall provide at least thirty (30) days' prior written notice
- Audits shall be conducted during normal business hours and shall not unreasonably disrupt the Processor's operations
- The scope shall be reasonable and limited to the processing activities covered by this DPA
- The auditor shall be bound by appropriate confidentiality obligations
- Audits shall not exceed once per twelve (12) month period, unless a Personal Data Breach has occurred or a Supervisory Authority requires an additional audit
- Audit costs shall be borne by the Controller, unless the audit reveals a material non-compliance by the Processor, in which case the Processor shall bear the reasonable costs
As a first step, the Processor may propose to satisfy audit requests by providing existing compliance documentation such as SOC 2 reports, security certifications, penetration test summaries, or completed security questionnaires. If such documentation does not reasonably address the Controller's audit objectives, the Controller retains the right to conduct or commission an on-site inspection subject to the conditions listed above.
Obligations of the Controller
The Controller shall:
- Ensure that it has a lawful basis under Data Protection Laws for the processing of Personal Data and for instructing the Processor to process Personal Data on its behalf
- Provide the Processor with documented instructions regarding the processing of Personal Data
- Ensure that Data Subjects have been informed of the processing in accordance with Data Protection Laws, including by providing an appropriate privacy notice
- Comply with its own obligations under Data Protection Laws, including with respect to data subject rights, data breach notifications to Supervisory Authorities and Data Subjects, and data protection impact assessments
- Not instruct the Processor to process Personal Data in violation of Data Protection Laws
International Transfers
Adequacy
syn Development Inc. is based in British Columbia, Canada, and is subject to the Personal Information Protection and Electronic Documents Act (PIPEDA). The European Commission has recognized Canada as providing an adequate level of data protection for recipients subject to PIPEDA (Commission Decision 2002/2/EC). Accordingly, transfers of Personal Data from the EU/EEA to the Processor do not require additional transfer safeguards under GDPR. The United Kingdom similarly recognizes Canada as adequate under UK GDPR for organizations subject to PIPEDA.
Transfers to Other Countries
Where Personal Data is transferred to Sub-Processors located in countries that have not received an adequacy decision from the European Commission, or to recipients not covered by such a decision (such as organizations in the United States that are not certified under the EU-US Data Privacy Framework), the Processor shall ensure that appropriate safeguards are in place, including one or more of the following:
- Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914), incorporated into agreements with Sub-Processors
- EU-US Data Privacy Framework (DPF) certifications held by Sub-Processors, where the Sub-Processor maintains a current and valid certification
- Any other valid transfer mechanism recognized under Data Protection Laws
Supplementary Measures
Where the Processor, following a transfer impact assessment, determines that the law of a destination country may impair the effectiveness of the safeguards relied upon, the Processor shall implement supplementary technical and organizational measures to ensure an essentially equivalent level of protection, such as encryption in transit and at rest, pseudonymization, or access controls limiting the ability of public authorities to access the data.
Government Access Requests
In accordance with the EDPB Recommendations 01/2020 on supplementary transfer measures:
The Processor shall not voluntarily disclose Personal Data to any government authority or law enforcement agency unless required to do so by applicable law.
If the Processor receives a legally binding request from a government authority for access to Personal Data processed on behalf of the Controller, the Processor shall promptly notify the Controller of the request before making any disclosure, to the extent legally permitted. Where notification is prohibited by law, the Processor shall use reasonable efforts to obtain a waiver of the prohibition and shall disclose as much information as legally permissible as soon as possible.
The Processor shall review the legality of any government access request and shall challenge the request through available legal mechanisms where there are reasonable grounds to consider the request unlawful or excessive, including where the request conflicts with Data Protection Laws.
In all cases, the Processor shall disclose only the minimum amount of Personal Data necessary to comply with the request.
To the extent permitted by law, the Processor shall maintain a record of government access requests received and make summary information available to Controllers upon request.
UK Transfers
Canada is recognized as adequate under UK GDPR, so transfers from a UK-based Controller to the Processor do not require additional transfer safeguards. For onward transfers of Personal Data to Sub-Processors located in countries without UK adequacy status, or to recipients not covered by it (such as organizations in the United States that are not certified under the UK Extension to the EU-US Data Privacy Framework), the Processor shall ensure the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (as issued by the UK Information Commissioner under Section 119A of the Data Protection Act 2018, version B1.0) is incorporated into agreements with those Sub-Processors.
Swiss Transfers
For onward transfers of Personal Data to Sub-Processors located in countries without an adequacy finding under the Swiss FADP, the Processor shall ensure the SCCs apply with the modifications specified by the Swiss Federal Data Protection and Information Commissioner, including references to the FADP and the competent Swiss supervisory authority.
Data Deletion and Return
Upon termination or expiration of the Agreement, or upon the Controller's written request, the Processor shall, at the Controller's choice, delete or return all Personal Data processed on behalf of the Controller, and delete existing copies, unless applicable law requires continued storage of the Personal Data.
The Controller shall have thirty (30) days following termination of the Agreement to request return of Personal Data. The Processor shall make Personal Data available for export in a standard, machine-readable format and shall fulfil any return request within thirty (30) days of receiving it.
Following the later of (a) the expiry of the thirty (30) day request period or (b) completion of a return request made within that period, the Processor shall delete all remaining Personal Data within thirty (30) days, except where retention is required by applicable law (e.g., billing records retained for tax compliance purposes as described in the Privacy Policy).
The Processor shall certify deletion in writing upon the Controller's request.
Liability
The liability of each party under this DPA is subject to the limitations and exclusions of liability set out in the Agreement, except that this DPA does not limit either party's liability to Data Subjects or Supervisory Authorities under Data Protection Laws.
Term
This DPA shall take effect on the date the Controller accepts the Agreement and shall remain in effect for as long as the Processor processes Personal Data on behalf of the Controller. Provisions that by their nature should survive termination (including data deletion, confidentiality, and liability provisions) shall survive.
Governing Law
This DPA shall be governed by and construed in accordance with the laws specified in the Agreement (the laws of British Columbia, Canada), except that:
- Where the GDPR applies to the processing, this DPA shall be governed by the laws of the EU member state in which the Controller is established
- Where the UK GDPR applies, this DPA shall be governed by the laws of England and Wales
- Where the Swiss FADP applies, this DPA shall be governed by the laws of Switzerland
Changes to This DPA
We may update this DPA from time to time to reflect changes in Data Protection Laws, regulatory guidance, or our processing practices. When we do, we will update the "Last updated" date at the top of this page.
For non-material changes (such as adding Sub-Processors in accordance with the Sub-Processors section, updating Annex II technical measures, or correcting typographical errors), the Processor will provide notice via the mechanisms described in the Agreement and changes will take effect thirty (30) days after notice.
For material changes (such as altering the scope of processing, modifying liability provisions, or changing the legal bases for international transfers), the Processor will provide at least thirty (30) days' notice via email. Material changes require the Controller's affirmative written consent. If the Controller does not consent to a material change, the Controller may terminate the Agreement by providing written notice within thirty (30) days of receiving the notification, without prejudice to any fees due for the period prior to termination.
Annex I — Details of Processing
| Field | Details |
|---|---|
| Controller | The entity identified as "You" or "Customer" in the Agreement |
| Processor | syn Development Inc., 1083 Mount Newton Cross Road, Saanichton, BC, Canada |
| Contact | privacy@syn.bike |
| Subject matter | Provision of the syn.bike cloud-based bike suspension and linkage design platform |
| Duration | Term of the Agreement plus any post-termination data deletion period |
| Nature and purpose | Hosting, storage, processing, and transmission of Personal Data as necessary to provide the Service, including user authentication, data storage, team collaboration, payment processing, transactional communications, error monitoring, and security |
| Categories of data subjects | Controller's employees, consultants, contractors, agents, and other Authorized Users; any individuals whose Personal Data is submitted to the Service |
| Types of personal data | Names, email addresses, phone numbers, profile images, authentication credentials, account settings, bike/spring design data, billing addresses, transaction history, IP addresses, browser/device information, usage timestamps, team membership and roles |
| Sensitive data | None intentionally processed. The Controller shall not submit special categories of data (Article 9 GDPR) or data relating to criminal convictions and offences (Article 10 GDPR) to the Service unless explicitly agreed in writing. The Processor does not screen for or identify sensitive data within Content, and the Controller bears sole responsibility for compliance with Articles 9 and 10 if it submits such data in breach of this prohibition. |
| Frequency of transfer | Continuous, for the duration of the Agreement |
| Retention | As described in the Data Retention section of the Privacy Policy |
Annex II — Technical and Organizational Measures
The Processor implements the following measures to protect Personal Data:
Encryption
- All data in transit is encrypted using TLS 1.2 or higher
- All data at rest is encrypted using AES-256 or equivalent, as provided by Google Cloud Platform
Access Control
- Access to production systems is restricted to authorized personnel on a need-to-know basis
- Multi-factor authentication is required for access to production infrastructure
- Access rights are reviewed periodically and revoked promptly upon change of role or termination
Infrastructure Security
- The Service is hosted on Google Cloud Platform, which maintains SOC 2 Type II, ISO 27001, and other certifications
- Network security controls including firewalls and intrusion detection
- Regular security patches and updates applied to infrastructure
Application Security
- Secure software development practices
- Input validation and output encoding to prevent common vulnerabilities
- Regular dependency updates and vulnerability scanning
Availability and Resilience
- Automated backups with geographic redundancy
- Disaster recovery procedures
- Target monthly uptime of 99.5% as described in the Agreement
Incident Management
- Documented incident response procedures
- Personal Data Breach notification within 48 hours of awareness
- Post-incident review and remediation process
Personnel
- Confidentiality obligations for all personnel with access to Personal Data
- Security awareness practices
Sub-Processor Management
- Due diligence assessment before engaging Sub-Processors
- Written data processing agreements with all Sub-Processors
- Ongoing monitoring of Sub-Processor compliance
Annex III — Sub-Processors
The following Sub-Processors are authorized to process Personal Data on behalf of the Controller as of the date of this DPA:
| Sub-Processor | Purpose | Location | Transfer Mechanism |
|---|---|---|---|
| Google Cloud Platform (GCP) | Core infrastructure: hosting, database, authentication, file storage, cloud functions | United States and European Union | SCCs; DPF (where currently certified) |
| Stripe | Payment processing and billing | United States | SCCs; DPF (where currently certified) |
| Sentry | Error monitoring and application diagnostics | United States | SCCs; DPF (where currently certified) |
| Twilio SendGrid | Transactional and marketing email delivery | United States | SCCs; DPF (where currently certified) |
| Railway | Logging infrastructure: log database and log dashboard. No customer personal data is processed. | United States | SCCs; DPF (where currently certified) |
Note on self-hosted software: The Processor uses Umami, an open-source analytics tool, self-hosted on the Processor's own Google Cloud Platform infrastructure (GCP us-central1). Because Umami is self-hosted, Umami (the company) does not receive or process any Personal Data — all analytics data remains on the Processor's GCP infrastructure. GCP is the Sub-Processor for this data and is already listed above.
An up-to-date list of Sub-Processors is maintained in the Privacy Policy. Changes to Sub-Processors are communicated in accordance with the Sub-Processors section of this DPA.
Contact
For questions or requests related to this DPA:
By email: privacy@syn.bike
By mail: syn Development Inc., 1083 Mount Newton Cross Road, Saanichton, BC, Canada
Online: https://syn.bike/dpa/