SyncBridge Pro

Data Processing Addendum — SyncBridge Pro

_Last updated: please update on publish_

This DPA supplements the Terms of Service between you ("Controller") and Ironhazel Labs (pending Osek Murshe registration, Israel) operating SyncBridge Pro at https://syncbridge.ironhazel.com ("Processor"), and describes how we process personal data on your behalf as required by the EU GDPR, UK GDPR, and Israeli Privacy Protection Law Amendment 13.

1. Scope

This DPA applies when Controller's end-users' personal data is processed by the Service.

2. Roles

  • Controller: you (the business customer).
  • Processor: Ironhazel Labs (pending Osek Murshe registration, Israel).
  • Sub-processors: listed in §8.

3. Purpose & duration of processing

We process personal data only to deliver the Service. Processing lasts for the term of the Terms plus any legally-mandated retention.

4. Types of personal data & data subjects

  • Data subjects: Controller's end-users (customers, employees, leads).
  • Data categories: identifiers, contact info, usage data, any data Controller submits via the Service.

5. Obligations

We will:

  • Process personal data only on documented instructions from Controller.
  • Ensure authorized personnel are under confidentiality obligations.
  • Implement appropriate technical and organizational measures (see §7).
  • Assist Controller in responding to data-subject requests.
  • Notify Controller without undue delay of personal-data breaches affecting their data.
  • Make available information needed to demonstrate compliance.

6. Data-subject requests

If we receive a request from one of Controller's data subjects, we will forward it to Controller within 5 business days without acting on it directly (unless legally required).

7. Security measures

  • Encryption in transit (TLS 1.2+) and at rest (AES-256 via Supabase).
  • Access controls with least-privilege.
  • Automated backups.
  • Incident-response procedures.
  • Annual access review.

8. Sub-processors

We use the following sub-processors:

  • Vercel Inc. — application hosting (US + EU).
  • Supabase — database and authentication (EU).
  • Resend — transactional email (US).
  • PostHog — product analytics (US or EU, per region).
  • Paddle.com Market Ltd. or Lemon Squeezy — payment processing and merchant of record.

We notify Controller of new sub-processors with 30 days' notice by email to the account owner. Controller may object and, if we cannot resolve the objection, terminate the affected services.

9. International transfers

Transfers outside the EEA / UK / Israel to sub-processors are covered by Standard Contractual Clauses (EU Commission Decision 2021/914) or equivalent safeguards.

10. Return and deletion

Upon termination Controller may export their data via Service features. We delete or anonymize personal data within 30 days of termination unless legally retained.

11. Contact

DPO: privacy@ironhazel.com

General: hello@ironhazel.com