Cyntex
Get Demo
GDPR • Data Processing

Data Processing Agreement

Our comprehensive DPA ensures full GDPR compliance for all data processing activities.

Last updated: August 9th, 2025
GDPR Article 28

Agreement Parties

Data Controller: [Customer Name] ("Controller")

Data Processor: Cyntex.ai ("Processor")

1. Purpose and Scope

This Data Processing Agreement governs the processing of personal data by Cyntex.ai as a data processor on behalf of the Customer as data controller. Processing is conducted solely for the provision of AI receptionist services as outlined in our Terms of Service.

2. Data Processing Activities

Personal data processing includes:

  • Voice Call Processing: Recording, transcription, and analysis of customer calls
  • Lead Management: Processing contact information and inquiry details
  • Appointment Scheduling: Managing booking information and calendar integration
  • Analytics and Reporting: Performance metrics and service optimization

3. GDPR Compliance

Processor shall:

  • Process data only on documented instructions from Controller
  • Maintain confidentiality of all personal data and ensure staff confidentiality
  • Implement appropriate technical and organizational security measures
  • Assist Controller in fulfilling GDPR obligations and data subject rights
  • Notify Controller of any data breach without undue delay (within 72 hours)

4. Sub-Processors

Processor may engage the following approved sub-processors:

  • ElevenLabs: Voice AI synthesis and processing (Business Plan with DPA: https://elevenlabs.io/dpa)
  • AWS: Cloud infrastructure services (EU regions only)
  • Telephony Providers: Call routing and SIP services

All sub-processors operate under equivalent DPA terms and appropriate data protection safeguards.

5. Security Measures

Technical and organizational measures include:

  • Encryption: Data encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Access Control: Role-based access with multi-factor authentication
  • Monitoring: Continuous security monitoring and incident detection
  • Backup: Regular automated backups with geographic redundancy
  • Testing: Regular penetration testing and vulnerability assessments

6. Data Subject Rights

Processor will assist Controller in responding to data subject requests:

  • Access Requests: Provide data extracts within 30 days
  • Rectification: Correct inaccurate personal data
  • Erasure: Delete personal data upon valid request
  • Portability: Provide data in structured, machine-readable format

7. Data Retention and Deletion

Data retention periods:

  • Call Recordings: Configurable retention, default 7 days
  • Call Metadata: 30 days standard retention
  • Lead Information: As directed by Controller
  • Service Termination: All data securely deleted within 90 days

8. International Transfers

All personal data processing occurs within the EU. Where transfers to third countries are necessary (e.g., for technical support), they are conducted under appropriate safeguards including EU Standard Contractual Clauses and adequacy decisions.

9. Termination

Upon termination of the service agreement, Processor will either securely delete all personal data or return it to Controller as instructed. Data deletion is completed within 90 days using secure erasure methods that prevent data recovery.

Contact & Compliance

Data Protection Officer: dpo@cyntex.ai

Legal Department: legal@cyntex.ai

Incident Response: 24/7 security incident hotline available

Questions About Our DPA?

Our legal and compliance team is available to discuss data processing requirements and GDPR compliance.

Contact Legal Team