Data Processing Agreement

Effective Date:

Nov 25, 2025

This Data Processing Agreement (“DPA”) forms part of the Terms of Service or other written or electronic agreement (“Principal Agreement”) between:

(1) The Customer (“Controller”),
and
(2) KeepSync (“Processor”), a company established in the Republic of Cyprus,

(each a “Party” and together the “Parties”).

This DPA governs KeepSync’s processing of Personal Data on behalf of the Customer under the Principal Agreement.

1. Definitions

Terms used in this DPA have the meanings given in the GDPR, including:

  • “Personal Data”: any information relating to an identified or identifiable natural person.
  • “Processing”: any operation performed on Personal Data.
  • “Controller” / “Processor”: as defined in GDPR Articles 4(7) and 4(8).
  • “Data Subject”: an identified or identifiable person.
  • “EU Data Protection Law”: GDPR and all related national legislation, including that of the Republic of Cyprus.
  • “Sub-processor”: any third party engaged by the Processor to process Personal Data.

2. Subject Matter & Duration

The Processor will process Personal Data only for the purpose of providing the Services under the Principal Agreement.
This DPA remains in force for as long as the Processor processes Personal Data on behalf of the Controller.

3. Nature and Purpose of Processing

Processing activities may include:

  • data collection, storage, and organization;
  • access and retrieval;
  • analysis, transmitting, and deletion;
  • providing the functionality of the KeepSync platform.

The Processor will process Personal Data only on documented instructions from the Controller.

4. Categories of Personal Data and Data Subjects

Categories of Data Subjects

May include:

  • Customer employees and contractors;
  • Users of the Customer’s systems;
  • Any Data Subjects whose data is uploaded to the Services.

Categories of Personal Data

May include:

  • contact data (names, emails, phone numbers);
  • usage data and metadata;
  • organizational and role information;
  • any additional personal data uploaded or submitted by the Controller.

No special categories of data (GDPR Art. 9) are processed unless explicitly agreed.

5. Processor Obligations

The Processor agrees to:

5.1 Process Data Only on Instructions

Process Personal Data solely based on the Controller’s documented instructions, including those within the Principal Agreement.

5.2 Confidentiality

Ensure that all personnel authorized to process Personal Data are bound by confidentiality obligations.

5.3 Security Measures

Implement appropriate technical and organizational measures to protect Personal Data, including:

  • encryption in transit and where applicable at rest,
  • access controls,
  • data minimization,
  • regular security audits and monitoring.

5.4 Sub-processors

The Processor may engage Sub-processors.

  • A list of Sub-processors will be maintained and provided upon request.
  • The Processor will ensure Sub-processors provide at least equivalent data protection obligations.
  • The Controller may object to new Sub-processors on reasonable grounds.

5.5 Assistance to Controller

Assist the Controller in ensuring compliance with obligations relating to:

  • security,
  • breach notification (GDPR Art. 33–34),
  • data protection impact assessments (Art. 35–36),
  • responding to Data Subject requests.

5.6 Data Breaches

Notify the Controller without undue delay after becoming aware of a Personal Data Breach.

5.7 Return or Deletion of Data

Upon termination of the Services, the Processor will:

  • delete all Personal Data, or
  • return it to the Controller,
    unless EU or Cyprus law requires storage.

6. Controller Obligations

The Controller agrees to:

  • ensure lawful basis for processing;
  • ensure accuracy and lawfulness of Personal Data;
  • fulfill its GDPR obligations regarding Data Subject rights;
  • provide instructions compliant with GDPR.

7. International Data Transfers

Any transfer of Personal Data outside the EEA requires safeguards under GDPR Chapter V, such as:

  • Standard Contractual Clauses (SCCs),
  • adequacy decisions,
  • or other approved mechanisms.

The Processor will not transfer data outside the EEA without appropriate safeguards.

8. Audits

The Controller may conduct audits (directly or via a third-party auditor) once per year or after a confirmed data breach.
Audits must:

  • provide reasonable notice,
  • not disrupt operations,
  • be limited to data protection compliance.

The Processor may charge reasonable fees for audits that exceed standard information requests.

9. Liability & Indemnification

Each Party’s liability under this DPA is subject to the liability limitations set out in the Principal Agreement.
Nothing in this DPA limits liability for violations of GDPR.

10. Amendments

The Processor may update this DPA to stay compliant with applicable law. Material changes will be communicated to the Controller.

11. Governing Law & Jurisdiction

This DPA is governed by the laws of the Republic of Cyprus.
Any disputes will be resolved exclusively in the courts of Nicosia, Cyprus.

12. Contact Information

Processor: KeepSync
Email: support@keepsync.io

What's next?

Start Building Your Warm Pipeline in HubSpot Today

Join 500+ HubSpot teams converting relationships into predictable revenue

Start Free Trial - No Card Required
Schedule 15-Min Demo

KeepSync – native HubSpot integration that tracks when your champions change jobs. Transform warm relationships into your most reliable pipeline source with automated job change tracking.

Pages
Legal
© 2025 Syntro. All rights reserved.