Data Processing Agreement
In accordance with Article 28 of the General Data Protection Regulation (GDPR)
1. Parties
The Processor: SynqLayer, operating under the name SynqFlow, registered with the Chamber of Commerce under number 42041391, located in Waddinxveen, the Netherlands. Hereinafter referred to as “Processor”.
The Controller: The natural or legal person using SynqFlow services and having personal data processed by the Processor. Hereinafter referred to as “Controller”.
2. Subject and Duration
This agreement governs the processing of personal data by the Processor on behalf of the Controller in connection with the SynqFlow services.
Nature of processing: Collecting, storing, analyzing and reporting transport-related data, including:
- Trip registration (starting point, destination, distance, date)
- Vehicle data (license plate, fuel type, CO₂ class)
- Location data (GPS coordinates, departure and arrival locations)
- Financial receipt data (photos of fuel receipts, amounts, liters)
Duration: This agreement applies for the duration of the Controller’s active SynqFlow subscription. After termination, personal data is retained for a maximum of 30 days before permanent deletion.
3. Categories of Personal Data
The following categories of personal data may be processed:
- Location data: GPS coordinates, departure and arrival addresses of transport trips
- Vehicle data: License plates, vehicle types, fuel types, emission classes
- Financial receipt data: Fuel receipts and scanned metadata such as amounts, liters, date and location
- Account data: Name, email address and company name of the Controller
4. Subprocessors
The Processor uses the following subprocessors. A data processing agreement has been concluded with each party in accordance with GDPR Article 28:
| Subprocessor | Service | Datacenter |
|---|---|---|
| Google Cloud (Vertex AI) | AI processing (receipt scanning) | europe-west4 (Netherlands) |
| Supabase | Database & authentication | eu-west-2 (London, UK) |
| Vercel | Hosting & edge functions | Global Edge Network |
By accepting this agreement, the Controller authorizes the use of the subprocessors listed above. The Controller will be informed at least 14 days in advance of any subprocessor changes.
5. Security Measures
The Processor implements appropriate technical and organizational measures to protect personal data against loss, unlawful processing and unauthorized access:
- Encryption of data in transit (TLS 1.3) and at rest (AES-256)
- Least-privilege access control: only authorized staff with explicit access rights
- Multi-factor authentication on all administrative systems
- Row Level Security (RLS) at database level per user
- Logging and monitoring of access to personal data
- Periodic security audits and penetration testing
6. Data Subject Rights
The Processor assists the Controller in fulfilling data subject rights under GDPR, including:
- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure (Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
Requests to exercise these rights can be submitted via the SynqFlow support channel. The Processor will respond to such requests within 30 days.
7. Contact
For questions about this Data Processing Agreement or the processing of personal data, contact us via:
Email: contact@synqflow.com
KvK: 42041391
VAT: NL005450830B62
8. Final Provisions
This agreement is governed by Dutch law. Disputes will be submitted to the competent court in The Hague.
This Data Processing Agreement was last updated on April 24, 2026 and takes effect immediately upon commencement of the services.