Data Processing Agreement
In accordance with Article 28 of the General Data Protection Regulation (GDPR)
1. Parties
The Processor: SynqLayer, operating under the name SynqFlow, registered with the Chamber of Commerce under number 42041391, located in Waddinxveen, the Netherlands. Hereinafter referred to as “Processor”.
The Controller: The natural or legal person using SynqFlow services and having personal data processed by the Processor. Hereinafter referred to as “Controller”.
2. Subject and Duration
This agreement governs the processing of personal data by the Processor on behalf of the Controller in connection with the SynqFlow services.
Nature of processing: Collecting, storing, analyzing and reporting transport-related data, including:
- Trip registration (starting point, destination, distance, date)
- Vehicle data (license plate, fuel type, CO₂ class)
- Location data (GPS coordinates, departure and arrival locations)
- Financial receipt data (photos of fuel receipts, amounts, liters)
Duration: This agreement applies for the duration of the Controller’s active SynqFlow subscription. After termination, a 30-day export period applies. After that, personal data is deleted or anonymized where reasonably possible, subject to legal, administrative, security, or dispute-related obligations.
3. Categories of Personal Data
The following categories of personal data may be processed:
- Location data: GPS coordinates, departure and arrival addresses of transport trips
- Vehicle data: License plates, vehicle types, fuel types, emission classes
- Financial receipt data: Fuel receipts and scanned metadata such as amounts, liters, date and location
- Account data: Name, email address and company name of the Controller
4. Retention periods
The following retention periods apply as a baseline for personal data processed in SynqFlow:
- Account and company data: while the account is active.
- Vehicles, trips, and driver data: while the account is active.
- After cancellation: 30-day export period, then deletion or anonymization where reasonably possible.
- Contact, support, and upgrade requests: up to 12 months unless longer retention is needed for follow-up or dispute handling.
- Audit and security logs: generally 12 to 24 months for security, abuse detection, and incident investigation.
- Backups: automatic rotation according to the applicable backup policy; immediate removal from existing backups is not guaranteed.
- Payment and invoice data: relevant only once payment functionality is added and then according to applicable statutory retention periods.
Deletion requests are reviewed first against legal, administrative, security, and dispute-related obligations.
5. Subprocessors
The Processor uses the following subprocessors. A data processing agreement has been concluded with each party in accordance with GDPR Article 28:
| Subprocessor | Service | Datacenter |
|---|---|---|
| Google Cloud (Vertex AI) | AI processing (receipt scanning) | According to current subprocessor and project configuration |
| Supabase | Database & authentication | According to current project configuration |
| Vercel | Hosting & edge functions | Global Edge Network |
By accepting this agreement, the Controller authorizes the use of the subprocessors listed above. The Controller will be informed at least 14 days in advance of any subprocessor changes.
6. Security Measures
The Processor implements appropriate technical and organizational measures to protect personal data against loss, unlawful processing and unauthorized access:
- Encryption of data in transit (TLS 1.3) and at rest (AES-256)
- Least-privilege access control: only authorized staff with explicit access rights
- Multi-factor authentication on all administrative systems
- Row Level Security (RLS) at database level per user
- Logging and monitoring of access to personal data
- Periodic security audits and penetration testing
7. Data Subject Rights
The Processor assists the Controller in fulfilling data subject rights under GDPR, including:
- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure (Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
Requests to exercise these rights can be submitted via the SynqFlow support channel. The Processor will respond to such requests within 30 days.
8. Contact
For questions about this Data Processing Agreement or the processing of personal data, contact us via:
Email: info@synqlayer.com
KvK: 42041391
VAT: NL005450830B62
9. Final Provisions
This agreement is governed by Dutch law. Disputes will be submitted to the competent court in The Hague.
This Data Processing Agreement was last updated on 17 May 2026 and takes effect immediately upon commencement of the services.