Data Processing Agreement.
For enterprise customers.

1. Definitions

Terms not defined here have the meanings given in the DPDP Act 2023 or our Terms of Service. Where this DPA refers to “Customer”, that means you, the entity that has signed up for an enterprise subscription; “LexVio” means Global Synapse Technologies; and “Personal Data” means data of Data Principals that the Customer uploads, generates, or processes via the Service.

2. Roles

• Customer acts as the Data Fiduciary in respect of Personal Data it submits to or generates via the Service.
• LexVio acts as a Data Processor (under contract) processing such Personal Data on the Customer's instructions, only for the purposes of providing the Service.
• For Personal Data LexVio collects directly (account holders, billing contacts), LexVio acts as Data Fiduciary; see our Privacy Policy.

3. Scope and instructions

LexVio shall process Personal Data only on the documented instructions of the Customer, which are deemed to include: (a) use of the Service's features as configured by Customer-authorised users; (b) compliance with applicable law; and (c) responses to lawful requests by competent authorities. LexVio shall not access Personal Data except as necessary to deliver the Service.

4. Customer obligations

• Customer warrants that it has lawful basis (consent, statutory legitimate use, or other) to process Personal Data via the Service.
• Customer is responsible for the accuracy and lawfulness of Personal Data it uploads.
• Customer shall not upload data of children below 18, sensitive categories not permitted under the Customer's own privacy notice, or data prohibited by law.
• Customer is the sole point of contact for Data Principals (its users, employees, counterparties) for rights requests; LexVio assists as set out in §8 below.

5. Confidentiality

LexVio personnel with access to Personal Data are bound by contractual confidentiality obligations and have completed mandatory privacy and security training. Access is logged and reviewed periodically.

6. Security measures (Annex)

LexVio implements appropriate technical and organisational measures, including:

• Encryption — AES-256 at rest, TLS 1.3 in transit.
• Access control — role-based access; multi-factor authentication on administrative interfaces; least-privilege defaults.
• Logging — immutable audit logs of administrative actions; retained 12–36 months.
• Backups — encrypted, replicated to a secondary India region; tested quarterly; 90-day retention.
• Vulnerability management — automated dependency scans; annual third-party penetration testing.
• Personnel — background-checked staff; off-boarding deprovisioning within 24 hours.
• Certifications — SOC 2 Type II and ISO/IEC 27001 in pursuit (status published on /trust).

7. Sub-processors

Customer authorises LexVio to engage sub-processors to deliver the Service. The current sub-processor list is available on request via info@globalsynapsetech.com and includes (without limitation):

• Amazon Web Services — hosting infrastructure (ap-south-1, Mumbai).
• Anthropic — AI model inference. No customer content is used to train Anthropic models.
• Razorpay / Stripe — payment processing.
• PostHog — product analytics on the marketing site (consent-gated).
• Sentry — error monitoring (scrubbed of Personal Data).

LexVio will give Customer at least 30 days' advance notice (by email to the account's primary admin) of any new or replacement sub-processor. Customer may object by terminating its subscription for cause if it cannot reach a workable accommodation.

8. Assistance with Data Principal rights

LexVio will, taking into account the nature of processing, provide reasonable assistance to enable Customer to respond to Data Principal rights requests (access, correction, erasure, nomination, consent withdrawal). Standard self-service tooling is available in the admin console; complex cases handled via support@globalsynapsetech.com within 5 business days.

9. Personal data breach notification

LexVio will notify Customer of a confirmed Personal Data breach without undue delay and in any event within 24 hours of confirmation. Notification will include the nature of the breach, categories and approximate number of Data Principals affected, likely consequences, and remediation measures. LexVio will independently notify the Data Protection Board of India where required by DPDP Act §8(6).

10. Audit rights

LexVio will, upon reasonable request and at intervals not more than annually, make available current SOC 2 reports and similar attestations under appropriate confidentiality. Where Customer reasonably requires a direct audit (e.g. regulator-mandated), parties will agree on scope, timing, and cost in writing.

11. Cross-border transfers

Personal Data is primarily processed in India. Limited transfers outside India (model inference, error monitoring) occur only to jurisdictions not restricted by the Central Government under DPDP Act §16, and only under contractual safeguards equivalent to this DPA.

12. Return or deletion

On termination of the Service, LexVio will, at Customer's choice and within 30 days, either return or securely delete all Personal Data, subject to legal retention requirements (e.g. 8-year billing records under the Companies Act 2013).

13. Liability

Each party's liability under this DPA is subject to the limitation of liability set out in the Terms of Service. Nothing limits liability that cannot be limited under applicable law.

14. Order of precedence

If there is a conflict between this DPA and the Terms of Service, this DPA prevails in respect of the processing of Personal Data.

15. Signing this DPA

Enterprise customers are deemed to accept this DPA when they execute a Master Subscription Agreement or Order Form referencing this URL. Customers requiring a counter-signed copy should contact info@globalsynapsetech.com; we typically counter-sign within 5 business days.