This Data Processing Addendum (“DPA”) is a contractual template. Although it is drafted to be enforceable as-is under Brazilian law and to satisfy LGPD art. 39 and GDPR art. 28, you should have your own legal counsel review it before counter-signing. Synapse is happy to discuss reasonable customer redlines via privacy@graphorlm.com.

How to use this template

  1. Read the body of the DPA below alongside the Privacy Policy and the Terms of Service, which it incorporates by reference.
  2. Complete the customer-side fields in Annex 1 and the signature block at the end of this page.
  3. Send the counter-signed DPA to privacy@graphorlm.com; Synapse counter-signs and returns a fully executed copy within five business days, along with a frozen snapshot of Annex 3 reflecting the subprocessors in production on the signature date.
  4. The executed DPA becomes part of your agreement with Synapse and prevails over inconsistent terms in any underlying agreement to the extent of any conflict on data-processing matters.
A PDF copy of this DPA is available on request via privacy@graphorlm.com for organizations that require a static signed document.

Data Processing Addendum

This Data Processing Addendum (“DPA”) is entered into between: SYNAPSE INOVAÇÃO E TECNOLOGIA LTDA., a company organized under the laws of the Federative Republic of Brazil, with principal place of business in Brazil (“Synapse” or the “Processor”), and [CAMPO — Customer legal name, jurisdiction, registered address, registration/tax identifier] (the “Customer” or the “Controller”), each a “Party” and together the “Parties”.
This DPA forms part of and is incorporated into the Terms of Service published at https://docs.graphorlm.com/legal/terms-of-service and any other agreement between the Parties governing the Customer’s use of the Graphor Service (collectively, the “Agreement”). In the event of any conflict between this DPA and the Agreement on data-protection matters, this DPA prevails.

1. Definitions

Unless otherwise defined below, terms have the meaning given to them in LGPD, GDPR, the Agreement, the Privacy Policy, or this DPA.
| Term | Meaning |
|---|---|
| Applicable Data Protection Law | LGPD (Lei nº 13.709/2018 — Brazil), GDPR (Regulation (EU) 2016/679), and any other data protection legislation applicable to the Processing under this DPA. |
| Controller | The natural or legal person that determines the purposes and means of the Processing of Personal Data — for the purposes of this DPA, the Customer. |
| Customer Personal Data | Personal Data that Customer or its end users submit to the Graphor Service, including Customer Content as defined in the Privacy Policy. |
| Personal Data | Any information relating to an identified or identifiable natural person (“Data Subject”) that is Processed under this DPA. |
| Process / Processing | Any operation or set of operations performed on Personal Data, whether or not by automated means — collection, storage, transmission, use, deletion, etc. |
| Processor | The natural or legal person that Processes Personal Data on behalf of the Controller — for the purposes of this DPA, Synapse. |
| Standard Contractual Clauses or “SCCs” | The Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, as adopted by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021. |
| Subprocessor | Any third party engaged by Synapse to Process Customer Personal Data on Synapse’s behalf, as listed in Annex 3 and on the Subprocessors page. |
| Security Incident | A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data. |

2. Scope, roles, and duration

2.1 Roles of the Parties

The Customer is the Controller of the Customer Personal Data. Synapse acts as the Processor on the Customer’s behalf to provide the Graphor Service. This allocation of roles applies for the purposes of LGPD art. 5º, VI–VII and GDPR art. 4(7)–(8).

2.2 Scope of Processing

Synapse Processes Customer Personal Data only as necessary to provide the Graphor Service to the Customer in accordance with the Customer’s documented instructions, which are codified in:
  • the Agreement;
  • the Trust Center and the documents it incorporates;
  • this DPA;
  • the Customer’s configuration of the Service (project settings, API requests).
Any Processing outside the scope above requires the Customer’s prior written consent.

2.3 Duration

This DPA applies for as long as Synapse Processes Customer Personal Data under the Agreement and survives termination to the extent necessary for the return or deletion obligations in §13.

2.4 Description of the Processing

The nature, purpose, types of Personal Data, and categories of Data Subjects are described in Annex 1.

3. Processor obligations

3.1 Documented instructions

Synapse Processes Customer Personal Data only on the Customer’s documented instructions (LGPD art. 39, I / GDPR art. 28(3)(a)). The Agreement, the Trust Center, this DPA, and the Customer’s use of the Service constitute the Customer’s documented instructions. Synapse will inform the Customer if it believes an instruction violates Applicable Data Protection Law.

3.2 Confidentiality

Synapse ensures that all personnel authorized to Process Customer Personal Data are bound by appropriate confidentiality obligations (LGPD art. 47 / GDPR art. 28(3)(b)).

3.3 Security

Synapse implements the technical and organizational measures described in Annex 2 to protect Customer Personal Data against unauthorized or unlawful Processing and accidental loss, destruction, damage, alteration, or disclosure (LGPD art. 46 / GDPR art. 32).

3.4 Assistance with Data Subject rights

Synapse provides reasonable assistance to the Customer in fulfilling Data Subject requests under LGPD art. 18 and GDPR art. 15–22. The customer-callable DSR API satisfies the deletion and access dimensions; other requests are routed via privacy@graphorlm.com.

3.5 Assistance with Controller obligations

Synapse provides reasonable assistance to the Customer in complying with its obligations under LGPD art. 38 (DPIA), 46 (security), and 48 (breach notification), and GDPR art. 32–36, taking into account the nature of the Processing and the information available to Synapse.

3.6 No use of Customer Personal Data for Synapse’s purposes

Synapse does not use Customer Personal Data for purposes other than providing the Service to the Customer. Synapse does not use Customer Content (a subset of Customer Personal Data) to train AI models — this commitment is documented in Model Use and Training and is binding on Synapse under this DPA. Operational telemetry that is incidentally collected to operate and improve the Service is subject to the Brazilian PII mask described in Data Retention §4 and is never used for AI-model training.

4. Subprocessors

4.1 General authorization

The Customer authorizes Synapse to engage the Subprocessors listed in Annex 3 and on the public Subprocessors page.

4.2 Material changes to the subprocessor list

Synapse notifies the Customer at least 30 days before any material change to the Subprocessor list takes effect, except where an immediate change is required to remediate an active Security Incident. Notification is delivered by email to the privacy contact on file and by update to the Subprocessors page (subscribe at subprocessors@graphorlm.com).

4.3 Customer objection

The Customer may object in writing within the 30-day window to a proposed Subprocessor change on reasonable data-protection grounds. If the Parties cannot resolve the objection within 30 days, the Customer may terminate the affected portion of the Agreement without penalty and receive a pro-rated refund of any pre-paid Fees for the unused portion of the Subscription term.

4.4 Subprocessor obligations and pass-through clauses

Each Subprocessor is bound by data-protection obligations no less protective than those in this DPA, through Synapse’s contractual relationship with the Subprocessor. Synapse incorporates by reference the following upstream commitments and is responsible to the Customer for the Subprocessor’s performance under those commitments:
  • AWS — the AWS Data Processing Addendum governs the AWS Bedrock processing; incorporating SCCs.
  • OpenAI — the OpenAI DPA governs embedding processing, with Zero Data Retention enrolled for the Synapse production org. Synapse commits to maintain ZDR enrollment for the duration of this DPA, and to notify the Customer within 10 business days if ZDR is disabled (by Synapse or by OpenAI policy change).
  • Cerebras — the Cerebras Terms of Use and Privacy Policy, including the published no-training and zero-retention commitments.
  • Google Cloud Platform — the Google Cloud DPA for all GCP-hosted components.
  • Neo4j AuraDB — the Neo4j DPA for the managed graph store.
  • Stripe — the Stripe DPA for payment processing.
  • Firebase Authentication — covered under the Google Cloud DPA above.
If a material change to any upstream Subprocessor commitment occurs (for example, a removal of a no-training clause, a change to the international-transfer regime, or a downgrade of an audit certification), Synapse notifies the Customer within 30 days of becoming aware of the change.
Synapse operates two distinct business lines under the same legal entity (the Graphor SaaS product and Synapse’s consultancy practice). The relationship is disclosed on Subprocessors §8. Where Synapse Consultoria projects consume the Graphor Service for end clients, they do so under this same DPA on terms equivalent to any unrelated third-party customer, with no privileged data path and no preferential subprocessor treatment.

5. International transfer of Personal Data

5.1 Transfer regime

The Customer authorizes Synapse to transfer Customer Personal Data to the regions described in Data Residency. For Customer Personal Data subject to LGPD or GDPR, the transfer is conducted under one or more of the safeguards in LGPD art. 33 / GDPR art. 44–49:
  • The Standard Contractual Clauses 2021/914 referenced in Annex 4 and incorporated by reference, including the modules required for the relevant transfer scenario (Module 2 for controller-to-processor; Module 3 for processor-to-processor onward transfers to Subprocessors).
  • The data protection commitments of each upstream Subprocessor (per §4.4).
  • The technical and organizational measures in Annex 2.

5.2 Region commitment

Synapse Processes Customer Personal Data in us-central1 (Iowa, USA) and the US AWS Bedrock regions, as documented in Data Residency. Synapse notifies the Customer at least 30 days before any change to the primary Processing region takes effect.

6. Security

Synapse implements and maintains the technical and organizational measures described in Annex 2, which include encryption at rest (cloud-provider-managed AES-256; customer-managed encryption keys on enterprise request), encryption in transit (TLS 1.2+), logical tenant isolation, per-project API tokens with TTL and audit, and the operational controls inventoried in Compliance §3. The measures will be reviewed periodically and updated as the threat landscape, available technology, and Customer expectations evolve. Synapse does not unilaterally reduce the protections below the level agreed at signature.

7. Security Incident notification

Synapse notifies the Customer of a confirmed Security Incident affecting Customer Personal Data within 72 hours of internal confirmation, per the procedure documented in Incident Response. The notification includes the five elements specified in Incident Response §5: what happened, why it happened, the Customer-specific scope, the response actions, and the Customer-side actions recommended. Synapse publishes a written post-mortem to the affected Customer within 14 days of internal confirmation, per Incident Response §6. The 72-hour SLA aligns with LGPD art. 48 (“prazo razoável,” interpreted by ANPD as 72 hours) and with GDPR art. 33 (controller-to-supervisory-authority window).

8. Audit

The Customer may audit Synapse’s compliance with this DPA on reasonable prior notice (no less than 30 days, except in connection with a Security Incident) and during normal business hours, subject to reasonable confidentiality and scoping commitments. The audit may take one or more of the following forms:
  • Review of Synapse’s Trust Center and supporting documentation;
  • Review of the most recent Synapse audit report (where one is available — see Compliance §1);
  • Review of the most recent Subprocessor audit reports made available under each Subprocessor’s NDA terms;
  • A reasonable on-site or remote inquiry conducted by the Customer or a qualified independent auditor at the Customer’s expense.
Synapse will respond to enterprise security questionnaires within 10 business days, citing the Trust Center pages above for the answers wherever they apply.

9. Cooperation with authorities

If Synapse receives a binding legal request from a competent authority for disclosure of Customer Personal Data (subpoena, court order, regulatory inquiry), Synapse will:
  • Notify the Customer of the request to the extent legally permitted, allowing the Customer to seek a protective order or other remedy;
  • Where notification is prohibited, take reasonable steps to inform the Customer of the request once the prohibition expires;
  • Disclose only the minimum data required to comply with the request.

10. Data Protection Impact Assessment

On reasonable request, Synapse provides the Customer with information and documentation reasonably necessary for the Customer to complete a Data Protection Impact Assessment (LGPD art. 38) or a Data Protection Impact Assessment / Article 35 DPIA (GDPR art. 35) for processing involving the Graphor Service. A DPIA template is available on request via privacy@graphorlm.com.

11. Liability

Each Party’s liability under this DPA is subject to the limits set out in the Agreement. Where the Agreement contains a liability cap, that cap applies to this DPA. Where the Agreement is silent or where Applicable Data Protection Law requires a different allocation, liability follows the joint-and-several allocation in LGPD art. 42 / GDPR art. 82.

12. Conflict between this DPA and the Agreement

If there is a conflict between this DPA and the Agreement on data-protection matters, this DPA prevails. If there is a conflict between this DPA and any other data-processing instrument signed between the Parties after the effective date of this DPA, the later-signed instrument prevails.

13. Return and deletion on termination

Within 30 days of termination of the Agreement, Synapse, at the Customer’s election:
  • Returns the Customer Personal Data in a structured, commonly used, machine-readable format; or
  • Deletes the Customer Personal Data per the end-to-end cascade in Data Retention §2, retaining only such copies as are required by Applicable Law (notably Brazilian tax and accounting law for billing records — see Data Retention §6).
Synapse provides written confirmation of the chosen action within 10 business days of completion.

14. Term and termination

This DPA enters into force on the date of the last signature below and terminates upon termination of the Agreement. The obligations in §7 (Security Incident notification), §9 (cooperation), and §13 (return and deletion) survive termination for the period required to fulfil them.

15. Governing law and jurisdiction

This DPA is governed by the laws of the Federative Republic of Brazil. Disputes arising out of or in connection with this DPA are resolved per the arbitration procedure in the Terms of Service (§12.2) — binding arbitration conducted in Portuguese, in the city of São Paulo, State of São Paulo, Brazil.

Annex 1 — Description of the processing

(To be completed by the Customer at signature.)
| Item | Description |
|---|---|
| Nature of the Processing | Ingestion of Customer Personal Data into the Graphor Service; partitioning, chunking, embedding, indexing, retrieval; provision of question-and-answer and structured-data-extraction services on the Customer’s behalf. |
| Purpose of the Processing | [CAMPO — Customer-stated business purpose, e.g. “Internal knowledge management for legal practice X” / “Customer-support content base for product Y” / “Compliance document analysis for division Z”] |
| Categories of Data Subjects | [CAMPO — e.g. “Customer’s employees and contractors with Service access” / “Customer’s end-clients whose documents are ingested” / “Other identifiable persons appearing in the Customer Content”] |
| Types of Personal Data | Account Information, Professional Information, Contact Information, Customer Content (as defined in the Privacy Policy), and any Personal Data the Customer chooses to upload as Customer Content. Special categories (LGPD art. 11 / GDPR art. 9): Customer is solely responsible for assessing the lawful basis for any upload of special-category Personal Data and for configuring access controls accordingly. |
| Duration of the Processing | For the term of the Agreement, with the post-termination return-or-delete window in §13. |
| Frequency of transfer | Continuous, as the Customer uses the Service. |

Annex 2 — Technical and organizational measures

Synapse implements and maintains the technical and organizational measures listed below. The current state of each control is documented in the Trust Center page cited.
| Control area | Measure | Documented at |
|---|---|---|
| Encryption at rest | Cloud-provider-managed AES-256 by default; customer-managed encryption keys available on enterprise request | Trust Center Overview §3 |
| Encryption in transit | TLS 1.2+ enforced on every public surface; managed certificates | Architecture §5 |
| Logical tenant isolation | Single-tenant logical model with per-layer (API, database, graph store, storage, observability) project-scoped enforcement | Tenant Isolation §1 |
| Identity and access management | Per-project API tokens with TTL + last-used auditing; tier-aware observability access; Project-scoped Synapse-personnel access | Tenant Isolation §2, Tenant Isolation §6 |
| AI model governance | Contractual no-training commitments from every active provider; tier-based provider declaration; verbatim citations | Model Use and Training |
| Data retention and deletion | Infinite-until-DELETE posture; end-to-end delete cascade; customer-callable DSR API; bounded TTL on observability traces | Data Retention |
| Security Incident response | 72-hour notification SLA; 14-day post-mortem commitment | Incident Response |
| Subprocessor management | Versioned subprocessor list; 30-day prior-notice commitment | Subprocessors |
| Vulnerability management | Dependency scanning in CI; security advisory monitoring; quarterly patch review | Available on request |
| Disaster recovery | Cloud-provider automated backups + point-in-time recovery (7-day window); restore procedure that preserves customer DSR actions | Data Retention §5 |
| Audit logging | Customer-visible activity log surface; export path | Audit Logs |

Annex 3 — Subprocessors as of signature date

The Subprocessors authorized at the effective date of this DPA are the providers listed on the Subprocessors page. For the purposes of this DPA, the relevant list is frozen at signature and re-published as part of the executed copy of this DPA. A material change to this list follows the procedure in §4.2. Current Subprocessor categories (the full per-provider detail is in the Subprocessors page):
  • Cloud infrastructure — Google Cloud Platform, Amazon Web Services (Bedrock), Neo4j AuraDB.
  • AI model providers — Anthropic (via AWS Bedrock), OpenAI (embeddings, ZDR enrolled), Cerebras (chunk enrichment + fast tier, zero retention).
  • Payment — Stripe.
  • Authentication — Firebase Authentication.
  • Observability — Self-hosted Langfuse (tier-aware).
  • Marketing-site analytics — Google Analytics (consent-gated; marketing site only; not loaded on legal routes).

Annex 4 — Standard Contractual Clauses

For transfers of Customer Personal Data subject to GDPR from the European Economic Area, Switzerland, or the United Kingdom to Synapse’s Processing locations (the United States and any other non-adequacy jurisdiction), the Parties incorporate by reference the Standard Contractual Clauses 2021/914, as adopted by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, together with the following Module elections:
  • Module 2 (Controller-to-Processor) applies between the Customer (as data exporter) and Synapse (as data importer) for Customer Personal Data Processed under this DPA.
  • Module 3 (Processor-to-Processor) applies between Synapse (as data exporter) and each Subprocessor (as data importer) for onward transfers of Customer Personal Data, through Synapse’s contractual relationship with each Subprocessor.
The SCCs apply with the following clarifications:
  • Clause 7 (Docking Clause): not applicable.
  • Clause 9 (Use of Sub-processors): Option 2 (General written authorization), with the 30-day notice window in §4.2 above.
  • Clause 11 (Redress): independent dispute resolution body to be the body in the Customer’s place of habitual residence.
  • Clause 17 (Governing Law): the law of the EU Member State in which the data exporter is established. Where this would result in less protection for the data subject, the law of the EU Member State in which the data subject has habitual residence applies.
  • Clause 18 (Choice of Forum and Jurisdiction): the courts of the EU Member State in which the data exporter is established.
For the UK extension: the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (UK IDTA) is incorporated by reference and prevails in case of conflict with the SCCs for transfers covered by UK GDPR. A copy of the full SCC text and the UK IDTA can be obtained on request from privacy@graphorlm.com.

Signature blocks

By signing below, the Parties agree to be bound by this DPA.

For the Processor

SYNAPSE INOVAÇÃO E TECNOLOGIA LTDA.
| Field | Value |
|---|---|
| Name | [CAMPO — Authorized signatory name] |
| Title | [CAMPO — Signatory title] |
| Signature | [CAMPO] |
| Date | [CAMPO] |

For the Controller

[CAMPO — Customer legal name]
| Field | Value |
|---|---|
| Name | [CAMPO — Authorized signatory name] |
| Title | [CAMPO — Signatory title] |
| Signature | [CAMPO] |
| Date | [CAMPO] |

Change history

| Version | Date | Change |
|---|---|---|
| 1.0 | 2026-06-21 | Initial publication of the DPA template, incorporating the Trust Center commitments, the no-training clause with pass-through references to upstream Subprocessor DPAs (per Subprocessors §1), Standard Contractual Clauses incorporated by reference, and the 72-hour Security Incident notification SLA. |

Contact