Legal

Data Processing Addendum

Last updated: 27 May 2026

This is the master template.

This Data Processing Addendum is attached to the Managed Agent Service Agreement for clients whose own privacy obligations require formal processor terms (real estate, healthcare, allied health, financial services, legal, or any business handling personal information of third parties). For lower-risk engagements where the agent touches only internal data, section 10 of the main agreement may be sufficient. We publish this in full so prospective clients can read the processor terms before they ever talk to us.

Annex to:the Managed Agent Service Agreement between Synexa (ABN 58 211 406 299) and the client named in the executed copy of this Addendum (“the Agreement”).

This Addendum sets out how Synexa handles personal information that we process on your behalf in the course of delivering the managed agent service. It forms part of the Agreement. Where any conflict arises between this Addendum and the body of the Agreement on data handling matters, this Addendum prevails.

1. Roles and definitions

  • You are the controller. You determine why personal information is collected and how it is used in your business.
  • Synexa is the processor. We handle personal information solely on your instructions and only for the purposes of delivering the managed agent service.
  • Personal information has the meaning given in the Privacy Act 1988 (Cth).
  • Sub-processor means a third party Synexa engages to help deliver the service, including AI model providers, cloud hosting, and infrastructure providers.

2. Scope of processing

What we process.In the course of operating your agent we process personal information across the categories set out in the executed copy of this Addendum. Typical examples, depending on the agent’s scope: customer names, contact details, employee names, prospect contact records, calendar entries, email content, CRM records, document content, transaction records, call transcripts, photographs, and any other personal information that flows through the workflows your agent runs.

For what purposes. We process this information only to:

  • Build, operate, monitor, maintain, and improve the agent built for you under the Agreement
  • Provide support and respond to your requests
  • Meet our legal and regulatory obligations
  • Detect, investigate, and respond to security incidents

We do not use personal information for our own marketing, do not sell it, and do not use it to train any general-purpose AI model owned by us or any third party.

3. Sub-processors

To deliver the managed agent service, we use trusted third parties. Engaging these sub-processors is integral to providing the service.

Current sub-processors at the time of signing this Addendum include:

  • Anthropic (and any other large language model providers we use to power the agent)
  • Cloud hosting and infrastructure providers we use to run the agent
  • Customer relationship management, support, and communications tools we use to operate the engagement
  • Subcontractors and partners we engage from time to time, who are bound to confidentiality and data handling obligations consistent with this Addendum

We require each sub-processor to handle personal information on terms consistent with this Addendum and applicable Australian privacy law.

Changes to sub-processors. We may add, remove, or change sub-processors over time. Where a change would materially affect the way your personal information is handled, we will give you reasonable advance notice. You can object to a change on reasonable grounds; if we cannot accommodate the objection, you may end the engagement under the Agreement without penalty.

Up-to-date list. A current list of sub-processors is available on request.

4. Cross-border transfers

Some of our sub-processors host or process data outside Australia, including in the United States and the European Union. By accepting this Addendum, you authorise us to transfer personal information to those locations for the purposes described in section 2.

We take reasonable steps to ensure overseas recipients handle personal information in a manner consistent with the Australian Privacy Principles, including by relying on contractual terms with those providers.

5. Security

We protect personal information using reasonable administrative, technical, and physical safeguards appropriate to the type of information and the risks of its loss, misuse, or unauthorised access.

Specific measures include:

  • Access controls, with personal information accessible only to personnel who need it to deliver the service
  • Encryption in transit for data moving between systems
  • Encryption at rest where supported by the underlying infrastructure
  • Secure credential management for integration logins you provide
  • Monitoring of the systems on which the agent runs
  • Patching and vulnerability management for infrastructure under our control

No system is perfectly secure. We commit to maintaining reasonable, current security practices, not to guaranteeing absolute security.

6. Personnel and confidentiality

Personnel and subcontractors with access to personal information processed under this Addendum are bound by confidentiality obligations equivalent to those in the Agreement. They access personal information only on a need-to-know basis for the purposes of delivering the service.

7. Data breach notification

If we become aware of unauthorised access to, or unauthorised disclosure or loss of, your personal information, we will notify you without undue delay and, in any event, within 72 hours of becoming aware of the incident. Our notification will include, to the extent known at the time:

  • A description of the nature of the breach
  • The categories and approximate volume of personal information affected
  • The likely consequences
  • The steps we have taken or propose to take in response

We will cooperate with you in good faith on any notification you choose to make to the Office of the Australian Information Commissioner (OAIC) or to affected individuals, including under the Notifiable Data Breaches scheme.

8. Assistance with your obligations

On reasonable request and at reasonable cost where applicable, we will assist you with:

  • Responding to requests from individuals to access, correct, or delete their personal information
  • Conducting privacy impact assessments where relevant to the agent we operate for you
  • Demonstrating compliance with your obligations under the Privacy Act 1988 (Cth)

If we receive a request directly from one of your customers or contacts in relation to data we hold as your processor, we will refer that request to you.

9. Audit and information rights

You may, on reasonable written notice and not more than once in any 12-month period (except in response to a data breach or regulatory request, in which case more frequent requests are permitted), request from us reasonable information about how we handle personal information under this Addendum.

We will respond in good faith, providing summary information about our security measures, sub-processor list, and data handling practices. On-site audits are not generally available; equivalent information will be provided in writing.

10. Data return and deletion

On termination of the Agreement, or earlier on your written request, we will, within 30 days:

  • Return your personal information to you in a reasonable format, or
  • Securely delete it from systems under our control,

at your election, except where we are required to retain information for legal, regulatory, tax, or legitimate record-keeping reasons. Where we retain information under this exception, we will continue to protect it consistent with this Addendum until it is deleted.

11. Liability

The liability provisions of the Agreement apply to claims arising under this Addendum. Nothing in this Addendum excludes or limits any liability that cannot be excluded under Australian law, including under the Privacy Act 1988 (Cth) or the Competition and Consumer Act 2010 (Cth).

12. Governing law

This Addendum is governed by the laws of Queensland, Australia.

Questions about this addendum? hello@synexa.com.au. See also our Managed Agent Service Agreement, Terms of Service, and Privacy Policy.