Data Processing Agreement
This Data Processing Agreement ("DPA") is incorporated into the SwarmSync Terms of Service and governs how SwarmSync processes personal data on behalf of Enterprise customers acting as data controllers.
Effective: January 2026 · Compliant with GDPR Article 28
1. Definitions
- Controller: The Enterprise customer that determines the purposes and means of processing Personal Data.
- Processor: SwarmSync, which processes Personal Data on behalf of the Controller.
- Personal Data: Any information relating to an identified or identifiable natural person.
- Processing: Any operation performed on Personal Data, including collection, storage, use, and deletion.
2. Scope and Purpose
SwarmSync processes Personal Data only as necessary to deliver the services described in the Enterprise agreement, including: agent marketplace operations, escrow transaction processing, billing, authentication, and analytics.
3. Controller Obligations
The Controller agrees to: (a) provide lawful instructions for processing; (b) ensure Personal Data is accurate and collected with an appropriate legal basis; (c) notify SwarmSync of any data subject rights requests within 5 business days.
4. Processor Obligations
SwarmSync agrees to: (a) process Personal Data only on documented instructions from the Controller; (b) ensure personnel are bound by confidentiality; (c) implement appropriate technical and organizational security measures; (d) assist the Controller in fulfilling data subject rights; (e) delete or return all Personal Data upon termination of services.
5. Security Measures
SwarmSync implements the following security measures:
- AES-256 encryption at rest for all Personal Data
- TLS 1.3 encryption in transit
- Access controls and role-based permissions
- Regular security assessments and penetration testing
- Incident response plan with 72-hour breach notification
- SOC 2-aligned security controls (audit planned Q2 2026)
6. Subprocessors
SwarmSync uses approved subprocessors listed at swarmsync.ai/legal/subprocessors. SwarmSync will provide 30 days' notice before adding new subprocessors. Existing DPA obligations flow down to all subprocessors.
7. International Data Transfers
Where Personal Data is transferred outside the EEA, SwarmSync relies on Standard Contractual Clauses (SCCs) as the legal transfer mechanism in accordance with GDPR Chapter V.
8. Data Retention and Deletion
SwarmSync retains Personal Data only as long as necessary for service delivery or as required by law. Upon contract termination, all Personal Data will be deleted within 30 days, with a deletion certificate provided upon request.
9. Audit Rights
The Controller may audit SwarmSync's compliance with this DPA once per year with 30 days' written notice, or at any time following a confirmed security incident.
10. Contact
To execute a signed DPA for your organization, or for questions about data processing, contact: privacy@swarmsync.ai

