This Data Processing Agreement ("DPA") forms part of the terms and conditions of 2sync.com (the "Agreement") between TONOID, a French société par actions simplifiée with registered office at 4 rue Jean Rey, 78220 Viroflay, France, registered with the RCS of Versailles under number 879 475 788 (the "Processor") and any User that does not qualify as a Consumer and that uses the Service to process personal data of third parties (the "Controller").
This DPA applies to the extent that the Processor processes, on behalf of the Controller, personal data contained in the third-party accounts the Controller connects to the Service. It is entered into pursuant to Article 28 of Regulation (EU) 2016/679 ("GDPR").
1. Subject matter and duration
The Processor provides a synchronization service between Notion and third-party productivity services, as described in the Agreement. This DPA applies for as long as the Processor processes personal data on behalf of the Controller under the Agreement.
2. Nature and purpose of the processing
Reading, matching, creating, updating and deleting items in the accounts connected by the Controller, strictly to perform the synchronizations configured by the Controller, together with the storage of connection credentials, synchronization configuration, item mappings and activity logs necessary to operate the Service.
3. Categories of personal data and data subjects
Personal data: data contained in synchronized items, such as calendar events (titles, descriptions, attendees, locations), tasks, contact records (names, email addresses, phone numbers, postal addresses, employers, birthdays), email metadata (subject, sender, recipients, snippet), and any personal data the Controller includes in synchronized Notion databases.
Data subjects: the Controller's contacts, meeting attendees, email correspondents, colleagues, customers and any other individuals whose data appears in the connected accounts.
4. Obligations of the Processor
The Processor shall:
- process the personal data only on documented instructions from the Controller, the Agreement and the synchronization configuration set by the Controller constituting such instructions, unless required to do otherwise by Union or Member State law, in which case the Processor shall inform the Controller before processing unless that law prohibits it;
- ensure that persons authorized to process the personal data have committed themselves to confidentiality;
- implement the technical and organizational measures described in Section 7;
- respect the conditions of Sections 5 and 6 for engaging sub-processors;
- taking into account the nature of the processing, assist the Controller by appropriate technical and organizational measures, insofar as this is possible, in responding to requests for exercising data subjects' rights;
- assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR, taking into account the nature of the processing and the information available to the Processor;
- notify the Controller without undue delay after becoming aware of a personal data breach affecting the personal data processed under this DPA;
- at the choice of the Controller, delete or return all the personal data after the end of the provision of the Service, and delete existing copies unless Union or Member State law requires their storage. Deleting the account or disconnecting an integration triggers the deletion of the related connection data and credentials;
- make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, subject to reasonable prior notice and no more than once per year unless required by a supervisory authority.
5. Sub-processors
The Controller gives a general authorization to the Processor to engage the sub-processors listed below. The Processor shall inform the Controller of any intended addition or replacement of sub-processors, by updating this page and, where the Controller has an account, by email, at least 15 days before the change takes effect, giving the Controller the opportunity to object. The Processor imposes on each sub-processor, by contract, data protection obligations equivalent to those set out in this DPA and remains fully liable to the Controller for the performance of the sub-processor's obligations.
| Sub-processor | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | Hosting of the application and databases | Germany (EU) |
| Cloudflare, Inc. | Content delivery network and traffic filtering | United States |
| Functional Software, Inc. (Sentry) | Error monitoring | United States |
6. International transfers
The personal data synchronized by the Service is hosted in the European Union. Where a sub-processor processes personal data outside the European Economic Area, the transfer is carried out under an adequacy decision of the European Commission (including the EU-U.S. Data Privacy Framework where the sub-processor is certified) or the Standard Contractual Clauses adopted by the European Commission, together with supplementary measures where required.
The Controller acknowledges that the third-party services it chooses to connect (such as Notion, Google, Microsoft or Todoist) process data under the Controller's own agreements with those providers; such processing is outside the scope of this DPA.
7. Security measures
Taking into account the state of the art and the nature of the data, the Processor implements, in particular: encryption of data in transit (TLS); field-level encryption of connection credentials (OAuth tokens) at rest; access controls and authentication for administrative access to production systems; logging and monitoring of the infrastructure; environment segregation; and redaction of sensitive fields in application logs. The Processor does not store copies of the synchronized content beyond what is necessary to operate the synchronizations (connection metadata, configuration, item mappings and activity logs).
8. Contact
Questions and requests relating to this DPA, including data subject requests and breach notifications, shall be addressed to help@2sync.com.
9. Miscellaneous
In the event of conflict between this DPA and the Agreement regarding the processing of personal data, this DPA prevails. This DPA is governed by French law. Its invalidity in whole or in part shall not affect the validity of the remainder of the Agreement.