Data Processing Agreement
Last Updated: 24th of January, 2025
This Data Processing Agreement (“DPA”) is made by and between:
- PlayOS, Inc. doing business as Sintra (“Processor” or “Sintra”), a Delaware corporation having its registered office at 8 The Green STE A, Dover, Delaware 19901, United States;
- The customer entity agreeing to these terms (“Controller” or “Customer”).
This DPA is incorporated into and forms part of any agreements (including the Master Subscription Agreement or Terms of Service) under which Sintra provides services to the Customer (the “Principal Agreement”). In case of any conflict between this DPA and the Principal Agreement regarding the Processing of Personal Data, the terms of this DPA shall govern.
1. DEFINITIONS
Unless otherwise defined herein, capitalized terms and expressions used in this DPA shall have the following meaning:
1.1 “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with a Party, where control means ownership of more than 50% of the shares or other equity interests.
1.2 “Applicable Data Protection Law” means all worldwide data protection and privacy laws applicable to the Processing of Personal Data under the Principal Agreement, including (where applicable) the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”), the UK GDPR and Data Protection Act 2018, the California Consumer Privacy Act as amended by the California Privacy Rights Act (collectively, “CCPA”), and any other similar laws in jurisdictions where Sintra operates or from which Personal Data is collected.
1.3 “Controller” or “Data Controller” means the natural or legal person which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. For purposes of this DPA, Customer is the Controller unless otherwise specified.
1.4 “Processor” or “Data Processor” means the entity which processes Personal Data on behalf of the Controller. For purposes of this DPA, Sintra is the Processor unless otherwise specified.
1.5 “Customer Data” or “Personal Data” means any information relating to an identified or identifiable natural person that is submitted by or on behalf of Customer (including Customer’s own clients, employees, or other end users) to Sintra via the Services, and which Sintra Processes on Customer’s behalf as a Processor in the course of providing the Services. This includes, for example, names, email addresses, chat logs, behavioral data, payment details, tokens, or other data that may be provided by Customer or its end users.
1.6 “Subprocessor” means any third party (including any Sintra Affiliate) appointed by or on behalf of Sintra to Process Personal Data on behalf of Customer in connection with the Services.
1.7 “Services” means the AI-based products, mobile apps, web apps, software, and related services provided by Sintra to Customer under the Principal Agreement.
1.8 “Standard Contractual Clauses (SCCs)” means the contractual clauses approved by the European Commission for the transfer of Personal Data to third countries as updated or replaced from time to time.
1.9 “Data Subject” means any identified or identifiable natural person whose Personal Data is being Processed, such as the Customer’s employees, contractors, or end users.
1.10 “Data Breach” or “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
2. ROLES OF THE PARTIES
2.1 Relationship of the Parties. The parties acknowledge that Customer is acting as the Controller and Sintra is acting as the Processor with respect to the Processing of Personal Data under this DPA. Where required under Applicable Data Protection Law, Sintra may act as a Controller for limited sets of data (e.g., for its own account management, billing, or marketing purposes), but for all Customer-submitted data, Sintra acts as a Processor on behalf of Customer.
2.2 Instructions. Sintra shall Process Personal Data only in accordance with Customer’s documented instructions (including those provided via the Services and the Principal Agreement). Sintra will not Process Personal Data for any other purpose unless required by law, in which case Sintra will (to the extent permitted by law) inform Customer of such legal requirement before Processing.
3. DETAILS OF PROCESSING
3.1 Subject Matter and Duration. The subject matter of the Processing is the provision of the Services to the Customer under the Principal Agreement. The duration of Processing shall be the term of the Principal Agreement, plus the period from termination until deletion of all Personal Data by Sintra in accordance with this DPA.
3.2 Nature and Purpose of Processing.
- To provide the AI-based services and functionalities (including personalization, chat-based interactions, content creation, product analytics, improvements, marketing insights, etc.).
- To allow Customer to manage subscriptions, user profiles, billing, analytics, and other account-related activities.
- To fulfill any other documented, lawful instructions from Customer.
3.3 Type of Personal Data. Customer Data may include the following categories:
- Contact Information: names, email addresses, phone numbers.
- Account Data: user IDs, login credentials (hashed).
- Chat/Content Data: chat logs, business content, messages, user prompts and responses.
- Behavioral/Analytics Data: usage data, IP addresses, timestamps, user actions within the platform.
- Financial Data: payment info (where applicable, but typically handled via third-party payment processors like Stripe).
- Tokens/Integrations Data: access tokens for integrations, if any.
3.4 Categories of Data Subjects.
- Customer’s Authorized Users: individuals who are granted access to Sintra’s platform.
- Customer’s Clients/End Users: if the Customer inputs or uploads their clients’ data or interactions.
- Other Individuals: any other data subjects whose Personal Data is transmitted by or on behalf of Customer through the Services.
3.5 Sensitive Data. Customer should not intentionally submit special categories of data (e.g., health, genetic, biometric, children’s data) unless the parties have agreed in writing to necessary safeguards. If such data is submitted inadvertently, Sintra will treat it with appropriate security measures and will process it as directed by Customer.
4. SINTRA’S OBLIGATIONS
4.1 Confidentiality. Sintra shall ensure that any persons authorized to Process Personal Data are subject to confidentiality obligations and receive training on data protection and information security.
4.2 Security Measures. Taking into account the nature, scope, context, and purposes of Processing as well as the risk to Data Subjects, Sintra shall implement appropriate technical and organizational measures to protect Personal Data, including:
- Encryption of data at rest and in transit where appropriate.
- Access controls using user IDs instead of plain emails, and hashing of credentials.
- Regular risk assessments and vulnerability scanning.
- Employee security awareness training.
- Intrusion detection and monitoring.
- Logical separation of data.
- Secure data backups, with retention as per Customer instructions.
Additional details regarding Sintra’s technical and organizational measures may be provided upon Customer’s request or made available in Sintra’s documentation or security policy.
4.3 Subprocessors.
(a) Appointment of Subprocessors. Customer acknowledges and agrees that Sintra uses third parties (Subprocessors) to provide the Services. A list of current Subprocessors (e.g., OpenAI, Anthropic, Stripe, GCP, AWS, etc.) will be maintained and updated by Sintra.
(b) Obligations. Sintra shall ensure each Subprocessor is bound by data protection obligations consistent with this DPA, including confidentiality and sufficient technical and organizational measures.
(c) Changes to Subprocessors. Sintra shall provide notice of new Subprocessors by posting updates or via email. If Customer reasonably objects to a new Subprocessor on legitimate data protection grounds, Sintra will work with Customer in good faith to address such objections, which may include offering an alternative arrangement or the option for Customer to terminate the affected Services.
4.4 International Transfers.
(a) Personal Data may be stored and processed in the United States or European Union, as well as any country in which Sintra or its Subprocessors operate.
(b) Where required by Applicable Data Protection Law for cross-border transfers (e.g., EU/EEA, UK, or Swiss Personal Data), Sintra relies on legally recognized transfer mechanisms such as Standard Contractual Clauses or other adequacy frameworks.
(c) Sintra shall provide a copy of the relevant transfer mechanism upon request, subject to redactions for confidentiality.
4.5 Data Subject Requests. Taking into account the nature of the Processing, Sintra shall promptly inform Customer if it receives any request from a Data Subject regarding their Personal Data (access, correction, deletion, etc.). Sintra will not respond to such requests except on Customer’s documented instructions. Sintra shall provide reasonable assistance to enable Customer to respond to Data Subject requests as required by law.
4.6 Data Breach Notification. If Sintra becomes aware of a Personal Data Breach affecting Customer Data, Sintra will notify Customer without undue delay (and in any event within 72 hours of confirmation of the breach, if feasible). Such notice will describe the nature of the breach, potential impact, and the measures taken or proposed to address it. Sintra is not responsible for notifications or communications to regulators or individuals unless otherwise required by law or agreed. Customer may contact help@sintra.ai to report an incident.
4.7 Deletion or Return of Data.
(a) During the Term: Sintra will rectify or delete Personal Data upon Customer’s request within thirty (30) days unless retention is required by law or necessary for legitimate business purposes.
(b) Upon Termination: Upon expiration or termination of the Principal Agreement, Sintra shall, at Customer’s choice, delete or return all Customer Data. If deletion is requested, Sintra will remove Personal Data from active systems within 30 days (with possible retention in backups for a limited period).
(c) Exceptions: Sintra may retain certain data if required by law, subject to confidentiality and technical protection measures.
5. CUSTOMER’S OBLIGATIONS
5.1 Compliance with Laws. Customer represents and warrants that it (a) has complied, and will continue to comply, with all Applicable Data Protection Laws; and (b) has the right to transfer or provide access to Personal Data for Processing by Sintra in accordance with this DPA.
5.2 Data Minimization and Accuracy. Customer shall ensure that Personal Data is collected lawfully, is accurate, and is limited to what is necessary for the purposes for which it is processed. Customer is responsible for ensuring that its instructions comply with all applicable laws.
5.3 Data Subject Rights and Notices. Customer shall provide all necessary notices to Data Subjects and obtain any required consents under Applicable Data Protection Law for Sintra’s Processing of Personal Data under this DPA.
5.4 End User Interaction. If Customer uploads or processes data relating to third parties (e.g., end users), Customer is solely responsible for ensuring it has the necessary legal basis to do so. Sintra disclaims any responsibility if the Customer lacks such basis.
6. AUDITS AND CERTIFICATIONS
6.1 Right to Audit. Customer may audit Sintra’s compliance with this DPA up to once per year, or more frequently if required by Applicable Data Protection Law. Any audit shall (a) be conducted upon reasonable notice; (b) not unreasonably interfere with Sintra’s operations; (c) be limited in scope and duration as necessary to maintain security and confidentiality; and (d) be performed by an independent third-party auditor bound by confidentiality.
6.2 Provision of Information. Sintra may satisfy any such audit request by providing relevant third-party security audit or certification reports (e.g., SOC 2, ISO certificates), if available, to the extent they provide a comparable level of assurance.
7. LIABILITY AND INDEMNIFICATION
7.1 Liability Cap. The liability of each party under or in connection with this DPA shall be subject to the limitations of liability set forth in the Principal Agreement. Sintra does not assume liability for data breaches or other acts or omissions by its Subprocessors beyond what is set forth in the Principal Agreement and this DPA.
7.2 Third-Party Services. Sintra uses known, reputable third-party Subprocessors (e.g., Stripe for payments, OpenAI for AI processing). Customer acknowledges that Sintra shall not be responsible for any data incidents or liabilities solely attributable to these third-party providers’ acts or omissions, provided Sintra has complied with Section 4.3 (Subprocessors). Sintra will, however, remain responsible for coordinating with such Subprocessors to enforce data protection obligations and assisting Customer with any necessary remediation or notifications if a Subprocessor breach occurs.
7.3 Indemnification. Each party shall indemnify and defend the other party against any costs, damages, or fines arising from the indemnifying party’s breach of this DPA or Applicable Data Protection Law, to the extent provided in the Principal Agreement.
8. INTERNATIONAL DATA TRANSFERS
8.1 General. Personal Data that Sintra Processes may be transferred to and stored in the United States or the European Union. Sintra and its Subprocessors maintain data centers primarily in these regions.
8.2 Mechanisms for Transfers. For transfers from the European Economic Area, United Kingdom, or Switzerland to countries not recognized by competent authorities as providing an adequate level of data protection, Sintra shall rely on Standard Contractual Clauses or other lawful transfer mechanisms. By signing or accepting this DPA, Customer instructs Sintra to enter into such transfer mechanisms on Customer’s behalf where necessary.
9. MISCELLANEOUS
9.1 Term and Termination. This DPA is effective for the term of the Principal Agreement. Termination or expiry of the Principal Agreement shall automatically terminate this DPA. The obligations that by their nature survive termination will remain in effect (e.g., confidentiality, deletion of data).
9.2 Governing Law and Jurisdiction. This DPA and any disputes or claims arising out of or in connection with it shall be governed by the laws of Delaware, United States, without regard to conflicts of law rules. The parties submit to the exclusive jurisdiction of the courts located in Delaware, except where otherwise required by Applicable Data Protection Law.
9.3 Entire Agreement; Conflict. This DPA supplements and forms part of the Principal Agreement. In the event of inconsistencies between the terms of this DPA and the Principal Agreement concerning the Processing of Personal Data, the terms of this DPA shall prevail. Except as set forth in this DPA, the Principal Agreement remains unchanged.
9.4 Severability. If any provision of this DPA is found unenforceable or invalid, that provision shall be limited or eliminated to the minimum extent necessary so that the DPA otherwise remains in full force and effect.
9.5 Amendments. Sintra may modify this DPA as required to comply with changes in law or best practices. If Sintra makes a material change, Sintra will notify Customer, and the updated DPA will be effective upon posting or as otherwise communicated in writing.
9.6 Counterparts / Electronic Signature. This DPA may be executed in counterparts, each of which is deemed an original, but all of which together constitute one and the same instrument. The parties consent to the use of electronic signatures.
ANNEX 1: SUBPROCESSORS
Below is a non-exhaustive list of key Subprocessors used by Sintra for hosting, data processing, or other Services-related activities. This list may be updated from time to time.
- OpenAI (AI infrastructure)
- Anthropic (AI infrastructure)
- SerpAPI (search API)
- SEOptimer (SEO analysis)
- Stripe (payment processing)
- Google Cloud Platform (hosting, data storage)
- RevenueCat (subscription management)
- Apple (in-app purchases)
- Twilio (SMS, communications)
- Intercom (customer support)
- Amazon Web Services (hosting, storage)
- Klaviyo (marketing email)
- Sentry (error tracking)
- Equifax (if used for credit checks, etc.)
- GitHub (code repository)
- Grafana Cloud (monitoring)
- Wordware (specialized tools)
- Replicate (AI infrastructure)
- Railway (hosting platform)
- Mixpanel (analytics)
- Churnkey (subscription churn management)
- CockroachDB (database)
Sintra also uses affiliates (e.g., Monkai, UAB) for certain data processing and development activities.
ANNEX 2: TECHNICAL AND ORGANIZATIONAL MEASURES
Security Controls:
- Access Controls: User authentication via hashed credentials; role-based access; unique user IDs instead of storing plain emails.
- Encryption: Data encrypted in transit (TLS 1.2 or higher) and at rest where feasible.
- Physical Security: Cloud data centers (AWS, GCP) with industry-standard physical security, access restricted to authorized personnel only.
- Monitoring and Logging: Activity logs, intrusion detection, SIEM solutions for event monitoring, security alerts, and anomaly detection.
- Incident Response: Defined process for handling security incidents and Data Breaches, with notifications to Customer in accordance with this DPA.
- Employee Training: Security and privacy awareness sessions for employees with data access responsibilities.
- Data Minimization & Retention: Data kept only as needed for providing the Services or complying with legal obligations.
- Data Deletion: Upon request or service termination, data is securely deleted within 30 days, subject to legitimate legal or business retention requirements.
SIGNATURE
By using Sintra’s Services or otherwise signing this DPA (physically or electronically), the parties acknowledge and agree to be bound by its terms.
If you have any questions about this DPA or wish to exercise your data protection rights, please contact us at: help@sintra.ai.
Disclaimer: This DPA is provided for general informational purposes and does not constitute legal advice. You should consult with your legal counsel to confirm that the final DPA meets all legal requirements for your specific circumstances.