Data Processing Addendum

Effective 04.03.2026

Parties, Scope & Precedence

This Data Processing Addendum ("DPA") forms part of the agreement between Customer ("Customer" or "Controller") and InfraSync Tech Ltd ("Processor" or "BeSync"), under which Processor provides the BeSync services to Customer.

Scope. This DPA applies only to Personal Data that Processor Processes on behalf of Customer as a Processor in connection with Customer's use of BeSync, including Personal Data contained in Customer Content. It does not apply to Personal Data that Processor Processes as an independent controller (e.g., billing administration, website analytics).

Precedence. If there is any conflict between this DPA and the Agreement, this DPA will prevail solely with respect to the parties' data protection obligations. If Standard Contractual Clauses apply, they will prevail to the extent of any conflict.

Turkey Operating Entity. Certain operational activities may be performed by InfraSync Teknoloji Ltd, Konyaaltı/Antalya-Turkiye, acting as a Sub-processor bound by this DPA through a written agreement no less protective than this DPA.

Definitions

Controller / Processor / Personal Data / Processing / Personal Data Breach

Have the meanings given in Data Protection Laws.

Customer Personal Data

Any Personal Data contained in Customer Content or otherwise Processed by Processor on behalf of Customer under the Agreement.

Customer Content

Data (including messages, standup responses, task records, reports, and related metadata) that Customer or its Users submit to or make available to the Services.

Data Protection Laws

All data protection and privacy laws applicable to the Processing, including EU GDPR, UK GDPR, and their implementing or supplemental laws, as amended from time to time.

Standard Contractual Clauses (SCCs)

The standard contractual clauses for international transfers adopted by the European Commission under Commission Implementing Decision (EU) 2021/914.

UK Addendum

The International Data Transfer Addendum to the SCCs issued by the UK ICO, as updated from time to time.

Sub-processor

Any Processor-appointed third party (including affiliates) that Processes Customer Personal Data on behalf of Processor to provide the Services.

Roles and Processing Details

Customer is the Controller of Customer Personal Data and Processor is the Processor. Processor will Process Customer Personal Data only on documented instructions from Customer, including: the Agreement and this DPA; Customer's configuration and use of the Services (admin settings, approval policies, channels selected for monitoring); and written instructions provided by Customer to Processor's support channels.

If Processor reasonably believes that an instruction infringes Data Protection Laws, Processor will inform Customer and is not required to follow the instruction until it is modified to comply.

Processor Obligations

Confidentiality

Processor will ensure that persons authorised to Process Customer Personal Data are under an appropriate obligation of confidentiality (contractual or statutory).

Security Measures

Processor will implement and maintain appropriate technical and organisational measures (TOMs) designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, as described in Annex 2.

Personal Data Breach Notification

  • Processor will notify Customer without undue delay after becoming aware of a confirmed Personal Data Breach affecting Customer Personal Data and, where feasible, within 30 days
  • Notification will include: nature of the incident, likely consequences, measures taken or proposed, and relevant contact points

Assistance with Data Subject Requests

Processor will provide reasonable assistance to Customer to help respond to data subject requests, including by providing self-service tools for export or deletion and responding to written requests within a reasonable time.

Deletion or Return at End of Services

Upon termination or expiry, Processor will return and/or delete Customer Personal Data at Customer's choice, unless Data Protection Laws require continued storage. Processor may retain Customer Personal Data in backups for a limited period consistent with backup policies.

AI and Automated Processing Limitations

  • Processor Processes Customer Content to generate structured outputs such as summaries, extracted signals, sprint proposals, and task suggestions
  • Customer Content is not used to train general-purpose or foundation models shared across customers unless expressly agreed in writing
  • Processor may use aggregate, de-identified, or anonymised service telemetry to improve the Services, provided it does not identify Customer or individual Users

Sub-processors

Customer provides general authorisation for Processor to appoint Sub-processors to Process Customer Personal Data for the purpose of providing the Services.

Notice of changes. Processor will provide notice of any intended addition or replacement of a Sub-processor at least 2 days before the change takes effect.

Objection right. Customer may object to a new Sub-processor on reasonable data protection grounds by providing written notice within 2 days of notice. If Customer objects, Processor will use reasonable efforts to provide the Services without the objected-to Sub-processor or propose a commercially reasonable alternative.

Flow-down obligations. Processor will impose on each Sub-processor, via a written agreement, data protection obligations that are no less protective than those in this DPA. Processor remains responsible for the performance of its Sub-processors.

International Transfers

Customer Personal Data may be Processed in different locations globally and may be accessed by the Turkey Operating Entity in Turkey and other Sub-processor locations listed in Annex 3.

SCCs (EEA transfers). If Customer is established in the EEA and Customer Personal Data is transferred to Processor in a third country requiring safeguards, the SCCs (Module 2, Controller-to-Processor) are incorporated into this DPA by reference.

UK restricted transfers. If Customer is established in the UK and the transfer is a "restricted transfer" under UK Data Protection Laws, the UK Addendum will apply.

If Processor receives a legally binding request from a public authority for Customer Personal Data, Processor will, to the extent permitted by law, notify Customer and challenge the request where it has reasonable grounds to do so.

Audits and Compliance

Customer may audit Processor's compliance with this DPA subject to the following conditions:

  • Frequency: No more than once per 12-month period, unless required by a supervisory authority or following a confirmed Personal Data Breach
  • Scope: Limited to data protection and security controls; conducted primarily by reviewing documentation and remote meetings
  • Notice: At least 5 days' prior written notice, except where mandated by law or a supervisory authority
  • Confidentiality: Customer and its auditors must sign reasonable confidentiality obligations
  • Costs: Customer bears its own costs and reimburses Processor for reasonable costs unless the audit reveals a material breach by Processor

If Processor obtains third-party assurance reports (e.g., SOC 2, ISO 27001), Processor may make a summary available to Customer under confidentiality obligations as an alternative to audits or to reduce their scope.

Annex 1: Details of Processing

Subject matter

Provision of the BeSync Services: AI-powered, chat-native project management assistance integrated with collaboration platforms and third-party tools.

Duration

Processing occurs for the term of the Agreement and any post-termination period needed for return/deletion as set out in this DPA and 90 days.

Categories of Personal Data

  • Identifiers (name, work email, user IDs, workspace IDs, channel IDs)
  • Message content from authorised channels/conversations and direct messages used for standups
  • Standup responses (yesterday/today/blockers) and metadata
  • Task and Kanban data (titles, descriptions, assignees, status, estimates, due dates, comments)
  • Integration metadata (issue IDs, repositories, links, statuses)
  • Extracted signals (blockers, risks, dependencies, deadlines, requests, updates)
  • Derived persona metadata (expertise tags, workload indicators, onboarding notes) where enabled
  • Audit logs of admin actions and system events
  • Technical logs (IP address, device/browser info, timestamps)

Special Categories of Personal Data

The Services are not designed to require Special Categories of Personal Data, but such data may be included in Customer Content at Customer's discretion. Customer remains responsible for ensuring valid legal conditions for Processing.

Annex 2: Technical & Organisational Measures

Processor will maintain TOMs appropriate to the risk, which may include:

Access controls

Role-based access control; least privilege; MFA for administrative access; separation of duties.

Encryption

Encryption in transit (e.g., TLS) and encryption at rest.

Logging and monitoring

Centralised logging for security events; monitoring for anomalous access; audit logs for admin actions.

Vulnerability management

Patch management; dependency scanning; periodic security testing every 4 months.

Secure development

Code review; CI/CD controls; secrets management.

Data isolation

Logical tenant segregation and access controls to limit cross-customer access.

Backups and resilience

Encrypted backups on a monthly basis; disaster recovery procedures.

Incident response

Incident response procedures; on-call escalation; breach notification process.

Personnel security

Confidentiality commitments; security training; access review.

For questions about this document, contact [email protected]. © 2026 InfraSync Tech Ltd. All rights reserved.