Data Processing Agreement
2026-05-09-f7798ab
Working draft: This DPA accurately reflects SimpleStandup's current technical and operational controls. Specific commercial terms (notice addresses, custom SLA guarantees, named compliance certifications) are placeholders and subject to legal review. Customers with immediate DPA needs should contact privacy@synapsiumlabs.io.
The short version: SimpleStandup is a Processor, not a Controller. You decide what content your team posts; we store it, generate AI insights, and deliver it through your chosen integrations. You (the Customer) remain the Controller of your data at all times.
Purpose and Scope
This Data Processing Agreement ("DPA") forms part of the agreement between the Customer ("Controller") and Synapsium Labs ("Processor," operating SimpleStandup) for the provision of the SimpleStandup async standup platform ("Services").
This DPA governs the Processor's processing of Personal Data on behalf of the Controller and sets out the parties' respective obligations under applicable data protection laws.
1. Definitions
- Personal Data — any information relating to an identified or identifiable natural person processed through the Services.
- Processing — any operation performed on Personal Data, including collection, storage, retrieval, transmission, or deletion.
- Controller — the Customer, who determines the purposes and means of processing Personal Data.
- Processor — Synapsium Labs (operating SimpleStandup), which processes Personal Data on behalf of the Controller.
- Sub-processor — any third party engaged by SimpleStandup to process Personal Data on behalf of the Controller.
- Data Subject — the individual whose Personal Data is processed.
2. Role and Responsibilities
SimpleStandup acts as a Processor on behalf of the Controller. SimpleStandup processes Personal Data solely in accordance with the Controller's documented instructions, which are expressed through the Controller's organization, team, and per-user configuration in the SimpleStandup dashboard, the integrations the Controller chooses to connect, and the content the Controller's authorized users submit through the Services.
2.1 Data Flow
- An authorized user submits a standup update through the web app, Slack, or Microsoft Teams.
- SimpleStandup stores the submission in its database, associates it with the user's team and organization, and makes it visible to other authorized members of that team.
- On a scheduled basis, SimpleStandup sends standup content for a team to Google Cloud Vertex AI to generate insights, summaries, and suggested actions. The generated content is stored alongside the source standups.
- SimpleStandup may deliver notifications, reminders, and insight summaries to users via email (Postmark), Slack, or Microsoft Teams, depending on the Controller's and individual user's preferences.
2.2 Categories of Data Subjects
The Personal Data processed through SimpleStandup relates to the Controller's employees, contractors, and authorized users who use the Services to share daily updates with their team.
3. Data Storage and Retention
3.1 What We Store
| Category | Stored Data | Retention |
|---|---|---|
| User account | Email address, display name, theme preference, Firebase identity, organization and team membership, role, terms-acceptance records | Retained while the account is active; deleted within 90 days on request |
| Standup content | The text submitted as standup updates, including yesterday/today/blockers fields and any freeform content | Retained while the organization is using the Services; deleted within 90 days on request |
| Derived content | AI-generated insights, action items, comments, reactions, aggregated team metrics | Same as standup content |
| Integration tokens | OAuth tokens for connected Slack workspaces and Microsoft Teams tenants, encrypted at rest | Retained until the integration is disconnected; deleted on disconnect |
| Operational logs | Application logs, request traces, error reports — used for debugging and performance monitoring. We aim not to log standup content but cannot guarantee zero leakage in error paths. | Short retention for monitoring and debugging; Sentry error reports retained per Sentry's retention policy |
| Billing records | Subscription status, invoice history, payment method last four digits | As required by law, typically 7 years |
3.2 What We Don't Store
SimpleStandup does not access or store any data outside what is submitted through its interfaces. We do not access your calendar, email, files, or any other data unless you explicitly submit it as standup content.
4. Security Measures
SimpleStandup implements technical and organizational measures designed to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage.
4.1 Encryption
- In transit: All connections to SimpleStandup require TLS 1.2 or higher. Connections to Vertex AI and other Google APIs use Google's standard TLS configuration. Connections to Cloud SQL use IAM-authenticated, encrypted connections.
- At rest: Cloud SQL databases are encrypted at rest using Google-managed encryption keys (AES-256). Secret Manager contents are encrypted at rest by Google-managed keys. Slack and Microsoft Teams OAuth tokens are stored encrypted in Secret Manager, never in the application database.
4.2 Authentication and Access Control
- End user authentication flows through Firebase Identity Platform, with optional organization-scoped tenants.
- Optional SSO enforcement at the organization level — Customers can require their members to authenticate via the Customer's chosen OIDC provider.
- Application-level tenant isolation: every request validates the user's membership in the requested organization before returning data.
- Service-to-service authentication uses Google Cloud IAM and Workload Identity Federation; long-lived service account keys are not used.
4.3 Network Security
- All services run on Google Cloud Run in the us-central1 region with IAM-enforced access controls.
- Cloud SQL instances are accessed via the Cloud SQL Auth Proxy and are not exposed to the public internet.
4.4 Operational Security
- SimpleStandup personnel with production access are bound by confidentiality obligations.
- Deployments are automated via GitHub Actions using Workload Identity Federation; no long-lived deploy credentials exist.
- Infrastructure is defined as code (OpenTofu); changes are reviewed before deployment.
- Code changes are reviewed before merge to the main branch.
5. Sub-processors
5.1 Current Sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Google Cloud Platform | Compute (Cloud Run), database (Cloud SQL), secret storage (Secret Manager), object storage, scheduling, monitoring, AI processing (Vertex AI) | us-central1 (United States) |
| Firebase / Identity Platform | End user authentication and optional organization-scoped tenants | Google's infrastructure |
| Google Vertex AI | AI insight generation from standup content using the Gemini model family | us-central1 (United States) |
| Postmark | Transactional email delivery | United States |
| Stripe | Subscription billing | United States |
| Slack (Customer-connected) | Standup submission and notification delivery, only when the Customer chooses to connect a Slack workspace | United States |
| Microsoft Teams (Customer-connected) | Standup submission and notification delivery, only when the Customer chooses to connect a Microsoft Teams tenant | Microsoft's infrastructure |
| Sentry | Frontend error monitoring | United States |
5.2 Sub-processor Changes
SimpleStandup shall notify the Controller of any intended change to sub-processors by updating this DPA and providing at least 30 days' advance notice by email to the Controller's designated contact, during which the Controller may object. If the Controller objects to a new sub-processor on reasonable grounds, SimpleStandup will work in good faith to provide an alternative or permit the Controller to terminate the affected Services.
5.3 AI Sub-processor Commitments
Standup content sent to Vertex AI for insight generation is subject to Google Cloud's terms, which prohibit Google from using customer prompts and responses to train its foundation models by default. SimpleStandup does not opt in to any model training feature.
6. Data Subject Rights
SimpleStandup shall assist the Controller in responding to Data Subject requests under applicable law, including access, rectification, erasure, restriction, and portability. Most Data Subject requests can be fulfilled by the Controller through the SimpleStandup dashboard directly. For requests that require engineering assistance, SimpleStandup will respond within 7 days of receipt at privacy@synapsiumlabs.io.
7. Data Breach Notification
SimpleStandup shall notify the Controller of any Personal Data breach affecting the Controller's data without undue delay, and in any event within 72 hours of becoming aware of the breach. Notification shall include:
- The nature of the breach and categories of data affected
- The approximate number of Data Subjects affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach and mitigate adverse effects
- A named point of contact for follow-up
8. Data Deletion and Return
On the Controller's written request — including upon termination of the Services where the Controller chooses to invoke this provision — SimpleStandup shall, at the Controller's choice, delete or return all Personal Data processed on behalf of the Controller within 90 days of the request, except for data we are required to retain by law (such as billing records).
Deletion includes user records, standup content, derived content (insights, actions, comments), session records, and OAuth tokens. Backups are deleted as they age out of the normal backup retention cycle.
Return is available through Controller-initiated export from the dashboard, or by request to privacy@synapsiumlabs.io. The Controller is responsible for exporting any data they wish to retain before requesting deletion.
9. International Data Transfers
SimpleStandup is a United States company. All Personal Data is processed and stored in Google Cloud's us-central1 region. Data is not routinely transferred outside the United States.
Customers with data residency requirements that exclude the United States should contact privacy@synapsiumlabs.io to discuss commercial options. For transfers to the United States from jurisdictions that require a transfer mechanism (such as EU Member States), the parties rely on the Standard Contractual Clauses adopted by the European Commission under Decision (EU) 2021/914, which are incorporated by reference into this DPA for such transfers.
10. Compliance
- GDPR: SimpleStandup supports GDPR obligations as a Processor through the measures described in this DPA. This DPA serves as the Article 28 contract between Processor and Controller.
- CCPA/CPRA: SimpleStandup processes Personal Data as a "Service Provider" under CCPA and shall not sell Personal Data or process it for any purpose other than performing the Services.
- HIPAA: SimpleStandup is not currently a HIPAA Business Associate and does not recommend processing Protected Health Information through the Services.
11. Term and Termination
This DPA shall remain in effect for the duration of SimpleStandup's processing of Personal Data on behalf of the Controller. The obligations in this DPA shall survive termination to the extent required for SimpleStandup to complete deletion or return of Personal Data in accordance with Section 8.
12. Governing Law
This DPA is governed by the laws of the State of Delaware, without regard to its conflict of laws principles. Any dispute arising out of or relating to this DPA shall be resolved in accordance with the dispute resolution provisions of the main Terms of Service.
13. Contact Information
For privacy and data protection inquiries, including Data Subject requests, breach notifications, and sub-processor objections:
- Email: privacy@synapsiumlabs.io
- Company: Synapsium Labs (operating SimpleStandup), Atlanta, GA, United States
14. Changes to This DPA
SimpleStandup may update this DPA from time to time to reflect changes in technical or organizational measures, sub-processors, or regulatory requirements. Each version of this DPA is permanently identified by the date-and-commit version string at the top of this page. Material changes will be communicated to Controllers via email at least 30 days before they take effect.