Data Processing Agreement

Last Updated: 24th of March, 2025

This Data Processing Agreement (“DPA”) is made by and between:

  1. PlayOS, Inc. doing business as Sintra (“Processor” or “Sintra”), a Delaware corporation having its registered office at 8 The Green STE A, Dover, Delaware 19901, United States;
  2. The customer entity agreeing to these terms (“Controller” or “Customer”).

This DPA is incorporated into and forms part of any agreements (including the Master Subscription Agreement or Terms of Service) under which Sintra provides services to the Customer (the “Principal Agreement”). In case of any conflict between this DPA and the Principal Agreement regarding the Processing of Personal Data, the terms of this DPA shall govern.

1. Definitions

  1. Unless otherwise defined herein, capitalized terms and expressions used in this DPA shall have the following meaning:
    • Affiliate means any entity that directly or indirectly controls, is controlled by, or is under common control with a Party, where control means ownership of more than 50% of the shares or other equity interests.
    • Applicable Data Protection Law means all worldwide data protection and privacy laws applicable to the Processing of Personal Data under the Principal Agreement, including (where applicable) the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”), the UK GDPR and Data Protection Act 2018, the California Consumer Privacy Act as amended by the California Privacy Rights Act (collectively, “CCPA”), and any other similar laws in jurisdictions where Sintra operates or from which Personal Data is collected.
    • Controller or Data Controller means the natural or legal person which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. For purposes of this DPA, Customer is the Controller unless otherwise specified.
    • Processor or Data Processor means the entity which processes Personal Data on behalf of the Controller. For purposes of this DPA, Sintra is the Processor unless otherwise specified.
    • Customer Data or Personal Data means any information relating to an identified or identifiable natural person that is submitted by or on behalf of Customer (including Customer’s own clients, employees, or other end users) to Sintra via the Services, and which Sintra Processes on Customer’s behalf as a Processor in the course of providing the Services. This includes, for example, names, email addresses, chat logs, behavioural data, payment details, tokens, or other data that may be provided by Customer or its end users.
    • Subprocessor means any third party (including any Sintra Affiliate) appointed by or on behalf of Sintra to Process Personal Data on behalf of Customer in connection with the Services.
    • Services means the AI-based products, mobile apps, web apps, software, and related services provided by Sintra to Customer under the Principal Agreement.
    • Standard Contractual Clauses (SCCs) means the contractual clauses approved by the European Commission for the transfer of Personal Data to third countries as updated or replaced from time to time.
    • Data Subject means any identified or identifiable natural person whose Personal Data is being Processed, such as the Customer’s employees, contractors, or end users.
    • Data Breach or Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
  2. In this DPA, unless the context requires otherwise, words importing the singular include the plural and vice versa.
  3. In this DPA, unless the context requires otherwise, a reference to the Article, Clause or Annex is the reference to the specific article, clause or annex of this DPA.
  4. Title of the DPA or section headings are for convenience only and have no impact on the interpretation of any provision of the DPA.

2. Roles of the Parties

  1. The parties acknowledge that Customer is acting as the Controller and Sintra is acting as the Processor with respect to the Processing of Personal Data under this DPA. Where required under Applicable Data Protection Law, Sintra may act as a Controller for limited sets of data (e.g., for its own account management, billing, or marketing purposes), but for all Customer-submitted data, Sintra acts as a Processor on behalf of Customer.
  2. Sintra shall Process Personal Data only in accordance with Customer’s documented instructions (including those provided via the Services and the Principal Agreement). Sintra will not Process Personal Data for any other purpose unless required by law, in which case Sintra will (to the extent permitted by law) inform Customer of such legal requirement before Processing.

3. Details of Processing

  1. The subject matter of the Processing is the provision of the Services to the Customer under the Principal Agreement. 
  2. The duration of data processing is limited to the term of the Principal Agreement. Upon termination or expiration of the agreement, Sintra will remove Personal Data from active systems within 30 days, with possible retention in backups for a limited period. Data will only be retained beyond this period if required by law, subject to strict confidentiality and security measures.
  3. Nature and Purpose of Processing:
    1. To provide the AI-based services and functionalities (including personalization, chat-based interactions, content creation, product analytics, improvements, marketing insights, etc.).
    2. To allow Customer to manage subscriptions, user profiles, billing, analytics, and other account-related activities.
    3. To fulfill any other documented, lawful instructions from Customer.
  4. Customer Data may include the following categories:
    1. Contact Information: names, email addresses, phone numbers.
    2. Account Data: user IDs, login credentials (hashed).
    3. Chat/Content Data: chat logs, business content, messages, user prompts and responses.
    4. Behavioral/Analytics Data: usage data, IP addresses, timestamps, user actions within the platform.
    5. Financial Data: payment info (where applicable, but typically handled via third-party payment processors like Stripe).
    6. Tokens/Integrations Data: access tokens for integrations, if any.
  5. Categories of Data Subjects:
    1. Customer’s Authorized Users: individuals who are granted access to Sintra’s platform.
    2. Customer’s Clients/End Users: if the Customer inputs or uploads their clients’ data or interactions.
    3. Other Individuals: any other data subjects whose Personal Data is transmitted by or on behalf of Customer through the Services.
  6. Customer should not intentionally submit special categories of data (e.g., health, genetic, biometric, children’s data) unless the parties have agreed in writing to necessary safeguards. If such data is submitted inadvertently, Sintra will treat it with appropriate security measures and will process it as directed by Customer.

4. Sintra’s obligations

  1. Sintra shall ensure that any persons authorized to Process Personal Data are subject to confidentiality obligations and receive training on data protection and information security.
  2. Taking into account the nature, scope, context, and purposes of Processing as well as the risk to Data Subjects, Sintra shall implement appropriate technical and organizational measures to protect Personal Data, including:
    1. Encryption of data at rest and in transit where appropriate.
    2. Access controls using user IDs instead of plain emails, hashing credentials.
    3. Regular risk assessments and vulnerability scanning.
    4. Employee security awareness training.
    5. Intrusion detection and monitoring.
    6. Logical separation of data.
    7. Secure data backups, with retention as per Customer instructions.
    8. Additional details regarding Sintra’s technical and organizational measures may be provided upon Customer’s request or made available in Sintra’s documentation or security policy.
  3. Appointment of Subprocessors:
    1. Customer acknowledges and agrees that Sintra uses third parties (Subprocessors) to provide the Services. A list of current Subprocessors (e.g., OpenAI, Anthropic, Stripe, GCP, AWS, etc.) will be maintained and updated by Sintra.
    2. Sintra shall ensure each Subprocessor is bound by data protection obligations consistent with this DPA, including confidentiality and sufficient technical and organizational measures.
    3. Sintra shall provide notice of new Subprocessors by posting updates or via email. If Customer reasonably objects to a new Subprocessor on legitimate data protection grounds, Sintra will work with Customer in good faith to address such objections, which may include offering an alternative arrangement or the option for Customer to terminate the affected Services.
  4. International Transfers:
    1. Personal Data may be stored and processed in the United States or European Union, as well as any country in which Sintra or its Subprocessors operate.
    2. Where required by Applicable Data Protection Law for cross-border transfers (e.g., EU/EEA, UK, or Swiss Personal Data), Sintra relies on legally recognized transfer mechanisms such as Standard Contractual Clauses or other adequacy frameworks.
    3. Sintra shall provide a copy of the relevant transfer mechanism upon request, subject to redactions for confidentiality.
  5. Taking into account the nature of the Processing, Sintra shall promptly inform Customer if it receives any request from a Data Subject regarding their Personal Data (access, correction, deletion, etc.). Sintra will not respond to such requests except on Customer’s documented instructions. Sintra shall provide reasonable assistance to enable Customer to respond to Data Subject requests as required by law.
  6. If Sintra becomes aware of a Personal Data Breach affecting Customer Data, Sintra will notify Customer without undue delay (and in any event within 72 hours of confirmation of the breach, if feasible). Such notice will describe the nature of the breach, potential impact, and the measures taken or proposed to address it. Sintra is not responsible for notifications or communications to regulators or individuals unless otherwise required by law or agreed. Customer may contact help@sintra.ai to report an incident.
  7. Deletion or Return of Data:
  
    1. Sintra will rectify or delete Personal Data upon Customer’s request within thirty (30) days unless retention is required by law or necessary for legitimate business purposes.
    2. Upon expiration or termination of the Principal Agreement, Sintra shall, at Customer’s choice, delete or return all Customer Data. If deletion is requested, Sintra will remove Personal Data from active systems within 30 days (with possible retention in backups for a limited period).
    3. Sintra may retain certain data if required by law, subject to confidentiality and technical protection measures.

5. Customer’s obligations

  1. Customer represents and warrants that it (a) has complied, and will continue to comply, with all Applicable Data Protection Laws; and (b) has the right to transfer or provide access to Personal Data for Processing by Sintra in accordance with this DPA.
  2. Customer shall ensure that Personal Data is collected lawfully, is accurate, and is limited to what is necessary for the purposes for which it is processed. Customer is responsible for ensuring that their instructions comply with all applicable laws.
  3. Customer shall provide all necessary notices to Data Subjects and obtain any required consents under Applicable Data Protection Law for Sintra’s Processing of Personal Data under this DPA.
  4. If Customer uploads or processes data relating to third parties (e.g., end users), Customer is solely responsible for ensuring it has the necessary legal basis to do so. Sintra disclaims any responsibility if the Customer lacks such basis.

6. Confidentiality

  1. The Processor hereby confirms that it will ensure the confidentiality of Personal Data in the course of processing thereof. Only those employees of the Processor who require access to the Personal Data in order to be able to fulfil the obligations of the Processor provided in the Service Agreement and the Agreement and who have been obligated to comply with the confidentiality provisions shall have access to the Personal Data and process them, and only to the extent required for the fulfilment of obligations of the Processor under the Service Agreement and the Agreement. Provisions on confidentiality set out in the Service Agreement, including the established fines, shall also be applicable to this Agreement and any Processing.

7. Right to audit

  1. The Controller shall have the right at any time, having submitted a prior reasonable notification, using its own efforts or by engaging an independent third party (an auditor), to perform an audit in order to verify the compliance of Processor’s activities with the Agreement requirements. For this purpose, the Processor undertakes to ensure the possibility for the Controller or the auditor thereof to access the Processor’s premises, computer software, required documents, etc. to the extent required for the performance of the audit. These obligations shall not include the information about other customers of the Processor. At the request of a Party, the other Party and (or) the auditor shall undertake to keep all information related to the audit confidential; however, such obligation shall not restrict the right of the Controller and (or) auditor to take actions with regard to conclusions reasonably made in the course of the audit.

8. Data Protection Impact Assessment

  1. Where the type of processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the Processing, is likely to result in a high risk to the rights and freedoms of natural persons, the Processor shall, prior to the Processing, provide support to the Controller in carrying out an assessment of the impact of the envisaged Processing operations on the protection of Personal Data.
  2. The Processor is aware that in cases where the supervisory authority believes that the aforementioned planned Processing activities indicated in Clause 5.1 may become the reason of infringement of the Applicable Legal Acts, the supervisory authority may submit written recommendations to the Processor and use any authorisations provided in the Applicable Legal Acts.

9. Liability and Indemnification

  1. The liability of each party under or in connection with this DPA shall be subject to the limitations of liability set forth in the Principal Agreement. Sintra does not assume liability for data breaches or other acts or omissions by its Subprocessors beyond what is set forth in the Principal Agreement and this DPA.
  2. Sintra uses known, reputable third-party Subprocessors (e.g., Stripe for payments, OpenAI for AI processing). Customer acknowledges that Sintra shall not be responsible for any data incidents or liabilities solely attributable to these third-party providers’ acts or omissions, provided Sintra has complied with Section 4.3 (Subprocessors). Sintra will, however, remain responsible for coordinating with such Subprocessors to enforce data protection obligations and assisting Customer with any necessary remediation or notifications if a subprocessor breach occurs.
  3. Each party shall indemnify and defend the other party against any costs, damages, or fines arising from the indemnifying party’s breach of this DPA or Applicable Data Protection Law, to the extent provided in the Principal Agreement.

10. International data transfers

  1. Personal Data that Sintra Processes may be transferred to and stored in the United States or the European Union. Sintra and its Subprocessors maintain data centers primarily in these regions.
  2. For transfers from the European Economic Area, United Kingdom, or Switzerland to countries not recognized by competent authorities as providing an adequate level of data protection, Sintra shall rely on Standard Contractual Clauses or other lawful transfer mechanisms. By signing or accepting this DPA, Customer instructs Sintra to enter into such transfer mechanisms on Customer’s behalf where necessary.

11. Miscellaneous

  1. Term and Termination. This DPA is effective for the term of the Principal Agreement. Termination or expiry of the Principal Agreement shall automatically terminate this DPA. The obligations that by their nature survive termination will remain in effect (e.g., confidentiality, deletion of data).
  2. Governing Law and Jurisdiction. This DPA and any disputes or claims arising out of or in connection with it shall be governed by the laws of Delaware, United States, without regard to conflicts of law rules. The parties submit to the exclusive jurisdiction of the courts located in Delaware, except where otherwise required by Applicable Data Protection Law.
  3. Entire Agreement; Conflict. This DPA supplements and forms part of the Principal Agreement. In the event of inconsistencies between the terms of this DPA and the Principal Agreement concerning the Processing of Personal Data, the terms of this DPA shall prevail. Except as set forth in this DPA, the Principal Agreement remains unchanged.
  4. Severability. If any provision of this DPA is found unenforceable or invalid, that provision shall be limited or eliminated to the minimum extent necessary so that the DPA otherwise remains in full force and effect.
  5. Amendments. Sintra may modify this DPA as required to comply with changes in law or best practices. If Sintra makes a material change, Sintra will notify Customer, and the updated DPA will be effective upon posting or as otherwise communicated in writing.
  6. Signature. By using Sintra’s Services or otherwise signing this DPA (physically or electronically), the parties acknowledge and agree to be bound by its terms.

12. Annexes to the Agreement

  1. Annex 1. List of subprocessors;
  2. Annex 2. List of organisational and technical measures.

Annex 1: Subprocessors

Below is a non-exhaustive list of key Subprocessors used by Sintra for hosting, data processing, or other Services-related activities. This list may be updated from time to time.

  • OpenAI (AI infrastructure)
  • Anthropic (AI infrastructure)
  • SerpAPI (search API)
  • SEOptimer (SEO analysis)
  • Stripe (payment processing)
  • Google Cloud Platform (hosting, data storage)
  • RevenueCat (subscription management)
  • Apple (in-app purchases)
  • Twilio (SMS, communications)
  • Intercom (customer support)
  • Amazon Web Services (hosting, storage)
  • Klaviyo (marketing email)
  • Sentry (error tracking)
  • Equifax (if used for credit checks, etc.)
  • Github (code repository)
  • GrafanaCloud (monitoring)
  • Wordware (specialized tools)
  • Replicate (AI infrastructure)
  • Railway (hosting platform)
  • Mixpanel (analytics)
  • Churnkey (subscription churn management)
  • CockroachDB (database)
  • Sintra also uses affiliates (e.g., Monkai, UAB) for certain data processing and development activities.

Annex 2: Technical and Organisational measures

Security Controls:

  • Access Controls: User authentication via hashed credentials; role-based access; unique user IDs instead of storing plain emails.
  • Encryption: Data encrypted in transit (TLS 1.2 or higher) and at rest where feasible.
  • Physical Security: Cloud data centers (AWS, GCP) with industry-standard physical security, access restricted to authorized personnel only.
  • Monitoring and Logging: Activity logs, intrusion detection, SIEM solutions for event monitoring, security alerts, and anomaly detection.
  • Incident Response: Defined process for handling security incidents and Data Breaches, with notifications to Customer in accordance with this DPA.
  • Employee Training: Security and privacy awareness sessions for employees with data access responsibilities.
  • Data Minimization & Retention: Data kept only as needed for providing the Services or complying with legal obligations.
  • Data Deletion: Upon request or service termination, data is securely deleted within 30 days, subject to legitimate legal or business retention requirements.