Data Processing Agreement (DPA)
Synaps Media is committed to GDPR compliance. This Data Processing Agreement defines our roles, responsibilities, and obligations as your data processor.
In Accordance with Article 28 of the General Data Protection Regulation (GDPR)
1. Subject Matter and Relationship
This DPA forms part of the Terms of Service ("Agreement") and governs the processing of personal data by Synaps Media on behalf of the Customer. This DPA shall prevail over the Agreement regarding data protection matters.
2. Roles and Instructions
- The Customer acts as Controller and Synaps Media acts as Processor.
- Synaps Media shall process personal data only on documented instructions from the Customer. The Agreement and the Customer’s use of the Services constitute the complete and ongoing instructions.
- Synaps Media shall inform the Customer without undue delay if, in its opinion, an instruction infringes the GDPR or other applicable data protection provisions.
3. Sub-processors
- The Customer grants a general authorization for Synaps Media to engage sub-processors. The current list is maintained at: https://www.synapsmedia.com/dpa-sub-processors/
- Synaps Media may update this list from time to time. Continued use of the Services after such updates constitutes acceptance of the new sub-processors.
4. Security and Confidentiality
- Synaps Media shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (Art. 32 GDPR).
- Synaps Media ensures that all personnel authorized to process data are subject to confidentiality obligations.
5. Assistance and Audits
- Taking into account the nature of the processing, Synaps Media shall assist the Customer in fulfilling data subject rights requests. Self-service features within the Ghost CMS interface are the primary means for such assistance.
- Synaps Media reserves the right to charge a reasonable fee for assistance that requires significant manual effort.
- Synaps Media shall provide necessary documentation to demonstrate compliance. Physical on-site audits are excluded.
6. Personal Data Breach
Synaps Media shall notify the Customer without undue delay after becoming aware of a personal data breach affecting data processed under this DPA.
7. International Data Transfers
Personal data is primarily stored within the EU/EEA. Certain processing activities (such as email routing or content delivery) may involve transfers outside the EU/EEA, subject to appropriate safeguards such as Standard Contractual Clauses (SCCs).
8. Termination and Deletion
Upon termination of the Services, Synaps Media shall delete personal data within 30 days, unless retention is required by law. Encrypted backups may persist for up to 60 days before being deleted.
Annex A – Processing Details
| Field | Description |
|---|---|
| Subject matter | Managed Ghost CMS hosting services. |
| Duration | For the duration of the Agreement and until deletion of data. |
| Nature and Purpose | Hosting, storage, and technical operation of the Ghost CMS instance. |
| Type of Data | Names, emails, IP addresses, and any other personal data processed within the Customer’s Ghost instance. |
| Responsibilities | The Customer is responsible for ensuring the legal basis for all processed data, including special categories (Art. 9 GDPR). |
| Data Subjects | Website visitors, subscribers, and the Customer's authorized users. |
Acceptance: This DPA is incorporated into the Agreement. By subscribing to or using the Services, the Customer agrees to these terms. No separate signature is required.
Last updated: April 03, 2026