EFFECTIVE DATE: JUNE 2026
DATA PROCESSING ADDENDUM
This Data Processing Addendum (“DPA”) forms part of and is incorporated into the Master Service Agreement or Terms of Service (the “Agreement”) between Synonym Inc., a Delaware corporation, d/b/a Roebling (“Roebling”) and the entity identified as “Customer” in the Agreement (“Customer”), and governs the Processing of Personal Data by Roebling on behalf of Customer.
RECITALS
WHEREAS, Customer has engaged Roebling to provide access to and use of its industrial infrastructure planning and development platform (the “Platform”) pursuant to the Agreement;
WHEREAS, in connection with the provision of the Platform, Roebling will Process certain Personal Data on behalf of Customer; and
WHEREAS, the parties wish to establish the terms and conditions governing such Processing to ensure compliance with applicable Data Protection Laws.
NOW, THEREFORE, in consideration of the mutual obligations set forth herein, the parties agree as follows:
1. DEFINITIONS
1.1. “Applicable Data Protection Laws” means all laws and regulations applicable to the Processing of Personal Data under this DPA, including: (a) the General Data Protection Regulation (EU) 2016/679 (“EU GDPR”); (b) the EU GDPR as incorporated into the laws of the United Kingdom by virtue of the European Union (Withdrawal) Act 2018, as amended (“UK GDPR”), and the UK Data Protection Act 2018; (c) the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., as amended by the California Privacy Rights Act (“CCPA”); and (d) any other applicable data protection or privacy laws of the United States or its states.
1.2. “Controller” means the entity that determines the purposes and means of Processing Personal Data. For purposes of this DPA, Customer is the Controller.
1.3. “Data Subject” means an identified or identifiable natural person to whom Personal Data relates.
1.4. “EU SCCs” means the Standard Contractual Clauses for the transfer of personal data to third countries approved by European Commission Implementing Decision (EU) 2021/914.
1.5. “Personal Data” means any information relating to an identified or identifiable natural person that Roebling Processes on behalf of Customer in connection with the Platform, as further described in Annex I.
1.6. “Personal Data Breach” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored, or otherwise Processed by Roebling.
1.7. “Processing” (and its cognates “Process” and “Processed”) means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment, combination, restriction, erasure, or destruction.
1.8. “Processor” means the entity that Processes Personal Data on behalf of the Controller. For purposes of this DPA, Roebling is the Processor.
1.9. “Services” means the Platform and any related services provided by Roebling to Customer under the Agreement.
1.10. “Sub-processor” means any third party engaged by Roebling to Process Personal Data on behalf of Customer in connection with the Services.
1.11. “UK Addendum” means the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner under Section 119A of the UK Data Protection Act 2018, as may be amended or replaced.
2. SCOPE AND ROLES
2.1. Applicability. This DPA applies to the Processing of Personal Data by Roebling on behalf of Customer in connection with the Services. This DPA does not apply to Personal Data for which Roebling is an independent Controller, such as Customer contact information used by Roebling for its own account management, billing, and relationship purposes, or to aggregated and anonymized data that does not identify Customer or any individual and is used by Roebling for product improvement, research and development, AI model training, benchmarking, or analytics purposes as described in the Agreement.
2.2. Roles of the Parties. The parties acknowledge and agree that, with respect to the Processing of Personal Data under this DPA, Customer is the Controller and Roebling is the Processor. Roebling shall Process Personal Data only on behalf of and in accordance with Customer's documented instructions.
2.3. Customer Obligations. Customer represents, warrants, and covenants that:
(a) It has complied and will continue to comply with all Applicable Data Protection Laws in connection with its collection and provision of Personal Data to Roebling;
(b) It has provided and will continue to provide all necessary notices to, and has obtained and will continue to obtain all necessary consents, authorizations, or other legal bases from, Data Subjects as required under Applicable Data Protection Laws to permit the Processing contemplated by this DPA;
(c) Its instructions to Roebling regarding the Processing of Personal Data comply with Applicable Data Protection Laws; and
(d) It has the right to transfer, or provide access to, Personal Data to Roebling for Processing in accordance with this DPA.
2.4. Details of Processing. The subject matter, nature and purpose of Processing, the types of Personal Data, and the categories of Data Subjects are set forth in Annex I.
3. ROEBLING'S PROCESSING OBLIGATIONS
3.1. Processing Instructions. Roebling shall Process Personal Data only: (a) in accordance with Customer’s documented instructions, which the parties agree include the instructions set forth in this DPA and the Agreement; and (b) as required by applicable law, in which case Roebling shall inform Customer of such legal requirement before Processing unless prohibited by law from doing so. Customer may provide additional written instructions consistent with the terms of the Agreement, provided that any instructions requiring Roebling to take actions beyond the scope of the Services may be subject to additional fees. If Roebling becomes aware that, in its opinion, an instruction from Customer would infringe Applicable Data Protection Laws, Roebling shall promptly inform Customer; provided, however, that Roebling has no obligation to conduct legal review of Customer’s instructions and shall have no liability for any failure to identify potentially unlawful instructions.
3.2. Confidentiality. Roebling shall ensure that any personnel authorized to Process Personal Data are subject to appropriate confidentiality obligations, whether by contract or statutory duty.
3.3. Security Measures. Roebling shall implement and maintain appropriate technical and organizational measures designed to protect Personal Data against Personal Data Breaches and to preserve the security, integrity, and confidentiality of Personal Data. Such measures shall be appropriate to the risk and shall include, at a minimum, the measures set forth in Annex II. Roebling may update its security measures from time to time, provided that any updates do not materially diminish the overall security of the Services.
3.4. Assistance with Data Subject Rights. Taking into account the nature of the Processing, Roebling shall assist Customer, by appropriate technical and organizational measures and insofar as reasonably possible, in fulfilling Customer's obligations to respond to requests from Data Subjects to exercise their rights under Applicable Data Protection Laws. If Roebling receives a request from a Data Subject regarding Personal Data Processed on behalf of Customer, Roebling shall promptly notify Customer and shall not respond to such request except to acknowledge receipt, unless legally required to do so or authorized by Customer.
3.5. Assistance with Compliance Obligations. Roebling shall, taking into account the nature of Processing and the information available to Roebling, provide reasonable assistance to Customer with:
(a) Customer's obligations under Applicable Data Protection Laws relating to security of Processing;
(b) Customer's obligations regarding notification of Personal Data Breaches to supervisory authorities and Data Subjects;
(c) Customer's obligations regarding data protection impact assessments and prior consultations with supervisory authorities, to the extent required by Applicable Data Protection Laws; and
(d) Responding to inquiries from data protection supervisory authorities concerning the Processing of Personal Data under this DPA.
Customer shall reimburse Roebling for reasonable costs incurred in providing assistance under this Section 3.5, except to the extent such assistance arises from Roebling's breach of this DPA.
3.6. AI Processing. Customer acknowledges that the Services include AI-powered features that Process Personal Data contained in Customer Data uploaded to or submitted through the Platform. Customer represents and warrants that it has obtained all necessary consents and legal bases required under Applicable Data Protection Laws for such AI Processing. Roebling does not authorize third-party AI providers to use Personal Data Processed through AI features to train their general-purpose AI models. Nothing in this DPA limits Roebling’s right to use aggregated, anonymized, or de-identified data that does not identify Customer or any individual for product improvement, research and development, AI model training, benchmarking, analytics, or other purposes permitted under the Agreement.
3.7. Records of Processing. Roebling shall maintain records of processing activities carried out on behalf of Customer to the extent required by Article 30(2) of the EU GDPR. Such records shall be maintained for Roebling’s own compliance purposes. For clarity, Customer remains solely responsible for maintaining its own records of processing activities as required by Article 30(1) of the EU GDPR.
4. SUB-PROCESSORS
4.1. Authorization. Customer grants Roebling general written authorization to engage Sub-processors to Process Personal Data on Customer’s behalf, subject to the requirements of this Section 4. Roebling maintains a current list of Sub-processors at the URL specified in Section 4.3 (or such other URL as Roebling may designate). Customer’s execution of this DPA constitutes authorization of the Sub-processors listed as of the Effective Date.
4.2. Sub-processor Obligations. Roebling shall:
(a) Enter into, or ensure there is in place, a written agreement with each Sub-processor (which may include standard data processing terms incorporated by reference into the Sub-processor’s terms of service) imposing data protection obligations materially consistent with those set forth in this DPA with respect to the protection of Personal Data; and
(b) Remain fully liable to Customer for the performance of each Sub-processor's obligations.
4.3. Changes to Sub-processors. Roebling shall maintain a current list of Sub-processors at https://roebling.com/subprocessors (or such other URL as Roebling may designate by notice to Customer). Roebling shall provide Customer with at least fourteen (14) days’ prior notice before engaging any new Sub-processor, which notice may be provided by updating the Sub-processor list and sending notice to the email address associated with Customer’s account. Customer may object to a new Sub-processor on reasonable data protection grounds by providing written notice to Roebling within fourteen (14) days of Roebling’s notice. If Customer objects, the parties shall negotiate in good faith to resolve Customer’s concerns. If the parties are unable to resolve Customer’s objection within thirty (30) days, Customer may, as its sole remedy, terminate the portion of the Services that cannot be provided without the objected-to Sub-processor, and Roebling shall refund any prepaid fees covering the remainder of the term for such terminated Services.
5. PERSONAL DATA BREACH NOTIFICATION
5.1. Notification. Roebling shall notify Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Personal Data Processed on behalf of Customer.
5.2. Contents of Notification. Such notification shall include, to the extent then known:
(a) A description of the nature of the Personal Data Breach, including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
(b) The name and contact details of Roebling's point of contact from whom additional information may be obtained;
(c) A description of the likely consequences of the Personal Data Breach; and
(d) A description of the measures taken or proposed to be taken by Roebling to address the Personal Data Breach, including measures to mitigate its possible adverse effects.
5.3. Cooperation. Roebling shall cooperate with Customer and take reasonable steps as directed by Customer to assist in the investigation, mitigation, and remediation of the Personal Data Breach, and in Customer's efforts to comply with notification obligations under Applicable Data Protection Laws.
5.4. No Admission. Roebling's notification of or response to a Personal Data Breach under this Section 5 shall not be construed as an acknowledgment by Roebling of any fault or liability.
6. INTERNATIONAL DATA TRANSFERS
6.1. Processing Locations. As of the Effective Date, Roebling Processes Personal Data in the United States using data centers operated by Amazon Web Services and Google Cloud Platform. Roebling shall not transfer Personal Data to a country outside the United States, the European Economic Area (“EEA”), or the United Kingdom (“UK”) without ensuring that appropriate safeguards are in place as required by Applicable Data Protection Laws.
6.2. Transfers from the EEA. To the extent that Customer's use of the Services involves the transfer of Personal Data from the EEA to the United States or another country not subject to an adequacy decision by the European Commission, the parties agree that the EU SCCs (Module Two: Controller to Processor) are hereby incorporated by reference and shall apply to such transfers, with Customer as “data exporter” and Roebling as “data importer.” The EU SCCs shall be completed as set forth in Annex III.
6.3. Transfers from the UK. To the extent that Customer's use of the Services involves the transfer of Personal Data from the UK to a country not subject to UK adequacy regulations, the parties agree that the UK Addendum is hereby incorporated by reference and shall apply to such transfers. The UK Addendum shall be completed as follows:
(a) Table 1: The parties' details shall be as set forth in Annex I of this DPA;
(b) Table 2: The EU SCCs referenced in Section 6.2, with the options selected as set forth in Annex III, shall apply;
(c) Table 3: The Annexes of this DPA shall constitute the Appendix Information; and
(d) Table 4: Neither party may terminate the UK Addendum as set forth in Section 19 of the UK Addendum.
6.4. Alternative Transfer Mechanisms. The parties may agree in writing to rely on any alternative transfer mechanism that may be recognized under Applicable Data Protection Laws as providing adequate safeguards for international transfers of Personal Data, in which case such mechanism shall apply in lieu of the transfer mechanisms specified above.
7. UNITED STATES STATE PRIVACY LAWS
7.1. CCPA Compliance. To the extent the CCPA applies to Personal Data Processed under this DPA:
(a) Roebling is a “Service Provider” as defined in the CCPA and Processes Personal Data on behalf of Customer for the business purposes specified in the Agreement and this DPA;
(b) Roebling shall not sell or share (as those terms are defined in the CCPA) Personal Data;
(c) Roebling shall not retain, use, or disclose Personal Data for any purpose other than performing the Services as specified in the Agreement, for Roebling's operational purposes as permitted under the CCPA, or as otherwise permitted by the CCPA;
(d) Roebling shall not retain, use, or disclose Personal Data outside the direct business relationship between Roebling and Customer, except as permitted by the CCPA;
(e) Roebling shall not combine Personal Data received from Customer with personal information received from or on behalf of another person or collected from Roebling's own interaction with the consumer, except as permitted by the CCPA; and
(f) Roebling shall comply with applicable provisions of the CCPA and shall provide the same level of protection for Personal Data as required of businesses under the CCPA.
7.2. Other U.S. State Privacy Laws. To the extent other U.S. state privacy laws apply to Personal Data Processed under this DPA, Roebling shall Process such Personal Data in accordance with the applicable “processor,” “service provider,” or equivalent classification under such laws.
7.3. Certification. Roebling certifies that it understands and will comply with the restrictions and obligations set forth in this Section 7.
8. AUDIT AND RECORDS
8.1. Information and Audit Rights. Upon Customer's written request and subject to the confidentiality obligations set forth in the Agreement, Roebling shall make available to Customer information reasonably necessary to demonstrate Roebling's compliance with this DPA.
8.2. Audits. Customer may, upon at least thirty (30) days' prior written notice and no more than once per twelve (12) month period, conduct an audit or inspection, or appoint a qualified third-party auditor (subject to reasonable confidentiality undertakings) to conduct an audit or inspection, of Roebling's Processing activities and facilities to verify Roebling's compliance with this DPA. Any such audit shall:
(a) Be conducted during Roebling's normal business hours;
(b) Not unreasonably interfere with Roebling's business operations;
(c) Be conducted at Customer's sole expense; and
(d) Be subject to reasonable security and confidentiality requirements.
8.3. Security Reports. To the extent Roebling has obtained a SOC 2 Type II report, ISO 27001 certification, or comparable third-party audit report or certification, Roebling may, upon Customer's request and subject to confidentiality obligations, provide Customer with a copy of such report or certification in satisfaction of audit requests under Section 8.2.
9. DATA RETENTION AND DELETION
9.1. Retention. Roebling shall retain Personal Data only for as long as necessary to provide the Services and fulfill the purposes set forth in Annex I, unless a longer retention period is required by applicable law.
9.2. Deletion or Return. Upon termination or expiration of the Agreement, or upon Customer's earlier written request, Roebling shall, at Customer's election:
(a) Return to Customer all Personal Data in Roebling's possession or control in a commonly used, machine-readable format; or
(b) Delete all Personal Data in Roebling's possession or control.
Roebling shall complete such return or deletion within ninety (90) days of receiving Customer’s written election specifying return or deletion. If Customer does not make an election within thirty (30) days of termination or expiration, Roebling may delete Personal Data without further notice. Personal Data stored in backup or archival systems shall be deleted in accordance with Roebling’s standard backup rotation schedule, which shall not exceed an additional ninety (90) days. For purposes of this Section, deletion includes rendering Personal Data permanently unreadable or unrecoverable.
9.3. Exceptions. Roebling may retain Personal Data to the extent required by applicable law, provided that Roebling shall: (a) Process such retained Personal Data only for the purposes required by applicable law; (b) continue to protect such Personal Data in accordance with this DPA; and (c) delete such Personal Data promptly upon expiration of the applicable retention requirement.
9.4. Certification. Upon Customer's written request, Roebling shall provide written certification of deletion of Personal Data in accordance with this Section 9.
9.5. Individual User Deletion. During the term of the Agreement, Customer may request deletion of Personal Data associated with a specific individual user (for example, upon such user's departure from Customer's organization) by submitting a written request to Roebling. Roebling shall remove or de-identify the specified user's Personal Data within thirty (30) days of receiving such request, except to the extent retention is required by applicable law or permitted under Section 9.3. Anonymized and aggregated data that does not identify the individual user may be retained in accordance with Section 2.1.
10. GENERAL PROVISIONS
10.1. Order of Precedence. In the event of any conflict between this DPA and the Agreement, this DPA shall control with respect to the Processing of Personal Data. In the event of any conflict between this DPA and the EU SCCs or UK Addendum, the EU SCCs or UK Addendum (as applicable) shall control to the extent required to comply with Applicable Data Protection Laws.
10.2. Liability. Each party's liability under this DPA shall be subject to the limitations of liability set forth in the Agreement, except that such limitations shall not apply to the extent prohibited by Applicable Data Protection Laws.
10.3. Term. This DPA shall remain in effect for the duration of the Agreement. The obligations imposed by this DPA shall survive termination or expiration of the Agreement to the extent Roebling continues to Process Personal Data on behalf of Customer.
10.4. Amendments. This DPA may be amended only by a written instrument signed by both parties, except that Roebling may update the Annexes to this DPA as necessary to reflect changes in Sub-processors (in accordance with Section 4.3), security measures, or Processing activities, provided that such updates do not materially diminish the protections afforded to Personal Data under this DPA.
10.5. Severability. If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall remain in full force and effect, and the invalid or unenforceable provision shall be modified to the minimum extent necessary to make it valid and enforceable while preserving the parties' original intent.
10.6. Governing Law. This DPA shall be governed by the laws specified in the Agreement, except that the EU SCCs shall be governed by the law of Ireland and the UK Addendum shall be governed by the laws of England and Wales.
ANNEX I — DETAILS OF PROCESSING
Part A: List of Parties
Data Exporter (Controller) | Data Importer (Processor) | |
Name | Customer, as identified in the Agreement | Synonym Inc. d/b/a Roebling |
Address | As specified in the Agreement | 3 Bioscience Park Dr, Farmingdale, NY 11735 |
Contact Person | Customer's designated administrator | privacy@roebling.com |
Activities | Use of the Platform for industrial infrastructure planning and development | Provision of industrial infrastructure planning platform |
Role | Controller | Processor |
Part B: Description of Processing
Element | Description |
Subject Matter of Processing | Processing of Personal Data in connection with Roebling's provision of its industrial infrastructure planning platform to Customer |
Duration of Processing | For the term of the Agreement and any applicable data retention period thereafter |
Nature of Processing | Collection, storage, organization, retrieval, use, disclosure by transmission, and deletion of Personal Data through the Platform, including Processing by AI-powered features |
Purpose of Processing | To provide the Services, including: user authentication and account management; multi-factor authentication; Platform functionality and features; AI-assisted infrastructure planning and analysis; customer support; and compliance with legal obligations |
Categories of Personal Data | User account information: name, email address, job title; Authentication data: login credentials (hashed passwords), phone number (for MFA); Technical data: IP addresses, device identifiers, browser information; Usage data: Platform activity logs, feature usage, access timestamps; User-uploaded content: any Personal Data contained in documents, files, or data uploaded by users to the Platform (including data Processed by AI features) |
Categories of Data Subjects | Customer's authorized users and personnel; individuals whose Personal Data may be contained in user-uploaded content (e.g., third-party contacts, facility personnel, contractors referenced in project documentation) |
Special Categories of Data | None anticipated. Customer shall not submit special categories of Personal Data (as defined in Article 9 of the GDPR) to the Platform without Roebling's prior written consent. |
Part C: Competent Supervisory Authority
For transfers subject to the EU GDPR, the competent supervisory authority shall be determined in accordance with Clause 13 of the EU SCCs based on the EEA country in which the Data Exporter is established, or, where the Data Exporter is not established in the EEA, the EEA country in which the Data Exporter's EU representative is established, or, where no EU representative is appointed, the EEA country in which the Data Subjects are located.
For transfers subject to the UK GDPR, the competent supervisory authority shall be the UK Information Commissioner's Office.
ANNEX II — TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES
Roebling implements and maintains the following technical and organizational security measures to protect Personal Data:
1. Access Control
Role-based access controls limiting access to Personal Data to authorized personnel with a business need
Unique user identification and authentication for all system access
Multi-factor authentication for administrative and privileged access
Regular review of access rights and prompt revocation upon personnel departure or role change
Password policies requiring minimum complexity and regular rotation
Multi-tenant architecture with logical separation of Customer data, ensuring that each Customer's data is isolated from other Customers' data within shared infrastructure
2. Encryption
Encryption of Personal Data in transit using TLS 1.2 or higher
Encryption of Personal Data at rest using AES-256 or equivalent
Secure key management practices
3. Network Security
Firewalls and intrusion detection/prevention systems
Network segmentation to isolate sensitive systems
Regular vulnerability scanning
DDoS protection
4. Application Security
Secure software development lifecycle practices
Code review and security testing prior to deployment
Regular penetration testing by qualified third parties
Prompt patching of security vulnerabilities
5. Physical Security
Data centers operated by AWS and GCP with industry-standard physical security controls
Physical access controls, surveillance, and environmental protections at data center facilities
6. Organizational Measures
Written information security policies and procedures
Employee security awareness training
Background checks for personnel with access to Personal Data (where permitted by law)
Confidentiality agreements with all personnel
7. Incident Response
Documented incident response plan
Designated incident response team
Regular testing of incident response procedures
Procedures for breach notification in accordance with this DPA
8. Business Continuity
Regular data backups with secure off-site storage
Disaster recovery procedures
Business continuity planning
9. Vendor Management
Due diligence assessment of Sub-processors
Contractual data protection requirements for Sub-processors
Ongoing monitoring of Sub-processor compliance
We value your privacy
We use cookies to improve site functionality. Some cookies help us understand how visitors use our site.