Data Processing Agreement

How Parley processes personal data on behalf of customers.

1. Definitions

Capitalized terms not defined here have the meaning given in the Terms of Service or in applicable data-protection law.

  • Personal Data: any information relating to an identified or identifiable natural person that Customer provides to or generates through the Service.
  • Processing: any operation performed on Personal Data, such as collection, storage, modification, retrieval, use, transmission, or deletion.
  • Controller: the entity that determines the purposes and means of Processing Personal Data. With respect to Customer's content in the Service, Customer is the Controller.
  • Processor: the entity that Processes Personal Data on behalf of the Controller. With respect to Customer's content in the Service, Vyntric is the Processor.
  • Sub-processor: a third party engaged by Vyntric to Process Personal Data on Customer's behalf.
  • Data Subject: the natural person to whom Personal Data relates.
  • Standard Contractual Clauses ("SCCs"): the European Commission's standard contractual clauses for the transfer of personal data to third countries (Module Two: Controller to Processor) as adopted in Commission Implementing Decision (EU) 2021/914.

2. Scope and roles

2.1 Subject matter

Vyntric provides the Service to Customer. In doing so, Vyntric Processes Personal Data on Customer's behalf as a Processor.

2.2 Duration

This DPA applies for as long as Customer uses the Service and Vyntric Processes Personal Data on Customer's behalf.

2.3 Nature and purpose of Processing

Vyntric Processes Personal Data solely to provide and improve the Service in accordance with the Terms of Service, Privacy Policy, and Customer's lawful, documented instructions (typically expressed through Customer's use of the Service).

2.4 Categories of Personal Data

  • Identification and contact data of Customer's users (name, email)
  • Account data (organization id, plan, billing identifiers)
  • Authentication data (access tokens, OAuth tokens, encrypted at rest)
  • Service content data (planning session content, design-axis answers, drafted issues, code anchors)
  • Integration data (Linear identifiers for projects, issues, milestones, users, labels)
  • Telemetry data (MCP tool calls, API request logs, audit log entries, IP addresses, error reports)

2.5 Categories of Data Subjects

  • Customer's authorized users
  • Natural persons referenced in Customer's Linear workspace data (Linear users, assignees, mentions in issue content)

3. Vyntric's obligations

3.1 Lawful Processing

Vyntric will Process Personal Data only on Customer's documented instructions, including with regard to transfers to a third country. Customer's use of the Service per the Terms of Service constitutes those instructions, supplemented by any additional written instructions Customer provides.

3.2 Confidentiality

Vyntric will ensure that personnel authorized to Process Personal Data are bound by appropriate confidentiality obligations.

3.3 Security

Vyntric will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including those described in Annex A below.

3.4 Sub-processor engagement

Vyntric may engage Sub-processors as described in Annex B. Vyntric will:

  • Impose data-protection obligations on Sub-processors no less protective than those in this DPA
  • Remain liable for Sub-processors' performance of those obligations
  • Notify Customer of any intended changes to its list of Sub-processors at least 14 days before the change, by posting to askparley.dev/dpa and (where Customer has provided a notification email) by email
  • Allow Customer to object on reasonable data-protection grounds. If the parties cannot resolve the objection within 30 days, Customer may terminate the Service per the Terms of Service

3.5 Data Subject requests

Where a Data Subject contacts Vyntric directly about a request related to their Personal Data Processed under this DPA, Vyntric will redirect the request to Customer where Customer is the appropriate respondent. Vyntric will assist Customer, by appropriate technical and organizational measures, in fulfilling Customer's obligation to respond to Data Subject requests.

Most Data Subject requests can be fulfilled directly through the Service: data export under Settings, "Export my data", and account deletion under Settings, "Delete account". For requests Customer cannot fulfill through the Service, Customer may contact privacy@vyntric.com.

3.6 Personal Data Breach notification

Vyntric will notify Customer without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data Breach affecting Customer's Personal Data. The notification will describe the nature of the breach, categories and approximate numbers of Data Subjects and records concerned, likely consequences, and measures taken or proposed to address it.

Vyntric will reasonably cooperate with Customer to fulfill any obligation Customer has to notify supervisory authorities or affected Data Subjects.

3.7 Data Protection Impact Assessments

Where a Data Protection Impact Assessment is required under Article 35 GDPR, Vyntric will provide Customer with reasonable assistance, taking into account the nature of Processing and the information available to Vyntric.

3.8 Return or deletion of Personal Data

On termination of the Service, Vyntric will, at Customer's choice, return all Personal Data to Customer or delete it within 30 days, except to the extent law requires storage. Customer can self-serve both via the dashboard: Settings, "Export my data" for return, and Settings, "Delete account" for deletion.

Aggregated and anonymized data derived from Customer's Personal Data (as described in the Terms of Service, Section 4) is not Personal Data and is not subject to the deletion obligation.

3.9 Audits

Vyntric will make available to Customer information necessary to demonstrate compliance with this DPA, primarily through this DPA, the Privacy Policy, and security documentation made available on request.

For Customers on the Business plan or higher, Customer may, no more than once per calendar year and with at least 60 days' written notice, audit Vyntric's compliance with this DPA. Audits will be conducted during normal business hours at Customer's expense and will be subject to confidentiality obligations. Vyntric may satisfy this obligation by providing a current SOC 2 Type II report, ISO 27001 certification, or equivalent industry-standard audit report once such reports are available.


4. International transfers

4.1 Transfer mechanisms

Where Customer's Processing involves the transfer of Personal Data subject to GDPR, UK GDPR, or FADP to a country outside the European Economic Area, United Kingdom, or Switzerland that the European Commission, UK government, or Swiss Federal Data Protection and Information Commissioner has not deemed to provide an adequate level of protection, the Standard Contractual Clauses (Module Two: Controller to Processor) are incorporated by reference into this DPA and apply to that transfer.

For UK transfers, the UK International Data Transfer Addendum to the SCCs (issued by the UK Information Commissioner) is incorporated by reference and applies.

For Swiss transfers, the SCCs apply with the modifications required by the FADP.

4.2 Docking clause

Vyntric is the data importer under the SCCs. Customer is the data exporter.

4.3 SCC selections

  • Clause 7 (docking): the optional docking clause does not apply.
  • Clause 9 (sub-processors): Option 2 (general written authorization) applies. Vyntric will notify Customer of changes to its Sub-processor list per Section 3.4 above.
  • Clause 11 (redress): the optional independent dispute-resolution body does not apply.
  • Clause 17 (governing law): the SCCs are governed by the law of Ireland.
  • Clause 18 (forum): the courts of Ireland have jurisdiction over disputes arising under the SCCs.
  • Annex I, II, III of the SCCs: the description of Processing, technical and organizational measures, and Sub-processors is set out in Annex A and Annex B of this DPA.

4.4 Order of precedence

In the event of any conflict between this DPA and the SCCs, the SCCs prevail with respect to the international transfer of Personal Data.


5. CCPA / CPRA

When Vyntric Processes Personal Data of California residents subject to CCPA/CPRA on Customer's behalf, Vyntric acts as a "service provider" as defined by CCPA/CPRA. Vyntric:

  • Will not Sell or Share Personal Data
  • Will not retain, use, or disclose Personal Data for any purpose other than to perform the Service as specified in the Terms of Service
  • Will not retain, use, or disclose Personal Data outside the direct business relationship between Vyntric and Customer
  • Will not combine Personal Data received from Customer with Personal Data received from or on behalf of other persons, except as permitted by CCPA/CPRA

6. General

6.1 Order of precedence

In the event of any conflict between this DPA and the Terms of Service, this DPA prevails with respect to the Processing of Personal Data.

6.2 Updates

Vyntric may update this DPA to reflect changes in law, the Service, or Sub-processors. Material updates will be communicated as described in Section 14 of the Terms of Service.

6.3 Governing law

This DPA is governed by the same law as the Terms of Service, except where applicable data-protection law mandates a different governing law for specific provisions (such as the SCCs, which are governed by Irish law per Section 4.3).


Annex A: Technical and organizational measures

Vyntric implements the following measures to protect Personal Data:

A.1 Pseudonymization and encryption

  • TLS 1.2 or higher for Personal Data in transit
  • AES-256-GCM encryption for sensitive credentials at rest (Linear OAuth access tokens and refresh tokens, GitHub App tokens, integration secrets)
  • Vyntric does not store payment card details; these are tokenized by Stripe

A.2 Confidentiality, integrity, availability, resilience

  • Application-layer tenant scoping (every database query filters by organization id) as the primary defense against cross-tenant data exposure; database row-level security as belt-and-braces
  • Hosted on Vercel with multi-region edge serving and managed Postgres on Neon with point-in-time recovery
  • Background workers on Railway with automatic restart and queue-based retry semantics
  • Daily database backups with 7-day retention; tested restore procedures

A.3 Recovery

  • Postgres point-in-time recovery enabled
  • Application deployments are immutable and trivially rollback-able from Vercel
  • Sub-processor outages (Stripe, WorkOS, Linear, Anthropic) degrade specific features rather than crashing the Service

A.4 Testing, assessment, evaluation

  • Continuous dependency vulnerability scanning
  • Sentry error tracking with PII scrubbing on stack traces
  • Audit log of administrative actions (workspace connect/disconnect, token issuance/revocation, account deletion, plan changes)
  • Code review on every change to production code paths

A.5 Access control

  • Role-based access controls for Vyntric personnel; production database and infrastructure access limited to engineers with operational need
  • All administrative access requires multi-factor authentication
  • Personnel access is logged and reviewed periodically
  • Personnel are bound by confidentiality obligations on hire

A.6 Incident response

  • 24-hour internal escalation for suspected security incidents
  • Documented incident-response runbooks
  • Customer notification within 72 hours of confirmed Personal Data Breach per Section 3.6

Annex B: Approved Sub-processors

As of the effective date of this DPA, Vyntric uses the following Sub-processors to provide the Service:

| Sub-processor | Purpose | Personal Data categories | Location |
|---|---|---|---|
| WorkOS, Inc. | User authentication and identity (AuthKit) | Account info (name, email, OAuth identifiers) | United States |
| Stripe, Inc. | Payment processing and subscription billing | Billing info, payment tokens | United States |
| Vercel, Inc. | Application hosting | All categories in transit and at rest in serverless caches | United States, global edge |
| Neon, Inc. | Postgres database | All service content at rest | United States |
| Railway Corp. | Background worker (Linear sync) | Service content in transit during sync | United States |
| Functional Software, Inc. (Sentry) | Error tracking | Request context, error stacks, IP addresses (PII-scrubbed where possible) | United States |
| Anthropic, PBC | LLM enrichment during Flesh phase | Session content (titles, drafts) sent to Anthropic's API; per Anthropic's commercial terms, this data is not used to train Anthropic's models | United States |
| Linear Orbit, Inc. | Workspace integration | Customer's Linear data, only as Customer authorizes through OAuth scopes | United States |
| GitHub, Inc. | Conventions repository access (when Customer chooses to use a custom conventions repo) | Repository access via OAuth or via the Parley GitHub App, scoped to one repository | United States |

The most up-to-date list lives at this URL. Customer may subscribe to Sub-processor change notifications by emailing privacy@vyntric.com.


Contact

For DPA-related questions: