Privacy and Security

PRIVACY

1. Our Commitment to Data Privacy and Responsible AI

At SynaptyX, we treat privacy and data protection as foundational—not optional. As an AI-led services and consulting firm, we design, develop and deploy our proprietary Lattice accelerator suite with a "privacy-by-design" and "responsibility-by-default" mindset. We ensure:

  • Transparent and lawful data usage
  • Minimal data collection aligned to business need
  • Fair and explainable AI practices
  • Security measures fit for the evolving risk landscape

We are a startup but remain committed to implementing practices that align with global standards such as ISO 27001 and SOC 2 as we scale.

2. Data Collection and Processing Principles

When using the Lattice suite—comprising tools like SynProp, SynWise, SynCraft, SynStruct, SynSights, and SynIntel—we adhere to the following principles:

  • Purpose Limitation: We only process data necessary to fulfil defined client use cases.
  • Data Minimisation: We avoid collecting more data than is strictly required.
  • Storage Limitation: Data is retained only for the duration required by the client contract or applicable law.
  • Accuracy: Clients retain control over input datasets; we offer tools to help validate and deduplicate records.

No personal data is used to train general-purpose models within Lattice. All models are either fine-tuned or prompted on client-authorised datasets only.

3. Data Residency and Transfers

  • UK Clients: Data remains within UK or EU servers where possible. Any transfers outside the UK comply with UK GDPR adequacy decisions or use Standard Contractual Clauses (SCCs).
  • India Operations: All processing aligns with India's Digital Personal Data Protection Act (DPDPA) 2023. Client consent, purpose limitation and lawful processing are strictly observed.
  • Cross-border Processing: We operate under Data Processing Agreements (DPAs) with clients and sub-processors, ensuring lawful international transfers under GDPR and EU AI Act guidelines.

4. Data Security Measures

Our current security protocols include:

  • Encrypted data in transit (TLS 1.2+) and at rest (AES-256)
  • Role-based access control with least privilege enforcement
  • Mandatory two-factor authentication (2FA) for administrative access
  • Logical separation of customer environments
  • Daily vulnerability scans and monthly threat modelling
  • Secure development lifecycle (including static code analysis for Lattice modules)

We also conduct quarterly internal reviews and plan to undergo external audits as we mature.

5. AI-Specific Risk & Fairness Controls

To meet EU AI Act obligations (especially for "limited-risk" AI systems), SynaptyX follows these practices:

  • Human Oversight: All Lattice-based outputs are reviewable and overridable by human experts.
  • Explainability: Tools like SynWise and SynStruct offer reasoning traceability and explanation on request.
  • Bias Checks: We conduct bias detection during pilot phases and simulate outcomes across demographic proxies (where relevant).
  • Logging & Traceability: All inference and generation activities are logged to allow post-hoc audits or rollback.

We do not deploy or offer "high-risk" use cases (e.g., biometrics, health or medical advice, public surveillance) without explicit client-level risk mitigation and regulatory alignment.

6. Data Subject Rights

In alignment with GDPR and DPDPA:

  • Individuals can request access, rectification, deletion, and data portability.
  • We support DSAR (Data Subject Access Request) workflows within 30 days.
  • As processors, we honour and enforce all such requests as directed by our clients (the data controllers).

Contact Us

If you have any questions about this Privacy Policy, please contact us at corp@synaptyx.ai