Terms applicable to the processing of personal data by Sinky.
Data Processing Agreement — Updated June 2026.
Last updated: June 2026
1. Purpose
This Data Processing Agreement (“DPA”) establishes the terms applicable to the processing of Personal Data performed by Sinky in connection with the delivery of its services.
This DPA complements:
Sinky’s Terms of Use
Commercial agreements entered into between the Parties
Sinky’s Privacy Policy
Other applicable documents
In case of conflict between this DPA and other contractual documents related to the processing of Personal Data, this DPA shall prevail with respect specifically to data protection.
2. Definitions
Client
Legal entity contracting Sinky’s services.
Sinky
The entity responsible for providing the platform and contracted services.
Personal Data
Any information related to an identified or identifiable natural person.
Data Subject
Natural person to whom the Personal Data refers.
Processing
Any operation performed on Personal Data, including collection, storage, access, use, sharing, transfer, deletion, or any similar activity.
Controller
Party responsible for decisions regarding the processing of Personal Data.
Processor
Party that processes Personal Data on behalf of the Controller.
Subprocessor
Third party contracted by Sinky to assist in service delivery.
3. Roles of the Parties
Unless specifically provided otherwise in the contract:
Client
Acts as Controller of Personal Data processed through the platform.
Sinky
Acts as Processor of Personal Data processed on behalf of the Client.
4. Processing Scope
Sinky may process Personal Data exclusively for:
Delivery of contracted services
Execution of workflows configured by the Client
Decision processing
Integration with authorized data sources
Technical support
Operational monitoring
Platform security
Compliance with legal obligations
Sinky will not use Personal Data for purposes incompatible with service delivery.
5. Client Instructions
Sinky will process Personal Data according to:
Documented Client instructions
Configurations implemented by the Client on the platform
Applicable legal obligations
The Client acknowledges responsibility for policies, rules, workflows, integrations, and decisions implemented in their environment.
6. Data Categories
Depending on platform usage, processed Personal Data may include:
Identification Data
Name, national ID (CPF), government ID (RG), date of birth, address, phone, email.
Professional Data
Position, company, registration information.
Financial Data
Authorized financial transactions, Open Finance data, credit history, banking information.
The Client should not use the platform to process Sensitive Data, except when:
Permitted by applicable legislation
Necessary for the intended purpose
Duly authorized or based on a valid legal basis
When applicable, Sinky will adopt additional protection measures compatible with the nature of the processed data.
8. Information Security
Sinky maintains appropriate technical and organizational controls for the protection of Personal Data. These controls may include:
Encryption in transit
Encryption at rest
Role-based access control (RBAC)
Multi-factor authentication (MFA)
Continuous monitoring
Event logging
Environment segregation
Vulnerability management
Incident response
Additional information can be found in Sinky’s Security & Trust Appendix.
9. Subprocessors
Sinky may engage Subprocessors to support service delivery. The selection of these vendors considers criteria related to:
Security
Privacy
Availability
Compliance
The updated list of Subprocessors is available in a separate document maintained by Sinky.
10. International Transfers
Personal Data may be processed or stored in countries different from where the Client is located.
When applicable, Sinky will adopt appropriate mechanisms to ensure adequate protection of Personal Data, including:
Appropriate contractual clauses
Technical safeguards
Applicable legal requirements
11. AI & Automated Processing
The platform may use AI capabilities to support features such as:
Risk analysis
Fraud prevention
Compliance
Onboarding
OCR
Classification
Recommendation generation
Explainability
These features operate as decision support tools. Responsibility for final decisions remains with the Client.
12. AI Model Training
Sinky will not use Client Personal Data for training public foundational AI models without the Client’s express authorization.
Data processed through the platform will not be shared for general public model training without specific authorization.
13. Confidentiality
Sinky will ensure that employees, service providers, and authorized third parties are subject to appropriate confidentiality obligations.
14. Security Incidents
In the event of a security incident affecting Personal Data under Sinky’s responsibility, the company will adopt reasonable measures to:
Investigate the incident
Contain its effects
Mitigate impacts
Communicate to the Client when required by law or when reasonably necessary
15. Data Subject Rights
Whenever applicable, Sinky will provide reasonable assistance to the Client for handling requests related to data subject rights.
Primary responsibility for responding to data subjects remains with the Client as Controller.
16. Retention & Deletion
Personal Data will be maintained for the period necessary for:
Service execution
Compliance with legal obligations
Auditing
Security
Dispute resolution
After termination of the contractual relationship, data may be deleted or anonymized according to internal policies and applicable legal requirements.
17. Auditing
Upon reasonable request and subject to confidentiality and security obligations, Sinky may provide evidence related to its data protection controls.
This may be provided through:
Certifications
Independent reports
Compliance documents
Responses to security questionnaires
18. Limitation of Liability
Responsibilities related to data protection shall observe the limitation of liability provisions set forth in the main agreement entered into between the Parties, unless mandatory legal provisions provide otherwise.
19. Applicable Law
This DPA shall be interpreted in accordance with the applicable law set forth in the main agreement entered into between the Parties.
20. Contact
Questions related to data protection may be sent to: