Data Processing Agreement
How SlideSync processes, stores, and protects your data on behalf of our customers.
1. Scope and Purpose
This Data Processing Agreement ("DPA") describes how SlideSync ("Processor") processes personal data on behalf of its customers ("Controllers") in connection with the SlideSync platform and services. This DPA applies to all personal data processed by SlideSync as a data processor under applicable data protection laws, including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
SlideSync processes personal data solely to provide the services described in the Terms of Service and as instructed by the Controller. We do not process personal data for our own independent purposes beyond what is necessary to deliver and improve the platform.
2. Categories of Data Processed
In the course of providing the SlideSync platform, we process the following categories of personal data:
- Identity data — name, email address, and profile photo provided through Google OAuth authentication.
- Account data — subscription plan, billing information (processed by Stripe), and account preferences.
- Usage data — feature interactions, session duration, pages visited, and anonymized analytics collected through Google Analytics 4.
- Content data — files, text, and other materials uploaded by users for the purpose of generating presentations.
- Technical data — IP address, browser type, device information, and access logs collected for security and troubleshooting purposes.
3. Sub-Processors
SlideSync engages the following sub-processors to deliver its services. Each sub-processor is contractually bound to process data in accordance with applicable data protection requirements:
- Supabase — database hosting, authentication, and backend services. Data is stored in Supabase-managed PostgreSQL instances with AES-256 encryption at rest.
- Vercel — application hosting, edge delivery, and serverless functions. Processes request data and serves application assets globally.
- Stripe — payment processing and subscription management. Processes billing data including payment method details, transaction history, and invoicing.
- Google — authentication (OAuth) and analytics (GA4). Processes identity data for sign-in and anonymized usage data for analytics.
We will notify Controllers of any intended changes to our sub-processor list by updating this page. Controllers may object to a new sub-processor by contacting us within 30 days of the notification.
4. International Data Transfers
SlideSync and its sub-processors may process personal data in jurisdictions outside of the European Economic Area (EEA), the United Kingdom, and Switzerland. Where such transfers occur, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- Data Processing Agreements with all sub-processors that include equivalent data protection obligations.
- Encryption of data in transit (TLS) and at rest (AES-256) across all transfer channels.
5. Security Measures
SlideSync implements appropriate technical and organizational measures to protect personal data against unauthorized access, loss, or destruction. These measures include:
- Encryption of all data in transit using TLS 1.2 or higher, and at rest using AES-256.
- Role-based access controls limiting data access to authorized personnel only.
- Regular security assessments and vulnerability scanning of infrastructure and application code.
- Audit logging of administrative actions and data access events.
- Incident response procedures aligned with SOC 2 security practices.
6. Data Breach Notification
In the event of a personal data breach, SlideSync will notify affected Controllers without undue delay and no later than 72 hours after becoming aware of the breach. The notification will include:
- A description of the nature of the breach.
- The categories and approximate number of data subjects and records affected.
- The likely consequences of the breach and the measures taken or proposed to mitigate its effects.
- Contact information for the SlideSync team member responsible for coordinating the response.
SlideSync will cooperate fully with Controllers and relevant supervisory authorities in the investigation and resolution of any data breach.
7. Data Subject Rights
SlideSync will assist Controllers in fulfilling data subject requests under applicable data protection laws. This includes requests for access, rectification, erasure, restriction, portability, and objection to processing. Upon receiving a data subject request directly, SlideSync will redirect the individual to the relevant Controller unless otherwise instructed.
To submit a data subject request or to inquire about data processing practices, contact us at privacy@slidesync.ai.