Legal information
GDPR and AI.
A short operational note for teams reviewing Syntalith before an AI agent or LLM application project. It summarizes our default data-protection posture; the signed agreement and DPA define the binding scope.
Compliance posture · Last updated: June 2, 2026
Document summary
- Controller
- Syntalith sp. z o.o., Stefana Batorego 18/108, 02-591 Warsaw, Poland
- Privacy contact
- [email protected]
- DPA
- Available before implementation kickoff where Syntalith processes personal data on the client's behalf.
- Hosting posture
- EU hosting is the default target for Syntalith-managed environments; client infrastructure can be used when agreed.
- Model training
- Client data is not used to train Syntalith models. External providers are governed by the agreed subprocessor setup.
Sections
What this page is
This page is a practical summary for founders, operators, and legal reviewers who need to understand how we handle GDPR-relevant AI projects.
It is not legal advice and does not replace a DPIA, ROPA entry, vendor review, or internal compliance decision made by the client.
DPA and project scope
When Syntalith processes personal data as a processor, the engagement includes a data processing agreement before implementation starts.
The DPA and statement of work define the processing purpose, categories of data, retention, subprocessors, security expectations, and exit or deletion steps.
- Before build
- We identify which systems, data categories, and user groups the agent may access.
- During build
- Access is scoped to the work: least privilege, separate service accounts where possible, and audit trail requirements.
- After launch
- Retention, monitoring, incident handling, and change ownership are set in the maintenance or handover model.
Subprocessors and transfers
AI projects may require infrastructure, model, observability, email, or workflow providers. The concrete list depends on the project architecture.
Subprocessors and transfer mechanisms are documented in the agreement or DPA. If a US-based model provider is used, the project uses the contractual safeguards agreed for that provider.
EU hosting and containment
For Syntalith-managed systems, EU hosting is the default target. Some projects run inside the client's own cloud or infrastructure when that is safer for governance.
The important control is not only geography. We define where the agent can act, which credentials it receives, what it may read or write, and what action requires human approval.
- least-privilege credentials
- separate environments for development and production
- logging and audit trail for agent actions
- human approval before production-impacting actions where required
- retention and deletion rules agreed before launch
AI Act mapping
Our seven-criterion scoping frame creates technical input for operator-side AI Act documentation: work, context, tools, boundaries, escalation, measurement, and trace.
This is structural support for compliance work, not a legal classification of the system and not a determination that the client meets every obligation.
Separately, Art. 50 (telling a user they are talking to AI) binds providers and deployers from 2 August 2026, regardless of risk class.
- Trace · Art. 12 AI Act
- Supports event recording, automatic logs, and auditability discussions.
- Work and context · Art. 13 AI Act
- Supports transparency about intended use, data sources, and operating conditions.
- Tools · Art. 13 + 26 AI Act
- Supports documentation of the tools and systems the agent can reach, and deployer obligations at rollout.
- Boundaries and escalation · Art. 14 AI Act
- Supports human oversight, stop conditions, and handoff to the operator.
- Measurement · Art. 17 + 72 AI Act
- Supports quality management, post-launch monitoring, and system review.
Rights and related policies
Data subject requests and privacy questions can be sent to [email protected]. The privacy policy describes rights, legal bases, retention periods, cookies, and supervisory authority details in full.
The cookie policy describes the analytics and marketing tools. They run in consent mode: no cookies without consent, with full measurement and marketing pixels enabled only after consent.