Legal
Data Processing Addendum
Version 1.0 · Last updated June 2026 · Pending final legal review
1. Scope and roles
This Data Processing Addendum (“DPA”) forms part of the Terms of Servicebetween Routbox Inc. (“Routbox”) and a business (commercial) customer (“Customer”) and applies whenever Routbox processes Personal Data on Customer's behalf in providing the Cynact service. Where this DPA conflicts with the Terms of Service on the subject of data processing, this DPA controls.
For the purposes of applicable data-protection law, the Customer is the controller (or business) of Personal Data it submits to Cynact, and Routbox is the processor(or service provider) acting on Customer's documented instructions. This DPA is intended to satisfy Article 28 of the EU/UK GDPR and the service-provider requirements of the CCPA/CPRA.
2. Definitions
“Personal Data,” “processing,” “controller,” “processor,” “data subject,” and “sub-processor” have the meanings given in the GDPR. “Business,” “service provider,” “sell,” and “share” have the meanings given in the CCPA/CPRA. “Applicable Law” means all data-protection and privacy laws that apply to a party's processing under this DPA.
3. Details of processing
| Element | Description |
|---|---|
| Subject matter | Provision of the Cynact building-automation platform |
| Duration | For the term of the subscription, plus the retention periods in the Privacy Policy |
| Nature and purpose | Hosting, monitoring, automating, and controlling connected building devices; account, billing, support, and security functions |
| Categories of data subjects | Customer's authorized users and sub-users; occupants, employees, tenants, guests, and visitors at sites where devices are connected |
| Categories of Personal Data | Identifiers and contact details; account and usage data; device telemetry and building-system events; and, where Customer connects them, camera/video, presence, and biometric-derived data (treated as sensitive / special-category data) |
Routbox will process Personal Data only on Customer's documented instructions (including those set out in the Terms, this DPA, and Customer's configuration of the Service), unless required to do otherwise by Applicable Law, in which case Routbox will inform Customer unless legally prohibited.
4. Routbox's obligations
- Process Personal Data only as described in Section 3 and on Customer's instructions.
- Ensure that personnel authorized to process Personal Data are bound by confidentiality obligations.
- Implement and maintain appropriate technical and organizational security measures, as described in the Security section of our Privacy Policy and our Security overview, consistent with GDPR Article 32.
- Taking into account the nature of processing, assist Customer (by appropriate technical and organizational measures) in responding to data-subject requests and in meeting its obligations for security, breach notification, and data-protection impact assessments.
- At Customer's choice, delete or return Personal Data at the end of the engagement, except where retention is required by Applicable Law (see the Privacy Policy retention schedule).
5. Sub-processors
Customer provides general authorization for Routbox to engage sub-processors to support the Service. Our current sub-processors are listed in the Service Providers section of our Privacy Policy. Routbox imposes data-protection obligations on each sub-processor that are no less protective than those in this DPA, and remains responsible for their performance. We will give Customer reasonable notice of any intended addition or replacement of a sub-processor, giving Customer the opportunity to object on reasonable data-protection grounds.
6. International data transfers
Where processing involves the transfer of Personal Data out of the EEA, the UK, or Switzerland to a country without an adequacy decision, the parties rely on the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum, as applicable), which are incorporated into this DPA by reference. A copy is available on request at privacy@cynact.com.
7. Personal data breach
Routbox will notify Customer without undue delay after becoming aware of a Personal Data breach affecting Customer's Personal Data, and will provide information reasonably available to Customer to help it meet its own notification obligations. Routbox's general breach-handling commitments are described in the Privacy Policy.
8. CCPA / CPRA service-provider terms
To the extent Routbox processes Personal Data of California residents on Customer's behalf, Routbox acts as a service provider and certifies that it will not:
- Sell or share that Personal Data;
- Retain, use, or disclose it for any purpose other than performing the Service, or as otherwise permitted by the CCPA/CPRA; or
- Combine it with Personal Data from other sources, except as permitted by the CCPA/CPRA.
9. Audits
Routbox will make available to Customer information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by Customer or an auditor it mandates, on reasonable prior notice, no more than once per year (absent a regulator requirement or evidence of a breach), subject to confidentiality and to not unreasonably disrupting Routbox's operations.
10. Contact and order of precedence
This DPA supplements and is incorporated into the Terms of Service. In the event of a conflict between this DPA and the Standard Contractual Clauses, the Clauses prevail. For DPA requests (including a signed counterpart for procurement), contact privacy@cynact.com.
Routbox Inc. · Cynact (cynact.com)