top of page

Data Processing Agreement

This agreement governs how ABS Synergy Ltd processes personal data on behalf of clients using Synergy Up, Synergy Bookkeeping, and Synergy Stocktaking services.

Effective date  ·  March 2026      

1. Parties

3. Our Obligations

5. Sub - Processors

7. Retention & Deletion

9. Contact & Complaints

2. Personal Data Processed

4. Your Obligations

6. Data Location

8. Data Subject Rights

10. Governing Law

Section 1

Parties

Data Processor: 

ABS Synergy Ltd (trading as Synergy Up, Synergy Bookkeeping, and Synergy Stocktaking), CRO No. IE491109, VAT No. IE9773454J, with registered offices at 8–10 Coke Lane, Smithfield, Dublin, Ireland, D07 EN2Y.

 

Contact:

privacy@synergyup.com

 

Data Controller: 

The client organisation completing and accepting this agreement.

 

This agreement is entered into under Article 28 of the EU General Data Protection Regulation (2016/679) and the UK GDPR.

Section 2

Personal Data Processed on Your Behalf

Depending on which ABS Synergy Ltd services you use, we may process some or all of the following personal data on your behalf. Only the personal data relevant to the services you use will be processed.

​

Synergy Up

  • Employee Up: Employee names, contact details, dates of birth, PPS numbers, bank details, passport copies, work permit details, emergency contacts, employment contracts, and HR documents

  • Cash Up: Names and login details of staff who perform cash reconciliations

  • Order Up: Names of staff who perform stock counts and place orders; supplier email addresses

  • Report Up: Any personal data contained within reports uploaded to the platform

  • General platform access: Names and email addresses of managers and administrators

​

Synergy Bookkeeping services

  • Business owner and director details: Names, contact details, PPS numbers, and signatures where required for filings

  • Employee payroll and financial data: Names, PPS numbers, salary information, bank details, and tax records

  • Supplier and client contact details: Names, email addresses, phone numbers, and business addresses

  • Financial records: Bank statements, invoices, receipts, and VAT records which may contain personal data

  • Any other personal data contained within financial documents provided to us for processing

​

Synergy Stocktaking services

  • Client site contact details: Names, email addresses, and phone numbers of managers and staff on site

  • Staff identity for audit purposes: Names of staff present during stock counts, recorded for audit trail purposes

  • Report data: Any personal data contained within stocktaking reports or documentation

​

Section 3

Our Obligations as Data Processor

 

  • Instructions only: We will only process your data on your documented instructions and will inform you if we believe an instruction breaches GDPR.

  • Confidentiality: All staff and contractors with access to your data are bound by written confidentiality obligations.

  • Security: We implement encryption at rest and in transit, role-based access controls, and multi-factor authentication.

  • Sub-processors: We will notify you at least 30 days before engaging a new sub-processor.

  • Data subject rights: We will assist you in responding to requests from individuals exercising their GDPR rights within required timeframes.

  • Breach notification: We will notify you within 72 hours of becoming aware of a personal data breach affecting your data.

  • DPIAs: We will assist you with Data Protection Impact Assessments where our processing is relevant.

  • Deletion or return: At the end of your contract we will securely delete or return all your personal data within 30 days.

  • Audit rights: You have the right to audit our compliance with this agreement on reasonable written notice.

  • Compliance evidence: We will make available all information necessary to demonstrate compliance with Article 28 GDPR on request.

Section 4

Your Obligations as Data Controller

 

  • Ensure you have a lawful basis for each category of personal data you ask us to process on your behalf

  • Provide your employees, clients, and other data subjects with a privacy notice explaining how their data is used

  • Ensure that data provided to us is accurate, relevant, and limited to what is necessary

  • Inform us promptly of any data subject request or data breach affecting data we hold on your behalf

Section 5

Sub Processors

We engage the following sub-processors. Each is bound by data protection obligations equivalent to those in this agreement. We will provide at least 30 days' notice before adding a new sub-processor.

Sub Processor
Location
Purpose
Amazon Web Services (AWS)
Ireland
Cloud infrastructure and data storage
Bizimply
Ireland
Workforce management integration (Synergy Up clients only, where applicable)
Cloudflare
EU Nodes
Security, CDN, and DDoS protection
Spiceworks
United States
Customer support helpdesk

An up-to-date sub-processor list is available on request at privacy@synergyup.com.

Section 6

Data Location

All production personal data is stored in AWS eu-west-1 (Ireland). We do not transfer your production data outside the European Economic Area. Our development and testing environments use only fully synthetic (non-personal) data.

Section 7

Data Retention and Deletion

We retain your personal data only for the duration of your active contract with us.

​

Your responsibility: As Data Controller, you are responsible for retaining records for legally required periods under Irish and UK law (including the Taxes Consolidation Act 1997 and the Organisation of Working Time Act 1997). You must download and retain any records you are legally required to keep before ending your contract with us.

​

On termination: We will permanently and securely delete all of your organisation's personal data within 30 days of contract termination. This deletion is irreversible. We will send a reminder notification before deletion takes place.

​

Data export: You may request a full export of your data in portable format (CSV) at any time before termination by contacting privacy@synergyup.com. Exports will be fulfilled within 5 working days.

​

Our own records: We retain records of this agreement and its acceptance for 7 years for our own legal compliance purposes.

Section 8

Data Subject Rights

Responsibility for responding to data subject rights requests (access, rectification, erasure, portability, restriction, objection) lies with you as the Data Controller. We will assist you by providing technical means to extract, correct, or delete personal data held on our systems within required GDPR timeframes. Requests for assistance should be directed to privacy@synergyup.com.

Section 9

Contact and Complaints

For all data protection queries, contact: privacy@synergyup.com

​

If you believe we have not handled your data in accordance with this agreement or applicable law, you have the right to lodge a complaint with:

  • Irish Data Protection Commission (DPC): dataprotection.ie  ·  +353 57 8684800

  • UK Information Commissioner's Office (ICO): ico.org.uk  ·  0303 123 1113

Section 10

Governing Law

This agreement is governed by the laws of Ireland and subject to the exclusive jurisdiction of the Irish courts, except where UK GDPR applies to the relevant processing, in which case the laws of England and Wales and the relevant UK courts shall apply.

Questions?

bottom of page