SSyllecta

Data Processing

Data processing terms

Baseline data processing terms for controlled pilots and procurement review. Customer-specific DPA language must be finalized in a written agreement before paid or regulated production use.

Last updated: May 20, 2026

Roles

For tenant product data, Syllecta generally acts as a service provider or processor acting on behalf of the customer. The customer decides which webhook providers, payload fields, callback URLs, users, and tenant settings are configured.

Processed data

  • Tenant account data: tenant name, slug, users, roles, API key metadata, and settings.
  • Webhook operational metadata: provider, event id, type, status, timestamps, callback result, retry/replay state, reason, and correlation ids.
  • Webhook debug data: payloads and headers when needed for verification, delivery, replay, search, or troubleshooting.
  • Usage and billing support data: usage counters, invoices, reconcile diagnostics, billing alerts, and payment-provider references when enabled.
  • Support/audit data: admin/support actions, security events, and incident investigation context.

Processing purposes

Syllecta processes data to provide webhook verification, idempotent writes, dedupe, delivery tracking, retries, replay, observability, billing support, security, abuse prevention, customer support, and operational troubleshooting.

Payload boundaries

Syllecta is designed around operational metadata first. Raw payloads should be treated as temporary debug/replay data, not as the primary customer record. Customers should avoid sending card data, passwords, access tokens, session cookies, long-lived secrets, full customer profiles, or unnecessary personal data.

Retention and deletion

Operational retention classes are documented in the Data retention guide. Generic retention jobs do not delete financial ledgers, invoices, audit logs, tenants, users, API keys, webhook secrets, settings, or plans. Those require separate legal, accounting, customer-request, or offboarding decisions.

Support access

Support access should be exceptional, scoped to the affected tenant, and used for operational recovery, billing support, or security response. Tenant-scoped support access is separate from tenant impersonation and should be audit logged with reason and expiry.

Cross-border and subprocessors

Infrastructure, hosting, email, billing, and security tooling may involve third-party subprocessors. See Subprocessors and data flow for the current inventory baseline.