Security
This Security Overview describes the general data protection principles applied by Syntexa Sp. z o.o. (“Syntexa”) in connection with syntexa.pl and the platform provided to B2B customers in the insurance sector. It is informational and supplements the Privacy Policy; detailed contractual commitments, including data processing terms, are set out in the agreement with each Customer.
For security matters, incident reports, or documentation for due diligence processes, contact: kontakt@syntexa.pl.
1. Scope and responsibility
This document covers protection of data processed by Syntexa as controller (Marketing website, commercial inquiries) and as processor on behalf of Customers (Platform). The Customer is responsible for the lawfulness of uploading third-party personal data to the Platform, including obtaining required legal bases and providing information to data subjects.
This document does not replace the services agreement, data processing agreement, or Platform terms. In case of conflict, the Customer agreement prevails.
2. Data location and processing boundaries
Platform customer data is processed and stored within the European Union. We do not run production processing of Platform customer data outside the EU.
In limited cases necessary to deliver the service and subject to GDPR transfer mechanisms, technology providers established outside the EEA may be used — only to the extent contractually agreed with the Customer and with appropriate safeguards.
3. Document confidentiality and use of artificial intelligence
The Syntexa Platform supports analysis of insurance documents in a professional broker workflow. Before content is sent to external artificial intelligence for extraction or comparison, we apply a redaction layer for sensitive and personal data in documents. If redaction does not meet our quality requirements, processing does not continue in a manner that would expose personal data to unjustified risk.
We work with established technology providers under agreements that exclude using Customer data to train general models. We retain documents and processing results only for as long as necessary to deliver the service and meet contractual and legal obligations.
4. Access control and user identity
Access to the Platform is limited to authorized users of the Customer. We apply principles including:
- individual user account authentication;
- multi-factor authentication for Platform users;
- role-based permissions following least privilege;
- logical separation of each Customer organization’s data;
- procedures for granting, changing, and revoking access for Syntexa personnel who operate systems.
5. Encryption and transmission security
Connections to our services use industry-standard transport encryption. Data stored in production infrastructure is protected with measures appropriate to the class of information processed, including access controls at the system and backup level.
6. Organizational measures and compliance
- GDPR-aligned processes, including data processing agreements with B2B customers;
- regular software updates and controlled deployment of changes to production;
- staff training and confidentiality obligations;
- procedures for identifying, recording, and handling personal data security incidents vis-à-vis contracted Customers;
- risk assessment and selection of security measures proportionate to the processing.
7. Sub-processors and suppliers
We engage processors only to the extent necessary to deliver the service (including hosting, e-mail, customer support tools, and — within the Platform — document processing technology). Each processor is bound by contracts ensuring at least the level of protection required by Article 28 GDPR.
The current sub-processor list is provided to Customers in contractual documentation. Prospective partners may obtain information on sub-processor categories on reasonable request.
8. Security incidents
If we become aware of a personal data breach likely to result in a high risk to the rights and freedoms of natural persons, we act in accordance with GDPR obligations, including — where applicable — notifying the supervisory authority and informing the Customer as controller of entrusted data, enabling the Customer to fulfill obligations toward data subjects.
Report suspected events or incidents promptly to: kontakt@syntexa.pl.
9. Customer obligations
- use the Platform in accordance with the agreement and onboarding documentation;
- manage user accounts and protect login credentials;
- upload to the Platform only data for which a valid legal basis exists;
- notify Syntexa without delay of suspected unauthorized access or incidents.
10. Document updates
We may update this Overview as services or legal requirements evolve. The date of the last update is shown at the top. Material changes to Platform security are communicated to contracted Customers in accordance with the agreement.
Last updated: 27 May 2026