Data Protection Impact Assessment
Status: Published · Version: 1.0 · Date of assessment: 2026-04-16 · Next review: 2027-04-16 or on material change. Regulatory reference: Article 35 GDPR; ICO "Data Protection Impact Assessments" template (v1.3).
This DPIA covers the processing summarised in the Data Inventory, Lawful-Basis Mapping, and Processor Data Flows. A DPIA is not strictly required for Syncflow's processing under Art. 35(3) or the ICO's list of high-risk processing, but one has been completed voluntarily to document the position and to support future scaling. It follows the ICO's seven-step template.
Step 1 — Identify the need for a DPIA
Art. 35(3) triggers reviewed
| Trigger | Applies? |
|---|---|
| Systematic and extensive profiling with legal or similarly significant effects | No — Syncflow does not profile users. |
| Large-scale processing of special-category data | No. |
| Systematic monitoring of a publicly accessible area | No. |
ICO additional screening
| Criterion | Applies? | Notes |
|---|---|---|
| Innovative technology | Partial | Large-language-model decomposition is a novel experience for some users; mitigations are addressed below. |
| Automated decisions denying a service | No | AI output is advisory. |
| Large-scale profiling | No | |
| Biometric data | No | |
| Genetic data | No | |
| Matching or combining datasets | No | |
| Invisible processing | No | Disclosed in the Privacy Policy. |
| Tracking location or behaviour | Partial | Aggregate analytics only, consent-gated. |
| Targeting children or vulnerable individuals | No | |
| Risk of physical harm | No | |
Conclusion: DPIA not mandatory under Art. 35(3) or ICO criteria. Conducted voluntarily.
Step 2 — Describe the processing
Nature
- The user signs up through an identity provider or through an emailed sign-in link.
- The user creates tasks and may ask the service to decompose a task into crumbs using an AI provider.
- Progress against crumbs is recorded as the user works.
- Optional features include a daily reminder email and aggregate product analytics.
- Paid subscriptions are administered by a payment processor.
Scope
- Data subjects: registered users of Syncflow.
- Data categories: as set out in the Data Inventory.
- Special categories: none processed by design.
- Geographic scope: global user base; processors located in the EEA, the UK, and the United States.
Context
- Relationship: direct SaaS contract with each user.
- User expectations: users expect to be able to store tasks and — when they invoke the feature — to have the task content processed by an AI provider for decomposition.
- Prior concerns on record: none.
Purposes
The complete list of processing purposes is given in the Lawful-Basis Mapping.
Step 3 — Consultation
Consultation with data subjects
The Privacy Policy provides a contact address for privacy matters. No formal sampling of users was undertaken for this version of the DPIA. The consultation channel remains open.
Consultation with processors
Each processor's current DPA has been reviewed.
Internal consultation
The product owner and the compliance owner reviewed the data flows and this assessment.
Supervisory-authority consultation
Not required under Art. 36(1) — residual risk does not meet the threshold.
Step 4 — Assess necessity and proportionality
| Question | Answer |
|---|---|
| Is the processing lawful? | Yes — see the Lawful-Basis Mapping. |
| Does it achieve its purpose? | Yes — each category of data supports a disclosed feature. |
| Is there a less intrusive way? | On-device LLM decomposition is not presently viable at the quality and latency required. The feature is strictly opt-in per task. |
| How are data quality and minimisation ensured? | Only the content needed for the chosen feature is transmitted to any processor. Diagnostic telemetry excludes user-created content. |
| How are subjects informed? | Through the Privacy Policy and the Data Privacy Plan, linked from this register. |
| How are subject rights supported? | A self-service data-export and account-deletion flow is provided; closure cascades deletion across every category of the user's data. |
| How is processor compliance ensured? | Each processor is bound by a DPA and the safeguards recorded in the Processor Data Flows. |
| International transfers? | Relying on Standard Contractual Clauses and the UK International Data Transfer Addendum as applicable. |
Step 5 — Identify and assess risks
Likelihood and severity are scored Low / Medium / High. "Overall" is the combined residual risk after mitigations in Step 6.
| # | Risk to the rights and freedoms of data subjects | Likelihood | Severity | Overall |
|---|---|---|---|---|
| R1 | A user places sensitive or special-category information into free-text task content that is then transmitted to an AI provider. | Medium | Medium | Medium |
| R2 | Compromise of a user's authenticated session or sign-in credential leads to impersonation. | Low | High | Medium |
| R3 | Misuse of a user-supplied integration credential leads to consumption of that user's own third-party quota. | Low | Medium | Low |
| R4 | Accidental inclusion of personal data in service diagnostics. | Low | Medium | Low |
| R5 | Analytics is initialised before valid consent is recorded for a given region. | Low | Medium | Low |
| R6 | A processor located outside the EEA or UK is compelled by local law to disclose personal data. | Low | Medium | Low |
| R7 | Data belonging to a closed account is not fully removed from all processors. | Low | High | Medium |
| R8 | Reminder email is delivered after the user has opted out. | Low | Low | Low |
| R9 | A registered passkey becomes unusable, preventing sign-in. | Low | Medium | Low |
| R10 | Billing identifiers are used for purposes beyond billing. | Low | Low | Low |
Step 6 — Identify measures to reduce risk
Mitigations are described at a high level so that this document does not become a map of Syncflow's internal controls.
| Risk | Mitigation summary | Residual |
|---|---|---|
| R1 | Clear in-product and Privacy-Policy guidance not to place sensitive information into task content; AI payloads exclude identifiers; the feature is opt-in per task; AI providers with data-use opt-outs are preferred. | Low |
| R2 | Credentials are held encrypted; sessions expire; user-initiated revocation is available; users are encouraged to use passkeys. | Low |
| R3 | User-supplied integration credentials are encrypted at rest, never displayed in full after save, and can be revoked by the user. | Low |
| R4 | Diagnostic telemetry is designed to exclude user-created content. | Low |
| R5 | Analytics is gated behind a consent decision in regions where consent applies. | Low |
| R6 | Standard Contractual Clauses in every relevant processor's DPA; data sent to AI providers is minimised; data-use opt-outs enabled where offered. | Low |
| R7 | Account closure removes every category of the user's personal data; processor exit procedures are followed when a processor is retired. | Low |
| R8 | Reminder dispatch consults the current preference before sending. | Low |
| R9 | Alternative sign-in paths (email link) remain available for passkey recovery. | Low |
| R10 | Billing identifiers are accessed only by billing functions. | Low |
Mitigations are kept under review as part of the annual review of this DPIA.
Step 7 — Sign-off and outcomes
| Item | Outcome |
|---|---|
| Measures approved by | Compliance owner for Syncflow. |
| Residual risks | All residual risks assessed Low; no Art. 36 consultation required. |
| Subject-consultation responses | None received during the publication window. |
| DPO advice | Syncflow is not required to appoint a DPO under Art. 37; a compliance owner is designated. |
| Review responsibility | Compliance owner, annually and on material change. |
Triggers for re-assessment
- Engagement of any new processor;
- Extension of AI processing beyond on-demand task decomposition;
- Introduction of any special-category or criminal-offence data;
- Launch of features directed at children;
- Any personal data breach of note;
- Relevant ICO or EDPB guidance updates.
Change log
| Date | Change |
|---|---|
| 2026-04-16 | Initial publication. |