← BACK TO LOGIN
SYNARIS BY MARSHA
Privacy Notice
Version 1.1 · Last updated: April 2026
This notice applies to users of the SYNARIS Sovereign Enterprise Operating System deployed by your organisation. Your employer is the data controller. MARSHA acts as the data processor under Article 28 GDPR.
1. Controller and Processor
Data controller: the organisation that has deployed this SYNARIS instance. For controller-specific enquiries, contact your organisation's DPO.
Data processor: Marsha Foundation ("MARSHA"), which processes personal data exclusively under documented instructions from the controller, in accordance with Article 28 GDPR and the corresponding Data Processing Agreement (DPA).
2. Categories of Personal Data
- Identity: corporate ID, department, role, name, avatar
- Authentication credentials: scrypt password hash, WebAuthn (FIDO2) public keys, Ed25519 signing public keys
- Biometric data (Art. 9 GDPR — special category): mathematical face descriptor encrypted AES-256-GCM at rest. Facial image is NOT stored. Enrolment subject to explicit, revocable consent
- Content: internal messages (HUB), internal mail (MI POST), encrypted files (VAULT), AI assistant conversations (MIA), private notes
- Communication metadata: timestamps, session IDs, video session participant identifiers (IRIS)
- Technical data: IP address, user agent, session tokens, device binding
- Audit: Ed25519 cryptographically signed append-only log for authentication, access and modification events
3. Legal Bases
- Art. 6.1.b — Contract: performance of the employment relationship between user and controller
- Art. 9.2.a — Explicit consent: facial biometric enrolment (revocable at any time without affecting prior lawful processing)
- Art. 9.2.b — Employment context: where biometrics are required by the controller's security policy and applicable law
- Art. 6.1.f — Legitimate interest: audit logging, security monitoring, cryptographic integrity verification
4. Data Protection Impact Assessment (DPIA · Art. 35)
Since SYNARIS processes biometric data (special category Art. 9 GDPR), a Data Protection Impact Assessment has been carried out. The DPIA document is available upon request through your organisation's DPO.
5. Automated Decisions and AI (Art. 22)
The sovereign AI assistant MIA operates via local on-premise inference without access to external providers. MIA does NOT make automated decisions producing legal or similarly significant effects on the user within the meaning of Art. 22 GDPR. MIA acts exclusively as a conversational assistant under the controller's human supervision. It performs no user profiling or scoring.
6. Sovereign Infrastructure
SYNARIS operates on dedicated infrastructure under the controller's administrative authority. No external AI provider, analytics service or tracking network has access to your data.
- Hosting sub-processor: Hetzner Online GmbH (Nuremberg, Germany) — EU/EEA only
- AI assistant (MIA): executed on-premise via local inference — prompts and responses never leave the sovereign node
- Video sessions (IRIS): end-to-end encrypted (WebRTC DTLS-SRTP) — SYNARIS performs no server-side recording under any circumstances
- File storage (VAULT): AES-256-GCM at rest, private S3 bucket in Nuremberg (DE)
- Antivirus: ClamAV on-premise · pre-encryption scan on upload
7. International Transfers (Art. 44+)
No international transfers of personal data outside the European Economic Area are performed. All infrastructure, storage and AI inference operate within Germany (EU).
8. Categories of Recipients (Art. 13.1.e)
Personal data is accessible only by:
- Authorised personnel of the controller (designated administrators)
- Internal auditors of the controller (read-only access to AuditChain)
- Sub-processors listed in section 13
- Public authorities where express legal obligation applies
No commercial third party, advertiser, data broker or external cloud provider has access to your data.
9. Technical and Organisational Measures (Art. 32)
- AES-256-GCM encryption at rest for sensitive data
- Ed25519 signatures for non-repudiation of messages and audit events
- Append-only cryptographic audit chain (tamper-evident)
- Multi-factor authentication: scrypt password + facial biometrics + WebAuthn FIDO2 hardware
- IP and user-agent binding for session tokens
- Anti-replay protection via TTL-based nonces
- ClamAV antivirus on upload (pre-encryption blocking)
- TLS 1.3 for all transport
- Tenant isolation: dedicated sovereign node per organisation
Detailed technical documentation available under NDA upon DPO request.
10. Data Retention
| Category | Default period | Basis |
|---|
| Active accounts | For the duration of the employment relationship | Art. 6.1.b |
| Deactivated accounts | Minimum 30 days, extendable per controller policy | Employment audit |
| Audit chain (AuditChain) | 5 years | LOPDGDD · sectoral regulation |
| HUB / MI POST messages | Per controller policy, configured in DPA | Art. 5.1.e |
| VAULT files | Per controller policy | Art. 5.1.e |
| IRIS video sessions | NOT persisted | Privacy by design |
| Biometric data | Until consent withdrawal or off-boarding | Art. 9.2.a |
Final applicable periods are those established in the DPA signed between MARSHA and your organisation.
11. Your Rights (Art. 15–22 GDPR)
You may exercise the following rights by contacting your organisation's DPO:
- Access (Art. 15) — obtain a copy of your personal data
- Rectification (Art. 16) — correct inaccurate data
- Erasure (Art. 17) — subject to legal retention obligations
- Restriction (Art. 18) — restrict specific processing
- Portability (Art. 20) — receive your data in structured JSON format
- Objection (Art. 21) — object to processing based on legitimate interest (audit logging) on grounds relating to your particular situation
- Withdrawal of biometric consent — disables facial authentication without affecting prior lawful processing
- Lodge a complaint with the Spanish Data Protection Agency (www.aepd.es)
How to request a copy of your data (Art. 15): contact your organisation's DPO. Upon validation, your data may be exported as a structured JSON file via the internal endpoint /privacy/export, including identity, messages, file metadata, audit events and consent records. Maximum response time: one month (Art. 12.3).
MARSHA assists the controller in responding to data subject requests within 72 hours of receipt.
12. Breach Notification (Art. 33)
In the event of a personal data breach, MARSHA shall notify the controller without undue delay and, in any case, within 72 hours of becoming aware, in accordance with Art. 33 GDPR. The notification will include the nature, affected categories, approximate number of data subjects, likely consequences and measures taken.
13. Sub-processors
| Sub-processor | Service | Location |
|---|
| Hetzner Online GmbH | Infrastructure hosting and Object Storage | Germany (EU) |
Any change or addition of sub-processor will be notified to the controller with 30 days advance notice, granting the right to object under Art. 28.2 GDPR.
14. Changes to this Notice
Material changes are communicated to the controller, which informs affected users. The version and date in the header reflect the current revision.
15. Applicable Law
This notice is governed by Spanish law and the General Data Protection Regulation (EU) 2016/679 (GDPR), together with Organic Law 3/2018 on Personal Data Protection and Guarantee of Digital Rights (LOPDGDD).
16. Contact
- MARSHA (Data processor): info@marshafoundation.org
- Your organisation's DPO: contact your internal administrator
- Supervisory authority (Spain): Spanish Data Protection Agency — www.aepd.es