PocketSync Data Processing Agreement

Effective: March 2026

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between WeaveHub Technologies LLC ("Processor", "WeaveHub", "we") and the individual using PocketSync ("Controller", "you"). This DPA applies specifically to the processing of personal data through PocketSync's Cloud Sync feature and is entered into in accordance with the requirements of the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR, and the Swiss Federal Act on Data Protection ("FADP").

For the purposes of this DPA, you are the Controller who determines the purposes and means of processing personal data (by configuring sync jobs), and WeaveHub is the Processor that processes personal data on your behalf (by executing those sync jobs).

2. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person that is processed through Cloud Sync, including file contents, file metadata, contact records (names, emails, phone numbers, addresses), calendar events (titles, attendees, locations), OAuth credentials, and device identifiers.
  • "Processing" means any operation performed on Personal Data, including collection, storage, transfer, retrieval, and deletion.
  • "Sub-processor" means any third party engaged by WeaveHub to process Personal Data on behalf of the Controller.
  • "Cloud Sync" means the PocketSync feature that transfers files, contacts, and calendar events between connected cloud providers (Google, Microsoft, Dropbox, Box, and CardDAV/CalDAV providers).
  • "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
  • "Supervisory Authority" means the relevant data protection authority in the Controller's jurisdiction.

3. Scope of Processing

WeaveHub processes Personal Data solely for the purpose of providing the Cloud Sync service as configured by the Controller. The details of processing are as follows:

  • Subject matter: Transfer of files, contacts, and calendar events between cloud providers as directed by the Controller's sync job configurations.
  • Duration: For the duration of the Controller's active PocketSync subscription, plus 30 days for database backup retention after account deletion or sync job removal.
  • Nature and purpose: Automated file transfer, contact sync, calendar sync, delta sync tracking, conflict detection, and sync history logging.
  • Types of Personal Data: File contents (in transit only, buffered up to 1 hour), file metadata (paths, sizes, modification dates), contact records (names, email addresses, phone numbers, physical addresses, organization, job title, birthday, notes, photos), calendar events (titles, descriptions, attendee names and emails, locations, dates/times, recurrence, reminders), OAuth tokens and CardDAV/CalDAV credentials (encrypted), device identifiers, provider account email and display name, sync job configurations, and sync run history.
  • Categories of Data Subjects: The Controller; individuals whose personal data is contained within files transferred through Cloud Sync; individuals whose contact information is stored in synced address books (third-party data subjects); and individuals who are attendees of synced calendar events (third-party data subjects).

4. Obligations of the Processor

WeaveHub shall:

  • Process Personal Data only on documented instructions from the Controller (i.e., the sync job configurations you create), unless required to do so by applicable law, in which case WeaveHub shall inform the Controller of that legal requirement before processing (unless prohibited by law).
  • Ensure that persons authorized to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Implement and maintain the technical and organizational security measures described in Section 6 of this DPA.
  • Engage Sub-processors only in accordance with Section 7 of this DPA.
  • Assist the Controller, taking into account the nature of processing, in responding to requests from Data Subjects to exercise their rights under GDPR (access, rectification, erasure, restriction, portability, objection).
  • Assist the Controller in ensuring compliance with obligations related to security of processing, notification of personal data breaches, data protection impact assessments, and prior consultation with supervisory authorities.
  • At the choice of the Controller, delete or return all Personal Data after the end of the provision of services, and delete existing copies unless applicable law requires storage.
  • Make available to the Controller all information necessary to demonstrate compliance with the obligations set out in this DPA.

5. Obligations of the Controller

The Controller shall:

  • Ensure that there is a lawful basis for the processing of Personal Data through Cloud Sync, including files containing personal data of third parties and contact/calendar records containing personal data of third parties (address book contacts and calendar attendees).
  • Provide documented instructions regarding the processing of Personal Data through sync job configurations.
  • Be responsible for the accuracy, quality, and legality of Personal Data transferred through Cloud Sync, including third-party personal data in contacts and calendars.
  • Ensure compliance with applicable data protection laws with respect to any personal data contained in transferred files.

6. Security Measures

WeaveHub implements the following technical and organizational measures to protect Personal Data processed through Cloud Sync:

  • Encryption at rest: OAuth access and refresh tokens are encrypted with AES-256-GCM before storage in the database. API keys are hashed with SHA-256 before storage.
  • Encryption in transit: All API communications use TLS (HTTPS). File transfers between cloud providers transit through encrypted channels.
  • Temporary file buffer: Files in transit are temporarily stored in a Cloudflare R2 bucket and automatically deleted within 1 hour of transfer completion.
  • Access control: API authentication via bearer tokens (SHA-256 hashed). OAuth state parameters use encrypted nonces with 10-minute expiry to prevent CSRF attacks. Single-use nonces prevent replay attacks.
  • Token refresh security: Automatic token refresh with race condition guards to prevent duplicate refresh operations.
  • Input validation: Folder IDs, file names, and exclusion patterns are validated. Path traversal attacks are blocked (rejection of ".." sequences and null characters).
  • Data minimization: Only file metadata necessary for delta sync is retained. File contents are not stored beyond the temporary transfer buffer.
  • Infrastructure security: All server-side infrastructure runs on Cloudflare Workers (edge compute), Cloudflare D1 (database), and Cloudflare R2 (object storage), all of which are SOC 2 Type II certified.

7. Sub-processors

The Controller provides general authorization for WeaveHub to engage the following Sub-processors. WeaveHub shall inform the Controller of any intended changes to the list of Sub-processors, giving the Controller the opportunity to object to such changes.

  • Cloudflare, Inc. (United States) — Workers compute runtime, D1 database storage, R2 object storage (temporary file buffer). Cloudflare GDPR commitment
  • Google LLC (United States) — Firebase Cloud Messaging (push notifications for sync completion). Firebase privacy information

WeaveHub shall impose on each Sub-processor, by way of contract, data protection obligations no less protective than those set out in this DPA. WeaveHub shall remain fully liable to the Controller for the performance of each Sub-processor's obligations.

To receive notifications of Sub-processor changes, contact us to subscribe to our Sub-processor update notifications.

8. Data Subject Rights

WeaveHub shall assist the Controller in responding to Data Subject requests. The following mechanisms are available:

  • Access & Portability: Sync job configurations and sync run history can be exported in machine-readable JSON format upon request.
  • Rectification: Sync job configurations can be edited within the PocketSync app.
  • Erasure: Disconnecting a cloud storage account deletes the associated encrypted OAuth tokens. Deleting a sync job deletes all associated file metadata, sync history, and any files on WeaveHub servers. The Controller may also request complete account deletion by contacting us.
  • Restriction: Sync jobs can be paused at any time from within the app, halting all automated processing.

WeaveHub shall respond to Data Subject requests forwarded by the Controller within 30 days.

9. Data Breach Notification

WeaveHub shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting Personal Data processed under this DPA. The notification shall include:

  • A description of the nature of the breach, including the categories and approximate number of Data Subjects and data records concerned
  • The name and contact details of WeaveHub's point of contact for further information
  • A description of the likely consequences of the breach
  • A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects

Breach notifications will be sent to the email address associated with the Controller's PocketSync account and/or the contact information provided during device registration.

10. International Data Transfers

Personal Data processed through Cloud Sync may be transferred to the United States, where WeaveHub and its Sub-processors are based. For transfers of Personal Data from the EEA, UK, or Switzerland to the United States, WeaveHub relies on:

  • The EU-US Data Privacy Framework, UK Extension, and Swiss-US Data Privacy Framework, where applicable and where Sub-processors are certified
  • The EU Commission's Standard Contractual Clauses (SCCs) as adopted by Commission Implementing Decision (EU) 2021/914, as a supplementary transfer mechanism
  • The UK International Data Transfer Agreement or UK Addendum to the EU SCCs, for transfers from the UK

Cloudflare, Inc. participates in the EU-US Data Privacy Framework and maintains Standard Contractual Clauses for international data transfers. Google LLC participates in the EU-US Data Privacy Framework.

11. Data Retention & Deletion

  • File contents: Temporarily buffered in Cloudflare R2 during transfer. Automatically deleted within 1 hour. Not retained beyond what is required for the sync to complete.
  • OAuth tokens: Encrypted and stored while the cloud storage connection is active. Deleted when the connection is disconnected or the account is deleted.
  • File metadata & sync history: Stored while the associated sync job exists. Deleted when the sync job is deleted.
  • Database backups: Retained for 30 days after data deletion, then permanently purged.
  • Upon termination: When the Controller's PocketSync subscription ends or upon verified deletion request, WeaveHub shall delete all Personal Data within 30 days, except as required by applicable law.

12. Audits

WeaveHub shall make available to the Controller, on request, all information necessary to demonstrate compliance with the obligations laid down in this DPA. WeaveHub shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to reasonable advance notice and conducted during normal business hours. The Controller shall bear the costs of any audit it initiates.

WeaveHub may satisfy audit requests by providing relevant certifications, audit reports, or other documentation from its Sub-processors (e.g., Cloudflare's SOC 2 Type II report).

13. Termination

This DPA shall remain in effect for as long as WeaveHub processes Personal Data on behalf of the Controller. Upon termination of the PocketSync service or this DPA, WeaveHub shall, at the Controller's choice, delete or return all Personal Data and delete existing copies, unless applicable law requires continued storage. The obligations in this DPA shall survive termination to the extent necessary to complete deletion of Personal Data and to comply with applicable law.

14. Governing Law

This DPA shall be governed by the laws of the State of New York, without regard to its conflict of laws principles, except where GDPR, UK GDPR, or FADP mandates otherwise. In the event of a conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to the processing of Personal Data.

15. Contact

For questions about this DPA, data processing practices, or to exercise your rights, contact us.

WeaveHub Technologies LLC
Email: info@weavehub.app