Roles and scope
For the personal data your team enters into Sentivel about your own users (“Customer Personal Data”), you are the controller and Sentivel is your processor: we process it only to provide the Service and only on your documented instructions, which include these terms and your use of the product’s features.
Separately, for the account and usage data about your relationship with us, Sentivel is an independent controller: that processing is described in our Privacy Policy, not this DPA.
Definitions
- UK and EU GDPR: the UK General Data Protection Regulation and Data Protection Act 2018, and Regulation (EU) 2016/679, as each applies to the processing.
- Customer Personal Data: personal data we process as processor on your behalf through the Service.
- Sub-processor: a third party we engage to help process Customer Personal Data.
- Restricted transfer: a transfer of personal data to a country without a UK/EU adequacy decision.
- SCCs / UK Addendum: the EU Standard Contractual Clauses and the UK International Data Transfer Addendum to them.
- Other capitalised terms have the meaning given in our Terms of Service.
Details of processing
- Subject matter and duration: processing for the provision of the Service, for as long as your account is active and until data is returned or deleted under “Return and deletion”.
- Nature and purpose: hosting, storing and transmitting Customer Personal Data so we can run monitoring, render status pages, and deliver notifications you configure.
- Types of personal data: typically contact details of your responders and of status-page subscribers (such as name, email and phone), and any personal data you choose to include in incident text. Please don’t put special-category data into the Service.
- Categories of data subjects: your team members / responders and your status-page subscribers.
Our obligations as processor
We will:
- process Customer Personal Data only on your documented instructions, and tell you if we believe an instruction breaks data-protection law (unless the law stops us);
- ensure people authorised to process it are bound by confidentiality;
- apply the security measures set out below, and not process the data for our own purposes;
- help you meet your own obligations (responding to data-subject requests, handling breaches, and where relevant data-protection impact assessments), taking into account the information available to us;
- notify you without undue delay after becoming aware of a personal data breach affecting Customer Personal Data.
Your obligations as controller
You confirm that you have a lawful basis to process the Customer Personal Data you put into Sentivel, that you have given any notices and obtained any consents required (including to monitor targets and to contact responders and subscribers), and that your instructions to us comply with data-protection law.
Sub-processors
You give Sentivel general authorisation to engage the sub-processors listed in Schedule A. We impose data-protection terms on each that are no less protective than this DPA, and we remain responsible for their performance. We’ll update that list before adding or replacing a sub-processor; if you have a reasonable objection on data-protection grounds, tell us at privacy@sentivel.com and we’ll work with you in good faith.
International transfers
Customer Personal Data is processed primarily in the EEA. Where providing the Service involves a restricted transfer (for example to a US-based sub-processor), we put appropriate safeguards in place (the EU SCCs together with the UK Addendum, and the Data Privacy Framework where the importer is certified), as detailed in Schedules D and E, incorporated into this DPA by reference.
Security measures
We maintain technical and organisational measures appropriate to the risk, including:
- encryption in transit (TLS) and encryption at rest for stored secrets;
- strict tenant isolation so one workspace cannot read another’s data, enforced in the application layer;
- hashed credentials and API tokens, role-based access control, and optional two-factor authentication;
- least-privilege access to production, with logging and monitoring;
- managed, backed-up infrastructure, with the application hosting region pinned near the region of the database;
- breach detection and an incident-response process.
Data-subject requests and assistance
If we receive a request from one of your data subjects, we won’t respond directly (beyond confirming we’re a processor) and will forward it to you without undue delay. Taking into account the nature of the processing, we’ll give you reasonable assistance (including the self-service tools in the product) to help you respond.
Personal data breaches
We’ll notify you without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, with the information reasonably available to help you meet your own reporting duties to a supervisory authority and, where required, to affected individuals.
Audits and information
On reasonable written request (no more than once a year, unless a regulator requires otherwise), we’ll make available the information reasonably necessary to demonstrate our compliance with this DPA, and cooperate with an audit by you or an auditor you appoint, subject to reasonable confidentiality, scheduling and cost arrangements.
Return and deletion
At the end of the Service, or at your reasonable request, we'll delete or return Customer Personal Data and delete remaining copies, unless the law requires us to keep some of it, in which case we'll continue to protect it and limit our processing to what the law requires.
Schedules
The Schedules to this DPA (Schedule A, authorised sub-processors; B, details of processing; C, security measures; D, Standard Contractual Clauses; and E, the UK Addendum) form part of this DPA.
Liability and governing law
Each party’s liability under this DPA is subject to the limitations and exclusions in our Terms of Service. This DPA is governed by the laws of England and Wales. If any part of it conflicts with the SCCs or UK Addendum on a transfer matter, those clauses prevail to the extent of the conflict.