DPA Schedules

You authorise Sentivel to engage the following sub-processors to process Customer Personal Data in providing the Service. Each is bound by data-protection terms no less protective than the DPA.

Parties. The data exporter is you, the Customer (controller); the data importer is Sentivel Ltd (processor), of 71–75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom. This schedule also completes Annex I to the Standard Contractual Clauses.

• Categories of data subjects: your team members and responders, and your status-page subscribers.
• Categories of personal data: contact details (name, email, optional phone) and any personal data you choose to include in incident or component text.
• Special-category data: none. Please don’t put special-category data into the Service.
• Frequency of transfer: continuous, for the duration of your use of the Service.
• Nature and purpose: hosting, storing and transmitting Customer Personal Data to run monitoring, render status pages and deliver the notifications you configure, plus support and legally-required disclosures.
• Duration and retention: for the term of your account and until data is returned or deleted as set out in the DPA.

The technical and organisational measures Sentivelmaintains (Annex II to the SCCs), appropriate to the risk:

• encryption in transit (TLS) and encryption at rest for stored secrets;
• strict tenant isolation so one workspace cannot read another’s data, enforced in the application layer;
• hashed credentials and API tokens, role-based access control, and optional two-factor authentication;
• least-privilege access to production, with logging and monitoring;
• managed, backed-up infrastructure with a hosting region pinned close to the database;
• a software-development process with code review, and breach detection with an incident-response process.

For restricted transfers of Customer Personal Data protected by the EU GDPR, the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) are incorporated and completed as follows:

• Module Two (controller to processor) applies;
• in Clause 7, the optional docking clause applies; in Clause 9, Option 2 (general authorisation) applies, with the change notice period set out in the DPA; in Clause 11, the optional redress language does not apply;
• in Clause 17, the Clauses are governed by the law of Ireland; in Clause 18, the forum is the courts of Ireland;
• Annex I is completed by Schedule B above; Annex II by Schedule C above; and the Annex I sub-processor list by Schedule A above.

For restricted transfers protected by the UK GDPR, the EU SCCs above are incorporated as varied by the UK International Data Transfer Addendum issued by the Information Commissioner under s.119A of the Data Protection Act 2018. The Addendum’s tables are completed with the information in Schedules A–C; the competent authority is the Information Commissioner’s Office; and the governing law and courts are those of England and Wales. If the SCCs or this Addendum conflict with the DPA on a transfer matter, the Clauses prevail to the extent of the conflict.