Last updated:

Data Processing Addendum

This DPA forms part of the Sentro Terms of Service and applies whenever Sentro processes personal data on your behalf as a processor under GDPR Article 28.

1. Parties and scope

This DPA is between Sentro, Inc. ("Processor") and the customer entering into the Sentro Terms ("Controller"). It applies to Customer Personal Data processed by Processor solely to provide the Service.

2. Subject matter

The subject matter is the provision of an admin interface over Controller-supplied databases. Categories of data subjects and personal data are determined by Controller. The duration matches the Term of the Agreement, with the post-term retention specified in the Privacy Policy.

3. Roles and processing instructions

Processor will process Customer Personal Data only on documented instructions from Controller, including with regard to international transfers, unless required to do so by law (in which case Processor will inform Controller of that legal requirement before processing, unless prohibited).

4. Confidentiality

Processor ensures that personnel authorized to process Customer Personal Data are bound by confidentiality obligations and trained on data protection.

5. Security

Processor implements the technical and organizational measures described at /legal/security, including encryption in transit and at rest, access control, vulnerability management, and continuous monitoring.

6. Subprocessors

Controller authorizes Processor to engage the subprocessors listed at /legal/subprocessors. Processor will give at least 30 days' notice of changes via that page and email subscribers of the security notifications list. Each subprocessor is bound by terms providing protection no less stringent than this DPA.

7. Data subject rights

Processor will assist Controller with appropriate technical and organizational measures to enable Controller to respond to data subject requests under Articles 15–22 GDPR.

8. Personal data breach notification

Processor will notify Controller without undue delay and in no event later than 72 hours after becoming aware of a personal data breach affecting Customer Personal Data, with the information required under GDPR Article 33(3).

9. International transfers

Where Customer Personal Data is transferred from the EEA, UK, or Switzerland to a country without an adequacy decision, the parties incorporate by reference the European Commission's Standard Contractual Clauses (Module 2 controller-to-processor) and, for UK transfers, the UK International Data Transfer Addendum, plus any supplementary measures required.

10. Audits

Processor makes available to Controller information necessary to demonstrate compliance, and allows for audits, including inspections, conducted by Controller or an auditor mandated by Controller, on reasonable notice and subject to confidentiality. Where available, recent third-party reports (SOC 2 Type II, ISO 27001) will be made available first.

11. Return or deletion

On termination or expiry of the Agreement, Processor will, at Controller's choice, delete or return all Customer Personal Data within 30 days, except to the extent retention is required by applicable law.

12. Liability

Each party's liability under this DPA is subject to the limitation of liability in the Agreement, except where applicable data protection law requires otherwise.