1. Parties & background
This DPA is entered into between [[Customer legal name]](the “Customer”, acting as Data Fiduciary / Controller) and [[Company legal name]](“Sentyra”, acting as Data Processor). It applies where Sentyra processes Personal Data on the Customer’s behalf in providing the Service, and supplements the Terms of Service or other master agreement between the parties (the “Principal Agreement”). In the event of conflict on data-protection matters, this DPA prevails.
2. Definitions
Capitalised terms not defined here have the meaning given in the Principal Agreement or applicable law. In this DPA:
- “Data Protection Laws” means all laws applicable to the processing of Personal Data under this DPA, including the Digital Personal Data Protection Act, 2023 and rules thereunder (the “DPDP Act”) and the EU/UK GDPR, as applicable.
- “Data Fiduciary” / “Controller” means the person who determines the purpose and means of processing — here, the Customer.
- “Data Processor” / “Processor” means a person who processes Personal Data on behalf of a Data Fiduciary — here, Sentyra.
- “Data Principal” / “Data Subject” means the individual to whom the Personal Data relates.
- “Personal Data” means data about an identifiable individual that Sentyra processes on the Customer’s behalf under the Principal Agreement, as described in Annex 1.
- “Personal Data Breach” means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
3. Roles & scope of processing
The Customer is the Data Fiduciary/Controller and Sentyra is the Data Processor for the Personal Data described in Annex 1. Sentyra will process Personal Data only for the purposes of providing the Service and only on the documented instructions of the Customer, including the configuration the Customer sets within the Service, this DPA, and the Principal Agreement. Sentyra will inform the Customer if, in its opinion, an instruction infringes Data Protection Laws.
The subject-matter, duration, nature, and purpose of the processing, the types of Personal Data, and categories of Data Principals are set out in Annex 1.
4. Processor obligations
- process Personal Data only on the Customer's documented instructions, including for international transfers, unless required by law (in which case Sentyra will notify the Customer where legally permitted);
- not sell Personal Data and not use it for its own purposes or for advertising;
- implement and maintain the technical and organisational measures described in Annex 2;
- ensure persons authorised to process Personal Data are bound by confidentiality;
- assist the Customer, taking into account the nature of processing, in meeting the Customer's own obligations under Data Protection Laws, including security, breach notification, and Data Principal requests;
- make available information reasonably necessary to demonstrate compliance with this DPA.
5. Confidentiality of personnel
Sentyra will limit access to Personal Data to personnel who need it to provide the Service, will ensure such personnel are subject to binding confidentiality obligations, and will provide appropriate data-protection training.
6. Security measures
Sentyra will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in Annex 2. Current measures include tenant isolation via database row-level security, encryption in transit (TLS) and at rest for sensitive credentials, Ed25519 signing and SHA-256 hashing of evidence for integrity, hash-chained decision traces, and role-based access controls. The Customer is responsible for configuring the Service, managing its users, and the security of systems and credentials under its control.
7. Sub-processing
The Customer provides general authorisation for Sentyra to engage sub-processors to support the Service, listed in Annex 3. Sentyra will:
- impose data-protection obligations on each sub-processor that are no less protective than this DPA;
- remain liable for its sub-processors' performance of those obligations;
- give the Customer prior notice of any intended addition or replacement of a sub-processor, and a reasonable opportunity to object on reasonable data-protection grounds.
8. Assistance with data principal requests
Taking into account the nature of the processing, Sentyra will assist the Customer by appropriate technical and organisational measures, so far as possible, to respond to requests from Data Principals to exercise their rights (such as access, correction, and erasure). If Sentyra receives such a request directly, it will, unless legally required to respond, promptly forward it to the Customer and not respond except on the Customer’s instruction.
9. Personal data breach notification
Sentyra will notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting the Customer’s Personal Data, and in any event in time to enable the Customer to meet its own notification obligations. Consistent with the Digital Personal Data Protection Rules (rule 7), the Customer, as Data Fiduciary, is responsible for intimating affected Data Principals without delay and the Data Protection Board of India, including providing the required particulars to the Board within 72 hours of becoming aware (or such other period the Board may allow on request).
Sentyra’s notification will, to the extent known, include:
- the nature of the breach, including categories and approximate numbers of Data Principals and records affected;
- the likely consequences of the breach;
- measures taken or proposed to address it and mitigate adverse effects;
- a contact point for further information.
Sentyra will cooperate with the Customer and take reasonable steps to mitigate and remediate the breach. A notification is not an admission of fault or liability.
10. Return & deletion of personal data
On termination or expiry of the Service, and at the Customer’s choice, Sentyra will return or delete Personal Data processed on the Customer’s behalf, and delete existing copies, unless retention is required by law. The Customer may export its data during a defined post-termination window ([[export window — e.g. 30 days]]), after which Personal Data is deleted in accordance with Sentyra’s retention practices, subject to backup cycles and legal holds.
11. Audits & information
Sentyra will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by the Customer or an auditor it mandates. To protect the security and confidentiality of other customers, audits will be conducted on reasonable prior notice, no more than once per year (except where required by a supervisory authority or following a Personal Data Breach), during business hours, and subject to confidentiality. Sentyra may satisfy audit requests by providing relevant documentation or reports it maintains.
12. International transfers
Sentyra will only transfer Personal Data across borders in accordance with the Customer’s instructions and Data Protection Laws. Where required, the parties will put in place an appropriate transfer mechanism (for example the applicable standard contractual clauses under the GDPR), and Sentyra will not transfer Personal Data to any jurisdiction restricted under the DPDP Act. Hosting locations are described in Annex 1 or available on request.
13. Liability, duration & general
This DPA takes effect on the effective date of the Principal Agreement and continues for as long as Sentyra processes Personal Data on the Customer’s behalf. Each party’s liability under this DPA is subject to the limitations and exclusions of liability set out in the Principal Agreement. This DPA is governed by [[governing law / jurisdiction]]. If any provision is held invalid, the remainder continues in effect.
Annex 1 — Details of processing
- Subject-matter & duration: provision of the Sentyra Service for the term of the Principal Agreement.
- Nature & purpose: hosting, collection, organisation, analysis, and storage of compliance evidence and related content to operate the Customer’s compliance program.
- Types of Personal Data: [[e.g. names, work emails, user/account identifiers, access-log and access-review data]]. The Customer controls what data is submitted; Sentyra does not require special-category data and the Customer should avoid submitting it unless necessary.
- Categories of Data Principals: [[e.g. the Customer’s employees, contractors, and system users]].
- Hosting locations: [[hosting region(s)]].
Annex 2 — Technical & organisational measures
Sentyra maintains the following measures (described accurately; not a representation of any third-party certification):
- Tenant isolation enforced by database row-level security (RLS).
- Encryption in transit using TLS; encryption at rest for sensitive credentials, protected by a dedicated encryption key (SENTYRA_CREDENTIAL_KEY).
- Evidence integrity via Ed25519 digital signatures and SHA-256 hashing; decision traces are hash-chained so tampering is detectable.
- Authentication through a managed identity provider with short-lived sessions and role-based access control.
- Least-privilege access for personnel and audit logging of privileged actions.
- Separation of duties between evidence-collection agents and verification agents, and human-in-the-loop approval gates for critical actions.
- Backups and the ability to restore availability of Personal Data in a timely manner.
Additional or updated measures may be described at [[security page / trust center URL]].
Annex 3 — Approved sub-processors
The Customer authorises the following categories of sub-processors, engaged to support the Service. A current, itemised list (with entity names, roles, and locations) is maintained at [[sub-processor list URL]].
- Cloud infrastructure / compute hosting provider.
- Managed database and storage provider.
- Authentication / identity provider.
- Transactional email delivery provider.
- [[any additional sub-processors — add rows]]