Data Processing Agreement

Last updated: February 20, 2026

1. Preamble

This Data Processing Agreement ("DPA") is entered into between the customer using the Sentra platform (hereinafter "Controller") and:

Valentin Lionel Weinert
Sentra (Sole Proprietorship / Einzelunternehmen)
Dr.-Rohmer-Weg 11
65719 Hofheim am Taunus
Germany
Email: hello@sentra.so

(hereinafter "Processor")

This DPA supplements the Terms of Service and the Privacy Policy and governs the processing of personal data by the Processor on behalf of the Controller pursuant to Art. 28 of the General Data Protection Regulation (GDPR).

2. Subject Matter and Duration

  1. The Processor processes personal data on behalf of the Controller in connection with the provision of the Sentra SaaS platform.
  2. The duration of processing corresponds to the duration of the service agreement between the Controller and the Processor, plus any legally required retention periods.

3. Nature and Purpose of Processing

The processing includes the following activities:

  • Storage and management of uploaded files and text content (e.g., interview transcripts, support tickets, sales call notes)
  • AI-based analysis of content to extract evidence, discover patterns, and generate feature specifications
  • Authentication and account management
  • Transmission of content to AI sub-processors (Google, Anthropic) for analysis
  • Audio transcription via AssemblyAI (if applicable)

4. Types of Personal Data

The following types of personal data may be processed:

  • Names and contact information of individuals mentioned in uploaded sources
  • Job titles and company affiliations
  • Customer feedback, opinions, and statements
  • Usage data and behavioural patterns described in analytics exports
  • Any other personal data contained in files uploaded by the Controller

5. Categories of Data Subjects

The data subjects may include:

  • Customers and end users of the Controller's products
  • Employees and contractors of the Controller
  • Business partners, prospects, and stakeholders mentioned in uploaded data

6. Obligations of the Processor

The Processor shall:

  1. Process personal data only on documented instructions from the Controller, unless required to do so by EU or Member State law.
  2. Ensure that persons authorised to process personal data have committed themselves to confidentiality.
  3. Implement appropriate technical and organisational measures as set out in Annex: Technical and Organisational Measures below.
  4. Assist the Controller in responding to data subject requests (Art. 15–22 GDPR).
  5. Assist the Controller in ensuring compliance with the obligations pursuant to Art. 32–36 GDPR (security, breach notification, impact assessments).
  6. At the Controller's choice, delete or return all personal data after the end of the service, unless EU or Member State law requires continued storage.
  7. Make available to the Controller all information necessary to demonstrate compliance with Art. 28 GDPR.

7. Sub-Processors

  1. The Controller grants the Processor general authorisation to engage sub-processors. The current list of sub-processors is set out in Section 6 of the Privacy Policy.
  2. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object to such changes.
  3. Where the Processor engages a sub-processor, the Processor shall impose the same data protection obligations as set out in this DPA by way of a contract.
  4. If the Controller uses the export functionality to push specs to third-party project management tools (e.g., Linear, Jira), the Controller acts as data controller for such transfers and is responsible for ensuring an appropriate legal basis.

8. Data Subject Rights

  1. The Processor shall assist the Controller in fulfilling data subject requests under Art. 15–22 GDPR (access, rectification, erasure, restriction, portability, objection).
  2. If a data subject contacts the Processor directly, the Processor shall promptly redirect the request to the Controller.
  3. The Controller can exercise data export and deletion via the self-service features in Settings > Data & Privacy.

9. Deletion and Return of Data

  1. Upon termination of the service agreement, the Controller may export all data within 30 days.
  2. After the 30-day period, the Processor shall delete all personal data, unless EU or Member State law requires continued storage. Deletion includes all backups within a reasonable timeframe.
  3. The Controller may request deletion of individual data at any time via the platform or by contacting hello@sentra.so.

10. Audit Rights

  1. The Controller has the right to conduct audits or have them conducted by a mandated auditor to verify compliance with this DPA.
  2. The Processor shall make available all necessary information and allow and contribute to audits and inspections.
  3. Audits shall be announced with reasonable advance notice (at least 14 days) and conducted during normal business hours, without unreasonably disrupting the Processor's operations.

Annex: Technical and Organisational Measures (Art. 32 GDPR)

Physical Access Control

Sentra is a cloud-hosted service. All infrastructure is operated by Supabase (SOC 2 Type II certified) on AWS eu-central-1 (Frankfurt, Germany). Physical access to data centres is managed by AWS with multi-factor authentication, biometric controls, and 24/7 monitoring.

System Access Control

Authentication is handled by Supabase Auth with bcrypt password hashing, OAuth 2.0 support (Google, GitHub), and session-based token management. Cross-domain authentication uses secure cookies with domain: .sentra.so.

Data Access Control

Row-Level Security (RLS) policies are enabled on every database table. Each query is automatically scoped to the authenticated user's ID. File storage uses per-user paths with storage policies. No cross-tenant data access is possible.

Separation Control

Multi-tenant architecture with strict data isolation via RLS. Each user's data is logically separated at the database level. Projects, sources, evidence, patterns, and specs are all scoped to individual user accounts.

Encryption

  • In transit: TLS 1.2+ for all connections (HTTPS enforced)
  • At rest: AES-256 encryption for database and file storage (managed by Supabase/AWS)
  • Passwords: bcrypt hashing (never stored in plain text)

Availability and Resilience

  • Database: Supabase managed backups with point-in-time recovery
  • Hosting: Vercel edge network with automatic failover and global CDN
  • Target availability: 99.5% annual average (excluding scheduled maintenance)

Incident Response

In the event of a personal data breach, the Processor shall notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach (Art. 33 GDPR). The notification shall include the nature of the breach, categories and approximate number of affected data subjects, and measures taken or proposed.

AI Processing Safeguards

  • All API calls to AI providers (Google, Anthropic) are encrypted via TLS
  • Customer data is never used to train AI models
  • Anthropic API logs are deleted after 7 days; Google API logs per Google's retention policy
  • AI providers are contractually bound to data protection obligations