Data Processing Agreement

Last updated: 2026-05-11

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Seentrix Ltd (company number 17169165, registered in England and Wales at 167-169 Great Portland Street, London W1W 5PF; "Processor", "Seentrix") and you or the entity you represent ("Controller", "Customer"). It applies whenever Seentrix processes personal data on behalf of the Controller in connection with the Service.

1. Definitions

Terms such as "personal data", "processing", "controller", "processor", and "sub-processor" have the meanings given to them in Regulation (EU) 2016/679 (the "GDPR").

2. Subject matter and duration

Seentrix processes personal data as a processor for the purpose of providing the Service, for the duration of the Controller's subscription. Upon termination the data is retained for 30 days and then deleted, except for records required by law (e.g. CRA 10-year DoC retention).

3. Nature and purpose of processing

Seentrix processes personal data to: authenticate users, organise compliance artefacts (products, SBOMs, incidents, DoCs), generate regulatory documents, deliver transactional communications, and record audit-grade activity logs.

4. Categories of data subjects and data

  • Data subjects: Customer's employees and contractors who use the Service; individuals named as signatories on Declarations of Conformity; researchers who submit reports through the public PSIRT page; affected end users named in incident notifications.
  • Personal data: names, business email addresses, roles, avatar images, signatures (typed name + title), optional reporter contact details.

5. Processor obligations

Seentrix will:

  • Process personal data only on documented instructions from the Controller.
  • Ensure all personnel authorised to process personal data have committed to confidentiality.
  • Implement appropriate technical and organisational measures (TOMs) as described in Schedule A.
  • Assist the Controller in responding to data-subject requests.
  • Notify the Controller of any personal-data breach without undue delay and in any event within 72 hours.

6. Sub-processors

The Controller authorises Seentrix to engage the sub-processors listed at Schedule B. We will give at least 30 days' notice (via email to the account admin) before adding or replacing a sub-processor. The Controller may object to a change; if we cannot accommodate the objection, either party may terminate the affected portion of the Service.

7. International transfers

Where a transfer outside the EEA occurs, the Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) apply as incorporated by this DPA. Additional safeguards are applied based on Transfer Impact Assessments ("TIAs") we perform per sub-processor.

8. Controller obligations

The Controller warrants that it has a valid legal basis for every data subject's data uploaded to the Service, and will not upload special-category data (GDPR Art. 9) unless a specific data-class addendum has been signed.

9. Return and deletion

Upon termination of the Service the Controller may export all processed data in a machine-readable format within 30 days. After that period, Seentrix will delete the data from live systems within 14 days and from backups within the next rolling backup cycle (up to 30 days).

10. Audits

Seentrix will respond to a reasonable data-processing-related audit inquiry from the Controller once per calendar year, by providing a current SOC 2 Type II report (when available) or completing the Controller's security questionnaire. On-site audits are limited to when strictly necessary and the Controller bears the cost.

Schedule A — Technical and organisational measures

  • TLS 1.3 for data in transit; AES-256 for data at rest.
  • Role-based access control (admin / compliance officer / CTO / editor / viewer) with row-level security in the database.
  • Multi-factor authentication available; administrator MFA required.
  • Annual penetration testing (external); vulnerability scanning on every deployment.
  • Incident response plan with 72-hour data-breach notification.
  • Least-privilege access to production; all production access audit-logged.
  • Data segregation: one Postgres schema with org-scoped RLS; no cross-customer queries possible at the database layer.

Schedule B — Sub-processors

  Processor                            | Purpose                                     | Location
  -------------------------------------|---------------------------------------------|------------------------------------------------
  Supabase, Inc.                       | Database + authentication                   | EU (Frankfurt)
  Vercel Inc.                          | Web application hosting                     | EU (Frankfurt) edge + US-based control plane
  Stripe Payments Europe Ltd.          | Billing + payments                          | Ireland + US
  Resend                               | Transactional email delivery                | US
  Sentry (Functional Software, Inc.)   | Error monitoring                            | US
  Mistral AI SAS                       | Seentrix AI — LLM inference + embeddings    | France (EU)
  Upstash, Inc.                        | Rate-limit store for Seentrix AI quotas     | Ireland (EU)

Request a counter-signed copy of this DPA by emailing support@seentrix.com.

Seentrix Ltd · Company number 17169165 · Registered in England and Wales · 167-169 Great Portland Street, London W1W 5PF, United Kingdom