Data processing agreement
Last updated: June 2026
This Data Processing Agreement ("DPA") forms part of the agreement between your organisation ("Customer", "Controller") and Sentra ("Sentra", "Processor") when you use the Sentra platform. It supplements our Terms of use and Privacy policy.
1. Scope and roles
Customer is the controller of personal data it uploads, connects, or causes to be processed through Sentra (including supplier records, mailbox content, user accounts, and audit data). Sentra processes that data only on Customer's documented instructions to provide the payment-risk monitoring service described in the Terms.
Sentra may act as an independent controller for limited purposes such as billing, product security, abuse prevention, and aggregated service improvement, as described in the Privacy policy.
2. Subject matter, duration, and nature of processing
- Subject matter: Payment-fraud monitoring for construction and trades SMEs — ingesting payment-risk email, comparing against verified supplier baselines, risk scoring, case management, and verification workflows.
- Duration: For as long as Customer maintains an active account and a reasonable period thereafter for backup, dispute resolution, and legal compliance.
- Nature of processing: Collection, storage, organisation, retrieval, analysis, comparison, display to authorised users, and deletion in accordance with Customer instructions and this DPA.
3. Types of personal data and data subjects
Categories of data subjects
- Customer's employees and authorised users
- Customer's suppliers, subcontractors, and their contacts (names, emails, phone numbers)
- Individuals appearing in payment-risk email (senders, signatories, contacts in message bodies)
Types of personal data
- Account and profile data (name, work email, role)
- Supplier baseline data (names, domains, trusted emails, phone numbers, bank identifiers)
- Email metadata and content required for fraud detection (sender, subject, body, reply-to, headers)
- Text extracted from invoice PDF attachments where applicable
- Risk cases, verification notes, and audit trail entries
Sentra does not require bank login credentials or full organisation-wide mailbox access beyond mailboxes Customer explicitly connects.
4. Customer instructions and responsibilities
Customer instructs Sentra to process data as necessary to deliver the service. Customer is responsible for:
- Ensuring a lawful basis exists for processing and for connecting Microsoft 365 and Xero
- Obtaining internal approvals and providing any required notices to data subjects
- Connecting only mailboxes intended for payment-risk monitoring
- Keeping supplier baseline data accurate and verifying bank details through trusted channels
- Configuring user access appropriately within Customer's organisation
Customer may issue additional written processing instructions that do not conflict with the Terms. If Sentra believes an instruction infringes applicable data protection law, we will inform Customer promptly.
5. Processor obligations
Sentra shall:
- Process personal data only on documented instructions from Customer, unless required by law
- Ensure personnel with access are bound by confidentiality obligations
- Implement appropriate technical and organisational security measures (see Section 8)
- Not engage another processor without informing Customer (see Section 6)
- Assist Customer with data subject rights requests where reasonably possible
- Assist Customer with security, breach notification, and impact assessment obligations where reasonably possible
- Delete or return Customer personal data on termination, subject to legal retention requirements
- Make available information necessary to demonstrate compliance and allow audits on reasonable notice
6. Sub-processors
Customer authorises Sentra to use the following categories of sub-processors to deliver the service. We impose data protection obligations on sub-processors that are no less protective than this DPA:
- Supabase — database hosting, authentication infrastructure (EU/UK regions where configured)
- Vercel — application hosting and edge delivery
- Stripe — subscription billing and payment processing
- Microsoft — when Customer connects Microsoft 365, per Customer's OAuth consent
- Xero — when Customer connects Xero, per Customer's OAuth consent
- Resend (if enabled) — transactional email for enquiries and notifications
We will notify Customer of material changes to sub-processors (for example via email or in-app notice). Customer may object on reasonable grounds relating to data protection. If we cannot accommodate a reasonable objection, Customer may terminate the affected service.
7. International transfers
Some sub-processors may process data outside the UK. Where required, Sentra relies on appropriate safeguards such as UK adequacy regulations, the UK International Data Transfer Agreement (IDTA), or EU Standard Contractual Clauses (as applicable), and supplementary measures where appropriate.
8. Security measures
Sentra maintains measures including authentication, per-organisation data isolation (row-level security), encryption of sensitive fields and integration tokens, least-privilege integration scopes, access logging, and secure development practices. See our Security & data statement for a summary. No system is perfectly secure; Customer should report concerns promptly.
9. Personal data breach
Sentra will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer personal data, and will provide information reasonably available to assist Customer in meeting its breach notification obligations under applicable law.
10. Deletion and return
On termination of the service, Sentra will delete or return Customer personal data within a reasonable period, unless retention is required by law or for legitimate purposes such as resolving disputes or meeting tax obligations. Customer may request export of key platform data before closure by contacting us.
11. Audits
On reasonable written notice, Customer may request information to verify Sentra's compliance with this DPA. Sentra may satisfy audit requests through third-party certifications, security documentation, or questionnaires where appropriate, rather than on-site inspection, except where required by law or a regulator.
12. Liability
Liability arising from processing under this DPA is subject to the limitations and exclusions in the Terms of use, except where liability cannot be limited under applicable law.
13. Governing law
This DPA is governed by the laws of England and Wales. Courts in England and Wales have exclusive jurisdiction, subject to mandatory protections that apply to either party.
14. Contact & signed copies
Data protection, legal, and general enquiries: info@sentra.app
This online DPA is incorporated by reference when you use Sentra on behalf of an organisation. Pilot or enterprise customers may request a countersigned copy for their records.