Sentinel42Last reviewed: 4 July 2026

Data Processing Agreement

Article 28 UK GDPR — controller-to-processor terms. This Data Processing Agreement (“DPA”) is an addendum to, and forms part of, the Master Services Agreement (the “Principal Agreement”) between the Customer (the “Controller”) and Sentinel42 Ltd (the “Processor”).

The version below is the operative text. A signed PDF is issued at contract execution and prevails in the event of any typographical discrepancy with this web version.

Parties

  • Controller / Client: as identified in the Principal Agreement or Order Form.
  • Processor: Sentinel42 Ltd, registered in England & Wales, company number 17286468, ICO registration number C1974552, registered office 66 Paul Street, London EC2A 4NA.

Background

(A) The Processor provides information security, cyber and AI governance, risk and compliance advisory services to the Controller under the Principal Agreement.

(B) In providing certain of those services, the Processor may process personal data on behalf of the Controller. This DPA sets out the terms governing that processing as required by Article 28 UK GDPR.

(C) Where a particular engagement does not involve the processing of personal data by the Processor on the Controller’s behalf, this DPA does not apply to that engagement.

1. Definitions and interpretation

Data Protection Legislation: the UK GDPR, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003, and all other laws applicable to the processing of personal data and privacy in the United Kingdom, in each case as amended or replaced.

UK GDPR: the retained EU law version of Regulation (EU) 2016/679 as defined in section 3(10) (supplemented by section 205(4)) of the Data Protection Act 2018.

Controller, Processor, Data Subject, Personal Data, Personal Data Breach, Processing and Supervisory Authority have the meanings given in the Data Protection Legislation.

Sub-processor: any third party engaged by the Processor to process Personal Data on behalf of the Controller under this DPA.

Restricted Transfer: a transfer of Personal Data to, or access from, a country outside the United Kingdom that is not the subject of UK adequacy regulations.

UK Transfer Mechanism: the International Data Transfer Agreement (IDTA), or the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, or any successor mechanism.

In the event of conflict between this DPA and the Principal Agreement in relation to the processing of Personal Data, this DPA prevails.

2. Status of the parties & scope

2.1 The Controller is the controller and the Processor is the processor for the Personal Data processed under this DPA.

2.2 The subject-matter, duration, nature and purpose of the processing, the types of Personal Data and the categories of Data Subjects are set out in Schedule 1. The Controller may amend Schedule 1 on reasonable written notice where required to reflect a change in the services.

2.3 Each Party shall comply with its respective obligations under the Data Protection Legislation.

3. Processor obligations

The Processor shall, in respect of Personal Data processed on behalf of the Controller:

  • (a) process the Personal Data only on the documented instructions of the Controller (including Restricted Transfers), unless required otherwise by law;
  • (b) ensure persons authorised to process the Personal Data are subject to an appropriate duty of confidentiality;
  • (c) implement and maintain the technical and organisational measures in clause 5 and Schedule 2 (Article 32);
  • (d) respect the conditions in clause 6 for engaging a Sub-processor;
  • (e) assist the Controller by appropriate technical and organisational measures in responding to Data Subject rights requests (clause 7);
  • (f) assist the Controller with Articles 32–36 obligations (security, breach notification, DPIAs, prior consultation);
  • (g) at the Controller’s choice, delete or return all Personal Data at the end of the services (clause 12); and
  • (h) make available all information necessary to demonstrate compliance with Article 28, and allow for and contribute to audits (clause 11).

The Processor shall immediately inform the Controller if an instruction, in its opinion, infringes the Data Protection Legislation.

4. Controller obligations

4.1 The Controller warrants that it has, and will maintain, a lawful basis for the processing of the Personal Data and for its disclosure to the Processor and any authorised Sub-processor.

4.2 The Controller is responsible for the accuracy, quality and legality of the Personal Data and the means by which it acquired it.

5. Security of processing

5.1 Taking into account the state of the art, cost of implementation, and the nature, scope, context and purposes of processing, and the risk to Data Subjects, the Processor shall implement appropriate technical and organisational measures as described in Schedule 2.

5.2 The Processor shall regularly review and, where appropriate, update those measures, and shall not materially reduce their overall level of protection during the term.

6. Sub-processing

6.1 The Controller grants the Processor general authorisation to engage the Sub-processors listed in Schedule 3. The Processor shall inform the Controller of any intended addition or replacement of a Sub-processor, giving the Controller a reasonable opportunity to object on reasonable data-protection grounds.

6.2 The Processor shall impose on each Sub-processor, by written contract, data-protection obligations no less protective than those in this DPA.

6.3 The Processor remains fully liable to the Controller for the performance of each Sub-processor’s obligations.

7. Data subject requests

7.1 The Processor shall promptly notify the Controller of any Data Subject rights request and shall not respond itself except on the Controller’s documented instructions or as required by law.

7.2 The Processor shall provide reasonable assistance to enable the Controller to respond within the applicable time limits.

8. Personal data breach

8.1 The Processor shall notify the Controller without undue delay after becoming aware of a Personal Data Breach affecting the Personal Data.

8.2 The notification shall, to the extent available, describe the nature of the breach (including the categories and approximate number of Data Subjects and records concerned), the likely consequences, and the measures taken or proposed to address it and mitigate its effects.

8.3 The Processor shall co-operate with the Controller in the investigation, mitigation and remediation of the breach, and shall not notify a Supervisory Authority or Data Subject in the Controller’s name without prior authorisation, unless required by law.

9. Data protection impact assessments

The Processor shall provide reasonable assistance with any DPIA and any prior consultation with a Supervisory Authority under Articles 35 or 36 UK GDPR, in each case solely in relation to processing under this DPA and taking into account the information available to the Processor.

10. International transfers

10.1 The Processor shall not make a Restricted Transfer of the Personal Data without the prior written authorisation of the Controller.

10.2 Where a Restricted Transfer is authorised, the Parties shall ensure it is subject to appropriate safeguards, including the applicable UK Transfer Mechanism, before any such transfer takes place.

11. Audit & records

11.1 The Processor shall maintain records of its processing activities as required by Article 30(2) UK GDPR.

11.2 The Processor shall make available to the Controller, on reasonable written request, the information necessary to demonstrate compliance, and shall allow for and contribute to audits or inspections, no more than once in any twelve (12) month period (save where required by a Supervisory Authority or following a Personal Data Breach), on reasonable notice, during business hours, and subject to appropriate confidentiality obligations.

12. Return or deletion of personal data

12.1 On termination or expiry of the relevant services, or earlier on the Controller’s written request, the Processor shall (at the Controller’s choice) securely delete or return all Personal Data and delete existing copies.

12.2 The Processor may retain Personal Data to the extent, and for as long as, required by law, provided it maintains confidentiality and does not further process it except as required by that law.

13. Liability

The liability of each Party under this DPA is subject to the limitations and exclusions of liability set out in the Principal Agreement, which apply as if set out in full.

14. Term & termination

14.1 This DPA takes effect on its effective date and continues for as long as the Processor processes Personal Data on behalf of the Controller.

14.2 Termination of the Principal Agreement automatically terminates this DPA. Clauses which by their nature are intended to survive (including clause 12) continue in force.

15. General & governing law

Except as expressly amended by this DPA, the Principal Agreement remains in full force and effect. This DPA is governed by the law of England and Wales, and the Parties submit to the exclusive jurisdiction of the courts of England and Wales.

Schedule 1 — Details of processing

The following are completed per engagement in the applicable Order Form or statement of work:

  • Subject-matter of processing (e.g. ISMS platform hosting, DPO-as-a-service, fractional CISO support).
  • Duration: term of the relevant engagement.
  • Nature: collection, storage, review, analysis, deletion.
  • Purpose: delivery of the contracted services.
  • Types of Personal Data: business contact data of Client personnel, and any Personal Data the Client uploads to the platform.
  • Categories of Data Subjects: Client employees, contractors, and customers (as applicable).
  • Special category data: none by default; only where the Client explicitly instructs and an Article 9 condition is confirmed.

Schedule 2 — Technical & organisational measures (Article 32)

  • Access control & authentication. Role-based least-privilege access; MFA on administrative and remote access; unique named accounts; prompt revocation on leaver or role change.
  • Encryption. TLS in transit; encryption at rest at the platform layer for the managed database and object storage.
  • Logging & monitoring. Append-only, hash-chained security audit log with integrity verification; 2-year retention.
  • Availability & backup. Managed database backups and point-in-time recovery; documented business-continuity arrangements.
  • Data minimisation. Processing limited to what is necessary; pseudonymisation or anonymisation applied where appropriate.
  • Incident management. Documented incident-response process with a defined breach-notification workflow to the Controller.
  • Supplier management. Due diligence and written data-protection terms with all Sub-processors.
  • Secure disposal. Secure deletion of Personal Data and secure wiping of media at end of processing.
  • Governance. Records of processing (Article 30(2)); periodic review of measures; alignment to ISO/IEC 27001 control patterns.

Schedule 3 — Sub-processors & international transfers

Current authorised Sub-processors:

Sub-processorPurposeLocationTransfer safeguard
Lovable Cloud (managed Supabase)Hosting, Postgres database, authentication, storageEU (Ireland)UK adequacy / SCCs as applicable
Lovable AI GatewayIn-product AI assistanceEUUK adequacy / SCCs as applicable
CloudflareEdge runtime, TLS termination, CDNGlobal (EU edge)UK IDTA / SCCs
Transactional email providerAuth and notification emailsEUActivated once sentinel42.com sender domain is verified

List current as of 4 July 2026. Changes are notified per clause 6.1.