Data Processing Agreement (DPA)
Last updated: April 28, 2026 (v1.0)
This Data Processing Agreement ("DPA") implements Article 28(3) of Regulation (EU) 2016/679 ("GDPR") and forms an integral part of the ARD Sentinel™ Terms of Service.
Important
The customer-specific DPA (with your company details, IDs, and signatures) is generated automatically when you accept the Terms at checkout. A signed copy is stored on your account and downloadable any time from Dashboard → Account → Legal. This page is the public template version.
1. Definitions
- Personal Data — any information relating to an identified or identifiable natural person processed by the Processor on behalf of the Controller
- Data Subject — a reviewer whose data is processed in connection with the Service, or a Controller representative
- Sub-processor — third party engaged by the Processor
- Personal Data Breach — as defined in GDPR Art.4(12)
2. Subject matter & duration (Art.28(3))
The Processor processes Personal Data on behalf of the Controller solely for the purpose of providing the Service as described in the Terms.
Duration: term of the Terms + 30-day data retention window post-termination + 7 years for evidence chain (DSA Art.5(2)).
3. Nature of processing
- Collection (web scraping of public review platforms)
- Storage (Firestore + Cloud Storage in EU)
- Analysis (AI classification via Sherlock V4 pipeline)
- Generation (DSA Art.16 notices, GDPR Art.17 erasure requests)
- Transmission (notice submission to platforms, ADR, DSC, courts)
- Erasure (per retention schedule + Art.17 requests)
4. Type of personal data & categories of data subjects
Reviewer data: public profile name, profile ID, review text, profile photo URL, review history, behavioral signals.
Controller representative data: name, email, role, login activity.
Categories of Data Subjects: reviewers of the Controller's business on public platforms; Controller's representatives (employees with dashboard access).
5. Processor obligations (Art.28(3)(a)-(h))
5.1 Documented instructions only. Processor processes Personal Data only on documented instructions from the Controller — Terms + this DPA + dashboard configuration.
5.2 Confidentiality. Personnel authorized to process Personal Data have committed to confidentiality.
5.3 Security measures (Art.32):
- Encryption at rest (AES-256) + in transit (TLS 1.3)
- Role-based access control + multi-factor authentication for admins
- Append-only audit log (7-year retention)
- Pseudonymization where feasible
- Daily backup + quarterly DR drills
5.4 Sub-processors. Controller grants general authorization for sub-processors listed at /sub-processors. Notification 30 days before adding new sub-processor; right to object within 30 days.
5.5 Assistance with Data Subject requests. Processor assists Controller in fulfilling GDPR Art.15-22 requests via dashboard UI + 30-day SLA on direct requests.
5.6 Erasure on termination. Within 30 days of termination: JSON export provided on request, then hard-delete. Notice content + evidence chain retained 7 years per DSA Art.5(2).
5.7 Audits. Controller may audit Processor up to once per 12 months with 30 days' written notice. Processor may satisfy this via SOC 2 / ISO 27001 reports once obtained.
6. International transfers (Art.44-49)
For sub-processors outside EU/EEA:
- EU-US Data Privacy Framework (for DPF-certified processors)
- Standard Contractual Clauses (Module 2, Controller-to-Processor) for non-DPF
- EDPB Recommendation 01/2020 supplementary measures (TLS, encryption, contractual challenges)
7. Personal Data Breach notification (Art.33)
Processor notifies Controller of a Personal Data Breach without undue delay and within 24 hours. Notification includes nature, categories of data subjects, likely consequences, measures taken, and contact point.
Controller is responsible for notifying the supervisory authority within 72 hours (Art.33) and Data Subjects where required (Art.34).
8. Liability
Processor is liable only for damages caused by its non-compliance with GDPR obligations specifically directed to processors, or where it acts contrary to Controller's lawful instructions (Art.82(2)).
Processor's aggregate liability under this DPA is capped at the higher of €10,000 or total fees paid in the 12 months preceding the claim.
9. Governing law
Law of the EU Member State where the Processor is established (full details in your executed DPA). The parties attempt to settle disputes by direct negotiation for 30 days before commencing litigation.
10. Survival
Sections 5.6 (erasure on termination), 7 (breach notification), 8 (liability), and 9 (governing law) survive termination of the Terms.
Annexes
- Annex 1 — Processing details (filled in your customer-specific DPA)
- Annex 2 — Technical & organizational security measures (see Privacy Policy Section 8)
- Annex 3 — Sub-processors (see /sub-processors)
- Annex 4 — Standard Contractual Clauses (incorporated by reference; full text at eur-lex.europa.eu)
Contact
DPA inquiries: privacy@ardsentinel.com
Customers may request a signed copy of their executed DPA by authenticated support ticket.