Welcome to www.sentra.io (the “Website”), a website of Sentra Inc. (“Sentra”, “Company”, “our”, “we” or “us”). This Privacy Policy (the “Privacy Policy”) is intended to describe our practices regarding the information we may collect from you (“You” or “User”) when you use our Website and/or our online Security Posture Management platform (the “Solution”), the manners in which we may use such information, and the choices and rights available to you.
- YOUR CONSENT
BY ACCESSING THE WEBSITE, YOU AGREE TO THE TERMS AND CONDITIONS SET FORTH IN THIS PRIVACY POLICY, INCLUDING THE COLLECTION AND PROCESSING OF YOUR PERSONAL INFORMATION (AS DEFINED BELOW) IN THE EVENT YOU DECIDE TO PROVIDE US WITH SUCH. IF YOU DISAGREE WITH ANY TERM PROVIDED HEREIN, YOU MAY NOT ACCESS OR USE THE WEBSITE AND/OR THE SOLUTION.
Please note: you are not obligated by law to provide us with any Personal Information. You hereby acknowledge and agree that you are providing us with Personal Information at your own free will. You hereby agree that we may collect and use such Personal Information pursuant to this Privacy Policy and any applicable laws and regulations.
TO THE EXTENT THAT YOU PROVIDE US WITH ANY PERSONAL INFORMATION RELATED TO ANY THIRD PARTY OR ANY OTHER PERSON OR ENTITY WHICH IS NOT YOU, INCLUDING INFORMATION RELATED TO ANY OF YOUR PERSONNEL, COLLEAGUES OR CUSTOMERS, YOU ARE SOLELY RESPONSIBLE TO RECEIVE AND HEREBY REPRESENT THAT YOU HAVE AND UNDERTAKE THAT YOU SHALL HAVE AT ALL TIMES, MAINTAINED AND RECEIVED, THE CONSENT, AUTHORITY, PERMISSION AND APPROVAL OF SUCH PERSONS AND PROVIDED THEM WITH SUFFICIENT DISCLOSURES, TO ALLOW US TO ACCESS, STORE, COLLECT, ANALYZE AND PROCESS SUCH PERSONAL INFORMATION AS DETAILED HEREIN.
- SCOPE AND APPLICABILITY
This Privacy Policy applies only to the information we collect in connection with your use of the Website and/or information we may receive or process in connection with your access to or use of the Solution made available by Sentra to your organization, or otherwise when you receive services from us, such as support services with respect to such use of or access to the Solution.
- WHAT INFORMATION DO WE COLLECT FROM OUR USERS?
- Non-personal Information: Non-personal Information is unidentified and non-identifiable information pertaining to Users, which may be made available to us, or collected automatically via their use of the Website. Such Non-personal Information does not enable us to identify the person from whom it was collected, and mainly consists of technical and aggregated usage information which is not linked to an identifiable individual, such as the operating system and browser, browser version, duration of usage of the Website, User's 'click-stream' activity, keyboard language, etc.
- Personal Information: Personal Information is information that pertains or relates to a specific individual, where such individual is identified or may be identified with reasonable efforts or together with additional information we have access to. Personal Information does not include information that has been anonymized or aggregated, provided that such information can no longer be used to identify a specific natural person. Personal Information that is collected by us may include the following types of information: name, email address, IP address, device identifier, organization identifiers and name, position and other personal information provided or otherwise made available to us in connection with or as part of: (i) filling out registration forms available on the Website; (ii) use of the Solution and/or the Services; and (iii) engagement with our support services. In addition, Personal Information we may collect also includes Candidates Information (as defined below).
We do not collect any Personal Information from you or related to you without your approval or pursuant to the approvals provided to us by your Organization (including on your behalf), which is obtained, inter alia, through your active acceptance of this Privacy Policy. We may also have access to personal information as part of Customer Data (as defined in our Terms and Conditions https://www.sentra.io/legal/terms-of-use) which is made available to us by our Customer as part of our Customer’s use of the Services, and which our Customer has assured us it has the rights to provide. Our access to and use of any such Customer Data is governed by our Terms and Conditions https://www.sentra.io/legal/terms-of-use.
More specifically, we collect and use the following categories and types of Personal Information in the following respective circumstances:
- Personal Information you provide us actively and voluntarily when you use or interact with our Website and/or Solution:
This category refers to any information, data or content you actively and voluntarily create or provide through the Website such as:
- Contact information such as full name, email address, company and any other information you actively input through our Website’s and/or Solution’s online forms and text fields and in your access to the Solution and as part of your correspondence with us through various channels of communication, including when you address our support services, register for an account with us or when you update your account details.
- The contents of your interaction with our customer support or sales team which may include text/video/audio recording and transcripts of such communications.
- Personal Information we automatically obtain when you use or interact with our Website and/or Solution:
This category refers to any information we obtain through the Website and/or Solution and which is derived, learned, or detected as a result of your access to and/or interaction with the Website, such as:
- Technical information with respect to the devices and software you use to access our Website and/or Solution such as operating system, browser type and version, type of end-user device, device ID, etc.
- Usability information with respect to your use of the Website and/or Solution and your engagement, such as clickstream, event and log data, page visits, and different segmentation we apply when we consider your engagement with our Website and/or Solution.
- Impression and attribution information, which mainly includes information concerning your navigation from and to our Website and/or Solution, such as HTTP referrers, IP address and advertiser ID.
We perform such automatic collection through: (i) the use of cookies, web beacons, and similar technologies; and (ii) unique identifiers you provided us with, such as email, ID number or full name, or other unique identifiers that generally only identify a computer, device, browser or application.
Keep in mind: most mobile devices, operating systems and browsers allow their user to control or disable the use of certain collectible information, including location services, by any application, in the device's settings menu.
- Personal information collected from other sources:
We may collect personal information concerning you from third parties who have assured us that they have obtained your consent for such provision of information (including, without limitation, the Customer). We may also have access to personal information as part of Customer Data, which is made available to us by our Customer as part of our Customer’s use of the Services, and which our Customer has assured us it has the rights to provide. Our access to and use of any such Customer Data is governed by our Terms and Conditions https://www.sentra.io/legal/terms-of-use. For the avoidance of doubt, any Non-Personal Information connected or linked to any Personal Information shall be deemed Personal Information as long as such connection or linkage exists.
We do not collect any Personal Information from you or related to you without your approval, which is obtained through various means, including through your acceptance of this Privacy Policy.
- WHY DO WE COLLECT INFORMATION ON OUR USERS?
We may use information that we collect and receive about you for the following purposes:
- To provide and operate our Website and/or Solution and related services.
- To allow users to access certain components of our Website and/or to provide our Solution or related services to our Customers.
- To allow users who are Candidates to apply for work with us.
- To be able to contact users who requested such contact, for the purpose of providing them with further information on Sentra and its services, or to otherwise respond to such contact request or other voluntary submission of data by the User.
- To prevent, detect, mitigate, and investigate fraud, security breaches or other potentially prohibited or illegal activities, whether suspected or actual.
- To market our services to users or potential users, and to be able to track and evaluate our marketing activities and their results and attribute different marketing achievements to the respective marketing efforts.
- To display or send to you marketing and advertising material including general and personalized content.
- To be able to deliver and enhance the Website and/or Solution, and to provide users with technical assistance and support.
- To send you updates, notices, notifications, announcements, and additional information related to the Website and/or Solution and related services.
- To act upon and comply with requests you may make pursuant to this Privacy Policy and the privacy laws that apply to you.
- To perform functions or services as otherwise described to you at the time of collection of the relevant information.
- To create cumulative statistical data and other cumulative and/or conclusive information that is non-personal, which we and/or our business partners might make use of in order to operate and improve our Website and/or Solution and provide related services.
- To comply with any applicable rule or regulation and/or to respond to or defend against legal proceedings brought against us or our affiliates.
- LAWFUL GROUNDS FOR COLLECTING INFORMATION ON OUR USERS
We collect and process your information for the purposes described in this policy, based on at least one of the following legal grounds:
- With your consent: We ask for your agreement to process your information for specific purposes, and you have the right to withdraw your consent at any time. For example, we ask for your consent to provide you with personalized content and ads through the use of cookies.
- Providing the requested services: We collect Personal Information to provide our users with the Website and/or Solution and access to the services available through our Website and/or Solution.
- Legitimate interests: We process your information for our legitimate interests while applying appropriate safeguards that protect your privacy. This means that we process your information for things like detecting, preventing, or otherwise addressing fraud, abuse, security, usability, functionality or technical issues with our services; protecting against harm to the rights, property or safety of our properties, our users, or the public, as required or permitted by law; enforcing legal claims, including investigation of potential violations of this Privacy Policy; and complying with and/or fulfilling our obligations under applicable laws, regulations, guidelines, industry standards and contractual requirements, legal process, subpoenas or governmental requests, as well as our Terms of Sale and End User License Agreement.
- WHERE DO WE STORE USER’S PERSONAL INFORMATION?
Information regarding Users will be maintained, processed and stored by us and our authorized affiliates and service providers in the EU, the US and Israel, and, as necessary, in secured cloud storage provided by our third-party service provider.
While the data protection laws in the above jurisdictions may be different from the laws of your residence or location, please know that we, our affiliates and our service providers that store or process your Personal Information on our behalf are each committed to keeping it protected and secured, pursuant to this Privacy Policy and industry standards, regardless of any lesser legal requirements that may apply in their jurisdiction.
You hereby accept the place of storage and the transfer of information as described above.
- WHO DO WE SHARE USER INFORMATION WITH AND WHY?
We keep the information processed by us in strict confidence and we may only share information with third parties (or otherwise allow them access to it) in very limited circumstances and for very specific purposes, as described below:
- Internally – We may share information with our family of companies, as well as our employees or other personnel, for the purposes described in this Privacy Policy and in accordance with Section 5 above. In addition, should Sentra or any of its affiliates undergo any change in control, including by means of merger, acquisition or purchase of substantially all of its assets, your information may be shared with the parties involved in such event under strict security conditions, for the purpose of evaluating such event and in accordance with the terms of this Privacy Policy. If we believe that such change in control might materially affect your Personal Information then stored with us, we will notify you of this event and the choices you may have, either through a prominent notice on our Website or by contacting you directly through contact details you have provided us.
- Protecting Rights and Safety – We may share your information to enforce this Privacy Policy and/or any other agreement between Sentra and you, including investigation of potential violations thereof; to detect, prevent, or otherwise address fraud, security or technical issues; or otherwise, if we believe in good faith that this will help protect the rights, property or personal safety of any of our users, or any member of the general public.
- Third Parties & Business Partners – We partner with certain third parties to provide selected services that are used to facilitate and enhance the Website and/or Solution, your use thereof, or otherwise to facilitate us in our exercise of rights under this Privacy Policy (“Service Providers”). Such Service Providers may have access to, or process on our behalf, personal information which we collect, hold, use, analyse, process and/or manage. These Service Providers include, among others, hosting, database and server co-location services (e.g. AWS), data analytics services (e.g. Google, Facebook), authentication services (Okta, Google) and our business, legal and financial advisors. We remain responsible for any personal information processing done by a Service Provider on our behalf, except for events outside of our and/or their reasonable control, and except with respect to Service Providers with whom you are contractually engaged, either through a prior separate contractual engagement and/or through acceptance of their privacy policy and terms of use if such are referenced under section 9 below.
- Law Enforcement – We may cooperate with government and law enforcement officials to enforce and comply with the law. We may therefore disclose any information to government or law enforcement officials as we believe necessary or appropriate to respond to claims and legal process (including but not limited to subpoenas), to protect our or a third party’s property and legal rights, to protect the safety of the public or any person, or to prevent or stop any activity we may consider to be, or to pose a risk of being, illegal, unethical, inappropriate or legally actionable.
Specifically, each of our Service Providers which store or process your Personal Information either: (i) assured us that they provide adequate safeguards to protect your rights to privacy, including, where applicable, by undertaking to comply with the EU Standard Contractual Clauses; (ii) where applicable, hold and process such information on our behalf in jurisdictions which have been determined by the EU Commission to ensure an adequate level of protection; or (iii) perform such processing pursuant to your consent and acceptance of their privacy policy, as further detailed in this Privacy Policy.
For the avoidance of doubt, we may share anonymized/de-identified information with any other third party, at our sole discretion.
- YOUR RIGHTS
If you are a visitor of our Website and to the extent that the law applicable to you grants you such rights, you may submit certain requests to us with respect to your Personal Information that is stored in our systems. You may also ask for our confirmation as to whether or not we process your Personal Information. In some jurisdictions, you may request to exercise rights concerning your Personal Information as follows:
- Right of access. You may have a right to know what information we hold about you and, in some cases, to have the information communicated to you. We reserve the right to ask for reasonable evidence to verify your identity before we provide you with any information.
- Right to correct Personal Information. We endeavour to keep the information that we hold about you accurate and up to date. Should you realize that any of the information that we hold about you is incorrect, please let us know and we will use our best efforts to correct it as soon as we can.
- Data deletion. In some circumstances and under certain laws and regulations, you may have a right to request that some portions of the Personal Information that we hold about you be deleted or otherwise anonymized/de-identified.
- Data portability. In some circumstances and under certain laws and regulations, you may have the right to request that data which you have provided to us is provided to you, so you can transfer or port it elsewhere.
If you wish to exercise any of these rights, contact us at: info@sentra.io. When handling these requests, we may ask for additional information to confirm your identity and your request. Please note, upon a request to delete your Personal Information, we may retain such data in whole or in part to comply with any applicable rule or regulation and/or to respond to or defend against legal proceedings brought against us or our affiliates.
Please Note: Sentra is merely acting as a processor of certain personal information on behalf of its Customers (pursuant to the Terms and Conditions of our Solution). As such, if you are using our Solution and related services on behalf of your organization, or your personal information has been made available to us as part of Customer Data provided to us, you should contact your organization in order to enforce any of the rights listed in this section 8 above.
To find out whether these rights apply to you and on any other privacy related matter, you can contact your local data protection authority if you have concerns regarding your rights under local law.
- USING COOKIES AND OTHER TRACKING TECHNOLOGIES
- When you access or use the Website, we may use industry-wide monitoring and tracking technologies such as "cookies" or “pixel tags” (or similar technologies), which store certain information on your computer ("Local Storage"), and which allow us to enable automatic activation of certain features and make your service experience much more convenient and effortless. The Local Storage is created per session and may be deleted by you, or you may configure your browser not to accept any such local storage items.
For example, these technologies enable us to: (i) provide you with the Website and/or Solution, (ii) keep track of our users’ preferences and authenticated sessions, (iii) secure our website by detecting abnormal behaviours, (iv) identify technical issues and improve the overall performance of the Website and/or Solution, and (v) deliver targeted advertisements that are more tailored to their audience and track ad performance (for more information about this practice, see: http://www.aboutads.info/choices/).
Such tracking technologies may include pixel tags (also commonly known as web beacons), transparent images, iFrames, cookies, or JavaScript placed on our Website and/or Solution or in our advertisements and emails, which are used to understand how you interact with the Website and/or Solution and with such advertisements and emails. To learn more about our use of cookies and other tracking technologies, please see our Cookie Policy. It is important to note that some of these tracking technologies are provided to us by our Service Providers, who collect and process personal information in the scope of the services that they provide us.
Please note – in certain cases such Service Providers may collect and process personal information in a scope which is broader than the scope of collection and processing required for the purposes set forth above. This means that sometimes these Service Providers have access to more of your personal information than we do. In such cases, all such excess collection and processing is performed pursuant to and under a direct contractual relationship you have with such Service Providers, as detailed below, and any rights you may have with respect to such information collected by such Service Providers shall be governed by such contractual relationship. Otherwise, the terms of this Privacy Policy shall fully apply.
- We may also use Google and Facebook re-marketing tracking cookies and pixel-based retargeting functionality. This means that if you provide your consent to Google or Facebook (the “Social Ad Platforms”) to be provided with personalized commercial offers, you may be served with ads based on your use of the Website, outside of the Website and across the internet. In such event the Social Ad Platforms will place cookies or pixels on your web browser and use such technologies to serve you ads based on past visits to our Website.
Please visit the Social Ad Platforms’ individual privacy policy to find out how they use such information:
If you wish to opt-out of such re-targeting and tracking functionality of the Social Ad Platforms, you may do so at the following links:
In addition, if you wish not to receive ads from us based on your use of the Website, please send us an e-mail to info@sentra.io and we will respond within a reasonable timeframe and in accordance with applicable laws.
- By accepting this Privacy Policy and using the Website and/or Solution you hereby consent that the following third-party Services Providers shall collect and process your personal information in accordance with their respective privacy policy to which you hereby agree:
- Learn more about your choices and how to opt out of tracking technologies: In order to delete or block any tracking technologies, please refer to the “Help” area of your internet browser for further instructions, or you may also opt out of third-party tracking technologies by following the instructions provided by each third-party service provider in its privacy policy listed above, or by visiting www.youronlinechoices.eu or http://www.aboutads.info/choices/. Please note, however, that deleting any of our tracking technologies or disabling future tracking technologies may prevent you from accessing certain areas or features of our Website, or may otherwise adversely affect your user experience. Please also note that we do not respond to the ‘Do Not Track’ setting on your browser, as the protocol and form for such setting has not yet been generally accepted.
- DIRECT MARKETING
You hereby agree that we may use your contact details provided when filling out a registration form on the Website for the purpose of informing you regarding our products and services which may interest you, and to send you other marketing material. You may withdraw your consent by sending us written notice by email to the following address: info@sentra.io, or by pressing the “Unsubscribe” button in the mail.
Please note that the Company may also contact you with important information regarding our Website and/or Solution. For example, we may notify you (through any of the means available to us) of changes or updates to our Website and/or Solution, payment issues, service maintenance, etc. You will not be able to opt out of receiving such service messages.
- MINORS
To use our Website and/or Solution, you must be over the age of eighteen (18). Therefore, we do not knowingly collect Personal Information from minors under the age of eighteen (18) and do not wish to do so. We reserve the right to request proof of age at any stage so that we can verify that minors under the age of eighteen (18) are not using the Website and/or Solution.
Without derogating from the above, certain personal information of persons under the age of eighteen (18) might be included as part of the Customer Data, which is made available to us by our Customer as part of our Customer’s use of the Services, and which our Customer has assured us it has the rights to provide. Our access to and use of any such Customer Data is governed by our Terms and Conditions https://www.sentra.io/legal/terms-of-use.
- INFORMATION SECURITY
We take great care in implementing and maintaining the security of the Website and/or Solution and of your Personal Information. We have implemented administrative, technical and physical safeguards to help prevent unauthorized access, use or disclosure of your Personal Information. Your information is stored on secure servers and isn’t publicly available. We limit access to your information to those employees, third-party service providers or partners who need it on a “need to know” basis, and strictly in order to enable us to perform the agreement between you and us or the agreement between us and your organization (in its capacity as our Customer).
Despite these measures, we cannot provide absolute information security or eliminate all risks associated with Personal Information, and security breaches may happen. If you have any questions about our Personal Information security, please contact us at info@sentra.io.
- DATA RETENTION
If you are a visitor of our Website, we will retain your Personal Information only for as long as necessary to achieve the purposes for collection and processing set forth above. Retention periods will be determined taking into account the type of information that is collected and the purpose for which it is collected, bearing in mind the requirements applicable to the situation and the need to destroy outdated, unused information at the earliest reasonable time. If you withdraw your consent to our processing of your Personal Information, we will delete your Personal Information from our systems (except to the extent retaining such data in whole or in part is necessary to comply with any applicable rule or regulation and/or to respond to or defend against legal proceedings brought against us or our affiliates).
Please Note: If you are using our Solution and related services on behalf of your organization, or your Personal Information has been made available to us as part of Customer Data on behalf of our Customers (in either case pursuant to the Terms and Conditions of our Solution), you should contact your organization in order to request the deletion of your Personal Information and/or any part thereof.
- JOB CANDIDATES
We welcome all qualified candidates (“Candidates”) to apply to any of the open positions posted at www.Sentra.io, or that we otherwise publish on Facebook or LinkedIn, by sending us information which may include your full name, email address, phone number, curriculum vitae, and other information that Candidates may elect to share with us over the course of their candidacy (“Candidates Information”). Since privacy and discreetness are very important to our Candidates, we are committed to keeping Candidates’ Information private and using it solely for our internal recruitment purposes (including for identifying Candidates, evaluating their applications, making hiring and employment decisions, and contacting Candidates by phone or in writing).
Please note that the Company may retain Candidates Information submitted to it even after the applied-for position has been filled or closed. This is done so that we can re-consider Candidates for other positions and opportunities at the Company; so that we can use their Candidates Information as reference for future applications submitted by them; and, in case the Candidate is hired, for additional employment and business purposes related to their work.
If you previously submitted your Candidates Information to the Company, and now wish to access it, update it or have it deleted from our systems, please contact us at info@sentra.io.
- UPDATES TO THIS PRIVACY POLICY
We reserve the right to change this policy at any time, so please re-visit this page frequently. We will notify you of substantial changes to this Privacy Policy by changing the link to the Privacy Policy on the Website and/or Solution and/or by sending you an e-mail regarding such changes to the e-mail address that you provided during registration. Such substantial changes will take effect seven (7) days after such notice was provided on our Website or sent by email. Otherwise, all other changes to this Privacy Policy are effective as of the stated “Last Revised” date, and your continued use of the Website and/or Solution after the Last Revised date will constitute acceptance of, and agreement to be bound by, those changes.
- GENERAL INFORMATION
This Privacy Policy, its interpretation, and any claims and disputes related hereto, shall be governed by the laws of the State of New York, without respect to its criminal law principles. Any and all such claims and disputes shall be brought in, and you hereby consent to them being litigated in and decided exclusively by a court of competent jurisdiction located in New York, NY.
This Privacy Policy was written in English, and may be translated into other languages for your convenience. If a translated (non-English) version of this Privacy Policy conflicts in any way with the English version, the provisions of the English version shall prevail.
- HAVE ANY QUESTIONS?
If you have any questions (or comments) concerning this Privacy Policy, you are welcome to send us an email at info@sentra.io, and we will make an effort to reply within a reasonable timeframe.
Data Processing Agreement
This Data Processing Agreement (“DPA”) forms an integral part of, and is subject to, the Evaluation Terms and/or Subscription Terms available at https://www.sentra.io/legal/terms-of-use (the “Principal Agreement”) entered into by and between Company (hereinafter referred to as “Controller” or “Client”) and Sentra Inc. (hereinafter referred to as “Processor” or “Sentra”). Controller and Processor are hereinafter jointly referred to as the “Parties” and individually as the “Party.” Capitalized terms not otherwise defined herein shall have the meaning given to them in the Principal Agreement.
- Definitions. In addition to capitalized terms defined elsewhere in this DPA, the following terms shall have the meanings set forth opposite each of them:
- “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control” for purposes of this definition means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity;
- “Applicable Laws” means (a) European Union or Member State laws with respect to any Controller Personal Data in respect of which Controller is subject to EU Data Protection Laws; and (b) any other applicable law with respect to any Controller Personal Data in respect of which the Controller is subject to any other Data Protection Laws;
- “Authorized Personnel” means any person who processes Controller Personal Data on Processor’s behalf, including Processor’s employees, officers, partners, principals, contractors and Sub Processors;
- “CCPA” means the California Civil Code Section 1798.100-1978.199;
- “Controller Personal Data” means any Personal Data Processed by Sentra on behalf of the Client pursuant to or in connection with the provision of the Services under the Principal Agreement.
- "Data Protection Laws" means, as applicable in connection with the Processing of Controller Personal Data under the Principal Agreement: (a) EU Data Protection Laws, or (b) CCPA and any legislation and/or regulation implementing or made pursuant to the GDPR and the CCPA, or which amends or replaces any of them;
- "EU Data Protection Laws" means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
- "GDPR" means EU General Data Protection Regulation 2016/679;
- "Restricted Transfer" means (i) a transfer of Controller Personal Data from Controller to Processor; or (ii) an onward transfer of Controller Personal Data from a Processor to a Sub Processor, or between two establishments of Processor, in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws) in the absence of a legal transfer mechanism to be established under this DPA, including without limitation the applicable Standard Contractual Clauses;
- "Sub Processor" means any person (including any third party and any Processor Affiliate, but excluding an employee of Processor or any of its sub-contractors) appointed by or on behalf of Processor or any Processor Affiliate to Process Personal Data on behalf of the Controller in connection with the Principal Agreement;
- "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of Personal Data to third countries pursuant to the GDPR, adopted by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, which are incorporated herein by reference and available for convenience at: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN.
- The terms, "Commission", "Controller", "Data Subject", "Member State", "Personal Data", "Personal Data Breach", "Processor", "Processing" and "Supervisory Authority" shall have the same meaning as in the GDPR.
- The terms “Service Provider”, “Sell”, “Sub-Contractor” and “Consumer” shall be interpreted in accordance with the CCPA; where applicable, references to Processor shall also refer to ‘Service Provider’, references to Sub Processor shall also refer to ‘Sub-Contractor’ and references to Data Subject shall also refer to ‘Consumer’.
- Roles of the Parties; Processing of Controller Personal Data
- In the scope of Sentra’s processing of Controller Personal Data, as between the Parties, for the purposes of this DPA only, and except where otherwise indicated, Sentra shall be deemed the Data Processor/Service Provider and Client shall be deemed the Data Controller (or its equivalent under the CCPA).
- Processor shall not Process Controller Personal Data other than on the Controller’s documented reasonable and customary instructions as specified in the Principal Agreement or this DPA that were specifically and explicitly agreed to by Processor, unless such Processing is required by Applicable Laws to which the Processor is subject.
- Controller instructs Processor (and authorizes Processor to instruct each Sub Processor) to (i) Process Controller Personal Data; and (ii) in particular, transfer Controller Personal Data to any country or territory, in each case as reasonably necessary for the provision of the services provided under the Principal Agreement, consistent with Section 2.1 above and the Principal Agreement, and in accordance with Applicable Laws.
- Furthermore, Controller warrants and represents that it is and will remain duly and effectively authorized to give the instructions set out in Section 2.2 and any additional instructions as provided pursuant to the Principal Agreement and/or in connection with the performance thereof, on behalf of itself and each relevant Controller Affiliate, at all relevant times and at least for as long as the Principal Agreement is in effect and for any additional period during which Processor is lawfully processing the Controller Personal Data.
- Controller sets forth the details of the Processing of Controller Personal Data, as required by Article 28(3) of the GDPR, in Annex 1 (Details of Processing of Controller Personal Data), attached hereto.
- Without derogating from Controller’s obligations hereunder, including under the Principal Agreement, Controller may only provide to Processor, or otherwise have Processor (or anyone on its behalf) process, such Controller Personal Data types and parameters which are explicitly described in the Principal Agreement (the “Permitted Controller Personal Data”). Solely Controller (and not Processor) shall be liable for any data which is provided or otherwise made available to Processor or anyone on its behalf in excess of the Permitted Controller Personal Data (“Excess Data”). Processor obligations under the Principal Agreement or this DPA shall not apply to any such Excess Data.
- Processor Personnel. Processor shall take reasonable steps to ensure that access to the Controller Personal Data is limited on a need to know/access basis, and that all Processor personnel receiving such access are subject to confidentiality undertakings or professional or statutory obligations of confidentiality in connection with their access/use of Controller Personal Data.
- Security. Processor shall, in relation to the Controller Personal Data, implement appropriate technical and organizational measures to ensure an appropriate level of security, including, as appropriate and applicable, the measures referred to in Article 32(1) of the GDPR. In assessing the appropriate level of security, Processor shall take into account the risks that are presented by Processing, in particular from a Personal Data Breach.
- Sub Processing
- Controller authorizes Processor and each Processor Affiliate to appoint (and permit each Sub Processor appointed in accordance with this Section 5 to appoint) Sub Processors in accordance with this Section 5 and any restrictions in the Principal Agreement.
- Processor and each Processor Affiliate may continue to use those Sub Processors already engaged by Processor or any Processor Affiliate as of the date of this DPA, including for the purpose of cloud hosting services by reputable Sub Processors, as well as any Sub Processors whom Controller requested Processor to use. A current list of Sub Processors is attached hereto as Annex 2.
- Processor may appoint new Sub Processors and shall give notice of the appointment of any new Sub Processor (for instance by e-mail), whether by general or specific reference to such Sub Processor (e.g., by name or type of service), including relevant details of the Processing to be undertaken by the new Sub Processor. If, within seven (7) days of such notice, Controller notifies Processor in writing of any objections (on reasonable grounds) to the proposed appointment, Processor shall not appoint for the processing of Controller Personal Data the proposed Sub Processor until reasonable steps have been taken to address the objections raised by Controller, and Controller has been provided with a reasonable written explanation of the steps taken. Where such steps are not sufficient to relieve Controller’s reasonable objections then Controller or Processor may, by written notice to the other Party, with immediate effect, terminate the Principal Agreement to the extent that it relates to the Services which require the use of the proposed Sub Processor without bearing liability for such termination.
- With respect to each new Sub Processor, Processor shall:
- before the Sub Processor first Processes Controller Personal Data, take reasonable steps (for instance by way of reviewing privacy policies as appropriate) to ensure that the Sub Processor is committed to provide the level of protection for Controller Personal Data required by the Principal Agreement; and
- ensure that the arrangement between the Processor and the Sub Processor is governed by a written contract, including terms which offer materially similar level of protection for Controller Personal Data as those set out in this DPA that meet the requirements of Applicable Laws.
- Data Subject Rights
- Controller shall be solely responsible for compliance with any statutory obligations concerning requests to exercise Data Subject rights under Data Protection Laws (e.g., for access, rectification, deletion of Controller Personal Data, etc.). Taking into account the nature of the Processing, Processor shall reasonably endeavour to assist Controller insofar as feasible, to fulfil Controller's said obligations with respect to such Data Subject requests, as applicable, at Controller’s sole expense.
- Processor shall:
- promptly notify Controller if it receives a request from a Data Subject under any Data Protection Law in respect of Controller Personal Data; and
- ensure that it does not respond to that request except on the documented instructions of Controller or as required by Applicable Laws to which the Processor is subject, in which case Processor shall, to the extent permitted by Applicable Laws, inform Controller of that legal requirement before it responds to the request.
- Personal Data Breach
- Processor shall notify Controller without undue delay upon Processor becoming aware of a Personal Data Breach affecting Controller Personal Data, in connection with the Processing of such Controller Personal Data by the Processor or Processor Affiliates. In such event, Processor shall provide Controller with information (to the extent in Processor’s possession) to assist Controller to meet any obligations to inform Data Subjects or Data Protection authorities of the Personal Data Breach under the Data Protection Laws.
- At the written request of the Controller, Processor shall reasonably cooperate with Controller and take such commercially reasonable steps as are agreed by the Parties or necessary under Data Protection Laws to assist in the investigation, mitigation and remediation of each such Personal Data Breach, at Controller’s sole expense.
- Data Protection Impact Assessment and Prior Consultation. At the written request of the Controller, the Processor and each Processor Affiliate shall provide reasonable assistance to Controller, at Controller's expense, with any data protection impact assessments or prior consultations with Supervisory Authorities or other competent data privacy authorities, as required under any applicable Data Protection Laws. Such assistance shall be solely in relation to Processing of Controller Personal Data by the Processor.
- Deletion or return of Controller Personal Data
- Subject to Section 9.2, Processor shall promptly, and in any event within sixty (60) days of the date of cessation of any services involving the Processing of Controller Personal Data (the "Cessation Date"), delete or anonymize all copies of that Controller Personal Data, except such copies as are authorized (including under the Principal Agreement and this DPA) or required to be retained in accordance with applicable law and/or regulation. Without derogating from the foregoing, Processor may also retain one copy of the Controller Personal Data solely for evidence purposes and/or for the establishment, exercise or defense of legal claims and/or for compliance with legal obligations.
- Subject to the Principal Agreement, Processor may retain Controller Personal Data to the extent authorized or required by Applicable Laws, provided that Processor shall ensure the confidentiality of all such Controller Personal Data and shall ensure that it is only processed for such legal purpose(s).
- Audit Rights
- Subject to Sections 10.2 and 10.3, Processor shall make available to a reputable auditor mandated by Controller in coordination with Processor, upon prior written request, such information as is necessary to reasonably demonstrate compliance with this DPA, and shall allow for audits, including inspections, by such reputable auditor mandated by the Controller in relation to the Processing of the Controller Personal Data by the Processor, provided that such third-party auditor shall be subject to confidentiality obligations.
- Provisions of information and audits are and shall be at Controller’s sole expense and may only arise under Section 10.1 to the extent that the Principal Agreement does not otherwise give Controller information and audit rights meeting the relevant requirements of the applicable Data Protection Laws. In any event, all audits or inspections shall be subject to the terms of the Principal Agreement, and to Processor's obligations to third parties, including with respect to confidentiality.
- Controller shall give Processor reasonable prior written notice of any audit or inspection to be conducted under Section 10.1 and shall use (and ensure that each of its mandated auditors uses) its best efforts to avoid causing (or, if it cannot avoid, to minimize) any damage, injury or disruption to the Processor's premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit or inspection. Processor need not give access to its premises for the purposes of such an audit or inspection:
- to any individual unless he or she produces reasonable evidence of identity and authority;
- if Processor was not given written notice of such audit or inspection at least two (2) weeks in advance;
- outside normal business hours at those premises, unless the audit or inspection needs to be conducted on an emergency basis and Controller has given notice to Processor that this is the case before attendance outside those hours begins;
- for premises outside the Processor's control (such as data storage farms of Processor's cloud hosting providers);
- if more than one (1) audit or inspection, in respect of each Processor, already took place in the same calendar year, except for any additional audits or inspections which:
- Controller reasonably considers necessary because of genuine concerns as to Processor’s compliance with this DPA; or
- Controller is required to carry out by Data Protection Law, a Supervisory Authority or any similar regulatory authority responsible for the enforcement of Data Protection Laws in any country or territory, where Controller has identified its concerns or the relevant requirement or request in its prior written notice to Processor of the audit or inspection.
- Data Transfers.
- Client acknowledges that Sentra may operate and provide services outside the EU; therefore any transfer of EU Data Subjects' Personal Data shall be subject to (i) Adequacy Decisions; or (ii) Module II and Module III of the Standard Contractual Clauses, in which case Sentra shall be deemed the "Data Importer" and Client shall be deemed the "Data Exporter", and Annex 1 shall apply to Module II (Data Controller to Data Processor transfers) and Module III (Data Processor to Data Processor transfers).
- If Sentra engages a Sub Processor, in accordance with Section 5, for carrying out specific processing activities (on behalf of Client), Sentra and the Sub Processor shall ensure compliance with GDPR Chapter V by using the Standard Contractual Clauses. In such event, Sentra shall be deemed the Data Exporter and the Sub Processor shall be deemed the Data Importer. For the purposes of such engagement, Sentra and the Sub Processor will enter into Module III of the Standard Contractual Clauses.
- Specifically, EU-US Transfers: Following Schrems II, Case No. C-311/18, and related guidance from supervisory authorities, the Parties acknowledge that supplemental measures may be needed with respect to EU-U.S. data transfers where Personal Data may be Processed in the US. The Parties acknowledge and warrant that Sentra’s EU operations involve merely ordinary commercial services, and that any EU-U.S. transfers of Personal Data contemplated by this DPA involve ordinary commercial information, which is not the type of data that is of interest to, or generally subject to, surveillance by U.S. intelligence agencies. Accordingly, Sentra acknowledges that it will not provide access to Data Subject Personal Data to any US government or intelligence agency, except where, following consultation with its legal advisors, it is necessary under US law or a valid and binding order of a government authority (such as pursuant to a court order). In any such case, Sentra will attempt to redirect the requesting agency to request the data directly from Client. Unless Sentra is legally prohibited from doing so, in any such case Sentra will: (1) promptly give Client and the affected Data Subject written notice of such demand in order to allow Client to seek recourse or other appropriate remedy to adequately protect the privacy of the Data Subject Personal Data; and (2) in any event, provide access only to such Personal Data as is strictly required by the relevant law or binding order (having used reasonable efforts to minimize and limit the scope of any such access), as determined solely by Sentra’s legal advisors.
- General Terms
- Governing Law and Jurisdiction.
- The Parties to this DPA hereby submit to the choice of jurisdiction stipulated in the Principal Agreement with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity; and
- This DPA and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Principal Agreement.
- Order of Precedence. Nothing in this DPA reduces Processor’s obligations under the Principal Agreement in relation to the protection of Personal Data or permits Processor to Process (or permit the Processing of) Personal Data in a manner which is prohibited by the Principal Agreement. In the event of any conflict or inconsistency between this DPA and the Principal Agreement, this DPA shall prevail solely with respect to the subject matter of this DPA and solely if such conflict or inconsistency originates from the requirements of Article 28 of the GDPR (except where explicitly agreed otherwise in writing, signed on behalf of the Parties). This DPA is not intended to, and does not in any way, limit or derogate from Controller’s own obligations and liabilities towards the Processor under the Principal Agreement, and/or pursuant to the GDPR or any law applicable to Controller, in connection with the collection, handling and use of Personal Data by Controller or its Affiliates or other processors or their sub-processors, including with respect to the transfer or provision of Personal Data to Processor and/or providing access thereto to Processor.
Subject to this Section 12.2, with regard to the subject matter of this DPA, in the event of inconsistencies between the provisions of this DPA and any other agreements between the Parties, including the Principal Agreement and including (except where explicitly agreed otherwise in writing, signed on behalf of the Parties) agreements entered into or purported to be entered into after the date of this DPA, the provisions of this DPA shall prevail.
- Changes in Data Protection Laws.
- Controller may by at least forty-five (45) calendar days' prior written notice to Processor, request in writing any variations to this DPA if they are required, as a result of any change in, or decision of a competent authority under any applicable Data Protection Law, to allow Processing of those Controller Personal Data to be made (or continue to be made) without breach of that Data Protection Law; and
- If Controller gives notice with respect to its request to modify this DPA under Section 12.3.1:
- Processor shall make commercially reasonable efforts to accommodate such modification request; and
- Controller shall not unreasonably withhold or delay agreement to any consequential variations to this DPA proposed by Processor to protect the Processor against additional risks, or to indemnify and compensate Processor for any further steps and costs associated with the variations made herein.
- If Controller gives notice under Section 12.3.1, the Parties shall promptly discuss the proposed variations and negotiate in good faith with a view to agreeing and implementing those or alternative variations designed to address the requirements identified in Controller's notice as soon as is reasonably practicable. In the event that the Parties are unable to reach such an agreement within thirty (30) days, then Controller or Processor may, by written notice to the other Party, with immediate effect, terminate the Principal Agreement to the extent that it relates to the Services which are affected by the proposed variations (or lack thereof).
- Severance. Should any provision of this DPA be deemed invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall either be (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
Annex 1: Details of Processing Of Controller Personal Data
This Annex 1 includes certain details of the Processing of Controller Personal Data as required by Article 28(3) GDPR.
Data Exporter
- Name: Client
- Contact Person Name, Contact Person Position, Contact Person Email:
- Activities relevant to the transfer: See below
- Role: Data Controller or Data Processor

Data Importer
- Name: Sentra Inc.
- Contact Person's Name, position and contact details: As identified in the Principal Agreement or Order
- Activities relevant to the transfer: See below
- Role: Data Processor
Subject matter and duration of the Processing of Controller Personal Data. The subject matter and duration of the Processing of the Controller Personal Data are set out in the Principal Agreement.
The nature and purpose of the Processing of Controller Personal Data: the purposes of Processing Controller Personal Data shall include the following: (i) performance, management and enforcement of the Principal Agreement, this DPA and, to the extent applicable, other contracts executed by the Parties, including with respect to the provision of Sentra products and/or services and any support and technical maintenance in connection therewith; (ii) for Sentra to comply with Client’s instructions where such instructions are consistent with the terms of the Principal Agreement; (iii) resolving disputes; (iv) defending Sentra’s rights; (v) compliance with applicable laws and regulations, including where such compliance entails cooperation with local and foreign tax authorities; and (vi) any and all tasks related to the foregoing.
The types of Controller Personal Data to be processed are as follows:
- Full name
- Username and Password
- Email address
- Organization name
- Position
- IP address
- Information contained in Client’s cloud (including without limitation cloud infrastructure)
The categories of Data Subjects to whom the Controller Personal Data relates are as follows:
- Client employees, consultants and other personnel.
- Any third parties that may have access to or otherwise be included in any Client’s cloud materials.
The competent supervisory authority, in accordance with Clause 13 of the SCCs, must be (i) the supervisory authority applicable to the data exporter in its EEA country of establishment or, (ii) where the data exporter is not established in the EEA, the supervisory authority applicable in the EEA country where the data exporter's EU representative has been appointed pursuant to Article 27(1) of the GDPR, or (iii) where the data exporter is not obliged to appoint a representative, the supervisory authority applicable to the EEA country where the data subjects relevant to the transfer are located.
Annex 2: List of approved Sub-Processors
Name (of entity if applicable): AWS
Address: 410 Terry Avenue North, Seattle, WA 98109-5210
Server location: US, Virginia
Description of the processing: Hosting services
Name (of entity if applicable): Okta Inc.
Address: 10800 NE 8th Street, Suite 700, Bellevue, Washington 98004, USA
Server location: United States
Description of the processing: Authentication services