Data Processing Agreement
Data Processor: SentraSales Ltd · Data Controller: The subscribing Customer
Effective: 9 March 2026 · Regulation: UK GDPR / EU GDPR (where applicable)
1. Definitions
2. Nature & Purpose of Processing
Subject Matter: SentraSales Ltd processes personal data on behalf of the Customer solely to provide the SentraSales platform services, including lead management, call recording and transcription, AI-powered call analysis, follow-up automation, and reporting.
Types of Personal Data:
- B2B contact information (names, job titles, email addresses, telephone numbers, company names)
- Call recordings and associated metadata
- AI-generated transcripts and analysis derived from calls
- User account data (names, email addresses, roles)
Categories of Data Subjects: Platform users (employees of the Customer) and the Customer's business contacts and leads.
Duration: Processing continues for the duration of the subscription. Upon termination, personal data is retained for 90 days for data export, then securely deleted unless longer retention is required by law.
3. Processor Obligations
SentraSales Ltd agrees to:
- Process personal data only on the documented instructions of the Customer
- Ensure all personnel with data access are subject to confidentiality obligations
- Implement and maintain appropriate technical and organisational security measures (Article 32 UK GDPR)
- Notify the Customer within 72 hours upon becoming aware of a personal data breach
- Assist the Customer in responding to data subject requests within UK GDPR timescales
- Allow for audits and inspections with reasonable notice
- Delete or return all personal data upon termination in accordance with the retention schedule
4. Sub-Processors
| Sub-Processor | Services | Key Guarantee |
|---|---|---|
| OpenAI Inc. | Call transcription (Whisper) & AI analysis (GPT-4o) | API data is NOT used to train OpenAI models. DPA compliant with UK/EU GDPR. SCCs in place for US transfers. |
| Twilio Inc. | Phone provisioning, call routing, recording storage | SOC 2 Type II & ISO 27001 certified. EU/UK data region configured by default. |
| Stripe Inc. | Payment processing & subscription management | PCI DSS Level 1 certified. Card data never processed by SentraSales directly. |
| Google LLC | Gmail integration & Docs generation (optional) | Only engaged when Customer explicitly connects Google Workspace via OAuth. |
We will provide at least 30 days' prior notice before engaging any new sub-processor. Customers may object during this period.
5. Data Retention & Deletion
| Data Type | Retention Period | Notes |
|---|---|---|
| Call Recordings | 90 days | Auto-deleted after 90 days. Custom retention available on Scale plan. |
| Call Transcripts | 12 months | Text only. Can be deleted at any time from the lead record. |
| Call Metadata | Account lifetime | Date, duration, outcome — retained for reporting. Deleted on account termination. |
| Lead / Contact Data | Account lifetime | Retained until lead is deleted or account is terminated. |
| Account Data | 90 days post-termination | Retained for export, then securely deleted. |
6. International Data Transfers
Transfers to countries outside the UK/EEA (specifically OpenAI in the United States) are made under Standard Contractual Clauses (SCCs) approved by the UK ICO under the IDTA framework, or where an adequacy decision exists.
7. Security Measures
8. Controller Obligations
The Customer confirms that it has a lawful basis for processing the personal data provided to SentraSales Ltd, has provided required notices to data subjects (including regarding call recording), will comply with all applicable data protection legislation, and will promptly inform SentraSales Ltd of any data subject requests or regulatory enquiries.
9. Contact
Data Protection Officer: legal@sentrasales.com
Suite 608, 37 Westminster Buildings, Theatre Square, Nottingham, NG1 6LG