Data Processing Agreement

Data Processor: SentraSales Ltd · Data Controller: The subscribing Customer

Effective: 9 March 2026 · Regulation: UK GDPR / EU GDPR (where applicable)

By subscribing to and using the SentraSales platform, the Customer agrees to the terms of this DPA. This DPA forms part of the Terms of Service and is incorporated by reference. No separate signature is required — acceptance occurs at the point of subscription.

1. Definitions

ControllerThe Customer — the entity that determines the purposes and means of processing personal data through the platform.
ProcessorSentraSales Ltd — the entity that processes personal data on behalf of the Controller.
Sub-ProcessorA third party engaged by the Processor to assist in processing personal data.
Personal DataAny information relating to an identified or identifiable natural person processed via the platform, including lead contact data, call recordings, transcripts, and user account data.

2. Nature & Purpose of Processing

Subject Matter: SentraSales Ltd processes personal data on behalf of the Customer solely to provide the SentraSales platform services, including lead management, call recording and transcription, AI-powered call analysis, follow-up automation, and reporting.

Types of Personal Data:

  • B2B contact information (names, job titles, email addresses, telephone numbers, company names)
  • Call recordings and associated metadata
  • AI-generated transcripts and analysis derived from calls
  • User account data (names, email addresses, roles)

Categories of Data Subjects: Platform users (employees of the Customer) and the Customer's business contacts and leads.

Duration: Processing continues for the duration of the subscription. Upon termination, personal data is retained for 90 days for data export, then securely deleted unless longer retention is required by law.

3. Processor Obligations

SentraSales Ltd agrees to:

  • Process personal data only on the documented instructions of the Customer
  • Ensure all personnel with data access are subject to confidentiality obligations
  • Implement and maintain appropriate technical and organisational security measures (Article 32 UK GDPR)
  • Notify the Customer within 72 hours upon becoming aware of a personal data breach
  • Assist the Customer in responding to data subject requests within UK GDPR timescales
  • Allow for audits and inspections with reasonable notice
  • Delete or return all personal data upon termination in accordance with the retention schedule

4. Sub-Processors

Sub-ProcessorServicesKey Guarantee
OpenAI Inc.Call transcription (Whisper) & AI analysis (GPT-4o)API data is NOT used to train OpenAI models. DPA compliant with UK/EU GDPR. SCCs in place for US transfers.
Twilio Inc.Phone provisioning, call routing, recording storageSOC 2 Type II & ISO 27001 certified. EU/UK data region configured by default.
Stripe Inc.Payment processing & subscription managementPCI DSS Level 1 certified. Card data never processed by SentraSales directly.
Google LLCGmail integration & Docs generation (optional)Only engaged when Customer explicitly connects Google Workspace via OAuth.

We will provide at least 30 days' prior notice before engaging any new sub-processor. Customers may object during this period.

5. Data Retention & Deletion

Data TypeRetention PeriodNotes
Call Recordings90 daysAuto-deleted after 90 days. Custom retention available on Scale plan.
Call Transcripts12 monthsText only. Can be deleted at any time from the lead record.
Call MetadataAccount lifetimeDate, duration, outcome — retained for reporting. Deleted on account termination.
Lead / Contact DataAccount lifetimeRetained until lead is deleted or account is terminated.
Account Data90 days post-terminationRetained for export, then securely deleted.

6. International Data Transfers

Transfers to countries outside the UK/EEA (specifically OpenAI in the United States) are made under Standard Contractual Clauses (SCCs) approved by the UK ICO under the IDTA framework, or where an adequacy decision exists.

7. Security Measures

Encryption in transit (TLS 1.2+)
Encryption at rest (AES-256)
Role-based access control (RBAC)
Multi-tenant data isolation
Regular penetration testing
Employee security training
Audit logging of data access
Incident response procedures

8. Controller Obligations

The Customer confirms that it has a lawful basis for processing the personal data provided to SentraSales Ltd, has provided required notices to data subjects (including regarding call recording), will comply with all applicable data protection legislation, and will promptly inform SentraSales Ltd of any data subject requests or regulatory enquiries.

9. Contact

Data Protection Officer: legal@sentrasales.com

Suite 608, 37 Westminster Buildings, Theatre Square, Nottingham, NG1 6LG