DATA PROCESSING ADDENDUM – Sentai Ltd
This Data Processing Addendum (“Addendum”) is entered into by and between:
1. Sentai Ltd, a company incorporated in England and Wales with company number 12049288 whose registered office is at 71-75 Shelton Street, London, Greater London, WC2H 9JQ, United Kingdom (“Processor”); and
2. The customer whose details are set out in the Main Agreement (as defined below) (“Controller”).
Background
(A) The Controller and Processor entered into the Main Agreement that will require the Processor to process Personal Data on behalf of the Controller.
(B) This Addendum sets out the additional terms, requirements and conditions on which the Processor will process Personal Data when providing services under the Main Agreement. This Addendum contains the mandatory clauses required by Article 28(3) of the UK GDPR.
Together, the “Parties” agree as follows:
1. Definitions and Interpretation
• “Main Agreement”: the Trial Agreement or SaaS Agreement between the parties, as applicable. If the parties entered into a SaaS Agreement following the Trial Agreement, then references to ‘Main Agreement’ shall automatically apply to the SaaS Agreement.
• “Business Purposes”: the services to be provided by the Processor to the Controller as described in the Main Agreement.
• “Controller, Processor, Data Subject, Personal Data, Personal Data Breach and Processing”: have the meanings given in the Data Protection Laws.
• “Data Protection Laws” means:
o to the extent the UK GDPR applies, the law of the United Kingdom or of a part of the United Kingdom which relates to the protection of Personal Data.
o to the extent the EU GDPR applies, the law of the European Union or any member state of the European Union to which the Processor or Controller is subject, which relates to the protection of Personal Data.
• “Data Transfer” means a transfer of personal data outside the UK/EEA that requires additional safeguards under Data Protection Laws.
• “EU GDPR”: the General Data Protection Regulation (EU) 2016/679.
• “Subprocessor” means any third party appointed by the Processor to process personal data on behalf of the Processor.
• “Supervisory Authority” means an independent public authority established under Data Protection Laws to supervise compliance with Data Protection Laws, which, in the United Kingdom, refers to the Information Commissioner’s Office (ICO).
• “Term”: this Addendum’s term as defined in clause 11.1.
• “UK GDPR”: has the meaning given in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018 (“DPA 2018”).
• This Addendum is subject to the terms of the Main Agreement and is incorporated into the Main Agreement. Interpretations and defined terms set forth in the Main Agreement apply to the interpretation of this Addendum.
• The Annex forms part of this Addendum and will have effect as if set out in full in the body of this Addendum. Any reference to this Addendum includes the Annex.
• A reference to writing or written includes email.
• In case of a conflict between any of the provisions of this Addendum and the provisions of the Main Agreement, the provisions of this Addendum will prevail.
2. Personal data types and processing purposes
2.1 The Controller and the Processor agree and acknowledge that for the purpose of the Data Protection Laws the Controller retains control of the Personal Data and remains responsible for its compliance obligations under the Data Protection Laws, including but not limited to, providing any required notices and obtaining any required consents, and for the written processing instructions it gives to the Processor.
3. Scope & Processing of Data
3.1 This clause 3 describes the subject matter, duration, nature and purpose of the processing and the Personal Data categories and Data Subject types in respect of which the Processor may process the Personal Data to fulfil the Business Purposes.
3.2 Subject Matter of Processing: providing the services set out in Main Agreement on behalf of the Controller.
3.3 Duration of Processing: The term of the Main Agreement.
3.4 Nature of Processing: The Processing relates to the provision of the SaaS services described in the Main Agreement to the Controller. The Processor and its Subprocessors will perform such acts of Processing of Personal Data as are necessary to provide those services in accordance with the Controller’s instructions, including but not limited to the transmission, storage and other Processing of Personal Data submitted to the services.
3.5 Types of Personal Data Processed:
• Identity Data (e.g. name, date of birth)
• Contact Data (e.g. email, phone number)
• Activity Data (e.g. motion, presence detection)
• Communication Data (e.g. chat messages, transcripts)
• Device Data (e.g. IP address, call logs)
3.6 Categories of Data Subjects:
• Care provider employees
• End users (consumers receiving the Processor’s services)
• Family members of end users
3.7 Lawful Basis for Processing:
3.7.1 The Controller warrants that it has a lawful basis for processing the Personal Data and has obtained all necessary consents where required under the Data Protection Laws.
3.7.2 Where the processing of special category data (as defined under Article 9 UK GDPR) is necessary, the Controller shall ensure that it has obtained explicit consent from data subjects or identified another valid legal basis. The Processor shall apply heightened security and access controls to such data.
4. Processor Obligations
4.1 The Processor will only process the Personal Data to the extent, and in such a manner, as is necessary for the Business Purposes in accordance with the Controller’s written instructions. The Processor will not process the Personal Data for any other purpose or in a way that does not comply with this Addendum or the Data Protection Laws. The Processor must promptly notify the Controller if, in its opinion, the Controller’s instructions do not comply with the Data Protection Laws.
4.2 The Processor shall:
4.2.1 Comply with all applicable Data Protection Laws.
4.2.2 Ensure that employees or personnel who handle Personal Data are bound by strict confidentiality obligations.
4.3 The Processor shall implement appropriate technical and organisational measures to protect Personal Data, including but not limited to:
4.3.1 Encryption of data at rest and in transit
4.3.2 Access controls with role-based permissions
4.3.3 Firewalls and intrusion detection systems
4.3.4 Maintenance of logs of all personnel access to the Personal Data
4.4 The Processor will reasonably assist the Controller, at the Controller’s cost, with meeting the Controller’s compliance obligations under the Data Protection Laws, taking into account the nature of the Processor’s processing and the information available to the Processor, including in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with the Supervisory Authority under the Data Protection Laws.
5. Subprocessing
5.1 Authorisation to Use Subprocessors
5.1.1 To the extent necessary to fulfil the Processor’s contractual obligations under this Addendum, the Controller hereby authorises the Processor to engage Subprocessors. A current list of Subprocessors for the applicable services is available at www.sentai.co.uk/subprocessors (the “Subprocessor List”). The Controller agrees to the appointment of those Subprocessors listed in the Subprocessor List.
5.1.2 Sentai Ltd agrees that it shall not transfer Personal Data to any entity not named on the Subprocessor List without providing prior notice to the Controller.
5.2 Subprocessor Compliance
The Processor shall:
5.2.1 Enter into a written agreement with each Subprocessor that imposes data protection obligations consistent with this Addendum; and
5.2.2 Remain responsible for the acts and omissions of Subprocessors to the same extent Sentai Ltd would be liable if performing the services directly under this Addendum.
5.3 Right to Object to Subprocessors
5.3.1 Sentai Ltd will, at least 15 days prior to engaging a new Subprocessor, notify the Controller by updating the Subprocessor List and providing written notice. The Controller, acting reasonably, may object to such engagement in writing within 15 days of such notice. If the Controller does not object within that period, the new Subprocessor will be deemed accepted.
5.3.2 If the Controller objects and Sentai Ltd cannot provide the services without using the objected-to Subprocessor, and cannot reasonably satisfy the Controller’s concerns within thirty (30) days, then the Controller may elect to terminate any portion of the services requiring the use of that Subprocessor.
6. Data Subject Rights
6.1 Handling Data Subject Requests
• The Processor shall notify the Controller if it receives any request from a Data Subject regarding Personal Data or otherwise relating to the Controller, including a Data Subject’s exercise of rights under applicable Data Protection Laws (a “Data Subject Request”).
6.2 Controller Responsibility for Data Subject Requests
• If the Processor receives a Data Subject Request relating to Personal Data, it will direct the Data Subject to submit the request to the Controller, who is responsible for responding to the request. Where necessary and upon written request, the Processor will provide reasonable assistance (taking into account the nature of the processing) to enable the Controller to respond to such requests.
7. Security Incidents
7.1 The Processor must at all times implement appropriate technical and organisational measures against accidental, unauthorised or unlawful processing, access, copying, modification, reproduction, display or distribution of the Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data including, but not limited to, the security measures set out in the Annex.
7.2 The Processor must implement such measures to ensure a level of security appropriate to the risk involved, including as appropriate:
7.2.1 the pseudonymisation and encryption of Personal Data;
7.2.2 the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
7.2.3 the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
7.2.4 a process for regularly testing, assessing and evaluating the effectiveness of the security measures.
7.3 In the event of a Personal Data Breach, the Processor shall promptly and without undue delay:
7.3.1 Take immediate steps to mitigate and contain the Personal Data Breach and minimise further risks or damage.
7.3.2 Implement appropriate industry-standard measures to preserve and document electronic evidence related to the Personal Data Breach.
7.3.3 Notify the Controller of the nature of the Personal Data Breach, including (where possible) details of the affected Personal Data, categories of Data Subjects involved, and the estimated number of records impacted.
7.3.4 Provide contact information for the Processor’s designated point of contact for further inquiries, along with any available details of the likely consequences of the Personal Data Breach and the steps taken to address or mitigate its adverse effects.
7.3.5 Take proactive measures to prevent similar incidents in the future by reviewing and enhancing security protocols as necessary.
7.3.6 Cooperate with any investigations, legal disputes, regulatory inquiries or other proceedings relating to the Personal Data Breach.
8. Data Transfers
8.1 The Processor shall not transfer personal data outside the UK/EEA without the Controller’s prior written approval.
8.2 Where such data transfers occur, the Processor shall ensure:
8.2.1 The implementation of a valid transfer mechanism under Data Protection Laws; and
8.2.2 Additional safeguards as appropriate (e.g. encryption, strict access controls).
9. Data Retention & Deletion
9.1 Upon termination or expiration of this Addendum, the Processor shall:
9.1.1 Return or securely delete all Personal Data within ten (30) business days, unless it is legally required to retain it.
9.1.2 Provide a written certification of data deletion upon the Controller’s request.
10. Audit & Compliance
10.1 The Processor shall:
10.1.1 Maintain records of its processing activities in respect of the Personal Data.
10.1.2 Allow the Controller (or its appointed auditor) to conduct audits, including on-site inspections, to verify compliance with this Addendum, subject to 30 days’ written notice and clause 12 (Confidentiality).
10.1.3 Provide the Controller with information necessary to demonstrate compliance with Data Protection Laws.
11. Term and termination
11.1 This Addendum will remain in full force and effect so long as:
11.1.1 The Main Agreement remains in effect; or
11.1.2 the Processor retains any of the Personal Data related to the Main Agreement in its possession or control (Term).
11.2 Any provision of this Addendum that expressly or by implication should come into or continue in force on or after termination of the Main Agreement in order to protect the Personal Data will remain in full force and effect.
12. Confidentiality
12.1 Each party undertakes that it shall not at any time disclose to any person any confidential information concerning the business, affairs, customers, clients or suppliers of the other party, except as permitted by clause 12.2.
12.2 Each party may disclose the other party’s confidential information:
12.2.1 to its employees, officers, representatives, contractors, subcontractors or advisers who need to know such information for the purposes of exercising the party’s rights or carrying out its obligations under or in connection with this Addendum. Each party shall ensure that its employees, officers, representatives, contractors, subcontractors or advisers to whom it discloses the other party’s confidential information comply with this clause 12; and
12.2.2 as may be required by law, a court of competent jurisdiction or any governmental or regulatory authority.
12.3 No party may use any other party’s confidential information for any purpose other than to exercise its rights and perform its obligations under or in connection with this Addendum.
13. Notice
13.1 The notice provisions of the Main Agreement shall apply to this Addendum.
14. Governing Law & Jurisdiction
14.1 This Addendum shall be governed by and construed in accordance with the laws of England and Wales.
14.2 Any dispute or claim arising out of or in connection with this Addendum or its subject matter shall be subject to the exclusive jurisdiction of the courts of England and Wales.
ANNEX
Security measures
This Annex outlines the technical and organisational measures implemented by the Processor to ensure the security of Personal Data processed under this Addendum, categorised as follows:
1. PHYSICAL ACCESS CONTROLS
1.1. Secured Facilities: Physical access to data processing facilities is restricted through measures like keycards, biometrics, and 24/7 surveillance.
1.2. Environmental Protections: Infrastructure housing Personal Data is safeguarded against environmental risks and unauthorised physical intrusion.
2. SYSTEM ACCESS CONTROLS
2.1. Authentication Mechanisms: Access to systems processing Personal Data requires secure login procedures, including strong passwords and multi-factor authentication; network intrusion detection is used to identify unauthorised access attempts.
2.2. Malware Protection: Up-to-date antivirus, anti-malware, and endpoint detection tools are deployed across all systems.
2.3. Vulnerability Management: Regular scans and patches are performed to identify and address system vulnerabilities.
2.4. Network Security: Firewalls, encryption, and network segmentation are used to prevent unauthorised access.
3. DATA ACCESS CONTROLS
3.1. Authorisation: Personal Data is accessible only to authorised personnel for the purposes specified in this Addendum.
3.2. Audit Logs: System and audit trails record access, modifications, and transfers of Personal Data, retained for 2 years.
3.3. Pseudonymisation/Encryption: Personal Data is pseudonymised or encrypted at rest, where appropriate, to reduce identifiability risks.
3.4. Training: Employees and contractors undergo regular training on data protection and security protocols.
4. TRANSMISSION CONTROLS
4.1. Encryption in Transit: Personal Data is encrypted during transmission using secure protocols (e.g., TLS, HTTPS).
4.2. Secure Channels: Data transfers occur only through approved, authenticated channels to prevent interception or tampering.
5. INPUT CONTROLS
5.1. Validation: Input mechanisms include automated validation checks to ensure data integrity and accuracy.
5.2. Authorisation for Entry: Only authorised personnel may input, modify, or delete Personal Data in systems.
6. DATA BACKUPS
6.1. Redundancy and Recovery: Regular backups are performed, stored securely, and tested to ensure timely restoration of Personal Data in case of incidents.
7. DATA SEGREGATION
7.1. Logical Separation: Personal Data is logically segregated to ensure it is processed only for the purposes specified in this Addendum.