Data Processing Addendum

SENTRAMA — DATA PROCESSING ADDENDUM (DPA)
Algorithmic Cold Calling Platform

1. Introduction and incorporation

1.1 This Data Processing Addendum (the "DPA") is entered into between Brightside Enterprises Limited T/A Sentrama, a company registered in England and Wales with company number 12265340, registered office Unit 3, Temple Campus, Temple Gate, Bristol, England, BS1 6QA ("Sentrama", "we", "us"), and the customer that accepts the Sentrama Terms of Service (the "Terms") and uses the Platform ("you", "Customer").

1.2 Incorporation. This DPA forms part of, and is incorporated by reference into, the Terms. It is binding on both parties from the moment you accept the Terms, whether or not it is also separately signed. Terms defined in the Terms have the same meaning in this DPA unless otherwise defined here. This DPA governs our Processing of Personal Data carried out as your Processor in connection with the Platform.

1.3 Purpose. The purpose of this DPA is to set out the parties' respective obligations in relation to the Processing of Personal Data and to satisfy the requirements of Article 28(3) of the GDPR and equivalent provisions of the Data Protection Laws.

1.4 Order of precedence. In the event of any conflict in relation to the Processing of Personal Data: (a) the SCCs and/or UK IDTA (Section 9) prevail over the rest of this DPA to the extent of any restricted transfer; (b) this DPA prevails over the remainder of the Terms; and (c) the Terms prevail over any other agreement. In all other respects the Terms govern.

2. Definitions

  • "Data Protection Laws" — all laws and regulations applicable to the Processing of Personal Data under the Terms, including the UK GDPR (the retained EU General Data Protection Regulation as defined in the Data Protection Act 2018), the EU GDPR (Regulation (EU) 2016/679) where applicable, the Data Protection Act 2018, and the Privacy and Electronic Communications (EC Directive) Regulations 2003 ("PECR").
  • "Customer Personal Data" — Personal Data contained in Your Content or otherwise Processed by us as your Processor on your behalf under the Terms (for example, your uploaded contact lists, and the recordings, transcripts and calling-outcome records generated on your account).
  • "Controller", "Processor", "Data Subject", "Personal Data", "Personal Data Breach", "Process/Processing", "Special Category Data", "supervisory authority" — as defined in the UK GDPR.
  • "Sub-processor" — any third party engaged by us to Process Customer Personal Data.
  • "Restricted Transfer" — a transfer of Customer Personal Data to, or access from, a country outside the UK (or, where the EU GDPR applies, the EEA) that is not the subject of an adequacy decision.
  • "SCCs" — the Standard Contractual Clauses approved by the European Commission (Decision (EU) 2021/914) for the transfer of personal data to third countries.
  • "UK IDTA" — the UK International Data Transfer Agreement, and/or the UK Addendum to the SCCs, issued by the UK Information Commissioner under section 119A of the Data Protection Act 2018.
  • "Platform", "Prospect Data", "Your Content", "LIA" — as defined in the Terms.

3. Roles and scope of Processing

3.1 Roles. In respect of Customer Personal Data, you are the Controller and Sentrama is your Processor. Where you are yourself acting as a processor on behalf of a third-party controller, you warrant that you have that controller's authority to appoint us as a sub-processor on these terms and to give the instructions in this DPA.

3.2 Independent Controller processing. In respect of data that we independently source, compile, verify and prepare before making it available to you (including reachability verification under clause 4.1(c) of the Terms), Sentrama acts as an independent Controller, with its own lawful basis and its own privacy notice. This DPA governs only our Processor activities; our independent-Controller activities are governed by our Privacy Policy and applicable law, not by this DPA. Once such data is delivered or made available to you, you become the Controller for your subsequent use of it.

3.3 Details of Processing. The subject matter, duration, nature and purpose of the Processing, the types of Personal Data, and the categories of Data Subjects are set out in Annex 1.

3.4 No Special Category Data. The Platform is not intended to Process Special Category Data or data relating to criminal convictions and offences, and you must not submit such data (Terms, §4.4). We have no liability arising from your provision of prohibited data.

4. Our obligations as Processor (Article 28(3))

We will:

4.1 Documented instructions — Art 28(3)(a). Process Customer Personal Data only on your documented instructions (including as set out in the Terms, this DPA, and your configuration and use of the Platform), including with regard to Restricted Transfers, unless required to do otherwise by law to which we are subject; in that case we will inform you of the legal requirement before Processing, unless the law prohibits it on important grounds of public interest. We will inform you if, in our reasonable opinion, an instruction infringes the Data Protection Laws (but we are not obliged to provide legal advice or to monitor your compliance).

4.2 Confidentiality — Art 28(3)(b). Ensure that persons authorised to Process Customer Personal Data are subject to an appropriate duty of confidentiality (whether contractual or statutory) and Process the data only as instructed.

4.3 Security — Art 28(3)(c) / Art 32. Implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of Processing, as further described in Annex 2. We may update these measures from time to time provided the level of protection is not materially reduced.

4.4 Sub-processors — Art 28(3)(d) / Art 28(2) & (4). Engage Sub-processors only in accordance with Section 7, and impose on each Sub-processor, by written contract, data-protection obligations no less protective than those in this DPA. We remain fully liable to you for the performance of each Sub-processor's obligations.

4.5 Assistance with Data Subject rights — Art 28(3)(e). Taking into account the nature of the Processing, assist you by appropriate technical and organisational measures, insofar as possible, to respond to requests from Data Subjects exercising their rights under Chapter III of the UK GDPR (see Section 8).

4.6 Assistance with Articles 32–36 — Art 28(3)(f). Taking into account the nature of the Processing and the information available to us, assist you in ensuring compliance with your obligations under Articles 32 to 36 of the UK GDPR (security, Personal Data Breach notification, data protection impact assessments, and prior consultation with the supervisory authority).

4.7 Deletion or return — Art 28(3)(g). At your choice, delete or return all Customer Personal Data to you after the end of the provision of Services, and delete existing copies, unless the Data Protection Laws require storage of the data. This is subject to the export window and retention exceptions in Section 10.

4.8 Audits and information — Art 28(3)(h). Make available to you all information reasonably necessary to demonstrate compliance with the obligations in Article 28 and this DPA, and allow for and contribute to audits, including inspections, conducted by you or an auditor mandated by you, on the terms set out in Section 6.

5. Your obligations as Controller

You will: (a) comply with the Data Protection Laws in respect of Customer Personal Data, including having a valid lawful basis to Process and to share it with us; (b) where you rely on legitimate interests, complete and maintain a valid LIA (Terms, §6.4); (c) provide all privacy information required to Data Subjects (including, where applicable, the notice required by Article 14 of the UK GDPR); (d) ensure your instructions to us are lawful; and (e) be responsible for the accuracy, quality and legality of Customer Personal Data and the means by which you acquired it. You are responsible for the lawfulness of any calling, recording, or messaging you carry out through the Platform (Terms, §4.3 and §5.2).

6. Audits and information

6.1 We will make available the information described in clause 4.8 on your written request. Audits will be conducted on a documentation basis in the first instance (for example, by our provision of policies, certifications, or third-party audit reports where available).

6.2 Where a documentation-basis review is genuinely insufficient to verify our compliance, you (or an independent auditor mandated by you and bound by confidentiality, who must not be a competitor of ours) may carry out an on-site inspection no more than once in any 12-month period (and additionally following a Personal Data Breach affecting your data or where required by a supervisory authority), on reasonable prior written notice of at least 30 days, during normal business hours, in a manner that does not disrupt our operations and does not compromise the confidentiality, security, or data of our other customers.

6.3 Each party bears its own costs of an audit, save that you will reimburse our reasonable costs for any audit that goes beyond the scope reasonably necessary to verify compliance, or that is more frequent than provided above.

7. Sub-processors

7.1 General authorisation. You grant a general authorisation for us to engage Sub-processors to Process Customer Personal Data to provide the Platform (for example, categories such as cloud hosting and storage, telephony and messaging, data enrichment, transcription, email delivery, and error monitoring). A list of our current Sub-processors is available on request and (where published) at our Sub-processor page.

7.2 Changes. Before we add or replace a Sub-processor that Processes Customer Personal Data, we will give you at least 14 days' prior notice (by email to your account address and/or by in-Platform notice). You may object to the change on reasonable data-protection grounds by written notice to accounts@sentrama.com within that period. We will work with you in good faith to address your concern; if we cannot reasonably resolve it, your sole remedy is to terminate the affected part of the Platform and receive a pro-rata refund of any prepaid fees for the unused period.

7.3 Flow-down and liability. We will impose on each Sub-processor data-protection obligations no less protective than those in this DPA, and we remain fully liable to you for each Sub-processor's acts and omissions in respect of Customer Personal Data.

8. Data Subject requests

8.1 If we receive a request from a Data Subject relating to Customer Personal Data (for example, access, rectification, erasure, restriction, portability, or objection), we will, unless legally required to respond ourselves, promptly notify you and will not respond to the request except on your documented instructions or as required by law.

8.2 Taking into account the nature of the Processing, we will provide reasonable assistance (including appropriate technical and organisational measures) to help you fulfil your obligation to respond to such requests. Where we receive an objection, erasure request, or opt-out relating to a contact, we may suppress and/or erase that contact across the Platform and our brands to meet our own and your legal obligations (Terms, §6.6).

9. International transfers

9.1 Data location. We host and Process Platform data primarily in the United Kingdom and/or the European Economic Area (EEA).

9.2 Restricted Transfers. Where we or our Sub-processors make a Restricted Transfer of Customer Personal Data, we will ensure an appropriate safeguard under Chapter V of the UK GDPR is in place before the transfer — namely reliance on an adequacy decision or, where none applies, the UK IDTA (and/or the EU SCCs where the EU GDPR applies), or any successor mechanism. Where the SCCs and/or UK IDTA apply, they are incorporated into this DPA by reference and completed as set out in Annex 3, and prevail over this DPA to the extent of any conflict.

10. Deletion, return and retention

10.1 On termination or expiry of the Terms (or earlier on your written request), we will, at your choice, delete or return Customer Personal Data in accordance with clause 4.7, subject to clauses 10.2–10.3.

10.2 Export window. For 30 days after termination (unless we are legally required to delete sooner, or you request earlier deletion), we will preserve Your Content — including your call recordings, transcripts and call/disposition records — and, on request within that period, provide you with a single bulk export free of charge, as set out in §10.4 of the Terms.

10.3 Retention exceptions. We may retain Customer Personal Data to the extent, and for as long as, required by the Data Protection Laws or other applicable law, and copies held in routine backup archives that are not readily accessible, provided such retained data remains protected in accordance with this DPA and is deleted in the ordinary course of our backup cycle. We may retain aggregated or anonymised data that does not identify any individual or you.

11. Personal Data Breach

We will notify you without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and will provide, in phases as it becomes available, information reasonably necessary to enable you to meet your own breach-notification obligations under Articles 33–34 of the UK GDPR, including (to the extent known) the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed. We will take reasonable steps to mitigate and remediate the breach. Our notification is not an acknowledgement of fault or liability.

12. Liability

The liability of each party under or in connection with this DPA is subject to the exclusions and limitations of liability set out in §12 of the Terms, and any claims under this DPA and the Terms are subject to a single aggregate liability cap as stated there. This does not limit either party's liability to a Data Subject or supervisory authority to the extent such liability cannot be limited under the Data Protection Laws.

13. Term and termination

This DPA takes effect on your acceptance of the Terms and continues for as long as we Process Customer Personal Data on your behalf. Clauses that by their nature should survive termination (including Sections 10, 11, and 12) survive.

14. Governing law and jurisdiction

This DPA is governed by the laws of England and Wales and is subject to the governing-law and dispute-resolution provisions of the Terms (§§14–15), except that, where the EU SCCs apply, the governing law and forum for those SCCs are as stated in them.

15. General

Except as expressly amended by this DPA, the Terms remain in full force and effect. If any provision of this DPA is held unenforceable, the remainder continues in effect. This DPA may be updated by us from time to time in the same manner as the Terms; where a change materially reduces the protections in this DPA, we will give reasonable prior notice.

Annex 1 — Details of Processing

  • Subject matter: our provision of the Platform (a self-serve outbound-calling and sales-data platform) to you under the Terms.
  • Duration: for the term of the Terms and until deletion or return of Customer Personal Data in accordance with Section 10.
  • Nature and purpose of Processing: hosting and storage; data upload, verification, enrichment, qualification and reachability/connect scoring; placing and connecting outbound calls initiated by you; call recording and transcription; AI-assisted briefing, opener suggestions, coaching, call classification and analytics; meeting booking and confirmation; SMS and email sending; CRM/calendar/mailbox integration; screening and suppression; and related support and security functions.
  • Types of Personal Data: business contact identifiers and details (e.g. name, business email address, business telephone/mobile number, job title, employer, professional profile links, location); firmographic and enrichment data associated with a contact; call recordings and transcripts; calling outcomes, dispositions and engagement/scoring data; meeting and scheduling data; and account and usage data of your authorised users. No Special Category Data.
  • Categories of Data Subjects: your prospects and business contacts; your customers' representatives; and your own personnel and authorised users of the Platform.

Annex 2 — Technical and Organisational Measures (Article 32)

We maintain a security programme that includes, as appropriate to the risk:

  • Access control: role-based access on the principle of least privilege; individual named accounts; multi-factor authentication on administrative access; and prompt revocation of access on role change or departure.
  • Encryption: encryption of Personal Data in transit (TLS) over public networks and at rest for primary data stores.
  • Network and application security: environment separation (development/production); secure software-development practices including code review and dependency/vulnerability scanning; and protection of the application's public interfaces.
  • Logging and monitoring: application and access logging, error/exception monitoring, and review of security-relevant events.
  • Resilience and recovery: use of managed, backed-up data infrastructure with point-in-time recovery capability, and periodic restore testing, to support availability and the ability to restore access to Personal Data in a timely manner after an incident.
  • Data minimisation and retention: data classification and handling controls, and retention/deletion in line with our retention schedule and Section 10.
  • Personnel: confidentiality obligations on personnel and security-awareness practices.
  • Supplier management: due diligence and contractual data-protection obligations on Sub-processors (Section 7).
  • Incident response: documented procedures for detecting, assessing, and responding to Personal Data Breaches (Section 11).

We continually review and improve these measures and may update them provided the overall level of protection is not materially reduced.

Annex 3 — Sub-processors and transfer mechanism

  • Sub-processor categories: cloud hosting and storage; telephony and messaging; data enrichment; transcription; email delivery; error monitoring and logging; and payment processing (as an independent controller of payment data). A current, named list of Sub-processors is available on request and, where published, at our Sub-processor page. Changes are notified and may be objected to under Section 7.
  • Transfer mechanism: where a Restricted Transfer occurs, the UK IDTA (and/or the EU SCCs with the UK Addendum, as applicable) applies, with Sentrama (or the relevant exporter) as data exporter and the recipient as data importer; the module for controller-to-processor (or processor-to-processor) transfers applies as appropriate; the optional docking clause applies; and the technical and organisational measures in Annex 2 are the measures for the purposes of those clauses. The information required to complete the SCCs/UK IDTA (parties, roles, categories of data and Data Subjects, and competent supervisory authority — the UK Information Commissioner's Office) is as set out in this DPA and Annex 1.

Contact

Data protection queries and audit or Sub-processor requests: accounts@sentrama.com

Sentrama (Brightside Enterprises Limited T/A Sentrama), Unit 3, Temple Campus, Temple Gate, Bristol, England, BS1 6QA · Company no. 12265340