SentientUI

Data Processing Agreement (DPA)

Version 1.0 | Effective: June 1, 2026

Required for GDPR compliance: This DPA applies when you collect Personal Data on EU residents via the SentientUI SDK. By using the Service for EU visitors, you agree to this DPA.

What This Agreement Covers

This DPA defines the relationship between you (Data Controller) and SentientUI (Data Processor) when processing visitor data under GDPR (EU Regulation 2016/679).

SentientUI processes the following types of Personal Data on your behalf:

  • Device data (type, OS, browser)
  • Behavioral data (page views, clicks, scroll depth, interactions)
  • Session data (duration, timestamp, referrer domain)
  • Derived data (behavioral portraits, clusters, segments)

Your Responsibilities (as Data Controller)

You are responsible for:

  • Determining the lawful basis for collecting visitor data (consent, legitimate interest, contract, etc.)
  • Providing privacy notices to visitors
  • Obtaining consent where required (e.g., GDPR Art. 7)
  • Handling visitor requests to access, delete, or port their data
  • Notifying authorities of breaches within 72 hours (GDPR Art. 33)
  • Complying with GDPR, CCPA, LGPD, and other privacy laws in your jurisdiction

SentientUI's Commitments (as Data Processor)

SentientUI commits to:

  • Process only as instructed: We process data only as directed by you and per this DPA
  • Confidentiality: All employees and subprocessors are bound by confidentiality
  • Security: We implement encryption, access controls, and regular audits
  • Sub-processing: We notify you of subprocessors (Stripe, Clerk, Sentry, Upstash, hosting) and allow you to object
  • Data subject rights: We assist you in fulfilling access, deletion, and portability requests
  • Audit: We provide evidence of compliance and permit annual audits

Security Measures

SentientUI implements:

  • Encryption: TLS 1.2+ in transit; AES-256 at rest
  • Authentication: API key-based with restricted scopes
  • Access controls: Principle of least privilege for employees
  • Availability: 99.5% uptime SLA; disaster recovery plan
  • Incident response: 24-hour breach notification to you
  • Audits: Annual SOC 2 Type II equivalent or third-party penetration testing

Data Retention and Deletion

Raw event data is retained for 90 days by default, then permanently deleted. Aggregated analytics are retained indefinitely until you delete your project.

Upon account termination, all your data is deleted within 30 days. You can request immediate deletion by contacting support.

Helping You With Data Subject Rights

If a visitor requests to access, delete, or export their data, we will assist you by:

  • Access: Providing data in machine-readable format via API or dashboard
  • Deletion: Removing data via DELETE /v1/visitor endpoint (immediate for raw events)
  • Portability: Exporting data in JSON format

Please allow 15 days' notice for complex requests; we will respond within 30 days.

International Data Transfers

If you are in the EU and your data is processed in the US, the transfer is authorized under the EU Commission's Standard Contractual Clauses (SCC) (2021/914/EU), which are incorporated into this DPA by reference.

SentientUI implements Supplementary Measures per the European Court of Justice's Schrems II ruling, including encryption and strict access controls, to mitigate transfer risk.

Sub-processors

SentientUI uses these subprocessors, each bound by GDPR-equivalent data protection obligations:

  • Stripe (payments, US)
  • Clerk (authentication, US/EU)
  • Sentry (error monitoring, US)
  • Upstash (caching, EU/US)
  • Neon / Fly Postgres (database, US/EU)
  • Vercel / Fly.io (hosting, US/EU)

We notify you of new subprocessors with 30 days' notice. You may object within 15 days; if unresolved, you can terminate your subscription without penalty within 30 days.

Breach Notification

If we discover a Personal Data breach, we will notify you without undue delay (within 24 hours of discovery) with details of the breach, affected data, and measures taken. We will cooperate with your breach investigation and authority notifications.

Audit and Compliance

You may audit our compliance by requesting evidence of security controls, conducting an annual on-site audit (with 30 days' notice), and requiring remediation of deficiencies.

SentientUI commits to obtaining and maintaining SOC 2 Type II compliance (annual audit) and ISO 27001 certification within 18 months of its first paying customer.

Limitation of Liability

SentientUI's liability for data breaches or privacy violations is limited to the lesser of the actual damages proven in court or the fees paid by you in the 12 months preceding the breach.

This does NOT limit liability for gross negligence, willful misconduct, or confidentiality breaches.

Contact and Disputes

For DPA-related questions, to exercise data subject rights, or to file complaints, contact:

Data Protection Officer: dpo@sentient-ui.com

General Support: support@sentient-ui.com

EU Residents: You have the right to lodge a complaint with your local Data Protection Authority.

For the complete Data Processing Agreement with Standard Contractual Clauses, see the full document in our repository.
