Data Processing Agreement
Last updated: 2026-04-02
Pursuant to Art. 28 GDPR and Art. 9 Swiss nDSG (FADP)
1. Parties and Scope
This Data Processing Agreement ("DPA") forms part of the Terms of Service between:
- Data Controller ("Customer", "you") — the entity that signs up for or uses SentriKat services.
- Data Processor ("SentriKat", "we", "us") — Denis Sota, operating as SentriKat, Via Lucomagno 97, 6715 Dongio, Switzerland. Email: [email protected]
This DPA applies to all processing of personal data by SentriKat on behalf of the Customer in connection with the SentriKat SaaS platform. It does not apply to the on-premises edition, where the Customer is solely responsible for data processing on their own infrastructure.
2. Definitions
"Personal Data", "Processing", "Data Subject", "Data Controller", "Data Processor", and "Supervisory Authority" have the meanings given in the GDPR (Regulation (EU) 2016/679) and, where applicable, the Swiss Federal Act on Data Protection (nDSG/FADP, SR 235.1).
3. Subject Matter, Nature, and Duration
3.1 Subject matter
SentriKat processes personal data on behalf of the Customer solely to provide the SentriKat SaaS vulnerability management platform, including:
- User account management (names, email addresses, roles)
- Agent heartbeat and inventory data from Customer endpoints
- Vulnerability scan results and remediation tracking
- Compliance report generation
- Alert and notification delivery
3.2 Categories of data subjects
- Customer employees and authorized users
- Customer IT administrators
3.3 Types of personal data
- Full name, email address, role/title
- IP addresses of managed endpoints
- Hostnames, operating system versions, installed software inventory
- Authentication logs (login timestamps, IP addresses)
SentriKat does not process special categories of data (Art. 9 GDPR), financial data, or health data.
3.4 Duration
Processing continues for the duration of the service agreement. Upon termination, Section 11 (Data Deletion) applies.
4. Obligations of the Processor
SentriKat shall:
- Process personal data only on documented instructions from the Customer, including with regard to transfers of personal data to a third country (Art. 28(3)(a) GDPR).
- Ensure that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality (Art. 28(3)(b) GDPR).
- Take all measures required pursuant to Art. 32 GDPR (security of processing), as described in Section 6.
- Not engage another processor without prior specific or general written authorization of the Customer (Art. 28(2) GDPR). See Section 7 (Sub-processors).
- Assist the Customer in fulfilling its obligation to respond to requests for exercising Data Subject rights (Art. 28(3)(e) GDPR).
- Assist the Customer in ensuring compliance with obligations pursuant to Art. 32–36 GDPR (security, breach notification, DPIA, prior consultation).
- At the choice of the Customer, delete or return all personal data after the end of the provision of services (Art. 28(3)(g) GDPR).
- Make available to the Customer all information necessary to demonstrate compliance with Art. 28 GDPR and allow for and contribute to audits (Art. 28(3)(h) GDPR).
5. Obligations of the Controller
The Customer shall:
- Ensure that it has a lawful basis for processing personal data and for instructing SentriKat to process such data.
- Provide documented instructions to SentriKat regarding the processing of personal data.
- Be responsible for the accuracy, quality, and legality of personal data provided to SentriKat.
- Fulfill its own obligations under applicable data protection law, including providing notice to Data Subjects and obtaining any necessary consents.
6. Technical and Organizational Measures
SentriKat implements and maintains the following security measures pursuant to Art. 32 GDPR:
- Encryption in transit — All data transmitted between the Customer and SentriKat services is encrypted using TLS 1.2 or higher.
- Encryption at rest — Database storage uses AES-256 encryption.
- Access control — Role-based access control (RBAC) with the principle of least privilege. Multi-factor authentication for administrative access.
- Infrastructure security — Services hosted in EU-based data centers (Hetzner, Germany/Finland). Firewalled with automated security updates.
- Application security — OWASP ASVS Level 1 verified. Regular dependency scanning. See Security page for details.
- Backup and recovery — Automated daily backups with point-in-time recovery capability.
- Logging and monitoring — Audit logs of all administrative actions. Anomaly detection and alerting.
- Personnel — All personnel with access to personal data are bound by confidentiality obligations.
7. Sub-processors
The Customer provides general authorization for SentriKat to engage sub-processors. The current list of sub-processors is available at sentrikat.com/subprocessors.
SentriKat shall:
- Inform the Customer of any intended changes concerning the addition or replacement of sub-processors, giving the Customer the opportunity to object to such changes.
- Maintain a publicly available list of sub-processors with their names, locations, and purposes.
- Impose the same data protection obligations as set out in this DPA on any sub-processor by way of a contract (Art. 28(4) GDPR).
- Remain fully liable to the Customer for the performance of the sub-processor's obligations.
If the Customer objects to a new sub-processor on reasonable data protection grounds, SentriKat will use reasonable efforts to make available an alternative or the Customer may terminate the affected service.
8. International Data Transfers
SentriKat processes Customer data in the European Union (Germany/Finland) and Switzerland. No personal data is transferred to countries outside the EU/EEA/Switzerland unless:
- The destination country has been recognized as providing an adequate level of data protection by the European Commission or the Swiss Federal Council; or
- Appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR.
As of the date of this DPA, all sub-processors are located in the EU or in countries with an adequacy decision. See the sub-processors list for details.
9. Data Subject Rights
SentriKat shall, taking into account the nature of the processing, assist the Customer by appropriate technical and organizational measures for the fulfillment of the Customer's obligation to respond to requests for exercising Data Subject rights under Chapter III GDPR, including:
- Right of access (Art. 15)
- Right to rectification (Art. 16)
- Right to erasure (Art. 17)
- Right to restriction of processing (Art. 18)
- Right to data portability (Art. 20)
- Right to object (Art. 21)
If SentriKat receives a request directly from a Data Subject, SentriKat shall promptly redirect the Data Subject to the Customer and inform the Customer of the request.
10. Data Breach Notification
SentriKat shall notify the Customer without undue delay, and in any event within 48 hours, after becoming aware of a personal data breach (Art. 33 GDPR). The notification shall include:
- A description of the nature of the breach, including categories and approximate number of Data Subjects and records affected
- The name and contact details of the point of contact
- A description of the likely consequences
- A description of the measures taken or proposed to address the breach
11. Data Deletion and Return
Upon termination of the service agreement, SentriKat shall, at the Customer's choice:
- Return all personal data to the Customer in a structured, commonly used, and machine-readable format (JSON or CSV); or
- Delete all personal data and confirm deletion in writing.
If no instruction is received within 30 days of termination, SentriKat shall delete all personal data. Backup copies will be deleted within 90 days of the deletion of production data.
12. Audit Rights
SentriKat shall make available to the Customer all information necessary to demonstrate compliance with this DPA and Art. 28 GDPR, and shall allow for and contribute to audits and inspections conducted by the Customer or another auditor mandated by the Customer, subject to:
- Reasonable advance written notice (minimum 30 days)
- Audits limited to once per year unless required by a supervisory authority
- Confidentiality obligations regarding any information obtained during the audit
SentriKat may satisfy audit requests by providing an independent third-party audit report (e.g., SOC 2 Type II or ISO 27001 audit report) if available.
13. Swiss Data Protection Law
Where the Swiss Federal Act on Data Protection (nDSG / FADP, SR 235.1) applies:
- References to GDPR articles shall be read as references to the corresponding provisions of the nDSG.
- The term "Supervisory Authority" includes the Swiss Federal Data Protection and Information Commissioner (FDPIC).
- Data transfers to countries outside Switzerland are governed by Art. 16–17 nDSG. The Swiss Federal Council's list of adequate countries applies.
- In the event of a conflict between this DPA and the nDSG, the provision offering the higher level of data protection shall prevail.
14. Liability
Each party's liability under this DPA is subject to the limitations of liability set forth in the Terms of Service. Nothing in this DPA limits either party's liability for claims by Data Subjects or regulatory penalties resulting from a party's breach of its data protection obligations.
15. Contact
For questions about this DPA or data protection matters:
Denis Sota
SentriKat — Data Protection
Via Lucomagno 97, 6715 Dongio, Switzerland
Email: [email protected]