This Data Processing Agreement (DPA) is available for counter-signature by enterprise clients and corporate sponsors who require a formal DPA for procurement or compliance purposes.
Download the PDF, sign it, then submit a DPA Request via the contact form. Sentinel CPO will countersign and return an executed copy within 5 business days.
This Data Processing Agreement ("DPA") is entered into between Sentinel CPO LLC, a Connecticut limited liability company ("Processor", "Sentinel CPO"), and the entity identified as the Controller in the signature block below ("Controller").
This DPA forms part of, and is subject to, the Sentinel CPO Private Client Agreement (or equivalent executed agreement between the parties). In the event of a conflict between this DPA and the main agreement on matters of personal data processing, this DPA controls.
Terms used but not defined in this DPA have the meaning given in the applicable data protection law or the main agreement between the parties.
The parties acknowledge that in connection with the provision of the Sentinel CPO service:
The subject matter, duration, nature, and purpose of processing, as well as the types of Personal Data and categories of Data Subjects, are described in Annex I to this DPA.
Sentinel CPO agrees to:
The Controller agrees to:
Sentinel CPO processes Personal Data in the United States. Where the Controller is subject to GDPR and transfers Personal Data from the European Economic Area to Sentinel CPO in the United States, such transfer is governed by the EU Standard Contractual Clauses (SCCs) as adopted by the European Commission, which are incorporated by reference into this DPA. Sentinel CPO will execute SCCs on request.
This DPA is effective for the duration of the main agreement and terminates automatically upon termination or expiration of the main agreement. Obligations of confidentiality and data deletion survive termination.
Each party's liability under this DPA is subject to the limitations of liability set out in the main agreement. Sentinel CPO's aggregate liability under this DPA shall not exceed the fees paid by the Controller to Sentinel CPO in the twelve months preceding the event giving rise to the claim.
This DPA is governed by the laws of the State of Connecticut, USA, without regard to conflict of law principles, except that provisions required by GDPR or other applicable data protection law shall be interpreted in accordance with the law of the relevant jurisdiction.
| Item | Description |
|---|---|
| Subject matter | Provision of AI-powered executive performance intelligence services, including biometric data integration, behavioral session analysis, and delivery of intelligence briefings. |
| Duration | For the term of the main agreement, plus the post-termination data deletion period (up to 90 days). |
| Nature of processing | Collection, storage, retrieval, analysis, structuring, and deletion of personal data for the purpose of service delivery. |
| Purpose of processing | To provide the Sentinel CPO executive performance intelligence service as described in the main agreement. |
| Types of personal data |
|
| Categories of data subjects | Business executives and senior professionals enrolled in the Sentinel CPO platform. |
| Special categories | Biometric data (health-adjacent physiological metrics). Processed under explicit consent obtained at enrollment and governed by Sentinel CPO's Biometric Privacy Policy. |
| Control | Measure |
|---|---|
| Encryption at rest | AES-256 (Supabase managed PostgreSQL and object storage) |
| Encryption in transit | TLS 1.2 minimum on all connections. No unencrypted data paths. |
| Access control | Row-Level Security at the database layer; minimum necessary access principle; role-based access controls; service-role key restricted to server-side processes only |
| Pseudonymization | All intelligence processing conducted against pseudonymous Client ID (CPO-XXXX). Real identity compartmentalized to billing and authentication records only. |
| Audit logging | Administrative and PM access to Client data logged in platform audit records. |
| Data minimization | Voice audio not retained (processed in real-time and discarded). Biometric data retrieved as aggregated daily metrics only (no raw sensor data). Behavioral data stored as structured metadata fields only. |
| Sub-processor controls | All sub-processors contractually prohibited from using Client data for their own purposes or model training. Sub-processor list publicly disclosed at sub-processors.html. |
| Incident response | Client notification within 72 hours of confirmed breach. Incident Response Policy published at security.html. |
| Data deletion | Automatic deletion within 30 days of license termination. Anonymized records deleted within 90 days. Irreversible — no recovery possible post-deletion. |
| Infrastructure security | Hosted on Vercel (SOC 2 Type II) and Supabase (SOC 2 Type II). Dependencies monitored for CVEs. |
By signing below, the parties agree to be bound by this Data Processing Agreement.
Sentinel CPO LLC
State of Connecticut, USA
Authorized Signature
Printed Name & Title
Date
[Organization Name]
[Jurisdiction]
Authorized Signature
Printed Name & Title
Date
Download the PDF above, sign it, and submit a DPA Request via the contact form. Sentinel CPO will countersign and return an executed copy within 5 business days.