Data Processing Agreement
Last updated: 2 April 2026 | Tentrois Ltd
This Data Processing Agreement ("DPA") forms part of the service agreement between Tentrois Ltd ("Processor") and the subscribing client organisation ("Controller"), collectively the "Parties".
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person processed under this Agreement
- "Processing" has the meaning given in Article 4(2) UK GDPR
- "Sub-processor" means any third party engaged by the Processor to process Personal Data
- "Data Protection Laws" means UK GDPR, the Data Protection Act 2018, and any successor legislation
2. Scope and Purpose
The Processor processes Personal Data on behalf of the Controller for the purpose of delivering B2B lead intelligence services, specifically:
- Collecting publicly available business data from open sources
- Scoring and qualifying business leads using machine learning
- Enriching leads with AI-generated intelligence layers
- Delivering qualified leads to the Controller via the Tentrois dashboard
2.1 Categories of Data Subjects
Business professionals at mid-market companies (typically companies with fewer than 5,000 employees) across the following niches: B2B SaaS, Fintech, E-commerce/D2C, and B2B Marketing Agency.
2.2 Types of Personal Data
- Business contact name and job title
- Business email address (where publicly available)
- Company name, domain, country, and industry
- Hiring activity and job posting data
- Publicly reported funding and growth data
3. Processor Obligations
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, unless required by law
- Ensure that persons authorised to process Personal Data have committed to confidentiality
- Implement appropriate technical and organisational security measures including:
- Encryption of data in transit (TLS) and at rest
- Access controls with JWT authentication and bcrypt password hashing
- Regular security testing of the data pipeline
- Per-client data isolation in delivery
- Not engage another processor without prior written authorisation from the Controller
- Assist the Controller in responding to data subject rights requests within 30 days
- Assist the Controller with DPIA obligations and prior consultation where required
- Delete or return all Personal Data to the Controller upon termination of the service agreement, unless retention is required by law
- Make available all information necessary to demonstrate compliance and allow for audits
4. Sub-processors
The Controller authorises the use of the following sub-processors:
| Sub-processor | Purpose | Location |
|---|
| Supabase Inc. | Cloud database hosting (PostgreSQL) | EU (AWS eu-west-2) |
| Render Inc. | Application hosting and deployment | US/EU |
| Google LLC | AI enrichment (Gemini API) | US |
The Processor will notify the Controller of any intended changes to sub-processors, providing the Controller an opportunity to object within 14 days.
5. International Transfers
Where Personal Data is transferred outside the United Kingdom, the Processor shall ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the ICO
- Transfer impact assessments where required
- Verification that the receiving jurisdiction provides adequate protection
6. Data Breach Notification
The Processor shall:
- Notify the Controller without undue delay (and in any event within 48 hours) upon becoming aware of a Personal Data breach
- Provide sufficient information to enable the Controller to meet its obligations under Articles 33 and 34 UK GDPR
- Co-operate with the Controller in investigating and remediating any breach
7. Data Retention and Deletion
| Data Category | Retention Period | Deletion Method |
|---|
| Raw extracted data | 90 days | Automated database purge |
| Qualified/enriched leads | 12 months | Automated database purge |
| Delivered leads | 12 months from delivery | Automated database purge |
Upon termination of the service agreement, all Controller-specific data will be deleted within 30 days unless the Controller requests a data export.
8. Audit Rights
The Controller has the right to audit the Processor's compliance with this DPA. Audits shall be:
- Conducted with reasonable prior notice (minimum 14 days)
- Limited to once per calendar year unless a breach has occurred
- Conducted during normal business hours
- At the Controller's expense
9. Liability
Each Party's liability under this DPA is subject to the limitations set out in the Client Agreement.
10. Term
This DPA shall remain in effect for the duration of the service agreement between the Parties and shall survive termination to the extent necessary to complete the deletion or return of Personal Data.
11. Governing Law
This DPA is governed by the laws of England and Wales and subject to the exclusive jurisdiction of the English courts.