Data Protection Impact Assessment

Last updated: 2 April 2026 | Tentrois Ltd

1. Overview

This Data Protection Impact Assessment (DPIA) evaluates the privacy risks arising from Tentrois Ltd's 6-stage B2B lead intelligence pipeline. This assessment is conducted in accordance with Article 35 of UK GDPR.

Field	Detail
Data Controller	Tentrois Ltd
Assessment Date	2 April 2026
Processing Purpose	B2B lead intelligence — scoring, enriching, and delivering qualified business leads
Lawful Basis	Legitimate Interest (Art. 6(1)(f)) — see LIA
Data Subjects	Business professionals at mid-market companies (employees at companies with fewer than 5,000 staff)

2. Description of Processing

2.1 Pipeline Stages

Stage	Processing Activity	Data Involved
1. Extraction	Collect data from 54 public sources (job boards, RSS feeds, government registries, APIs)	Company names, domains, job titles, news mentions, filing data
2. Transformation	Normalise, deduplicate, and verify data quality	Same as above, cleaned and merged
3. Signal Intersection	Score companies on 5 signal vectors (hiring, funding, tech stack, growth, registration). Filter enterprises (5,000+ employees)	Signal scores, company metadata
4. XGBoost Scoring	Machine learning propensity scoring to rank leads	Feature vectors derived from signals
5. AI Enrichment	LLM generates 12 intelligence layers per lead (company summary, pain points, outreach scripts)	Company name, domain, signals, contact title sent to LLM API
6. Delivery	Route leads to subscribed clients by niche	Enriched lead data delivered via dashboard

2.2 Data Sources

All data is sourced from publicly available endpoints:

Public ATS APIs (Greenhouse, Lever, Ashby, Workable, SmartRecruiters, Recruitee, Personio, Teamtailor, BambooHR, JazzHR)
News RSS feeds (TechCrunch, VentureBeat, Sifted, BetaKit, etc.)
Government registries (UK Companies House, SEC EDGAR, etc.)
Public APIs (Hacker News, Product Hunt, GitHub Trending, Dev.to, Reddit)

3. Risk Assessment

Risk	Likelihood	Severity	Overall	Mitigation
Inaccurate data delivered to clients	Medium	Low	Low	Multi-stage validation, deduplication, signal threshold (3+ signals required)
Excessive data collection beyond purpose	Low	Medium	Low	Enterprise blocklist (5,000+ employees filtered), data minimisation at extraction
Unauthorised access to lead data	Low	High	Medium	JWT authentication, bcrypt passwords, role-based access, TLS encryption
Data breach at infrastructure provider	Low	High	Medium	SOC 2 compliant providers (Supabase, Render), encrypted at rest
LLM provider retaining prompt data	Low	Medium	Low	Prompts contain only business-context data (company name, domain, signals). No personal identifiers beyond business title. API terms reviewed.
Data subject unable to exercise rights	Low	Medium	Low	Clear contact mechanism (privacy@tentrois.com), 30-day response commitment
Re-identification from enriched profiles	Low	Low	Low	Enrichment is company-level analysis, not individual profiling

4. Automated Decision-Making

Our pipeline includes automated scoring (XGBoost propensity model) and AI-generated enrichment. However:

No decisions with legal or similarly significant effects are made about individuals
Scoring determines which companies are surfaced to clients, not decisions about individuals
All outreach decisions are made by human sales professionals at our client organisations
Data subjects are not profiled as individuals — analysis is at the company/role level

This processing therefore does not fall within the scope of Article 22 (automated individual decision-making).

5. Data Transfers

Provider	Location	Purpose	Safeguard
Supabase	EU (AWS eu-west-2)	Database hosting	EU adequacy, SCCs
Render	US/EU	Application hosting	SCCs
Google (Gemini API)	US	AI enrichment	SCCs, data processing terms

6. Measures to Address Risks

Data minimisation — Only business-context data collected; personal/consumer data excluded
Purpose limitation — Data processed solely for B2B lead intelligence delivery
Retention limits — Raw data: 90 days. Qualified data: 12 months. Then securely deleted
Access controls — JWT auth, bcrypt hashing, per-client data isolation
Delivery deduplication — 30-day window prevents repeated surfacing of same company
Enterprise filter — Companies with 5,000+ employees automatically excluded
Subject rights process — Documented erasure/objection workflow via privacy@tentrois.com

7. Consultation

This DPIA has been reviewed internally. Given that residual risks are assessed as low to medium after mitigations, prior consultation with the ICO under Article 36 is not required at this stage.

8. Review Schedule

This DPIA will be reviewed:

Annually (next review: 2 April 2027)
When new data sources are added to the pipeline
When AI/LLM providers are changed
Following any data security incident