SentinelSentinel

Data Processing Agreement

Last updated: March 27, 2026

This Data Processing Agreement ("DPA") forms part of the agreement between you ("Customer") and Invicta Media, operator of Sentinel ("Sentinel", "we", "our"), a company based in the United States.

It applies when we process personal information on your behalf in connection with the Sentinel dashboard. It is designed to satisfy the requirements of applicable U.S. privacy laws (including the California Consumer Privacy Act / CPRA) and — where Customer is located in the EEA or UK — Article 28 of the EU General Data Protection Regulation (GDPR).

1. Roles of the parties

  • Under CPRA, Customer acts as the "Business" and Sentinel acts as a "Service Provider".
  • Under GDPR, Customer acts as the "Controller" and Sentinel acts as the "Processor".

Sentinel processes personal information only on Customer's documented instructions (conveyed through use of the service) and only for the purposes described below.

2. Subject matter & purpose

We process the personal information listed in our Privacy Policy to provide the Sentinel dashboard — synchronizing Shopify and Google Ads data, generating analytics, and enabling team collaboration.

3. Duration

Processing continues for as long as Customer has an active account. Upon termination, data is deleted within 30 days unless retention is required by law.

4. Categories of data subjects / consumers

  • Customer's team members and employees who use the dashboard.
  • End-customers of Customer's Shopify store (order-level data, aggregated or pseudonymized).

5. Categories of personal information

  • Account data: name, email, username.
  • Order metadata: country, currency, product line items, amounts.
  • Ad campaign data: metrics, identifiers.

Sentinel does notrequire raw consumer PII (names, addresses, payment details) to function and does not process "sensitive personal information" as defined by the CPRA, except where strictly necessary to operate the service.

6. Our obligations as Service Provider / Processor

  • Process personal information only on Customer's documented instructions.
  • Not sell or share personal information (within the meaning of the CCPA/CPRA).
  • Not use personal information outside the direct business relationship with Customer.
  • Not combine personal information received from Customer with personal information received from other sources, except as permitted by law.
  • Ensure personnel with access are under confidentiality obligations.
  • Implement appropriate technical and organizational measures (see Annex below).
  • Assist Customer with consumer/data-subject requests and with responding to any data security incident.
  • Delete or return personal information at the end of the service, at Customer's choice.

7. Sub-service-providers / subprocessors

Customer authorizes Sentinel to engage the sub-providers listed in our Privacy Policy (currently: Supabase, Vercel, Resend). Each is contractually bound to protections at least as protective as those in this DPA. We will notify Customer of any changes and provide an opportunity to object.

8. International transfers

Because Sentinel is operated from the United States, personal information of EEA, UK, or Swiss data subjects may be transferred to the U.S. We rely on the EU Standard Contractual Clauses (SCCs), including Module 3 (Processor-to-Processor) where applicable, and apply supplementary technical measures (encryption at rest and in transit, access controls) to protect such transfers.

9. Security (Annex — technical & organizational measures)

  • Encryption at rest — AES-256-CBC for sensitive credentials; Postgres-level encryption via Supabase.
  • Encryption in transit — TLS 1.2+ enforced.
  • Access control — role-based access, least-privilege, 2FA on administrative accounts.
  • Audit logging — authentication and data-modification events are logged.
  • Backups — managed by Supabase with point-in-time recovery.
  • Incident response — security incidents affecting personal information are reported to Customer without undue delay, and within 72 hours where required by law.

10. Consumer / data-subject requests

If a consumer or data subject contacts Sentinel directly regarding data processed on Customer's behalf, Sentinel will forward the request to Customer and will not respond independently unless legally obligated.

11. Audits

On reasonable written notice, Sentinel will make available the information necessary to demonstrate compliance with this DPA. Audit requests should be directed to support@invicta-media.co.

12. Termination

On termination of the service, Sentinel will delete all personal information within 30 days unless U.S. federal, state, or other applicable law requires continued retention.

13. Governing law

This DPA is governed by the laws of the State of Delaware, United States. Where this DPA conflicts with our Terms of Service, this DPA controls as to the processing of personal information.

14. Contact

Invicta Media, operator of Sentinel. For DPA queries or to request a signed copy, email support@invicta-media.co.

This document is provided for transparency. For binding agreements or legal advice, please contact us at support@invicta-media.co.