DATA PROCESSING ADDENDUM

Standard DPA — summary.

This page summarises the standard Data Processing Addendum (DPA) that PartSentinel signs with every customer subject to GDPR. The full executable DPA is available on request and is appended to the Master Service Agreement.

Last updated : 2026-04-27Working draft · contractually binding only when annexed to a signed MSA.

1 · Roles

Customer is the data controller for any personal data submitted (typically: contact details of catalogue stakeholders, if any). PartSentinel is the data processor. For audit catalogue data — references, OE numbers, fitments — neither party considers it personal data under GDPR; it is handled as commercially confidential information under MSA terms.

2 · Sub-processors

  • Cloud infrastructure — Scaleway (FR), OVHcloud (FR), AWS Frankfurt (DE).
  • LLM API providers — only when a customer audit explicitly targets a hosted model (OpenAI, Anthropic, Google, Mistral, etc.). For these calls, only the audit prompt — never raw catalogue files — is transmitted.
  • Email and CRM — Resend (FR), Linear (US, GDPR DPA in place).
  • Full live list at /security#sub-processors and updated 14 days before any change.

3 · Standard contractual clauses

Where any sub-processor is outside the EU, transfers are governed by the EU Standard Contractual Clauses (SCCs) Module 3, with supplementary measures (encryption, access controls, audit logs).

4 · Customer rights

  • Right to audit — annual audit on reasonable notice, subject to confidentiality.
  • Right to deletion — within 30 days of contract termination, except for the AI Act seven-year retention requirement (anonymised after termination).
  • Right to portability — full export of audit history in JSON + Excel on request.

5 · Security measures

Annex 2 of the DPA enumerates technical and organisational measures (TOMs). Summary at /security.

Request the executable DPA:

legal@partsentinel.com
PrivacyTermsSecurity