
Data Processing Agreement

This Data Processing Agreement (“DPA”) is incorporated into and governed by the SentraCheck Terms of Service. It sets out the customer-controller / SentraCheck-processor relationship for personal data and confidential records processed through the SentraCheck platform.

Version: 2026.04
Effective: 2026-04-29
Governing law: California
Format: public template
For procurement teams. This page is the standard template most agencies sign as-is. If your procurement office requires changes (e.g., custom indemnity language, governing-law modifications, agency-specific addenda), email legal@sentracheck.com and we will turn redlines around within two business days.

§ 1 Definitions

Capitalized terms have the meanings given below; terms not defined here have the meaning given in the SentraCheck Terms of Service or applicable law.

§ 2 Subject matter & duration

The subject matter of this DPA is the Processing of Customer Data by SentraCheck in the course of providing the Services described in the SentraCheck Terms of Service and any applicable order form. This DPA remains in effect for the duration of the Services and survives termination to the extent necessary for the return or deletion obligations in § 11.

§ 3 Roles & responsibilities

  1. The parties acknowledge that, with respect to Personal Data submitted to the SentraCheck platform, Customer is the Controller and SentraCheck is the Processor.
  2. Customer is responsible for the lawfulness of Processing instructions, the legal basis for Processing under applicable law, and providing required notices to data subjects.
  3. SentraCheck Processes Customer Data only on documented instructions from the Customer (which include the SentraCheck Terms of Service and the Customer’s configuration and use of the Services), unless required to do otherwise by applicable law. If SentraCheck is so required, it will notify Customer before Processing unless prohibited by law.
  4. SentraCheck will not sell, rent, or share Personal Data with third parties except as authorized under this DPA, and will not retain, use, or disclose Personal Data outside the direct business relationship between the parties or for any commercial purpose other than providing the Services.

§ 4 Categories of data & data subjects

The categories of Personal Data Processed under this DPA, the categories of data subjects, and the purposes of Processing are described in Annex A.

§ 5 Subprocessors

  1. Customer authorizes SentraCheck’s use of the Subprocessors listed at sentracheck.com/subprocessors.html.
  2. SentraCheck will provide at least thirty (30) days’ notice before adding or replacing a Subprocessor, by updating the public list and (where Customer has subscribed) sending email notice. Customer may object in writing within the notice period; the parties will work in good faith to resolve concerns. If unresolved, Customer may terminate the affected Services without penalty for the affected portion.
  3. SentraCheck remains responsible for its Subprocessors’ performance of obligations under this DPA and will impose contractual obligations on Subprocessors that are no less protective than those in this DPA.

§ 6 Security measures

SentraCheck will implement and maintain appropriate technical and organizational measures to protect Customer Data against accidental or unlawful destruction, loss, or alteration, and against unauthorized disclosure or access. Current measures are described in Annex B and at sentracheck.com/security.html. SentraCheck may update these measures from time to time, provided the level of protection is not materially decreased.

§ 7 Data subject rights

SentraCheck will provide reasonable assistance to Customer in responding to requests from data subjects exercising rights under applicable law (including the right to know, the right to delete, the right to correct, and the right to limit use of sensitive Personal Information under CCPA/CPRA). Where Customer can fulfill the request directly through the Services (for example, by deleting an account or exporting data), SentraCheck’s assistance is limited to providing those features.

§ 8 Data breach notification

SentraCheck will notify Customer of a confirmed Security Incident affecting Customer Data without undue delay and in any event within seventy-two (72) hours of becoming aware of it. The notice will include, to the extent known: the nature of the incident, the categories and approximate number of data subjects and records affected, likely consequences, and measures taken or proposed to mitigate possible adverse effects. SentraCheck will provide reasonable assistance to Customer in fulfilling Customer’s own notification obligations under applicable law.

§ 9 International transfers

SentraCheck Processes Customer Data in the United States. Persistent Customer Data is stored exclusively in AWS us-west-1 (N. California). SentraCheck does not transfer Customer Data outside the United States. If, in the future, transfers outside the U.S. become necessary, SentraCheck will (i) update this DPA, (ii) obtain Customer’s consent or implement an appropriate transfer mechanism (e.g., the EU Standard Contractual Clauses), and (iii) provide Customer at least 30 days’ advance notice.

§ 10 Audit rights

  1. SentraCheck will, on Customer’s reasonable written request and not more than once per twelve (12) month period (except in case of a confirmed Security Incident), make available to Customer a summary of its most recent independent audit reports (e.g., SOC 2 Type II once obtained), security control documentation, and reasonable additional information to demonstrate compliance with this DPA.
  2. Where required by law and after exhausting subsection (a), Customer may request an on-site audit at mutually agreed times, scope, and duration; Customer will bear the reasonable costs of such audit unless the audit reveals material non-compliance.

§ 11 Return & deletion of data

Upon termination or expiration of the Services, or upon Customer’s written request, SentraCheck will, at Customer’s option:

  1. Export. Provide a complete export of Customer Data in a structured, commonly used, machine-readable format (e.g., JSON + ZIP archive) within thirty (30) days of request, at no additional charge for the first export.
  2. Delete. Permanently delete all Customer Data, including from backups in the normal backup-rotation cycle, within sixty (60) days of termination, except where retention is required by applicable law (in which case the data will continue to be Processed under this DPA until deleted).
  3. Both. Customer may request both export and deletion; the export will be delivered before deletion is completed.

Document content scanned through the platform is processed in memory and deleted immediately upon completion of the scan; only scan findings, redaction artifacts, and audit metadata are persisted, and only those persisted records are subject to the export/deletion process above.

§ 12 Liability & indemnification

The liability of each party arising out of or in connection with this DPA is subject to the limitations of liability set out in the SentraCheck Terms of Service. Neither party limits its liability for fraud, willful misconduct, or other liability that cannot be limited under applicable law.

§ 13 Governing law

This DPA is governed by the laws of the State of California, without regard to conflict-of-laws principles. The parties consent to the exclusive jurisdiction of the state and federal courts located in Fresno County, California for any dispute arising under or relating to this DPA, except that Customer (if a California public agency) may seek dispute resolution in its own jurisdiction where required by law.

Annex A — Processing details

Subject matter: Document compliance scanning, PII detection & redaction, ADA / WCAG accessibility analysis, and PDF → accessible HTML conversion.
Duration: For the term of the Services and any wind-down period under § 11.
Nature & purpose: Automated analysis of Customer-submitted documents to identify compliance issues; on-demand conversion to accessible HTML; audit logging of access and modification events.
Categories of data subjects: Customer’s end users (employees, agents); members of the public whose Personal Data may incidentally appear in Customer-submitted documents.
Categories of Personal Data: Identifiers (names, addresses, phone, email); government-issued IDs (SSN, driver’s license, passport); financial identifiers (account, card numbers); biometric identifiers; precise geolocation; protected health information (PHI), where applicable; demographic information.
Sensitive Personal Information: SentraCheck Processes Sensitive Personal Information (as defined under CPRA) only as necessary to perform the Services. Sensitive Personal Information is not used or disclosed for any other purpose, in accordance with Cal. Civ. Code § 1798.121.
Retention: Document content: deleted immediately after scan completion. Scan findings & redaction artifacts: retained for the duration of Customer’s account or 30 days after termination, whichever is shorter. Audit logs: retained for 7 years to meet Customer compliance and SentraCheck SOC 2 obligations.

Annex B — Security measures

Encryption in transit: TLS 1.2+ for all customer endpoints and inter-service traffic. HSTS enforced.
Encryption at rest: AES-256 (AWS-managed KMS keys) for all persistent storage including databases, object storage, and backups.
Access controls: Role-based access; mandatory MFA for SentraCheck personnel; least-privilege production access reviewed quarterly; SSO (Microsoft Entra, Google Workspace) supported for Customer accounts on every plan.
Network: Private subnets for all compute and data tiers; no public ingress to data layer; Cloudflare DDoS & WAF at edge.
Audit logging: SHA-256 signed audit log of every access, scan, conversion, and modification event. Logs are immutable and retained 7 years.
Vulnerability management: Continuous dependency scanning; quarterly internal penetration testing; annual third-party penetration test (results available under NDA).
Incident response: 24/7 on-call rotation; documented runbooks; 72-hour customer-notification SLA per § 8.
Personnel: Background checks for U.S. employees with production access; mandatory annual security & privacy training; binding confidentiality obligations.
Certifications: SOC 2 Type II audit in progress (target completion 2026-Q4). California-resident infrastructure (AWS us-west-1) with data residency commitment per § 9.

Customer (Controller)
Name: ____________________________
Title: ____________________________
Date: ____________________________
Entity: ____________________________

SentraCheck (Processor)
Name: ____________________________
Title: ____________________________
Date: ____________________________
Computer Systems Plus, Inc.

This template is provided for procurement-review convenience and reflects SentraCheck’s standard data-processing terms as of the effective date above. The countersigned, executed version of the DPA between the parties controls in case of any conflict with this online template. To request a countersigned DPA, email legal@sentracheck.com.

SentraCheck is a product of Computer Systems Plus, Inc., a California corporation (Fresno, CA). For our public list of subprocessors, see sentracheck.com/subprocessors.html. For our security practices, see sentracheck.com/security.html.