Legal

Data Processing Agreement

Last updated: 17 July 2026

This DPA governs BITS Blackrock IT Solutions LLC’s processing of personal data on behalf of the Subscriber under GDPR Art. 28 and equivalent provisions of regional data-protection law (including PDPL). It forms part of the Terms of Service.

1. Roles

The Subscriber is the controller of personal data it enters into SentiQore (including data entered on behalf of its own clients). BITS Blackrock IT Solutions LLC is the processor, acting only on the Subscriber’s documented instructions — which include operating the Service as configured.

2. Scope of Processing

  • Subject matter: provision of the SentiQore business-continuity and risk-intelligence platform.
  • Duration: the term of the subscription, plus the deletion window below.
  • Nature & purpose: hosting, storing, and processing business-continuity data as directed.
  • Data types: account identifiers, organisation profiles, risk registers, BIA records, recovery strategies, governance documents, and related metadata.
  • Data subjects: the Subscriber’s staff and the contact persons recorded in its client engagements.

3. Our Obligations

  • Process personal data only on the Subscriber’s documented instructions.
  • Ensure persons authorised to process the data are bound by confidentiality.
  • Implement appropriate technical and organisational security measures (Section 5).
  • Assist the Subscriber with data-subject requests and its own security obligations, taking into account the information available to us.
  • Make available information necessary to demonstrate compliance and allow for reasonable audits.

4. Sub-processors

The Subscriber authorises the sub-processors below. We impose data-protection obligations on each that are no less protective than this DPA, remain responsible for their performance, and will give reasonable notice of intended changes.

Sub-processorPurposeLocation
Hetzner Online GmbHHostingGermany (EU)
SupabaseDatabase & storageEU (Frankfurt)
ClerkAuthentication & identityUSA — SCCs
AnthropicAI inference (Rasid)USA — SCCs, no training on customer content
Lemon SqueezyPayments (Merchant of Record)USA — PCI-DSS
SentryError monitoringUSA — SCCs, PII minimised

5. Security Measures

  • Encryption of data in transit (TLS) and at rest.
  • Client data scoped per workspace; access restricted to the authenticated Subscriber.
  • Authentication delegated to a dedicated identity provider with MFA support.
  • Primary data storage in the EU (Frankfurt); hosting in Germany.
  • Least-privilege internal access; error monitoring with PII minimised.

6. International Transfers

Where personal data is transferred outside the Subscriber’s region, the transfer is covered by Standard Contractual Clauses or an equivalent approved safeguard, as reflected in the sub-processor table.

7. Personal Data Breach

We will notify the Subscriber without undue delay, and in any event within 72 hoursof becoming aware of a personal data breach affecting Subscriber data, with the information reasonably available to support the Subscriber’s own obligations.

8. Return & Deletion

On termination, and at the Subscriber’s choice, we will return or delete Subscriber personal data within 30 days, except where retention is required by law.

9. Signing this DPA

A countersigned copy is available on request at privacy@bits-solution.com. Accepting the Terms of Service incorporates this DPA where the Subscriber acts as a controller under GDPR or PDPL.

PrivacyTermsImprintTrust CenterSentiQore · BITS Blackrock IT Solutions LLC