Senshin

1. Parties

Controller: The organisation that has entered into a subscription agreement with Senshin ("Customer").

Processor: Senshin Ltd, registered in England and Wales, 71-75 Shelton Street, London WC2H 9JQ ("Senshin").

2. Definitions

Terms used in this DPA have the meanings given in the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the UK Data Protection Act 2018. "Personal Data", "Processing", "Controller", "Processor", "Data Subject", and "Supervisory Authority" are as defined therein.

3. Scope and purpose

Senshin processes Personal Data on behalf of the Customer solely for the purpose of providing the Senshin project delivery platform and related services as described in the subscription agreement.

Categories of data subjects: Customer employees, contractors, project stakeholders, and guest users.

Types of Personal Data: Name, email address, job title, organisation, project role, communication preferences, and any data voluntarily entered into the platform by the Customer.

Duration: Processing continues for the duration of the subscription plus any retention period described in section 10.

4. Processor obligations

Senshin shall:

• Process Personal Data only on documented instructions from the Customer.
• Ensure that persons authorised to process Personal Data are bound by confidentiality obligations.
• Implement appropriate technical and organisational security measures (see section 7).
• Not engage a sub-processor without prior written consent (see section 5).
• Assist the Customer in responding to data subject rights requests.
• Assist the Customer in ensuring compliance with GDPR Articles 32-36.
• Delete or return all Personal Data upon termination of the subscription (see section 10).
• Make available all information necessary to demonstrate compliance.

5. Sub-processors

The Customer authorises Senshin to engage the following sub-processors:

Senshin will notify the Customer at least 30 days before adding a new sub-processor. The Customer may object within 14 days. If the objection cannot be resolved, the Customer may terminate the subscription.

6. Data location

All Customer data is stored and processed in Google Cloud Platform, europe-west2 (London, United Kingdom). Data does not leave the UK/EEA unless required by a sub-processor listed above, in which case Standard Contractual Clauses (SCCs) apply.

7. Security measures

Senshin implements the following technical and organisational measures:

• Encryption in transit: TLS 1.2+ for all connections.
• Encryption at rest: AES-256 for all stored data (GCP default).
• Access control: Role-based access control (RBAC), principle of least privilege.
• Authentication: Firebase Auth with MFA support. Service accounts with IAM-only access.
• Audit logging: Immutable audit trail for all data changes and access events.
• Network security: VPC isolation, private IP for database, Cloud Run with ingress controls.
• Backup: Automated Firestore backups with point-in-time recovery.
• Vulnerability management: Regular dependency auditing and patching.
• Incident response: Documented incident response procedure with escalation paths.

8. Breach notification

In the event of a Personal Data breach, Senshin shall:

1. Notify the Customer without undue delay and in any event within 72 hours of becoming aware of the breach.
2. Provide sufficient information for the Customer to fulfil its own breach notification obligations.
3. Take immediate steps to contain and remediate the breach.
4. Cooperate with the Customer and any supervisory authority in investigating the breach.

9. Data subject rights

Senshin shall assist the Customer in responding to requests from data subjects exercising their rights under GDPR, including: access, rectification, erasure, restriction of processing, data portability, and objection to processing.

The platform includes self-service tools for data export and deletion requests accessible via the admin console.

10. Retention and deletion

Active subscription: Data is retained for the duration of the subscription.

After termination: Customer data is retained for 30 days to allow retrieval, then permanently deleted.

Backups: Backup copies are purged within 90 days of deletion.

Audit logs: Retained for 2 years for compliance purposes, then archived or deleted.

The Customer may request immediate deletion at any time via the GDPR tools in the admin console.

11. Audit rights

The Customer may audit Senshin's compliance with this DPA by:

• Requesting Senshin's most recent SOC 2 report or equivalent certification (when available).
• Submitting written audit questions, which Senshin will answer within 30 days.
• Conducting an on-site or remote audit with 30 days' notice, at the Customer's expense, no more than once per year.

12. Liability

Senshin's liability under this DPA is subject to the limitations set out in the subscription agreement. Nothing in this DPA excludes or limits liability for breaches caused by wilful misconduct or gross negligence.

13. Termination

This DPA is effective for the duration of the subscription agreement. It automatically terminates when the subscription ends, subject to the retention periods in section 10.