This data processing agreement ("DPA") forms part of the Sentinel subscription terms between Fortitude Media Limited ("Fortitude", "we", "processor") and the customer ("you", "controller"). It applies where we process personal data on your behalf in providing the service. If anything here conflicts with the rest of the agreement, this DPA wins for data protection matters.
For most Sentinel usage we process very little personal data on your behalf, because the product is about brands and competitors rather than people. This DPA still sets out the protections you should expect, and it is the document your procurement or legal team will want on file.
1. Definitions
"UK GDPR" means the UK General Data Protection Regulation and the Data Protection Act 2018. "Personal data", "processing", "controller", "processor", "data subject" and "personal data breach" have the meanings given in the UK GDPR. "Sub-processor" means a third party we engage to process personal data in providing the service.
2. Roles and scope
You are the controller and we are the processor for the personal data described in Annex 1. You confirm that you have a lawful basis to share that data with us and to instruct the processing in this DPA. We will process personal data only to provide and support the service and only on your documented instructions, which include this DPA, the subscription terms, and your use of the product's settings. If we believe an instruction breaks data protection law, we will tell you.
3. Our obligations
We will:
- Process only on your instructions, and not for our own purposes, except where the law requires otherwise (in which case we will tell you unless the law forbids it).
- Keep the data confidential and make sure anyone we authorise to process it is under a duty of confidence.
- Secure the data with appropriate technical and organisational measures, described in Annex 2, taking account of the state of the art, the costs, and the risks to people.
- Help you respond to data subjects who exercise their rights, by appropriate technical and organisational measures, so far as possible.
- Help you meet your obligations on security, breach notification, data protection impact assessments and consultation with the ICO, taking account of the information available to us.
- Tell you without undue delay after becoming aware of a personal data breach affecting your data, with enough information to help you meet your own notification duties.
- Delete or return the data at the end of the service, as set out in section 7.
- Make available the information you reasonably need to show compliance with Article 28 of the UK GDPR, and allow for and contribute to audits as described in section 6.
4. Sub-processors
You give us general authorisation to use sub-processors to provide the service. The current sub-processors are listed in Annex 3, which we keep up to date. When we plan to add or replace a sub-processor, we will update that list and, where you have asked us to, give you reasonable notice so you can object on reasonable data protection grounds. We will put a written contract in place with each sub-processor imposing the same data protection obligations as in this DPA, and we remain responsible to you for what our sub-processors do.
5. International transfers
We store data in the UK and the EEA where possible. Where providing the service involves transferring personal data outside the UK, we will make sure an appropriate safeguard is in place, such as a UK adequacy decision, the UK International Data Transfer Agreement, or the UK Addendum to the EU Standard Contractual Clauses, together with any extra measures required.
6. Audit
On reasonable written notice, and no more than once a year unless a regulator or a breach requires otherwise, we will give you the information you reasonably need to confirm we are meeting this DPA. We can satisfy audit requests by providing current certifications, security summaries or third-party reports. Any on-site audit will be at your cost, during business hours, and arranged so it does not disrupt our other customers.
7. Return and deletion
When the service ends, or earlier if you ask, we will delete or return the personal data we process on your behalf, and delete existing copies, unless the law requires us to keep it. Backups are deleted on our normal backup cycle. Our standard retention windows are in our privacy policy.
8. Liability
Each party's liability under this DPA is subject to the limitation of liability in the subscription terms.
9. Governing law
This DPA is governed by the law of England and Wales.
---
Annex 1: Details of the processing
Subject matter. Provision of the Fortitude Sentinel AI visibility monitoring service.
Duration. For as long as the customer has an active account, plus the retention periods in the privacy policy.
Nature and purpose. Hosting, storing and processing the customer's account configuration and usage so we can monitor AI engine outputs, generate reports and recommendations, send notifications, and support the customer.
Types of personal data. Account holder and user details (name, work email, role, sign-in records). Any personal data the customer chooses to include in prompts, settings or uploaded material, which is expected to be minimal.
Categories of data subjects. The customer's staff and authorised users. Occasionally, individuals named by the customer within their configuration.
Special category data. None requested or required. Customers are asked not to include it.
Annex 2: Security measures
- Encryption of personal data in transit, and at rest where supported by our infrastructure providers.
- Role-based access controls and the principle of least privilege for staff access.
- Authentication controls for customer accounts, including support for strong passwords.
- Audit logging of access to systems holding personal data.
- Network and application security controls provided by our hosting partners.
- Regular backups and a documented restore process.
- Routine security reviews and prompt patching of known vulnerabilities.
- Staff confidentiality obligations and security awareness.
- A documented process for detecting, investigating and reporting personal data breaches.
Annex 3: Sub-processor list
We keep this list current and update it whenever a provider changes. The only item still to confirm before publication is the analytics and error-monitoring provider.
| Sub-processor | What they do for us | Where |
|---|---|---|
| Supabase | Application database, authentication and file storage | EU / US (region configurable) |
| Vercel | Hosting for the Sentinel application | US and global edge network |
| Cloudflare | Content delivery and object storage (R2) | Global |
| Lovable | Hosting for the public marketing website | EU / US |
| Paddle (Paddle.com Market Ltd) | Payments and Merchant of Record | UK / EU |
| Stripe (Stripe Payments Europe Ltd) | Card payments, and Merchant of Record where selected | EU / US |
| GoCardless (GoCardless Ltd) | Direct debit collection | UK / EU |
| Resend | Transactional and report email delivery | US / EU |
| OpenAI, Anthropic, Google, Microsoft, Perplexity | AI engines queried to generate your reports, using brand and category prompts rather than personal data | US and global |
| Analytics and error monitoring provider (confirm, e.g. Vercel Analytics, Plausible, Sentry) | Aggregate product analytics and error tracking | EU / US |
Contact for data protection queries. Email privacy@fortitudemedia.ai or write to Fortitude Media Limited, 5 Missenden Road, Chesham, England, HP5 1JL.