Data Processing Agreement (DPA)

Last Updated: 11 March 2026 | Version 1.0

This Data Processing Agreement ("DPA") supplements the Master Subscription Agreement ("MSA") between Sentine ("Data Processor") and the Reporting Entity/Subscriber ("Firm" or "Data Controller"). It outlines the standards and obligations for processing personal and sensitive data handled by the Sentine platform.

This agreement aligns with the Australian Privacy Principles (APP) under the Privacy Act 1988 (Cth). A separate GDPR addendum is available upon request for Firms serving EU-connected clients.

1. Roles and Responsibilities

  • Data Controller: The Firm determines the purposes and parameters for processing its clients' personal data.
  • Data Processor: Sentine processes the data strictly according to the documented instructions of the Firm, as provided through the platform's workflows and configuration.

1A. Scope and Duration of Processing

Categories of Data Subjects

  • Employees and personnel of the Firm (Subscriber account holders and users).
  • Clients and customers of the Firm whose data is processed for AML/CTF compliance purposes.
  • Beneficial owners, controllers, and associated parties of the Firm's clients.

Types of Personal Data Processed

  • Contact information (names, email addresses, phone numbers, residential addresses).
  • Identity documents (government-issued IDs, passport details, driver's licence information).
  • Biometric data (facial recognition and liveness check data, processed via FrankieOne).
  • Financial and business information (ABN/ACN, company structures, beneficial ownership details).
  • Screening results (PEP status, sanctions matches, adverse media findings).
  • Risk assessment data (risk ratings, enhanced due diligence records).
  • Audit trail data (user actions, timestamps, matter lifecycle events).

Duration of Processing

Processing commences upon the Firm's activation of a Sentine subscription and continues for the duration of the subscription. Upon termination, data is retained for a 90-day export window as specified in the Master Subscription Agreement, after which it is securely deleted unless a longer retention period is agreed in writing or required by law.

1B. Processor Obligations

Lawful Instructions

Sentine shall process personal data only on documented instructions from the Firm. If Sentine believes that an instruction from the Firm infringes applicable privacy legislation, Sentine shall promptly inform the Firm before carrying out the instruction, unless prohibited by law from doing so.

Personnel Confidentiality

Sentine ensures that all personnel authorised to process personal data on behalf of the Firm are bound by appropriate confidentiality obligations, whether by contract or statutory duty. Access to Firm data is granted on a need-to-know basis and subject to internal access controls.

2. Technical and Organisational Measures

Sentine implements enterprise-grade technical and organisational measures to ensure a level of security appropriate to the risks associated with the processing of AML/CTF data.

  • Encryption: AES-256 encryption for data at rest, and TLS 1.3 encryption for data in transit.
  • Access Controls: Strict Role-Based Access Control (RBAC) segregated by tenant/Firm. Internal Sentine staff do not have access to Firm matter data unless explicitly and temporarily granted by the Firm for troubleshooting.
  • Audit Trails: Immutable, append-only event streams tracking all actions inside matters.

3. Data Localisation

Primary processing, application hosting, and data storage are fully localised within Tier 1 data centres in the Australian region (Sydney and Melbourne) to fulfil data sovereignty and compliance requirements.

4. Sub-Processors

Sentine uses trusted sub-processors to deliver core platform functionalities. This sub-processor list is maintained as a living document within this DPA.

Current Sub-Processors:

  • FrankieOne: Processing KYC/KYB identity verification, biometric data, PEP, and sanctions screening.
  • InfoTrack: Accessing ASIC/business registry extracts.
  • Stripe: Processing subscription payments and billing.
  • Keycloak: Managing platform authentication and identity.
  • Microsoft Azure: Providing secure cloud infrastructure within Australian data centres (Australia East — Sydney, Australia Southeast — Melbourne).

Changes to Sub-Processors (Right to Object)

Sentine will notify Firms at least thirty (30) days prior to appointing any new sub-processor that handles personal data. Within this notification period, the Firm has a defined Right to Object to the new sub-processor on legitimate data protection grounds. If Sentine cannot address the Firm's concerns, the Firm may terminate its subscription without penalty.

5. Security Breach Notification

Sentine operates in accordance with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988.

  • In the event Sentine becomes aware of an actual or reasonably suspected personal data breach, Sentine will notify affected Firms without undue delay, and no later than 72 hours after becoming aware of the breach.
  • Sentine will cooperate with the Firm and provide necessary information to assist the Firm in fulfilling its notification obligations to the Office of the Australian Information Commissioner (OAIC) and affected data subjects.

6. AI Processing Limitation

Sentine formally affirms that we do not and will not use any protected customer data, identity documents, screening results, or matter metadata provided by the Firm to train any foundational Artificial Intelligence (AI) or Large Language Models (LLMs). This is an explicit limitation in our processing capabilities.

6A. Data Return and Deletion on Termination

Upon termination or expiry of the Master Subscription Agreement:

  1. Export Window: The Firm has ninety (90) days to export all personal data held within the platform, including evidence packs, matter records, customer data, and audit logs.
  2. Deletion: After the 90-day export window, Sentine shall securely delete all personal data processed on behalf of the Firm from its primary systems within thirty (30) days, using industry-standard data destruction methods.
  3. Backup Purge: Personal data residing in encrypted backups will be overwritten through the normal backup rotation cycle, not exceeding ninety (90) days from the deletion of primary data.
  4. Certificate of Destruction: Upon written request by Enterprise-tier Firms, Sentine will provide a Certificate of Data Destruction confirming the completion of the deletion process.
  5. Exceptions: Sentine may retain anonymised, aggregated data that cannot be used to identify any individual. Sentine may also retain data where required by law or court order, in which case the Firm will be notified to the extent legally permitted.

7. Audits and Compliance

Firms have the right to request reasonable evidence of Sentine's compliance with this DPA. Sentine will make available security reports, generic architecture documentation, or system audit trails upon written request, ensuring independent Part 8.6 reviewers engaged by the Firm can verify the integrity of the data processing environment.

8. Governing Law

This Data Processing Agreement is governed by the laws of New South Wales, Australia, and is subject to the jurisdiction of the courts of New South Wales.