Data processing agreement
Last updated: June 2026
This Data Processing Agreement ("DPA") forms part of the agreement between your organisation ("Customer", "Controller") and Sentra Cyber Fraud Ltd ("Fiducio", "Processor") when you use the Fiducio platform. It supplements our Terms of use and Privacy policy.
1. Scope and roles
Customer is the controller of personal data it uploads, connects, or causes to be processed through Fiducio (including supplier records, mailbox content, user accounts, and audit data). Fiducio processes that data only on Customer's documented instructions to provide the payment-risk monitoring service described in the Terms.
Fiducio may act as an independent controller for limited purposes such as billing, product security, abuse prevention, and aggregated service improvement, as described in the Privacy policy.
2. Subject matter, duration, and nature of processing
- Subject matter: Payment-fraud monitoring for construction and trades SMEs — ingesting payment-risk email, comparing against verified supplier baselines, risk scoring, case management, and verification workflows.
- Duration: For as long as Customer maintains an active account and a reasonable period thereafter for backup, dispute resolution, and legal compliance.
- Nature of processing: Collection, storage, organisation, retrieval, analysis, comparison, display to authorised users, and deletion in accordance with Customer instructions and this DPA.
3. Types of personal data and data subjects
Categories of data subjects
- Customer's employees and authorised users
- Customer's suppliers, subcontractors, and their contacts (names, emails, phone numbers)
- Individuals appearing in payment-risk email (senders, signatories, contacts in message bodies)
Types of personal data
- Account and profile data (name, work email, role)
- Supplier baseline data (names, domains, trusted emails, phone numbers, bank identifiers)
- Email metadata and content required for fraud detection (sender, subject, body, reply-to, headers)
- Text extracted from invoice PDF attachments where applicable
- Risk cases, verification notes, and audit trail entries
Fiducio does not require bank login credentials or full organisation-wide mailbox access beyond mailboxes Customer explicitly connects.
4. Customer instructions and responsibilities
Customer instructs Fiducio to process data as necessary to deliver the service. Customer is responsible for:
- Ensuring a lawful basis exists for processing and for connecting Microsoft 365 and Xero
- Obtaining internal approvals and providing any required notices to data subjects
- Connecting only mailboxes intended for payment-risk monitoring
- Keeping supplier baseline data accurate and verifying bank details through trusted channels
- Configuring user access appropriately within Customer's organisation
Customer may issue additional written processing instructions that do not conflict with the Terms. If Fiducio believes an instruction infringes applicable data protection law, we will inform Customer promptly.
5. Processor obligations
Fiducio shall:
- Process personal data only on documented instructions from Customer, unless required by law
- Ensure personnel with access are bound by confidentiality obligations
- Implement appropriate technical and organisational security measures (see Section 8)
- Not engage another processor without informing Customer (see Section 6)
- Assist Customer with data subject rights requests where reasonably possible
- Assist Customer with security, breach notification, and impact assessment obligations where reasonably possible
- Delete or return Customer personal data on termination, subject to legal retention requirements
- Make available information necessary to demonstrate compliance and allow audits on reasonable notice
6. Sub-processors
Customer authorises Fiducio to use the following categories of sub-processors to deliver the service. We impose data protection obligations on sub-processors that are no less protective than this DPA:
- Supabase — database hosting, authentication infrastructure (EU/UK regions where configured)
- Vercel — application hosting and edge delivery
- Stripe — subscription billing and payment processing
- Microsoft — when Customer connects Microsoft 365, per Customer's OAuth consent
- Xero — when Customer connects Xero, per Customer's OAuth consent
- Resend (if enabled) — transactional email for enquiries and notifications
We will notify Customer of material changes to sub-processors (for example via email or in-app notice). Customer may object on reasonable grounds relating to data protection. If we cannot accommodate a reasonable objection, Customer may terminate the affected service.
7. International transfers
Some sub-processors may process data outside the UK. Where required, Fiducio relies on appropriate safeguards such as UK adequacy regulations, the UK International Data Transfer Agreement (IDTA), or EU Standard Contractual Clauses (as applicable), and supplementary measures where appropriate.
8. Security measures
Fiducio maintains measures including authentication, per-organisation data isolation (row-level security), encryption of sensitive fields and integration tokens, least-privilege integration scopes, access logging, and secure development practices. See our Security & data statement for a summary. No system is perfectly secure; Customer should report concerns promptly.
9. Personal data breach
Fiducio will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer personal data, and will provide information reasonably available to assist Customer in meeting its breach notification obligations under applicable law.
10. Deletion and return
On termination of the service, Fiducio will delete or return Customer personal data within a reasonable period, unless retention is required by law or for legitimate purposes such as resolving disputes or meeting tax obligations. Customer may request export of key platform data before closure by contacting us.
11. Audits
On reasonable written notice, Customer may request information to verify Fiducio's compliance with this DPA. Fiducio may satisfy audit requests through third-party certifications, security documentation, or questionnaires where appropriate, rather than on-site inspection, except where required by law or a regulator.
12. Liability
Liability arising from processing under this DPA is subject to the limitations and exclusions in the Terms of use, except where liability cannot be limited under applicable law.
13. Governing law
This DPA is governed by the laws of England and Wales. Courts in England and Wales have exclusive jurisdiction, subject to mandatory protections that apply to either party.
14. Contact & signed copies
Data protection, legal, and general enquiries: info@fiducio-cyber.com
This online DPA is incorporated by reference when you use Fiducio on behalf of an organisation. Enterprise customers may request a countersigned copy for their records.
Privacy policy · Terms of use · Data processing agreement · Security