DPA — Sentry
Data Processing Agreement — Sentry
Between:
- Data Controller: ALAI Holding AS, Org. No. 932 516 136 ("Controller")
- Data Processor: Functional Software, Inc. dba Sentry ("Processor")
Effective Date: [DATE] Product: Drop payment services — Error Monitoring and Performance
This DPA supplements the generic DPA template (dpa-template.md) with Sentry-specific processing details. All general terms from the template apply unless overridden below.
Appendix 1 — Processing Details
| Field | Description |
|---|---|
| Purpose | Application error monitoring, crash reporting, and performance tracking for the Drop application to ensure service reliability and rapid incident response |
| Nature | Collection, storage, and analysis of error reports, stack traces, and performance metrics |
| Duration | Duration of Sentry subscription agreement |
| Data subjects | Drop end users (indirectly, via error context), Drop application developers and administrators |
| Data types | Error messages and stack traces, request URLs and HTTP headers (redacted), IP addresses (anonymizable), browser/device information, user agent strings, request IDs, breadcrumb events, performance traces (transaction timing) |
| Special categories | None — financial data and PII are scrubbed before transmission to Sentry (see Data Scrubbing section) |
Appendix 2 — Security Measures (Sentry)
- Encryption: TLS 1.3 in transit; AES-256 at rest
- Access Control: SSO/SAML, RBAC, MFA enforcement, IP allowlisting available
- Data Residency: EU data region available (selected for Drop); data stored in EU
- Logging: Access audit logs available via Sentry dashboard
- Data Retention: Configurable retention (Controller sets to 90 days for error data); automatically purged after retention period
- Incident Response: Sentry security incident response per SOC 2 procedures
- Certifications: SOC 2 Type II
- Privacy: Sentry does not sell or share customer data; processes data solely per Controller instructions
Additional Sentry-Specific Terms
Data Scrubbing (Controller Responsibility)
The Controller implements the following data scrubbing measures BEFORE data is transmitted to Sentry:
- PII Filtering: All user names, email addresses, phone numbers, and national ID numbers are stripped from error payloads using Sentry SDK's
beforeSendhook - Financial Data: Transaction amounts, account numbers, IBANs, and card numbers are never included in error reports
- IP Anonymization: IP addresses are anonymized (last octet zeroed) via Sentry SDK configuration
- Request Body Filtering: POST bodies containing financial or personal data are excluded from error reports
- Custom Scrubbing Rules: Sentry's server-side data scrubbing enabled for additional patterns (credit card, SSN)
Data Minimization
- Only error context necessary for debugging is transmitted
- User ID may be included for error correlation (pseudonymized identifier only)
- Request ID (correlation ID) included for log cross-referencing
- No financial transaction details, KYC data, or AML data transmitted to Sentry
Data Subject Rights
- Since data transmitted to Sentry is scrubbed of direct identifiers, data subject requests are primarily handled by the Controller
- If pseudonymized user IDs need to be purged, Controller can use Sentry's data deletion API
- Sentry supports GDPR data deletion requests via their API
Spike Protection
- Sentry spike protection prevents excessive data collection during error storms
- Controller configures rate limits to prevent inadvertent data over-collection
Signatures
Data Controller — ALAI Holding AS
Name: ___________________________ Title: ___________________________ Date: ___________________________
Data Processor — Functional Software, Inc. dba Sentry
Name: ___________________________ Title: ___________________________ Date: ___________________________
No comments to display
No comments to display