GDPR & Data Processing

Effective Date: February 22, 2026 · Last Updated: February 22, 2026

1. Our Commitment to GDPR

ReaTech, Inc. ("ReaTech") is committed to complying with the General Data Protection Regulation (GDPR) and protecting the privacy rights of individuals in the European Union (EU) and European Economic Area (EEA). This page describes how we process personal data in connection with the Sentinel compliance automation platform, our roles under GDPR, and how you can exercise your data protection rights.

2. Roles and Responsibilities

2.1 ReaTech as Data Controller

ReaTech acts as the Data Controller for the following categories of personal data:

  • Account registration data (name, email address, company name)
  • Billing and subscription information
  • Usage data and analytics
  • Communications and support interactions

2.2 ReaTech as Data Processor

ReaTech acts as the Data Processor when processing data on your behalf, including:

  • Compliance evidence collected from your connected cloud accounts (AWS, GitHub, Google Workspace)
  • Configuration data and metadata retrieved during evidence collection
  • Compliance reports generated from your evidence data
  • Policy documents generated based on your organization's information

In these cases, you (the Customer) are the Data Controller, and we process data solely in accordance with your instructions as provided through your use of the Service.

3. Lawful Bases for Processing

We process personal data under the following lawful bases as defined in GDPR Article 6:

  • Performance of a contract (Art. 6(1)(b)) — processing necessary to provide the Sentinel platform, manage your account, process subscriptions, and deliver compliance services
  • Legitimate interests (Art. 6(1)(f)) — processing for service improvement, security monitoring, fraud prevention, and internal analytics, where such interests are not overridden by your data protection rights
  • Consent (Art. 6(1)(a)) — processing for optional marketing communications. You may withdraw consent at any time without affecting the lawfulness of prior processing.
  • Legal obligation (Art. 6(1)(c)) — processing required to comply with applicable tax, financial reporting, and regulatory obligations

4. Data Processing Activities

We process the following categories of data for the specified purposes:

4.1 Account Management

  • Data: Name, email, company name, role, password hash
  • Purpose: User authentication, account administration, role-based access control
  • Retention: Duration of account activity plus 30 days after deletion

4.2 Cloud Integration Evidence Collection

  • Data: Cloud resource configurations, security settings, access controls, metadata from AWS, GitHub, and Google Workspace
  • Purpose: Compliance evidence collection, security posture assessment, audit reporting
  • Retention: Duration of account activity plus 90 days after deletion

4.3 Compliance Reporting

  • Data: Aggregated compliance evidence, control assessments, remediation status
  • Purpose: Generating SOC 2, ISO 27001, and executive summary reports
  • Retention: Duration of account activity

4.4 Payment Processing

  • Data: Billing information processed by Stripe (we do not store payment card data)
  • Purpose: Subscription management, invoicing, payment processing
  • Retention: As required by tax and financial regulations (up to 7 years)

5. International Data Transfers

Sentinel's infrastructure is located in the United States. If you are located in the EU/EEA, your personal data will be transferred to and processed in the United States. We protect such transfers through the following safeguards:

  • Standard Contractual Clauses (SCCs) — we use EU-approved Standard Contractual Clauses as the legal mechanism for transferring personal data from the EU/EEA to the United States, in accordance with GDPR Article 46(2)(c)
  • Supplementary measures — we implement technical and organizational measures including encryption, access controls, and data minimization to ensure an adequate level of protection

A copy of our Standard Contractual Clauses is available upon request by contacting nicholas@reatech.io.

6. Data Subject Rights

Under the GDPR (Articles 15–22), you have the following rights regarding your personal data:

  • Right of Access (Art. 15) — you have the right to obtain confirmation of whether we process your personal data and to request a copy of that data
  • Right to Rectification (Art. 16) — you have the right to request correction of inaccurate personal data or completion of incomplete data
  • Right to Erasure (Art. 17) — you have the right to request deletion of your personal data ("right to be forgotten") when the data is no longer necessary for its original purpose, you withdraw consent, or the data has been unlawfully processed
  • Right to Restriction of Processing (Art. 18) — you have the right to request restriction of processing in certain circumstances, such as when you contest the accuracy of the data
  • Right to Data Portability (Art. 20) — you have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller
  • Right to Object (Art. 21) — you have the right to object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds.
  • Rights Related to Automated Decision-Making (Art. 22) — Sentinel does not make automated decisions with legal or similarly significant effects on individuals. Compliance assessments are informational tools, not automated decisions about individuals.

To exercise any of these rights, please contact our Data Protection Officer at nicholas@reatech.io. We will respond to your request within 30 days. In complex cases, we may extend this period by an additional 60 days with notice.

7. Data Protection Officer

We have designated a Data Protection Officer (DPO) who can be contacted for any data protection-related inquiries:

  • Email: nicholas@reatech.io
  • Company: ReaTech, Inc.

8. Sub-Processors

We use the following sub-processors to deliver the Service. Each sub-processor is bound by data processing agreements that ensure appropriate data protection:

  • Amazon Web Services (AWS) — cloud infrastructure hosting (United States)
  • Stripe, Inc. — payment processing (United States)

We will notify you at least 30 days in advance of adding new sub-processors. You may object to a new sub-processor by contacting us within that notice period. If we cannot reasonably accommodate your objection, you may terminate your subscription.

9. Data Breach Notification

In the event of a personal data breach, we will:

  • Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33
  • Notify affected data subjects without undue delay if the breach is likely to result in a high risk to their rights and freedoms, as required by GDPR Article 34
  • Document all breaches, including the facts, effects, and remedial actions taken

10. Data Retention

We retain personal data only for as long as necessary for the purposes outlined in this document:

  • Account data: Duration of account activity + 30 days after deletion
  • Compliance evidence: Duration of account activity + 90 days after deletion
  • Generated reports and policies: Duration of account activity
  • Payment records: Up to 7 years (legal obligation)
  • Usage analytics: Up to 12 months
  • Support communications: Up to 24 months after resolution

11. Data Processing Agreement

We offer a Data Processing Agreement (DPA) for customers who require one for GDPR compliance. Our DPA covers:

  • Subject matter and duration of processing
  • Nature and purpose of processing
  • Types of personal data processed
  • Categories of data subjects
  • Obligations and rights of the controller
  • Technical and organizational security measures
  • Sub-processor management
  • Data breach notification procedures
  • Data deletion and return

To request a copy of our DPA, please contact nicholas@reatech.io.

12. Supervisory Authority

If you are located in the EU/EEA and believe that our processing of your personal data violates the GDPR, you have the right to lodge a complaint with your local supervisory authority. You can find your supervisory authority through the European Data Protection Board.

We encourage you to contact us first at nicholas@reatech.io so we can address your concerns directly.

13. Contact

For any questions about this GDPR page or our data processing practices:

  • Data Protection Officer: nicholas@reatech.io
  • General Privacy: nicholas@reatech.io
  • Company: ReaTech, Inc.
© 2026 ReaTech. All rights reserved.